TL;DR: Non-human identities no longer fit neatly inside human-centric IAM, because service accounts, API keys, tokens, and certificates often lack ownership, visibility, and lifecycle control, according to Oasis Security. That gap makes discovery, least privilege, rotation, and recertification the practical boundary, not a feature checklist.
NHIMG editorial — based on content published by Oasis Security: Non Human Identity Security - Why Now?
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams handle non-human identities that do not fit human IAM workflows?
A: Treat non-human identities as first-class governed assets, not exceptions.
Q: Why do service accounts and API keys increase governance risk?
A: They often exist outside interactive controls such as MFA and SSO, and many are created with standing access that is never reviewed.
Q: What breaks when non-human identities are not included in recertification?
A: Access remains active even after the business need changes, so expired service accounts and unused keys continue to represent live privilege.
Practitioner guidance
- Inventory NHIs across every environment: automate discovery for service accounts, API keys, tokens, and certificates in cloud, SaaS, on-prem, and CI/CD systems.
- Attach NHIs to a governance workflow: route machine identities into access review and attestation processes alongside human identities, with evidence of approval, purpose, and retirement.
- Right-size privileges before rotation: review what each secret or service principal can reach, then reduce scope before changing credentials.
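The three steps above are a lifecycle procedure, so here is one way to turn them into a repeatable review. This is an added example, not code from Oasis Security or NHIMG: it takes a constructed inventory of non-human identities, reports discovery coverage per environment, flags records with no owner, standing access that is never or no longer used, over-broad scope, and overdue rotation, and orders the resulting actions so that scope is reduced before a credential is rotated. The record fields, identifiers and the 90-day rotation and 60-day idle thresholds are assumptions chosen for illustration.

```python
"""Triage a constructed NHI inventory into a recertification queue.

Added example, not code from Oasis Security or NHIMG. The records, field
names and policy thresholds are assumptions chosen to illustrate the three
guidance steps: inventory per environment, route findings into review with
an accountable owner, and right-size scope before rotating credentials.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Policy thresholds (assumed values; set them from your own standard).
MAX_ROTATION_AGE_DAYS = 90   # credential older than this must be rotated
MAX_IDLE_DAYS = 60           # unused this long means standing access with no need
BROAD_SCOPES = {"*", "admin", "owner"}  # scopes to reduce before anything else
REVIEW_DATE = date(2025, 6, 1)  # fixed "today" so the run is reproducible


@dataclass
class NHI:
    ident: str                    # identifier in the source system
    kind: str                     # service_account | api_key | token | certificate
    environment: str              # cloud | saas | on_prem | cicd
    owner: Optional[str]          # accountable service owner; None = orphaned
    scopes: tuple                 # what the credential can reach
    created: date
    last_rotated: Optional[date]  # None = never rotated since creation
    last_used: Optional[date]     # None = no recorded use


@dataclass
class Finding:
    ident: str
    issues: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def review(nhi: NHI, today: date = REVIEW_DATE) -> Optional[Finding]:
    """Return a Finding for one NHI, or None if it passes every check."""
    issues = []
    if nhi.owner is None:
        issues.append("no_owner")
    # Standing access nobody uses is live privilege with no business need.
    last_activity = nhi.last_used or nhi.created
    if (today - last_activity).days > MAX_IDLE_DAYS:
        issues.append("never_used" if nhi.last_used is None else "idle")
    if any(s in BROAD_SCOPES for s in nhi.scopes):
        issues.append("broad_scope")
    if (today - (nhi.last_rotated or nhi.created)).days > MAX_ROTATION_AGE_DAYS:
        issues.append("rotation_overdue")
    if not issues:
        return None
    # An orphaned credential needs an owner before any decision is defensible.
    actions = ["assign_owner"] if "no_owner" in issues else []
    if "idle" in issues or "never_used" in issues:
        actions.append("retire")            # retiring makes rotation moot
    else:
        if "broad_scope" in issues:
            actions.append("reduce_scope")  # right-size before rotating
        if "rotation_overdue" in issues:
            actions.append("rotate")
    return Finding(nhi.ident, issues, actions)


def build_queue(inventory, today: date = REVIEW_DATE):
    """Recertification queue: most issues first, orphans ahead of ties."""
    findings = [f for f in (review(n, today) for n in inventory) if f]
    findings.sort(key=lambda f: (-len(f.issues), "no_owner" not in f.issues, f.ident))
    return findings


def coverage(inventory):
    """Discovery coverage per environment: (total NHIs, NHIs with an owner)."""
    out = {}
    for n in inventory:
        total, owned = out.get(n.environment, (0, 0))
        out[n.environment] = (total + 1, owned + (n.owner is not None))
    return out


# Constructed sample inventory (not real identifiers).
SAMPLE_INVENTORY = [
    NHI("sa-billing-prod", "service_account", "cloud", "billing-team",
        ("billing.read",), date(2024, 1, 10), date(2025, 4, 15), date(2025, 5, 30)),
    NHI("key-legacy-etl", "api_key", "on_prem", None,
        ("*",), date(2023, 3, 1), None, date(2024, 11, 1)),
    NHI("tok-ci-deploy", "token", "cicd", "platform",
        ("deploy", "admin"), date(2025, 1, 15), date(2025, 1, 15), date(2025, 5, 31)),
    NHI("cert-partner-mtls", "certificate", "saas", "integrations",
        ("partner.api",), date(2025, 5, 1), date(2025, 5, 1), None),
    NHI("sa-unused-test", "service_account", "cloud", "qa",
        ("storage.read",), date(2025, 1, 1), date(2025, 5, 20), None),
]

if __name__ == "__main__":
    for env, (total, owned) in sorted(coverage(SAMPLE_INVENTORY).items()):
        print(f"{env:8} total={total} owned={owned}")
    for f in build_queue(SAMPLE_INVENTORY):
        print(f"{f.ident}: {', '.join(f.issues)} -> {' then '.join(f.actions)}")
```

Two design choices carry the guidance: a credential that is idle or never used goes straight to retirement rather than being rotated (rotation would only refresh privilege nobody needs), and a credential that stays gets `reduce_scope` ahead of `rotate`, so the new secret is issued with the narrowed permissions. The `coverage` output is what an inventory review should show first, because an environment with zero records is far more likely a discovery gap than a clean estate.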
What's in the full article
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- A vendor walk-through of discovery coverage across service accounts, API keys, tokens, and certificates in cloud, SaaS, and on-prem environments.
- Operational guidance on secrets vaulting and automatic rotation cadences for non-human identities.
- Examples of how ownership context and consumer resolution reduce remediation risk when rightsizing access.
- A practical view of how the vendor positions NHI workflows inside existing IGA and PAM programmes.
👉 Read Oasis Security's analysis of why non-human identity security matters now →
Non-human identity security: why IAM controls are falling behind?
Explore further
The identity paradox is really a governance paradox. The article's core claim is that organisations can no longer assume the identity subject is a person, because NHIs now carry sensitive access and often evade the protection layers built for humans. That changes the question from "who logged in" to "what identity class is actually acting". The implication is that IAM programmes must classify identity by behaviour and lifecycle, not by familiarity.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- A separate finding shows that 79% of organisations have experienced secrets leaks, with 77% of those incidents resulting in tangible damage.
A question worth separating out:
Q: Who should own non-human identity offboarding and rotation?
A: The application or service owner should own the business decision, while IAM or security should enforce the workflow and evidence. That split prevents orphaned credentials, ensures accountability, and makes retirement defensible in audit and incident response.
👉 Read our full editorial: Non-human identity security now requires lifecycle governance