TL;DR: IGA programs still miss the identities that now carry the most operational risk: service accounts, API keys, OAuth tokens, cloud service principals, and AI agent credentials, according to Zluri. NHI governance closes that blind spot by extending discovery, ownership, lifecycle, review, and audit controls to machine identities that were never tied to HR events.
NHIMG editorial — based on content published by Zluri: Security & Compliance NHI Governance, focusing on service accounts, API keys, and AI agents in IGA programs
Questions worth separating out
Q: How should security teams govern service accounts and API keys in an IGA program?
A: Treat them as identities with a named owner, a lifecycle, and a review obligation, not as technical artifacts that live only in a vault or a config file.
Q: Why do non-human identities create more risk than many teams expect?
A: They are often long-lived, widely privileged, and created outside HR processes, so they escape normal onboarding and offboarding controls.
Q: What breaks when access reviews do not include machine identities?
A: Ownership and accountability break first, because no one is formally asked to confirm that the account still has a valid purpose.
Practitioner guidance
- Inventory non-human identities across all control planes: build a single inventory that spans cloud IAM, SaaS connections, code repositories, CI/CD systems, and vaults.
- Assign a human owner to every machine identity: require owner assignment at creation, and use metadata inference only when explicit ownership is missing.
- Certify long-lived access on a fixed review cadence: include service accounts, tokens, and connected applications in quarterly or semi-annual access reviews.
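The three steps above, run as one review pass over a small machine-identity inventory. This is an added illustration and not Zluri's code or product logic; the inventory is constructed by hand, the `<team>-svc-<purpose>` naming convention and the `team` tag used for owner inference are assumptions, and the 90-day thresholds stand in for whatever cadence a programme actually adopts.

```python
"""Review pass over a constructed non-human-identity (NHI) inventory.

Added example, not taken from Zluri. It models the three practitioner
steps: one inventory across control planes, owner assignment with metadata
inference as a fallback, and fixed-cadence certification of long-lived
credentials. Thresholds and naming conventions are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

REVIEW_CADENCE_DAYS = 90   # quarterly certification (assumed cadence)
LONG_LIVED_DAYS = 90       # credential older than this must be certified (assumed)

# Assumed naming convention "<team>-svc-<purpose>" used for owner inference.
TEAM_PATTERN = re.compile(r"^(?P<team>[a-z]+)-svc-")


@dataclass
class MachineIdentity:
    name: str
    source: str                       # control plane: aws_iam, github, ci, vault, saas_oauth
    created: date
    owner: Optional[str] = None       # explicit owner recorded at creation
    last_certified: Optional[date] = None
    tags: Dict[str, str] = field(default_factory=dict)


def infer_owner(ident: MachineIdentity) -> Tuple[Optional[str], str]:
    """Return (owner, how). Explicit ownership wins; metadata is a fallback."""
    if ident.owner:
        return ident.owner, "explicit"
    if "team" in ident.tags:                       # assumed tag key
        return ident.tags["team"], "inferred:tag"
    m = TEAM_PATTERN.match(ident.name)
    if m:
        return m.group("team"), "inferred:name"
    return None, "unowned"


def review(inventory: List[MachineIdentity], today: date) -> List[Tuple[str, str]]:
    """Emit (identity, finding) pairs for ownership and certification gaps."""
    findings: List[Tuple[str, str]] = []
    for ident in inventory:
        owner, how = infer_owner(ident)
        if owner is None:
            findings.append((ident.name, "NO_OWNER"))
        elif how != "explicit":
            # Inferred ownership is a lead, not an answer: flag it for confirmation.
            findings.append((ident.name, f"OWNER_INFERRED:{owner}"))

        age_days = (today - ident.created).days
        if age_days > LONG_LIVED_DAYS:
            if ident.last_certified is None:
                findings.append((ident.name, "NEVER_CERTIFIED"))
            elif (today - ident.last_certified).days > REVIEW_CADENCE_DAYS:
                findings.append((ident.name, "CERTIFICATION_OVERDUE"))
    return findings


# Constructed sample inventory spanning several control planes.
SAMPLE_INVENTORY = [
    MachineIdentity("payments-svc-settlement", "aws_iam", date(2024, 1, 15),
                    owner="payments", last_certified=date(2025, 4, 1)),
    MachineIdentity("legacy-backup", "aws_iam", date(2022, 3, 10)),
    MachineIdentity("data-svc-etl", "github", date(2024, 11, 1),
                    last_certified=date(2025, 1, 15)),
    MachineIdentity("ci-deployer", "ci", date(2025, 5, 15),
                    tags={"team": "platform"}),
    MachineIdentity("oauth:slack-notifier", "saas_oauth", date(2023, 6, 1),
                    owner="collab"),
]


if __name__ == "__main__":
    for name, finding in review(SAMPLE_INVENTORY, date(2025, 6, 1)):
        print(f"{name:28} {finding}")
```

Run as-is, the pass clears the settlement account (explicit owner, certified within the cadence), flags the orphaned backup account twice, and turns the inferred owners into confirmation tasks rather than silently accepting them. In a real programme the `SAMPLE_INVENTORY` list is replaced by a pull from each control plane, and the findings feed the review queue rather than stdout.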
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- How Zluri maps service accounts, API keys, and OAuth applications into an identity governance workflow
- The access review and certification logic used to support non-human identity attestation
- Operational examples for lifecycle management, ownership assignment, and decommissioning
- The product-specific steps for connecting SaaS identity data to governance workflows
👉 Read Zluri's analysis of NHI governance for service accounts, API keys, and AI agents →
Service accounts, API keys, and AI agents: the NHI governance gap?
Explore further
NHI governance is now an identity control-plane problem, not a credential hygiene problem. The article shows that service accounts, API keys, OAuth tokens, and AI agent credentials sit outside HR-led identity governance, which means the core IGA assumption has already failed. The discipline now has to govern discovery, ownership, lifecycle, review, and audit evidence across machine identities that are created and retired by software teams. The practitioner conclusion is straightforward: if the identity estate is incomplete, the governance programme is incomplete.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security.
- That same research found that 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
A question worth separating out:
Q: Who is accountable when a service account or AI agent is over-privileged?
A: The accountable human owner and the identity governance process are both in scope. Teams need a named owner, a clear purpose, and a review trail that shows when access was approved, certified, or revoked. Without that, responsibility becomes diffuse and remediation slows down.
👉 Read our full editorial: NHI governance for service accounts, API keys, and AI agents