Shadow AI and NHI sprawl: what identity teams need to change

TL;DR: Identiverse 2025 conversations highlighted a shift from identity governance to identity intelligence as machine identities, shadow AI, and real-time policy enforcement became central concerns, according to Zluri. The governance model is changing because visibility without action is no longer enough for NHIs, AI agents, and human access programmes.

NHIMG editorial — based on content published by Zluri: Zluri features learnings from Identiverse 2025 on shadow AI, NHIs, and smarter access

By the numbers:

• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• Only 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: How should security teams govern shadow AI that connects to corporate systems?

A: Security teams should treat shadow AI as an identity governance problem, not just an application discovery problem.

Q: Why do machine identities force IAM teams to change review processes?

A: Machine identities change the pace of governance because they can be created, used, and abandoned faster than periodic access reviews can respond.

Q: What do organisations get wrong about visibility in identity governance?

A: They often assume that seeing an identity relationship is the same as controlling it.

Practitioner guidance

• Build one inventory for human and machine identities Unify discovery across SaaS apps, cloud platforms, service accounts, API keys, and AI-connected tools so governance teams can see the full identity surface in one place.
• Classify shadow AI as an identity governance issue Treat unsanctioned AI tools as active identity relationships when they authenticate to corporate systems, because the risk sits in delegated access and offboarding gaps, not in the model alone.
• Trigger policy from live identity context Use role changes, new write permissions, and unexpected app connections as control triggers so risky access is restricted before the next review cycle.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

• How Zluri frames its visibility, intelligence, and action model across identity workflows
• The platform-specific examples it gives for shadow app detection and policy enforcement
• The article's own view of where identity intelligence sits in the modern IAM stack
• The broader Identiverse 2025 discussion themes that shaped the vendor's observations

👉 Read Zluri's analysis of Identiverse 2025 identity intelligence themes →

Shadow AI and NHI sprawl: what identity teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →