Shadow AI and NHI sprawl: what identity teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Identiverse 2025 conversations highlighted a shift from identity governance to identity intelligence as machine identities, shadow AI, and real-time policy enforcement became central concerns, according to Zluri. The governance model is changing because visibility without action is no longer enough for NHIs, AI agents, and human access programmes.

NHIMG editorial — based on content published by Zluri: Zluri features learnings from Identiverse 2025 on shadow AI, NHIs, and smarter access

Questions worth separating out

Q: How should security teams govern shadow AI that connects to corporate systems?

A: Security teams should treat shadow AI as an identity governance problem, not just an application discovery problem.

Q: Why do machine identities force IAM teams to change review processes?

A: Machine identities change the pace of governance because they can be created, used, and abandoned faster than periodic access reviews can respond.

Q: What do organisations get wrong about visibility in identity governance?

A: They often assume that seeing an identity relationship is the same as controlling it.

Practitioner guidance

  • Build one inventory for human and machine identities: Unify discovery across SaaS apps, cloud platforms, service accounts, API keys, and AI-connected tools so governance teams can see the full identity surface in one place.
  • Classify shadow AI as an identity governance issue: Treat unsanctioned AI tools as active identity relationships when they authenticate to corporate systems, because the risk sits in delegated access and offboarding gaps, not in the model alone.
  • Trigger policy from live identity context: Use role changes, new write permissions, and unexpected app connections as control triggers so risky access is restricted before the next review cycle.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • How Zluri frames its visibility, intelligence, and action model across identity workflows
  • The platform-specific examples it gives for shadow app detection and policy enforcement
  • The article's own view of where identity intelligence sits in the modern IAM stack
  • The broader Identiverse 2025 discussion themes that shaped the vendor's observations

👉 Read Zluri's analysis of Identiverse 2025 identity intelligence themes →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Identity intelligence is becoming the operating model because visibility alone does not change risk. The article reflects a real shift in the field: CISOs no longer want another inventory, they want systems that translate identity context into enforcement. That is a governance change, not just a tooling preference. Practitioners should treat identity intelligence as the bridge between discovery and control.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How can identity teams keep pace with access changes in modern environments?

A: Identity teams should connect policy enforcement to live events such as role changes, new integrations, and unexpected privilege grants. That approach reduces the delay between detection and remediation, which is where many governance failures occur. It also works better for NHIs and AI-connected access than quarterly review cycles do.

👉 Read our full editorial: Shadow AI and NHIs are forcing identity governance to change



   
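The event-triggered enforcement both posts above describe (role changes, new write permissions, unexpected app connections), sketched as an added example that is not part of the original posts or of Zluri's product. The inventory layout, event fields, action names and allow-list are hypothetical, and all data is constructed.

```python
import copy

# Constructed sample inventory: human and machine identities kept in one place.
INVENTORY = {
    "alice": {"kind": "human", "owner": None, "scopes": {"crm:read"}},
    "svc-report": {"kind": "service_account", "owner": "alice", "scopes": {"crm:read"}},
    "key-ci-42": {"kind": "api_key", "owner": None, "scopes": {"repo:read"}},
}
SANCTIONED_APPS = {"crm", "ticketing"}  # assumption: allow-list kept by the identity team

def evaluate(event, inv):
    """Return (action, target, reason) tuples for one live identity event."""
    who = event["identity"]
    ident = inv.get(who)
    if ident is None:
        return [("quarantine", who, "identity missing from inventory")]
    kind = event["type"]
    if kind == "role_change":
        # A human changing role puts every machine identity they own up for review now.
        return [("review", name, f"owner {who} changed role to {event['new_role']}")
                for name, rec in sorted(inv.items()) if rec["owner"] == who]
    if kind == "permission_grant":
        if ident["kind"] != "human" and event["scope"].endswith(":write"):
            # Hold new write access on machine identities instead of waiting for a review.
            reason = "write scope on machine identity"
            return [("hold_grant", who, reason + ("" if ident["owner"] else " with no owner"))]
        ident["scopes"].add(event["scope"])
        return []
    if kind == "app_connection" and event["app"] not in SANCTIONED_APPS:
        # Record the delegated access as an identity so offboarding of the owner covers it.
        inv[event["app"]] = {"kind": "ai_tool", "owner": who, "scopes": set(event["scopes"])}
        return [("revoke_token", event["app"], f"unsanctioned app connected by {who}")]
    return []

def run(events):
    """Evaluate events in arrival order against a fresh copy of the sample inventory."""
    inv = copy.deepcopy(INVENTORY)
    return [a for e in events for a in evaluate(e, inv)], inv

# Constructed sample events, in arrival order.
EVENTS = [
    {"type": "app_connection", "identity": "alice", "app": "ai-notes", "scopes": ["crm:read"]},
    {"type": "permission_grant", "identity": "key-ci-42", "scope": "repo:write"},
    {"type": "permission_grant", "identity": "alice", "scope": "crm:write"},
    {"type": "role_change", "identity": "alice", "new_role": "manager"},
    {"type": "permission_grant", "identity": "svc-ghost", "scope": "crm:read"},
]
```

Calling `run(EVENTS)` returns the ordered enforcement actions and the updated inventory. The unsanctioned AI tool connected in the first event is already listed under its owner by the time the role change arrives, so it is queued for review alongside the service account.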