
AI agents and NHI governance: where the blind spot widens


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8670
Topic starter  

TL;DR: Non-human identities now outnumber human users by more than 40:1, and a recent token-based Salesforce compromise showed how valid access can persist outside ownership, lifecycle, and review controls, according to Omada Identity. The governance model is failing because it was built for people, not for machine identities that can act and adapt at runtime.

NHIMG editorial — based on content published by Omada Identity: Non-Human Identities and AI Agents: The Governance Blind Spot

By the numbers:

  • Non-human identities now outnumber human users in most enterprises by more than 40:1.

Questions worth separating out

Q: What breaks when non-human identities are governed like human users?

A: Lifecycle triggers, ownership, and review processes stop working because machine identities do not generate joiner, mover, or leaver events.

Q: Why do service accounts and tokens increase breach risk in cloud environments?

A: They often hold standing privilege, operate silently, and are reused across systems without interactive oversight.

Q: How do organisations know if NHI governance is actually working?

A: They can answer three questions consistently: what each identity is for, who owns it, and when it should be removed or re-authorised.

Practitioner guidance

  • Build a complete NHI inventory: Enumerate service accounts, workload credentials, API keys, OAuth tokens, and vendor-issued identities across cloud and SaaS estates.
  • Assign accountable ownership to every machine identity: Require a named business or technical owner for each NHI, including third-party tokens.
  • Tie lifecycle controls to system events: Trigger review, renewal, and retirement based on workload changes, vendor changes, application decommissioning, and integration scope changes.

What's in the full article

Omada Identity's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article's stepwise explanation of why lifecycle triggers fail for service accounts, OAuth tokens, and AI agents
  • The vendor's breakdown of NIS2, DORA, and EU AI Act implications for privileged non-human identities
  • The original three-part series structure that moves from governance blind spot to operational controls
  • The article's FAQ examples on ownership, lifecycle governance, and AI agent accountability

👉 Read Omada Identity's analysis of non-human identity governance and AI agents →
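An added example, not part of the original post or of Omada Identity's article: a small Python review over a constructed NHI inventory that applies the three governance questions (purpose, owner, when to retire) and the event-driven lifecycle triggers from the practitioner guidance above. The inventory record, its field names, the sample identities and the 90-day staleness window are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=90)  # assumed review window for unused credentials

@dataclass
class NonHumanIdentity:  # hypothetical inventory record; field names are assumptions
    name: str
    kind: str                          # service_account | api_key | oauth_token | vendor_token
    purpose: Optional[str]             # what is it for?
    owner: Optional[str]               # who owns it?
    last_used: Optional[date]
    expires: Optional[date] = None     # None: standing credential with no forced renewal
    contract_end: Optional[date] = None  # vendor-issued identities only
    app_decommissioned: bool = False   # is the linked application retired?

def governance_findings(nhi: NonHumanIdentity, today: date) -> list[str]:
    """Return the governance gaps for one identity; an empty list means it passes."""
    findings = []
    if not nhi.purpose:
        findings.append("no documented purpose")
    if not nhi.owner:
        findings.append("no accountable owner")
    if nhi.last_used is None:
        findings.append("never observed in use")
    elif today - nhi.last_used > STALE_AFTER:
        findings.append(f"unused for {(today - nhi.last_used).days} days")
    if nhi.expires is None:
        findings.append("no expiry: standing privilege with no renewal trigger")
    # Retirement keys off system events, since machine identities have no HR leaver event
    if nhi.contract_end is not None and nhi.contract_end < today:
        findings.append("vendor contract ended: access should have been retired")
    if nhi.app_decommissioned:
        findings.append("linked application decommissioned: identity should be retired")
    return findings

def review_inventory(inventory: list[NonHumanIdentity], today: date) -> dict[str, list[str]]:
    """Map identity name -> findings, keeping only identities with at least one gap."""
    return {n.name: gaps for n in inventory if (gaps := governance_findings(n, today))}

TODAY = date(2025, 6, 1)  # constructed sample data for demonstration only
SAMPLE_INVENTORY = [
    NonHumanIdentity("ci-deploy-sa", "service_account", "deploy builds to prod", "platform-team",
                     date(2025, 5, 30), expires=date(2025, 12, 31)),
    NonHumanIdentity("legacy-crm-token", "oauth_token", None, None, date(2024, 11, 1)),
    NonHumanIdentity("vendor-sync-key", "vendor_token", "nightly data sync", "vendor-mgmt",
                     date(2025, 5, 31), expires=date(2025, 9, 30), contract_end=date(2025, 3, 31)),
    NonHumanIdentity("reporting-svc", "service_account", "BI reports", "bi-team",
                     date(2025, 5, 1), expires=date(2025, 12, 31), app_decommissioned=True),
]
```

Running `review_inventory(SAMPLE_INVENTORY, TODAY)` flags the orphaned OAuth token, the vendor key that outlived its contract and the service account of a decommissioned application, while the owned, in-use, expiring deploy account passes.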




(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8126
 

Non-human identity governance failed because organisations still treat machine access as if it were human access. The article's core point is that HR-linked lifecycle triggers do not exist for service accounts, API keys, or OAuth tokens. That creates an inventory, ownership, and lifecycle gap that traditional IGA cannot close on its own. The implication is that NHI governance must stand as its own control domain, not as an appendix to human IAM.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • With 80% of organisations reporting AI agents have already performed actions beyond their intended scope, the governance gap is already operational, not hypothetical.

A question worth separating out:

Q: Who is accountable when a third-party token exposes customer data?

A: Accountability sits with the organisation that allowed the token to remain valid, the service owner that failed to retire it, and the vendor relationship owner if the access should have ended with the contract. Regulators will care less about which system executed the access than whether the access path was governed, documented, and removable.

👉 Read our full editorial: Non-human identity governance is breaking under AI agents


