
AI-driven identity governance and NHI sprawl: what teams missed at RSA


(@nhi-mgmt-group)
Topic starter

TL;DR: RSA 2025 conversations highlighted a widening gap between AI-driven identity governance aspirations and the reality of machine identity sprawl, with 45:1 machine-to-human ratios and 60%+ shadow IT visibility issues shaping the discussion, according to Zluri. The governance problem is no longer review volume alone; it is that legacy IAM controls were built for human directories, not fast-moving non-human identity estates.

NHIMG editorial — based on content published by Zluri: Access Management AI and Identity Governance, What We Learned at RSAC 2025

By the numbers:

  • 45:1 machine-to-human identity ratio (Zluri)
  • 60%+ shadow IT visibility issues (Zluri)

Questions worth separating out

Q: How should teams govern non-human identities when access is scattered across SaaS and AI tools?

A: Start by inventorying identities outside the human directory, then map each one to an owner, purpose, and revocation path.

Q: Why do shadow AI tools create more identity risk than ordinary application sprawl?

A: Shadow AI often brings hidden identity relationships with it, such as OAuth grants, embedded secrets, and delegated API permissions.

Q: What do security teams get wrong about automating access reviews?

A: They often automate the decision process before fixing the entitlement data behind it.

Practitioner guidance

  • Inventory non-human identities outside the HR and IdP stack. Search for service accounts, API keys, certificates, access tokens, and AI-connected applications that never pass through normal joiner-mover-leaver controls.
  • Trace shadow AI access paths to connected data sources. Document every unsanctioned AI application, then identify the OAuth grants, embedded secrets, or delegated permissions that make it useful to the business.
  • Make access reviews evidence-based instead of form-based. Use activity data, entitlement context, and remediation closure tracking so reviews can validate whether access is still needed.
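The three steps above, and the Q&A on inventorying, shadow AI grants, and automating decisions before the data is fixed, as one added example (not code from the Zluri article or from this post): a small Python review routine over a constructed NHI inventory. The record fields, the 90-day inactivity window, the "broad scope" list, and the four sample identities are all assumptions made for illustration; the point it shows is that certification requires positive evidence (owner still present, purpose, revocation path, recent use) and that a missing datum never defaults to approval.

```python
"""Evidence-based review of a non-human identity (NHI) inventory.

Constructed example: every record, threshold and scope name below is made up
for illustration and does not describe any real tenant or product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed review date (assumption)
INACTIVITY = timedelta(days=90)                   # "unused" threshold (assumption)
# Scopes broad enough that a grant deserves a human look (illustrative set).
BROAD_SCOPES = {"*", "admin", "files.readwrite.all", "mail.readwrite"}


@dataclass(frozen=True)
class NonHumanIdentity:
    id: str
    kind: str                        # service_account | api_key | oauth_grant | certificate
    source: str                      # where it was discovered: idp, cloud, saas, shadow_ai
    sanctioned: bool                 # known to and approved by the security team
    owner: Optional[str]             # accountable human, if any
    owner_active: bool               # owner still present in HR/IdP (the JML check)
    purpose: Optional[str]
    revocation_path: Optional[str]   # concrete place to revoke it, e.g. "gcp:iam"
    scopes: Tuple[str, ...]
    last_used: Optional[datetime]    # activity evidence; None = never observed


def findings_for(nhi: NonHumanIdentity, now: datetime = NOW) -> List[str]:
    """Collect evidence gaps and risk signals for one identity."""
    f: List[str] = []
    if nhi.owner is None:
        f.append("no_owner")
    elif not nhi.owner_active:
        f.append("orphaned")          # owner left; the NHI survived offboarding
    if nhi.purpose is None:
        f.append("no_purpose")
    if nhi.revocation_path is None:
        f.append("no_revocation_path")
    if not nhi.sanctioned:
        f.append("unsanctioned_app")
    if BROAD_SCOPES & {s.lower() for s in nhi.scopes}:
        f.append("broad_scope")
    if nhi.last_used is None:
        f.append("never_used")
    elif now - nhi.last_used > INACTIVITY:
        f.append("inactive")
    return f


def decide(findings: List[str]) -> str:
    """Map findings to an action. Only a clean record is certified."""
    unused = "inactive" in findings or "never_used" in findings
    unattested = any(x in findings for x in ("no_owner", "orphaned", "unsanctioned_app"))
    if unused and unattested:
        return "revoke"      # nobody can vouch for it and nothing is using it
    if findings:
        return "escalate"    # in use or partly documented: fix the data before acting
    return "certify"


def review_inventory(records, now: datetime = NOW) -> Dict[str, Tuple[str, List[str]]]:
    """Return {identity id: (action, findings)} for a batch of discovered NHIs."""
    out: Dict[str, Tuple[str, List[str]]] = {}
    for r in records:
        f = findings_for(r, now)
        out[r.id] = (decide(f), f)
    return out


# Constructed sample inventory pulled from several sources, not one directory.
SAMPLE = [
    NonHumanIdentity("sa-billing-export", "service_account", "cloud", True, "alice", True,
                     "nightly billing export", "gcp:iam", ("storage.objects.get",),
                     NOW - timedelta(days=3)),
    NonHumanIdentity("key-legacy-etl", "api_key", "saas", True, "bob", False,
                     "ETL into warehouse", "vendor:api-keys", ("read:reports",),
                     NOW - timedelta(days=200)),
    NonHumanIdentity("oauth-summarizer-bot", "oauth_grant", "shadow_ai", False, None, False,
                     None, None, ("files.readwrite.all", "offline_access"),
                     NOW - timedelta(days=1)),
    NonHumanIdentity("cert-vpn-gateway", "certificate", "idp", True, "carol", True,
                     "gateway mTLS", "pki:crl", (), None),
]

if __name__ == "__main__":
    for nhi_id, (action, f) in review_inventory(SAMPLE).items():
        print(f"{nhi_id:24s} {action:9s} {', '.join(f) or '-'}")
```

Note the two escalations: the shadow AI OAuth grant is unowned and over-scoped but used yesterday, so revoking it blindly breaks something the business relies on and the right move is to find the owner first; the gateway certificate is fully documented but has no activity evidence, so a form-based reviewer would rubber-stamp it while this routine refuses to certify without use data.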

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • How Zluri positions its VIA framework across visibility, intelligence, and action for identity operations
  • The specific workflow automation examples discussed for access reviews and remediation
  • Direct observations from RSA 2025 conversations with CISOs and identity leaders
  • Product-oriented detail on discovery coverage across identities, applications, and access risks

👉 Read Zluri's RSA 2025 analysis of AI identity governance and NHI sprawl →
