TL;DR: RSA 2025 conversations highlighted a widening gap between AI-driven identity governance aspirations and the reality of machine identity sprawl, with 45:1 machine-to-human ratios and 60%+ shadow IT visibility issues shaping the discussion, according to Zluri. The governance problem is no longer review volume alone; it is that legacy IAM controls were built for human directories, not fast-moving non-human identity estates.
NHIMG editorial — based on content published by Zluri: Access Management AI and Identity Governance, What We Learned at RSAC 2025
By the numbers:
- 2025 is the year when machine identities outnumber humans by 45:1.
- Over 60% of IT resources in a typical organization exist as either unmanaged or shadow IT.
- The automated access reviews module has helped my team save 90% of our time for SOC2 audits.
Questions worth separating out
Q: How should teams govern non-human identities when access is scattered across SaaS and AI tools?
A: Start by inventorying identities outside the human directory, then map each one to an owner, purpose, and revocation path.
Q: Why do shadow AI tools create more identity risk than ordinary application sprawl?
A: Shadow AI often brings hidden identity relationships with it, such as OAuth grants, embedded secrets, and delegated API permissions.
Q: What do security teams get wrong about automating access reviews?
A: They often automate the decision process before fixing the entitlement data behind it.
Practitioner guidance
- Inventory non-human identities outside the HR and IdP stack: search for service accounts, API keys, certificates, access tokens, and AI-connected applications that never pass through normal joiner-mover-leaver controls.
- Trace shadow AI access paths to connected data sources: document every unsanctioned AI application, then identify the OAuth grants, embedded secrets, or delegated permissions that make it useful to the business.
- Make access reviews evidence-based instead of form-based: use activity data, entitlement context, and remediation closure tracking so reviews can validate whether access is still needed.
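The three guidance items above, carried through as one worked review. This is an added example, not Zluri's or NHIMG's code: it takes a constructed inventory of the identity kinds the guidance names (service accounts, API keys, certificates, and an OAuth grant held by an unsanctioned AI tool), attaches the evidence each decision rests on (owner, purpose, revocation path, sanction status, last activity, broad scopes), and returns the outcome counts a programme can track across review cycles. Every identifier, field name, scope label, the 90-day staleness window and the review date are assumptions; the only automatic removal is an identity with no owner and no usage evidence, everything else with a gap is escalated with its evidence attached.

```python
"""Evidence-based access review for non-human identities (NHIs).

Added example, not Zluri's or NHIMG's code. Inventory records, field names,
BROAD_SCOPES, STALE_AFTER and REVIEW_TIME are constructed assumptions;
substitute your own discovery output and policy.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed inventory of identities that never pass joiner-mover-leaver controls.
INVENTORY = [
    {"id": "svc-billing-sync", "kind": "service_account", "owner": "payments-team",
     "purpose": "nightly ledger sync", "sanctioned": True,
     "scopes": ["ledger:read", "ledger:write"],
     "last_used": "2025-04-20T02:00:00Z", "revocation_path": "iam.disable_service_account"},
    {"id": "key-legacy-etl", "kind": "api_key", "owner": None,
     "purpose": None, "sanctioned": True,
     "scopes": ["storage:admin"],
     "last_used": "2024-09-01T11:00:00Z", "revocation_path": None},
    {"id": "oauth-summariser-bot", "kind": "oauth_grant", "owner": "marketing",
     "purpose": "AI summariser over the shared drive", "sanctioned": False,
     "scopes": ["drive:read_all", "mail:send"],
     "last_used": "2025-04-25T09:30:00Z", "revocation_path": "oauth.revoke_grant"},
    {"id": "cert-build-signer", "kind": "certificate", "owner": "platform",
     "purpose": "signs CI artifacts", "sanctioned": True,
     "scopes": ["sign"],
     "last_used": None, "revocation_path": "pki.revoke_certificate"},
]

# Constructed policy: scopes whose blast radius is worth naming in the evidence.
BROAD_SCOPES = {"storage:admin", "drive:read_all", "mail:send", "ledger:write"}
STALE_AFTER = timedelta(days=90)                          # constructed threshold
REVIEW_TIME = datetime(2025, 5, 1, tzinfo=timezone.utc)  # constructed review date


@dataclass
class Finding:
    identity_id: str
    kind: str
    decision: str                       # "keep" | "escalate" | "revoke"
    reasons: list[str] = field(default_factory=list)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; None means no activity evidence exists."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_identity(record: dict, now: datetime) -> Finding:
    """Turn one inventory record into a decision backed by explicit evidence."""
    reasons: list[str] = []
    orphaned = not record.get("owner")
    sanctioned = record.get("sanctioned", True)
    last = parse_ts(record.get("last_used"))
    inactive = last is None or (now - last) > STALE_AFTER

    if orphaned:
        reasons.append("orphaned: no accountable owner")
    if not record.get("purpose"):
        reasons.append("no documented purpose")
    if not record.get("revocation_path"):
        reasons.append("no revocation path recorded")
    if not sanctioned:
        reasons.append("unsanctioned application holds this grant")
    if last is None:
        reasons.append("no activity evidence")
    elif inactive:
        reasons.append(f"stale: unused for {(now - last).days} days")
    broad = sorted(set(record.get("scopes", [])) & BROAD_SCOPES)
    if broad:
        reasons.append("broad scopes: " + ", ".join(broad))

    # Only an identity nobody owns and nobody uses is removed automatically.
    # Any other gap goes to a human with the evidence attached; an owned,
    # purposeful, recently used identity is kept and its broad scopes are
    # surfaced for the owner to attest.
    if orphaned and inactive:
        decision = "revoke"
    elif (orphaned or inactive or not sanctioned
          or not record.get("purpose") or not record.get("revocation_path")):
        decision = "escalate"
    else:
        decision = "keep"
    return Finding(record["id"], record["kind"], decision, reasons)


def run_review(inventory: list[dict], now: datetime) -> tuple[list[Finding], dict]:
    """Review every record; return findings plus the outcome counts worth tracking."""
    findings = [review_identity(r, now) for r in inventory]
    summary = {
        "keep": sum(f.decision == "keep" for f in findings),
        "escalate": sum(f.decision == "escalate" for f in findings),
        "revoke": sum(f.decision == "revoke" for f in findings),
        "orphaned": sum(any(r.startswith("orphaned") for r in f.reasons) for f in findings),
        "unsanctioned": sum(any(r.startswith("unsanctioned") for r in f.reasons) for f in findings),
    }
    return findings, summary


if __name__ == "__main__":
    results, totals = run_review(INVENTORY, REVIEW_TIME)
    for f in results:
        print(f"{f.identity_id:22} {f.kind:16} {f.decision:9} {'; '.join(f.reasons)}")
    print(totals)
```

The summary counts are the point of the last guidance item: tracked across cycles, a falling orphaned count and a shrinking escalate queue are evidence that reviews are closing access, while a flat escalate count with the same identities reappearing means the review is producing records rather than remediation.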
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- How Zluri positions its VIA framework across visibility, intelligence, and action for identity operations
- The specific workflow automation examples discussed for access reviews and remediation
- Direct observations from RSA 2025 conversations with CISOs and identity leaders
- Product-oriented detail on discovery coverage across identities, applications, and access risks
👉 Read Zluri's RSA 2025 analysis of AI identity governance and NHI sprawl →
AI-driven identity governance and NHI sprawl: what teams missed at RSA?
Explore further
Machine identity governance is now the primary stress test for legacy IAM. The article’s core signal is not that AI is changing security rhetoric, but that the access estate has moved beyond people as the default unit of governance. Service accounts, tokens, certificates, and AI agents all behave differently from human users, yet many programmes still try to manage them with the same review logic. The implication is that governance boundaries must be redrawn around identity type, not just application ownership.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Another finding from our Ultimate Guide to NHIs shows that 97% of NHIs carry excessive privileges, which helps explain why hidden access becomes such a persistent control problem.
A question worth separating out:
Q: How can organisations tell whether identity governance is actually reducing risk?
A: Look for faster revocation, fewer orphaned identities, higher-quality ownership data, and review decisions grounded in usage evidence rather than static lists. If access issues are still discovered late or remain unresolved after reviews, the programme is generating compliance artefacts but not governance outcomes.
👉 Read our full editorial: AI-driven identity governance is colliding with NHI sprawl