
Identity visibility vs credential management: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6054
Topic starter  

TL;DR: Traditional IAM tools miss most non-human identities because they track credentials and silos, not the identities, owners, and relationships that create real risk, according to SPHERE and Gartner. That blind spot becomes more dangerous as service accounts, orphaned identities, and AI agents multiply faster than manual governance can keep up.

NHIMG editorial — based on content published by SPHERE: Identity visibility is lagging behind machine and AI agent sprawl

By the numbers:

Questions worth separating out

Q: How should security teams govern service accounts that are hidden outside central IAM?

A: They should start by discovering where those identities are created, used, and stored, then assign ownership and business purpose before any access review.

Q: Why do machine identities create more governance risk than human accounts?

A: Machine identities often operate continuously, are created in many different systems, and accumulate access faster than teams can review them.

Q: How do organisations know whether identity visibility is actually improving?

A: They should measure how many identities have clear ownership, complete context, and documented dependencies, not just how many secrets are rotated.

Practitioner guidance

  • Map identity ownership before you map secrets: Build an inventory that starts with the identity, its business purpose, and its owner, then attach credentials, dependencies, and access paths.
  • Extend discovery beyond directories and vaults: Scan application configs, scripts, schedulers, container manifests, and cloud automation for service accounts and embedded credentials.
  • Join PAM and IGA views around shared identities: Reconcile privileged access data with governance records so orphaned or over-privileged machine identities are visible in one review cycle.

What's in the full article

SPHERE Technology Solutions' full article covers the operational detail this post intentionally leaves for the source:

  • Detailed explanation of the IVIP model and how the vendor positions visibility, intelligence, and governance as separate capabilities
  • The full breakdown of the service-account explosion, including where hidden machine identities typically appear across enterprise systems
  • Vendor framing of AI agent identity behaviour, including why the article treats autonomous actors as a new governance problem
  • The article’s own FAQ section on identity intelligence, service-account discovery, and identity hygiene

👉 Read SPHERE Technology Solutions' analysis of identity visibility and AI agent risk →




This topic was modified 1 hour ago by Mr NHI
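The identity-first inventory the practitioner guidance describes, as an added example that is not code from SPHERE or NHIMG: three constructed silo exports (a vault secrets list, a PAM account list, an IGA ownership register) are joined around the identity rather than the credential, and the result is scored on the metrics the post suggests tracking, namely ownership coverage, orphaned identities, and credentials whose identity has no owner. Field names and sample identities are assumptions.

```python
"""Identity-first reconciliation of vault, PAM and IGA exports (constructed data)."""
from collections import defaultdict

# Constructed sample exports standing in for real tool exports.
VAULT_SECRETS = [  # credential, the identity it authenticates, where it was found embedded
    {"secret": "db-backup-key", "identity": "svc-backup", "found_in": "cron:/etc/cron.d/backup"},
    {"secret": "ci-deploy-token", "identity": "svc-ci-deploy", "found_in": "k8s:deploy/ci.yaml"},
    {"secret": "legacy-etl-pw", "identity": "svc-etl-legacy", "found_in": "script:jobs/etl.sh"},
]
PAM_ACCOUNTS = [  # privileged-access view; the AI agent appears only here
    {"identity": "svc-backup", "privileged": True},
    {"identity": "svc-etl-legacy", "privileged": True},
    {"identity": "agent-support-bot", "privileged": False},
]
IGA_OWNERS = {  # governance register: identity -> (owner, business purpose)
    "svc-backup": ("platform-team", "nightly database backups"),
    "svc-ci-deploy": ("release-eng", "CI deployment to the prod cluster"),
}


def _blank_record():
    return {"owner": None, "purpose": None, "privileged": False, "secrets": [], "found_in": []}


def build_inventory(vault, pam, iga):
    """Key every record by identity, never by credential, then attach the silo views."""
    inv = defaultdict(_blank_record)
    for s in vault:  # credentials and the places they are embedded
        inv[s["identity"]]["secrets"].append(s["secret"])
        inv[s["identity"]]["found_in"].append(s["found_in"])
    for a in pam:  # privilege level from the PAM export
        inv[a["identity"]]["privileged"] = a["privileged"]
    for ident, (owner, purpose) in iga.items():  # ownership and purpose from IGA
        inv[ident]["owner"], inv[ident]["purpose"] = owner, purpose
    return dict(inv)


def governance_report(inv):
    """Ownership coverage, orphaned identities, privileged orphans and unowned secrets."""
    orphaned = sorted(i for i, r in inv.items() if r["owner"] is None)
    return {
        "identities": len(inv),
        "ownership_pct": round(100 * (len(inv) - len(orphaned)) / len(inv)) if inv else 0,
        "orphaned": orphaned,
        "privileged_orphans": [i for i in orphaned if inv[i]["privileged"]],
        "unowned_secrets": sorted(s for i in orphaned for s in inv[i]["secrets"]),
    }


if __name__ == "__main__":
    print(governance_report(build_inventory(VAULT_SECRETS, PAM_ACCOUNTS, IGA_OWNERS)))
```

On the sample data the report shows 50% ownership coverage, two orphaned identities (one of them privileged), and one secret that a vault-only review would count as managed even though nobody owns the identity behind it.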

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5547
 

Credential management is no longer a sufficient proxy for identity governance. The article correctly separates the thing that authenticates from the entity that acts, and that distinction is now central to NHI governance. Service accounts, API keys, and tokens are only the visible edge of a much larger identity graph. Practitioners should treat identity visibility as the control plane, not an optional enhancement.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The same report found that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.

A question worth separating out:

Q: Who should be accountable when an unmanaged identity is used in a breach?

A: Accountability should sit with the team that owns the identity lifecycle, not only the team that stores the credential. If the underlying service account or agent was never assigned purpose, review, and offboarding responsibility, governance has failed before the incident begins. That is why IAM, PAM, and IGA ownership must be explicit.

👉 Read our full editorial: Identity visibility is lagging behind machine and AI agent sprawl
