NHI Forum
Read full article here: https://aembit.io/blog/the-story-behind-snowflakes-push-to-rein-in-non-human-identities/?source=nhimg
Snowflake has built its reputation as one of the world’s most trusted cloud data platforms, helping organizations centralize and analyze vast amounts of information across regions, clouds, and teams. But as the platform expanded, so did the complexity of its identity landscape, and the rise of non-human identities (NHIs) became an urgent security challenge.
Cameron Tekiyeh, who leads Snowflake’s global security analytics team, noticed a familiar but fast-growing issue: the number of non-human and workload identities (applications, CI/CD services, and AI agents) had quietly outpaced the number of employees.
This trend is not unique to Snowflake. Across enterprises, NHIs now outnumber human identities by 25x–50x, often powered by hardcoded credentials, unmanaged service accounts, and inconsistent provisioning workflows. Left unchecked, this identity sprawl poses serious security and compliance risks.
Recognizing the Risk Beyond Human Users
Snowflake runs between 300–400 SaaS, cloud, and custom applications at any given time. As AI and automation accelerated, the security team saw:
- Credential reuse across services
- Manual provisioning slowing DevOps teams
- Inconsistent service account management leading to blind spots
As Tekiyeh put it: “We first saw the number of non-human identities far outnumbered the number of human identities. The problem, and the opportunity, was going to be a lot larger.”
Snowflake’s prior success in tightening workforce identity controls (through MFA, passwordless access, and Okta expansion) had proven that strong identity governance can reduce friction, not add to it. Now, the same principles needed to be applied to NHIs, but at a much greater scale.
Why Static Secrets Weren’t Enough
The security team evaluated several options:
- Governance tools → Good for visibility but didn’t automate credential lifecycle.
- Cloud provider tools → Useful within silos but couldn’t cover Snowflake’s multi-cloud, SaaS-heavy ecosystem.
- Secrets managers → Still left long-lived credentials in circulation, prone to leaks and mismanagement.
The conclusion was clear: visibility alone wasn’t enough. Snowflake needed to eliminate static credentials and automate authentication for NHIs in real time.
MFA for Machines: A New Model for Workload Identity
Snowflake adopted workload identity and access management (Workload IAM) from Aembit. Instead of static API keys, service accounts, or secrets stored in vaults, Aembit issues ephemeral credentials at runtime—based on policy and environmental signals.
Think of it as “MFA for machines.”
- Credentials are issued dynamically at authentication time
- Access is granted just-in-time and least-privilege
- Every interaction is logged and auditable
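A minimal model of the flow described above, added here as an illustration and not Aembit's or Snowflake's code: a hypothetical policy broker mints short-lived, scoped, HMAC-signed credentials only when a workload's environmental signals match policy, rejects expired or tampered credentials, and records every decision in an audit log (all names and signal values are constructed).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Policy:
    workload: str           # requesting workload identity, e.g. "ci-runner"
    target: str             # resource it may reach, e.g. "datalake"
    required_signals: dict  # environmental signals that must match exactly
    scope: str              # least-privilege scope granted
    ttl_seconds: int        # credential lifetime; no long-lived secret is ever handed out


@dataclass
class Broker:
    policies: list
    signing_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    audit_log: list = field(default_factory=list)

    def issue(self, workload, target, signals, now=None):
        """Return a signed, expiring credential if some policy allows it, else None."""
        now = time.time() if now is None else now
        for p in self.policies:
            if p.workload == workload and p.target == target and all(
                    signals.get(k) == v for k, v in p.required_signals.items()):
                exp = int(now + p.ttl_seconds)
                body = f"{workload}|{target}|{p.scope}|{exp}"
                mac = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
                self.audit_log.append(("ISSUE", workload, target, p.scope, exp))
                return f"{body}|{mac}"
        self.audit_log.append(("DENY", workload, target, dict(signals)))
        return None

    def verify(self, credential, now=None):
        """Validate signature and expiry; return the granted claims or None."""
        now = time.time() if now is None else now
        body, _, mac = credential.rpartition("|")
        expected = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered or forged credential
        workload, target, scope, exp = body.split("|")
        if now >= int(exp):
            self.audit_log.append(("EXPIRED", workload, target))
            return None
        return {"workload": workload, "target": target, "scope": scope}
```

A real deployment would derive the signals from attested facts about the caller's runtime rather than from a dict the caller supplies, but the shape of the decision (policy match, short TTL, audit entry) is the same.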
The first deployment secured Snowflake’s internal security-owned apps connecting to its data lake. From there, the approach scaled to CI/CD pipelines and integrations with GitLab, Jira, Confluence, AWS, and Azure—removing static credentials from critical workflows.
Scaling Security Without Slowing Teams
Adoption wasn’t just a technical challenge; it required cultural trust. Developers and engineers often resist new controls if they fear disruption. Snowflake’s security team led by example, rolling out the solution internally first and sharing results.
As Tekiyeh explained: “When we went to our partners, we could say, ‘We’ve lived this solution. We’re not asking you to do something we haven’t done before.’”
This transparency drove adoption and reduced resistance, proving that identity-first security can enhance speed and usability rather than slow it down.
Key Takeaways for Enterprises
Snowflake’s journey highlights important lessons for any organization grappling with non-human identity sprawl:
- Inventory is not enough – Visibility helps, but without automated lifecycle management, risks persist.
- Secrets managers are stopgaps – Long-lived credentials, even in vaults, remain exploitable.
- Policy-based, real-time authentication is the future – Just as humans moved to passwordless MFA, machines need ephemeral, identity-first access.
- Cultural alignment matters – Security adoption succeeds when teams see reduced friction, not added burden.
Final Thoughts
The rise of non-human identities is reshaping enterprise security. For Snowflake, the solution was to move beyond static secrets and embrace real-time workload identity, automating authentication and governance across humans, machines, and AI agents alike.
For organizations facing similar challenges, the message is clear: identity-first, automated, and policy-driven controls are essential to secure NHIs at scale.