TL;DR: Machine identities now outnumber human users in most enterprises, yet 72% of companies say managing them is harder because internal processes and tools are not keeping up, according to Apono. The governance gap is no longer about visibility alone, but about lifecycle, privilege, and rotation controls that conventional IAM still treats as secondary.
NHIMG editorial — based on content published by Apono: Machine Identity Management: How to Discover, Manage, and Secure
By the numbers:
- 69% of companies now manage more machine identities than human ones.
- 72% admit that managing them is more difficult due to poor internal processes and inadequate tools.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern machine identities in cloud environments?
A: Security teams should govern machine identities through continuous discovery, ownership attribution, least privilege, and automated lifecycle controls.
Q: Why do machine identities create more risk than many IAM programmes expect?
A: Machine identities create more risk because they scale faster than manual governance, often carry excessive privileges, and are frequently invisible to standard access review processes.
Q: What breaks when machine identities are not inventoried and owned?
A: When machine identities are not inventoried and owned, teams lose the ability to apply policy, monitor behaviour, rotate secrets, or revoke access consistently.
Practitioner guidance
- Inventory machine identities continuously Scan cloud accounts, CI/CD tools, code repositories, and configuration stores for service accounts, API keys, certificates, and tokens, then attribute each credential to an owner and workload.
- Replace standing access with task-scoped access Use JIT and just-enough privilege so machine identities receive only the permissions required for a specific job and only for the shortest viable duration.
- Automate rotation and revocation workflows Tie secret rotation to deployment events, lifecycle changes, and ownership changes, and ensure revocation removes access immediately when a service is retired or replaced.
What's in the full article
Apono's full article covers the operational detail this post intentionally leaves for the source:
- A practical lifecycle model for machine identities, including creation, provisioning, monitoring, rotation, deprovisioning, and revocation.
- Examples of how JIT and just-enough privilege are applied in CI/CD pipelines and cloud-native deployment flows.
- A detailed walkthrough of discovery and attribution workflows for service accounts, API keys, tokens, and certificates.
- Concrete deployment scenarios showing how centralized access control can be applied across applications and workloads.
👉 Read Apono's analysis of machine identity management risks and best practices →
Machine identity sprawl: what IAM teams need to fix now?
Explore further
Machine identity sprawl is now a governance problem, not just an operations problem. The article describes an environment where machine identities already outnumber human users in most enterprises, which means the identity perimeter has shifted into workloads, APIs, and pipelines. Traditional IAM fails when identities are created programmatically but governed manually. The practitioner conclusion is simple: machine identity governance must be treated as core identity architecture, not a side project.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows why discovery without fast revocation leaves exploitable exposure in place.
A question worth separating out:
Q: Who should be accountable for machine identity lifecycle management?
A: Accountability should sit with the platform or application owner who benefits from the identity, supported by IAM, security, and operations teams. If nobody owns rotation, offboarding, and review, the credential will outlive the system it was meant to support. Lifecycle control is only real when revocation is assigned and tested.
👉 Read our full editorial: Machine identity management gaps are widening across enterprise stacks