
NHI security vs. service accounts: where the governance gap is


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Nonhuman identity now outnumbers human identity by roughly 144 to 1, according to Entro Security’s H1 2025 report, while ephemeral workloads and agentic AI are pushing access patterns beyond static service account tooling. The governance question is no longer whether machine access matters, but whether IAM can move from credential administration to runtime identity control.

NHIMG editorial — based on content published by Aembit: Nonhuman identity management beyond service accounts

By the numbers:

Questions worth separating out

Q: What breaks when nonhuman identities are managed like simple service accounts?

A: Static service-account management breaks when identities are ephemeral, cross-platform, or context-sensitive.

Q: Why do nonhuman identities need different controls in cloud and SaaS environments?

A: Cloud and SaaS environments create runtime trust decisions that legacy service-account tooling was never designed to make.

Q: How do security teams know if NHI governance is actually working?

A: A working NHI programme shows clear ownership, short-lived credentials, frequent revocation, and low numbers of dormant or shared machine accounts.

Practitioner guidance

  • Split legacy and ephemeral identities in your inventory: classify long-lived service accounts separately from workload identities, API tokens, and federated machine credentials so ownership, review cadence, and retirement rules are not mixed.
  • Move from credential reviews to access-path reviews: map which systems each nonhuman identity can reach, which calls are allowed at runtime, and where standing privileges still exist in cloud, SaaS, and CI/CD flows.
  • Automate revocation around workload lifecycle events: trigger credential revocation and key retirement when containers terminate, pipelines complete, or integrations are decommissioned, rather than waiting for manual cleanup.

What's in the full article

Aembit's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the platform maps workload identity across clouds and SaaS services without relying on static credentials.
  • What short-lived credential issuance looks like in practice for CI/CD, microservices, and federated workloads.
  • Where conditional access policies are enforced at runtime and how audit trails are centralized across environments.
  • Why teams comparing service-account controls with workload identity controls will want the implementation detail rather than the governance frame.

👉 Read Aembit's analysis of why nonhuman identity is outgrowing service accounts →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Nonhuman identity is no longer just service account administration. The article is right to frame the category as broader than a handful of long-lived server accounts. NHI now includes ephemeral workloads, third-party integrations, and agent-driven API traffic, all of which demand governance beyond static credential handling. The practitioner conclusion is that inventory, ownership, and policy must be built for a wider machine identity surface.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Should organisations separate service account management from broader NHI governance?

A: Yes. Service account management still matters for legacy systems, but broader NHI governance is needed for workloads, integrations, and agentic traffic that do not behave like classic server accounts. Keeping the models separate helps teams preserve old controls where they fit while adding runtime governance where machine access has become dynamic.

👉 Read our full editorial: Nonhuman identity management is outgrowing service account models



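As an added illustration (not code from either post, nor from Aembit), the following script turns the opening post's practitioner guidance and its "is governance working" indicators, together with the rotation gap cited in the reply, into a runnable inventory audit. The inventory records, the identity classes and the per-class rotation and dormancy thresholds in POLICY are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample NHI inventory (not real data). Each record is one
# nonhuman identity as a governance inventory might hold it.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "svc-erp-legacy", "kind": "service_account", "owner": "erp-team",
     "rotated_at": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=2),
     "ttl_hours": None, "consumers": 3, "workload_state": "running"},
    {"id": "wl-api-gateway", "kind": "workload", "owner": "platform",
     "rotated_at": NOW - timedelta(hours=1), "last_used": NOW - timedelta(minutes=5),
     "ttl_hours": 1, "consumers": 1, "workload_state": "running"},
    {"id": "tok-ci-deploy", "kind": "api_token", "owner": None,
     "rotated_at": NOW - timedelta(days=120), "last_used": NOW - timedelta(days=95),
     "ttl_hours": None, "consumers": 1, "workload_state": "terminated"},
    {"id": "fed-github-oidc", "kind": "federated", "owner": "sec-eng",
     "rotated_at": NOW - timedelta(minutes=30), "last_used": NOW - timedelta(minutes=30),
     "ttl_hours": 1, "consumers": 1, "workload_state": "running"},
]

# Review cadence and retirement rules per identity class (assumed thresholds):
# legacy service accounts are reviewed separately from workload, token and
# federated identities, as the opening post recommends.
POLICY = {
    "service_account": {"max_rotation_days": 90, "dormant_days": 90},
    "api_token":       {"max_rotation_days": 30, "dormant_days": 30},
    "workload":        {"max_rotation_days": 1,  "dormant_days": 7},
    "federated":       {"max_rotation_days": 1,  "dormant_days": 7},
}

def findings_for(nhi, now=NOW):
    """Return the governance findings for a single identity, in fixed order."""
    rules = POLICY[nhi["kind"]]
    out = []
    if nhi["owner"] is None:
        out.append("no_owner")
    if (now - nhi["rotated_at"]).days > rules["max_rotation_days"]:
        out.append("rotation_overdue")
    if (now - nhi["last_used"]).days > rules["dormant_days"]:
        out.append("dormant")
    if nhi["consumers"] > 1:
        out.append("shared")
    if nhi["ttl_hours"] is None:
        out.append("standing_credential")   # no expiry: a long-lived secret
    if nhi["workload_state"] == "terminated":
        out.append("revoke_now")            # lifecycle ended, credential still exists
    return out

def audit(inventory, now=NOW):
    """Per-identity findings plus the programme-level indicators from the post."""
    report = {nhi["id"]: findings_for(nhi, now) for nhi in inventory}
    total = len(inventory)
    metrics = {
        "pct_rotation_overdue": 100 * sum("rotation_overdue" in f for f in report.values()) // total,
        "pct_short_lived": 100 * sum(n["ttl_hours"] is not None for n in inventory) // total,
        "unowned": sum("no_owner" in f for f in report.values()),
        "dormant_or_shared": sum(bool({"dormant", "shared"} & set(f)) for f in report.values()),
    }
    return report, metrics
```

The "revoke_now" finding is the hook for the lifecycle-driven revocation the post describes: a terminated workload whose credential is still present in the inventory should be retired rather than waiting for a periodic review.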