
NHI sprawl and identity gaps: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Non-human identities now outnumber human identities by 10 to 50 times, and the article argues that traditional IAM, PAM, and secret management tools were built for human-centric identity models that cannot keep up, according to Oasis Security. The real issue is not just scale but a governance model that cannot see ownership, usage, permissions, and lifecycle together.

NHIMG editorial — based on content published by Oasis Security: What's Broken with Identity Management?

By the numbers:

  • Non-human identities now outnumber human identities by 10-50x, opening a massive attack surface.

Questions worth separating out

Q: How should security teams inventory non-human identities across cloud and SaaS environments?

A: Start with ownership, runtime location, and privilege level, not just credential type.

Q: Why do secret managers not solve non-human identity governance on their own?

A: Secret managers protect stored credentials, but they do not establish who owns the identity, what it can reach, or whether it should still exist.

Q: What breaks when NHI lifecycle management is missing?

A: Orphaned service accounts, stale tokens, and untracked privileges accumulate until teams cannot safely rotate or revoke them.

Practitioner guidance

  • Build a complete NHI inventory: classify service accounts, API keys, tokens, roles, and certificates by owner, workload, environment, and privilege level before applying policy.
  • Separate vaulting from governance: keep secret rotation, access approval, and entitlement review as distinct controls so a protected credential is not mistaken for a governed identity.
  • Map privileged NHIs to critical dependencies: identify which business services fail if a privileged identity is rotated, revoked, or deleted, then define the minimum safe response path for each one.

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • How the platform discovers NHIs across hybrid cloud and enterprise SaaS environments
  • What its contextual enrichment layer adds to ownership and permission analysis
  • How auto-generated remediation plans are structured for manual, semi-automatic, and autonomous execution
  • What the vendor means by continuous analysis of posture risk across the complete lifecycle

👉 Read Oasis Security's analysis of what is broken in identity management for NHIs →

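The inventory, gap-detection and dependency-mapping steps in the practitioner guidance above, worked through as an added example. This is not code from the post, from NHIMG or from Oasis Security: the identities, dates, dependency map, staleness threshold and response rules are all constructed assumptions chosen to show the mechanics. It classifies a constructed inventory by owner, environment and privilege, flags the gaps a secret manager alone would not surface (orphaned, stale, expired, privileged-but-unowned, no known workload), and computes the blast radius and minimum safe response for a given identity.

```python
"""Added example, not code from Oasis Security or NHIMG: a small NHI inventory
review over a constructed sample. All names, dates and rules are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                    # service_account | api_key | token | role | certificate
    owner: Optional[str]         # accountable team; None means orphaned
    workload: Optional[str]      # runtime location that presents the credential
    environment: str             # prod | staging | dev
    privilege: str               # admin | write | read
    last_used: Optional[date]    # None means never observed in use
    expires: Optional[date] = None


TODAY = date(2024, 6, 1)  # fixed reference date so results are reproducible

# Constructed sample inventory (hypothetical identities).
INVENTORY = [
    NHI("sa-payments-db", "service_account", "team-payments", "k8s/prod/payments",
        "prod", "write", date(2024, 5, 30)),
    NHI("key-stripe-webhook", "api_key", "team-payments", "k8s/prod/payments",
        "prod", "write", date(2024, 5, 31), expires=date(2024, 12, 31)),
    NHI("sa-legacy-etl", "service_account", None, None,
        "prod", "admin", date(2024, 1, 15)),
    NHI("tok-ci-deploy", "token", "team-platform", "gha/deploy",
        "prod", "admin", date(2024, 5, 29)),
    NHI("cert-mtls-reporting", "certificate", "team-data", "vm/reporting-01",
        "staging", "read", date(2024, 4, 1), expires=date(2024, 5, 1)),
    NHI("key-dev-sandbox", "api_key", "team-data", None,
        "dev", "read", None),
]

# Constructed dependency map: business service -> identities it relies on.
DEPENDENCIES = {
    "svc-payments": {"sa-payments-db", "key-stripe-webhook"},
    "svc-checkout": {"key-stripe-webhook"},
    "svc-release-pipeline": {"tok-ci-deploy"},
    "svc-nightly-reports": {"sa-legacy-etl", "cert-mtls-reporting"},
}


def classify(inventory):
    """Count identities per (owner, environment, privilege) bucket."""
    return Counter((n.owner or "UNOWNED", n.environment, n.privilege) for n in inventory)


def find_gaps(inventory, today=TODAY, stale_days=90):
    """Return {name: [gap, ...]} for identities with at least one governance gap."""
    gaps = {}
    for n in inventory:
        found = []
        if n.owner is None:
            found.append("orphaned")
        if n.last_used is None or (today - n.last_used).days > stale_days:
            found.append("stale")
        if n.expires is not None and n.expires < today:
            found.append("expired")
        if n.privilege == "admin" and n.owner is None:
            found.append("privileged_unowned")
        if n.workload is None:
            found.append("no_workload")
        if found:
            gaps[n.name] = found
    return gaps


def blast_radius(dependencies, identity):
    """Business services that stop working if `identity` is rotated or revoked."""
    return sorted(svc for svc, ids in dependencies.items() if identity in ids)


def response_plan(inventory, dependencies, identity, today=TODAY):
    """Minimum safe response path (assumed rules): revoke if nothing depends on the
    identity, assign an owner before rotating if it is orphaned, otherwise rotate."""
    nhi = next(n for n in inventory if n.name == identity)
    services = blast_radius(dependencies, identity)
    if not services:
        action = "revoke"
    elif nhi.owner is None:
        action = "assign_owner_then_rotate"
    else:
        action = "rotate"
    return {
        "identity": identity,
        "privilege": nhi.privilege,
        "gaps": find_gaps([nhi], today).get(identity, []),
        "services": services,
        "action": action,
        "notify": nhi.owner or "UNOWNED",
    }


if __name__ == "__main__":
    for name, found in find_gaps(INVENTORY).items():
        print(f"{name}: {', '.join(found)}")
    for name in ("key-stripe-webhook", "sa-legacy-etl", "key-dev-sandbox"):
        print(response_plan(INVENTORY, DEPENDENCIES, name))
```

The point of keeping `find_gaps` and `response_plan` separate is the "vaulting is not governance" distinction from the post: a credential can be perfectly vaulted and still come back as orphaned with admin privilege in production, and the dependency map is what turns "rotate it" into a plan that names which services and which owner are involved before anyone touches the secret.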



(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

NHI sprawl is no longer a hygiene issue. It is a governance boundary problem. Once machine identities outnumber human identities by an order of magnitude, user-centric IAM stops describing the real attack surface. The result is not just more accounts, but more unowned access paths, more hidden privilege, and more places where accountability disappears. Practitioners should treat NHI inventory and lifecycle control as a separate governance plane, not a side task.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a privileged non-human identity causes a security incident?

A: Accountability should rest with the team that owns the workload, the identity platform, and the business service exposed by that access. In mature governance models, responsibility is shared but explicit, with named owners for provisioning, review, and revocation. If ownership is ambiguous, accountability has already failed before the incident begins.

👉 Read our full editorial: What's broken with identity management for NHI sprawl


