
NHI sprawl and static credentials: what security teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter

TL;DR: Snowflake’s workload identity experience shows how non-human identities can quietly outnumber employees, with static credentials, manual provisioning, and inconsistent controls creating both operational drag and security exposure, according to Aembit. The lesson is that visibility alone is not enough when machine access has to be automated, policy-based, and auditable at scale.

NHIMG editorial — based on content published by Aembit: Snowflake Secures Workload Access

By the numbers:

Questions worth separating out

Q: How should security teams replace static credentials for workloads?

A: They should move workloads to short-lived, policy-based authentication that issues access at runtime and removes reusable secrets from code, pipelines, and shared vaults.

Q: Why do service accounts become harder to govern at scale?

A: Service accounts become harder to govern when ownership, rotation, and usage are spread across teams and platforms without a single lifecycle view.

Q: What breaks when machine identities rely on manual provisioning?

A: Manual provisioning breaks consistency.

Practitioner guidance

  • Inventory every non-human identity and owner relationship. Build a complete register of applications, service accounts, pipelines, and integrations, then assign a clear owner and lifecycle state to each.
  • Eliminate hardcoded and long-lived workload secrets. Move workloads toward short-lived, policy-issued access and remove secrets from code, config files, and shared vault patterns that keep credentials in circulation.
  • Standardise runtime policy for cross-platform access. Use a single authorization model that can govern access across SaaS, cloud, and custom applications instead of letting each platform define its own credential habit.

What's in the full article

Aembit's full post covers the operational detail this analysis intentionally leaves for the source:

  • Snowflake’s internal decision path for evaluating workload access options across governance tooling, cloud-native tools, and secrets managers.
  • The deployment sequence across security-owned applications, CI/CD pipelines, and core enterprise workflows such as GitLab, Jira, Confluence, AWS, and Azure.
  • The practical mechanics of dynamic authentication for workloads, including how policy and environmental signals were combined in the access flow.
  • The adoption and audit-readiness lessons Snowflake used to persuade partner teams to follow the same model.

👉 Read Aembit’s analysis of Snowflake’s workload identity approach →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990

Machine identity sprawl changes the control problem before it changes the toolset. Once non-human identities outnumber employees, governance moves from managing exceptions to managing the default state of access. The relevant frameworks are OWASP-NHI and Zero Trust, because the primary failure mode is not a single exposed secret but an environment where no team can reliably enumerate, classify, or retire every workload identity. Practitioners should treat this as a lifecycle and inventory problem first, and a tooling problem second.

A few things that frame the scale:

  • 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
  • 53% of organisations have experienced a security incident directly related to machine identity management failures, according to SailPoint.

A question worth separating out:

Q: How do you know workload identity controls are actually working?

A: You should be able to show that access is issued without static secrets, that every workload has a clear owner, and that audit logs reconstruct identity, policy, and destination for each transaction. If those three signals are missing, the control is reducing effort but not yet governing risk.

👉 Read our full editorial: Snowflake’s NHI sprawl shows why static credentials no longer scale
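The three signals in the answer above (access issued without static secrets, a clear owner for every workload, and audit logs that reconstruct identity, policy and destination per transaction), together with the practitioner guidance in the opening post, as an added example in Python that is not part of either post and not Aembit's or Snowflake's code: a minimal runtime access broker with an owner register, one policy model across destinations, short-lived HMAC-signed tokens, and a control report computed from the audit log. The workload names, policy ids, destinations, token format and signing key are all constructed for illustration.

```python
"""Runtime, policy-based access issuance for workloads with an owner register
and an audit log. Added example (not from the thread, Aembit or Snowflake);
every name, policy id and the token format below is constructed."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 300  # short-lived by construction; nothing reusable leaves the broker
SIGNING_KEY = b"constructed-signing-key-for-this-example-only"  # a real broker keeps this in a KMS/HSM


@dataclass
class Workload:
    name: str
    owner: Optional[str]  # None models an unowned identity, the gap the register should expose
    state: str            # "active" or "retired"


@dataclass
class Policy:
    policy_id: str
    workload: str
    destination: str


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """payload.signature, HMAC-SHA256 over the base64url JSON (constructed format, not a JWT)."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def verify_token(token: str, now: int) -> Optional[dict]:
    """Claims if the signature is valid and the token has not expired, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > now else None


@dataclass
class AccessBroker:
    register: dict                       # name -> Workload: the NHI inventory with owner and lifecycle state
    policies: list                       # one authorization model for every destination
    audit_log: list = field(default_factory=list)

    def issue_access(self, workload_name: str, destination: str, now: Optional[int] = None) -> Optional[str]:
        """Decide at runtime; log identity, policy and destination for every request, allowed or not."""
        now = int(time.time()) if now is None else now
        wl = self.register.get(workload_name)
        policy = next((p for p in self.policies
                       if p.workload == workload_name and p.destination == destination), None)
        if wl is None:
            decision, reason = "deny", "unknown-identity"
        elif wl.owner is None:
            decision, reason = "deny", "no-owner"
        elif wl.state != "active":
            decision, reason = "deny", "lifecycle-" + wl.state
        elif policy is None:
            decision, reason = "deny", "no-policy"
        else:
            decision, reason = "allow", None
        token = expires = None
        if decision == "allow":
            expires = now + TOKEN_TTL_SECONDS
            token = mint_token({"sub": workload_name, "aud": destination, "iat": now,
                                "exp": expires, "policy": policy.policy_id})
        self.audit_log.append({"ts": now, "identity": workload_name, "destination": destination,
                               "policy": policy.policy_id if policy else None,
                               "decision": decision, "reason": reason, "expires": expires})
        return token


def control_report(broker: AccessBroker) -> dict:
    """The three signals from the thread, derived from the register and the audit log."""
    allows = [e for e in broker.audit_log if e["decision"] == "allow"]
    return {
        "no_static_secrets": all(e["expires"] is not None and e["expires"] - e["ts"] <= TOKEN_TTL_SECONDS
                                 for e in allows),
        "every_workload_owned": all(w.owner is not None for w in broker.register.values()),
        "audit_reconstructs_access": all(e["identity"] and e["destination"] and
                                         (e["decision"] == "deny" or e["policy"]) for e in broker.audit_log),
        "unowned_identities": sorted(n for n, w in broker.register.items() if w.owner is None),
    }


def build_demo_broker() -> AccessBroker:
    """Constructed inventory and policies; one identity is deliberately left without an owner."""
    register = {
        "ci-pipeline": Workload("ci-pipeline", "platform-team", "active"),
        "ticket-sync": Workload("ticket-sync", "it-ops", "active"),
        "legacy-exporter": Workload("legacy-exporter", None, "active"),
        "old-reporter": Workload("old-reporter", "finance-eng", "retired"),
    }
    policies = [Policy("pol-001", "ci-pipeline", "artifact-store"),
                Policy("pol-002", "ticket-sync", "ticketing-api"),
                Policy("pol-003", "legacy-exporter", "warehouse")]
    return AccessBroker(register, policies)


def run_demo(now: int = 1_700_000_000) -> dict:
    broker = build_demo_broker()
    tok = broker.issue_access("ci-pipeline", "artifact-store", now)
    results = {
        "ci_token_valid_now": verify_token(tok, now) is not None,
        "ci_token_valid_after_ttl": verify_token(tok, now + TOKEN_TTL_SECONDS) is not None,
        "ci_wrong_destination": broker.issue_access("ci-pipeline", "warehouse", now),
        "unowned": broker.issue_access("legacy-exporter", "warehouse", now),
        "retired": broker.issue_access("old-reporter", "warehouse", now),
        "unknown": broker.issue_access("ghost-job", "warehouse", now),
    }
    results["deny_reasons"] = [e["reason"] for e in broker.audit_log if e["decision"] == "deny"]
    results["report"] = control_report(broker)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The report is the point: with one unowned but active identity in the register, `no_static_secrets` and `audit_reconstructs_access` both come back true while `every_workload_owned` comes back false and names the gap, which is the "reducing effort but not yet governing risk" state the answer describes.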
