
NHI sprawl in cloud environments: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Topic starter  

TL;DR: Microsoft’s 2024 multicloud security data shows one human identity for every 10 workload identities, while more than 83% of the 209 million cloud identities analyzed were non-human, according to Semperis and Microsoft. That scale shifts identity governance from user-centric control to machine identity visibility, privilege, and lifecycle management.

NHIMG editorial — based on content published by Semperis: Why non-human identities actually matter more than users

By the numbers:

Questions worth separating out

Q: How should security teams govern workload identities at cloud scale?

A: Security teams should govern workload identities as first-class principals with an owner, purpose, permission boundary, and retirement path.

Q: Why do non-human identities create more risk than human accounts in cloud environments?

A: Non-human identities create more risk because they often exist in far greater numbers, run continuously, and hold persistent access to systems that human users rarely touch directly.

Q: What breaks when service accounts have broad permissions and no clear owner?

A: When service accounts have broad permissions and no clear owner, accountability breaks first and containment breaks next.

Practitioner guidance

  • Inventory machine identities by function and privilege: build a current register of service accounts, application identities, tokens, certificates, and agent identities, then classify each by owner, workload, and access scope.
  • Reduce standing privilege across workload principals: review cloud permissions for tenant-wide or resource-wide access, remove unnecessary role assignments, and require task-scoped access where the workload can tolerate it.
  • Tie lifecycle ownership to every non-human principal: assign a business and technical owner to each machine identity, then make creation, review, rotation, and retirement part of the same governance record.

What's in the full article

Semperis's full article covers the operational detail this post intentionally leaves for the source:

  • The Microsoft Entra ID taxonomy of user, device, workload, and agent identities in more implementation detail.
  • The specific Microsoft findings behind the 209 million cloud identity figure and how the report frames NHI growth.
  • The article series path into agent identities and the next-step taxonomy discussion for Entra ID environments.

👉 Read Semperis's analysis of why non-human identities matter more than users →




   
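As an added example (not part of the post above, and not tooling from Semperis or Microsoft), the following Python script applies the three practitioner guidance points to a flattened identity inventory: it classifies each role assignment by scope breadth, flags tenant-wide or subscription-wide and privileged assignments, missing owners, stale sign-ins and unrotated credentials, and ranks the identities for review. The record layout, field names, thresholds and the three sample identities are constructed assumptions, not a Microsoft Graph or Azure RBAC export schema; only the Azure RBAC scope-string shapes it parses ("/", management group, "/subscriptions/<id>", resource group, resource) are real.

```python
"""Triage a flattened non-human identity inventory for sprawl findings.

Added example. The record layout, field names, thresholds and sample records
below are constructed assumptions for illustration, not a Microsoft Graph or
Azure RBAC export schema. Only the Azure RBAC scope-string shapes are real.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Built-in Azure roles that grant broad write or rights-management power.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scope levels at which any assignment counts as tenant-wide or resource-wide access.
BROAD_LEVELS = {"root", "management_group", "subscription"}
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def scope_level(scope: str) -> str:
    """Classify an Azure RBAC scope string by breadth, widest to narrowest."""
    s = scope.rstrip("/") or "/"
    if s == "/":
        return "root"  # tenant root scope
    if "/providers/Microsoft.Management/managementGroups/" in s:
        return "management_group"
    parts = s.strip("/").split("/")
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if parts[0] == "subscriptions" and len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resource_group"
    return "resource"


def triage(identity: dict, now: datetime, stale_days: int = 90, rotation_days: int = 180) -> list[str]:
    """Return sorted governance findings for one identity record."""
    findings: set[str] = set()
    if not identity.get("owner"):
        findings.add("no-owner")  # accountability gap: nobody to approve or retire it
    for a in identity.get("role_assignments", []):
        level = scope_level(a["scope"])
        if level in BROAD_LEVELS:
            findings.add(f"broad-scope:{a['role']}@{level}")
        if a["role"] in PRIVILEGED_ROLES:
            findings.add(f"privileged-role:{a['role']}")
    last = identity.get("last_sign_in")
    if last is None or now - last > timedelta(days=stale_days):
        findings.add("stale")  # retirement candidate
    for cred in identity.get("credentials", []):
        if now - cred["created"] > timedelta(days=rotation_days):
            findings.add(f"unrotated-credential:{cred['kind']}")
    return sorted(findings)


def priority(findings: list[str]) -> str:
    """Rank: broad scope plus a privileged role is the containment-breaking combination."""
    broad = any(f.startswith("broad-scope:") for f in findings)
    priv = any(f.startswith("privileged-role:") for f in findings)
    if broad and priv:
        return "critical"
    if broad or priv or "no-owner" in findings:
        return "high"
    return "medium" if findings else "low"


def inventory_report(records: list[dict], now: datetime) -> list[dict]:
    """Triage every record and order the result by priority, then name."""
    rows = []
    for rec in records:
        f = triage(rec, now)
        rows.append({"name": rec["name"], "priority": priority(f), "findings": f})
    return sorted(rows, key=lambda r: (PRIORITY_RANK[r["priority"]], r["name"]))


# Constructed sample inventory (three identities, hypothetical names and scopes).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {   # the sprawl case: management-group-wide Contributor, no owner, old secret
        "name": "sp-legacy-deploy",
        "owner": "",
        "role_assignments": [{"role": "Contributor",
                              "scope": "/providers/Microsoft.Management/managementGroups/corp-root"}],
        "credentials": [{"kind": "secret", "created": NOW - timedelta(days=400)}],
        "last_sign_in": NOW - timedelta(days=3),
    },
    {   # the well-governed case: managed identity, Reader on one resource group
        "name": "mi-billing-reader",
        "owner": "finance-platform@example.com",
        "role_assignments": [{"role": "Reader",
                              "scope": "/subscriptions/0000-sub/resourceGroups/rg-billing"}],
        "credentials": [],  # managed identity: no developer-held credential to rotate
        "last_sign_in": NOW - timedelta(days=1),
    },
    {   # the retirement case: never signed in, certificate past the rotation window
        "name": "sp-retired-etl",
        "owner": "data-eng@example.com",
        "role_assignments": [{"role": "Storage Blob Data Contributor",
                              "scope": "/subscriptions/0000-sub/resourceGroups/rg-data/providers/"
                                       "Microsoft.Storage/storageAccounts/etlstore"}],
        "credentials": [{"kind": "certificate", "created": NOW - timedelta(days=200)}],
        "last_sign_in": None,
    },
]

if __name__ == "__main__":
    for row in inventory_report(SAMPLE_INVENTORY, NOW):
        print(f"{row['priority']:<8} {row['name']:<20} {', '.join(row['findings']) or 'clean'}")
```

The scope parser is the part worth reusing: a role assignment at root, management-group or subscription scope is what "tenant-wide or resource-wide" means in Azure RBAC terms, and that is the assignment to cut back first. The thresholds (90 days idle, 180 days since credential creation) are placeholders to replace with your own rotation and retirement policy.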
(@mr-nhi)
Member Moderator
 

Non-human identities are now the dominant identity class, not a side category. When there is one human identity for every 10 workload identities, the old assumption that user accounts define the main identity risk no longer holds. The control surface has shifted to machine principals that create access, move data, and trigger state changes at cloud scale. Practitioners must re-centre IAM on the identities that actually run the environment.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should be accountable for agent identities in IAM programmes?

A: Accountability should sit with both the technical team running the workload and the business owner that depends on it. Agent identities can initiate actions, so they need explicit ownership, scoped permissions, logging, and retirement criteria before production use. That combination ensures governance exists before the identity starts making meaningful changes.

👉 Read our full editorial: Non-human identities now dominate cloud access and attack surface



   