TL;DR: According to Akeyless, KuppingerCole's Leadership Compass reports point to a convergence between secrets management and non-human identity management, reflecting growing pressure to govern machine identities, certificates, keys, and privileged access together. The shift makes fragmented IAM and secrets controls harder to defend, especially as automation and AI expand the number of identities that never pass through a human workflow.
NHIMG editorial — based on content published by Akeyless: Akeyless earns leadership recognition across secrets and non-human identity categories
By the numbers:
- Non-human identities outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams govern secrets and machine identities together?
A: Security teams should govern them as one lifecycle problem: issuance, ownership, rotation, entitlement review, and revocation are tracked for the credential and for the identity it represents at the same time, because a service account, token, or certificate is both.
Q: Why do machine identities create more risk than stored secrets alone?
A: Machine identities create more risk because they can reuse credentials across multiple systems, carry excessive privileges, and persist after the workload or application changes.
Q: What breaks when secret rotation is treated as a standalone control?
A: Rotation treated as a standalone control breaks when teams do not also handle ownership, offboarding, and entitlement review. A freshly rotated credential for an orphaned, over-privileged identity is still an orphaned, over-privileged identity; it is just one that nobody will notice for another rotation period.
Practitioner guidance
- Unify ownership for machine credentials. Assign a named owner to every service account, token, certificate, and key so secrets management and identity governance do not drift into separate queues.
- Tie rotation to lifecycle events. Rotate and revoke credentials when applications change, integrations move, or workloads are retired, rather than relying on calendar-only rotation rules.
- Audit standing privilege in machine access paths. Review whether non-human identities hold persistent rights that should be short-lived, task-scoped, or policy-mediated at runtime.
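One way to turn the three guidance items above into a check that runs against a credential inventory, as an added example that is not Akeyless or NHIMG code: it flags live credentials with no owner, credentials not rotated or revoked since the last lifecycle event on their workload, and high-privilege rights that have been standing longer than a threshold. The inventory schema, the event kinds, the `HIGH_PRIVILEGE` tier, and the sample data are all constructed assumptions for illustration.

```python
"""Audit a machine-credential inventory for ownership, lifecycle and standing-privilege gaps.

Added example, not vendor code. Schema, event kinds, privilege tier and the
sample inventory are assumptions chosen to exercise each check once.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Privilege strings treated as high privilege (assumption; a real deployment
# would derive these from the IdP / PAM role catalogue).
HIGH_PRIVILEGE = frozenset({"admin", "owner", "iam:*"})


@dataclass
class MachineCredential:
    cred_id: str
    kind: str                    # service_account | token | certificate | key
    owner: Optional[str]         # named owner, None when nobody has claimed it
    workload: str                # application or workload the identity serves
    privileges: frozenset[str]
    issued_at: datetime
    last_rotated_at: datetime
    revoked: bool = False


@dataclass
class LifecycleEvent:
    workload: str
    kind: str                    # retired | integration_moved | app_changed
    at: datetime


@dataclass
class Finding:
    cred_id: str
    issue: str
    detail: str


def audit(creds: list[MachineCredential], events: list[LifecycleEvent],
          now: datetime, max_standing: timedelta = timedelta(days=1)) -> list[Finding]:
    """Return one Finding per governance gap, in inventory order."""
    # Most recent lifecycle event per workload; later events supersede earlier ones.
    latest: dict[str, LifecycleEvent] = {}
    for ev in sorted(events, key=lambda e: e.at):
        latest[ev.workload] = ev

    findings: list[Finding] = []
    for c in creds:
        if c.revoked:
            continue
        # 1. Ownership: every live credential needs a named owner.
        if not c.owner:
            findings.append(Finding(c.cred_id, "NO_OWNER", f"{c.kind} for {c.workload}"))
        # 2. Lifecycle: rotation and revocation are driven by events, not the calendar.
        ev = latest.get(c.workload)
        if ev is not None and c.last_rotated_at < ev.at:
            if ev.kind == "retired":
                findings.append(Finding(c.cred_id, "REVOKE_RETIRED_WORKLOAD",
                                        f"workload retired {ev.at.date()}"))
            else:
                findings.append(Finding(c.cred_id, "ROTATE_AFTER_LIFECYCLE_EVENT",
                                        f"{ev.kind} on {ev.at.date()}, "
                                        f"last rotation {c.last_rotated_at.date()}"))
        # 3. Standing privilege: high privilege held longer than max_standing.
        standing = c.privileges & HIGH_PRIVILEGE
        if standing and now - c.issued_at > max_standing:
            findings.append(Finding(c.cred_id, "STANDING_HIGH_PRIVILEGE",
                                    ",".join(sorted(standing))))
    return findings


def run_sample() -> list[Finding]:
    """Constructed inventory (not real data) that trips each check exactly once."""
    def d(y: int, m: int, day: int) -> datetime:
        return datetime(y, m, day, tzinfo=timezone.utc)

    now = d(2024, 6, 10)
    creds = [
        MachineCredential("sa-billing-01", "service_account", "platform-billing", "billing-api",
                          frozenset({"db:read"}), d(2024, 1, 1), d(2024, 6, 1)),
        MachineCredential("tok-ci-deploy", "token", None, "ci-runner",
                          frozenset({"deploy:write"}), d(2024, 3, 1), d(2024, 3, 1)),
        MachineCredential("cert-legacy-etl", "certificate", "data-eng", "legacy-etl",
                          frozenset({"db:read"}), d(2023, 1, 1), d(2024, 1, 1)),
        MachineCredential("key-backup-root", "key", "infra", "backup-agent",
                          frozenset({"admin", "storage:write"}), d(2023, 6, 1), d(2024, 6, 9)),
        # Short-lived, task-scoped admin credential: inside max_standing, so not flagged.
        MachineCredential("sa-job-short", "service_account", "infra", "job-runner",
                          frozenset({"admin"}), now - timedelta(hours=2), now - timedelta(hours=2)),
        # Already revoked: skipped entirely.
        MachineCredential("tok-old-revoked", "token", None, "legacy-etl",
                          frozenset({"admin"}), d(2022, 1, 1), d(2022, 1, 1), revoked=True),
    ]
    events = [
        LifecycleEvent("billing-api", "app_changed", d(2024, 5, 20)),    # rotated after it: fine
        LifecycleEvent("ci-runner", "integration_moved", d(2024, 5, 1)),  # not rotated since
        LifecycleEvent("legacy-etl", "retired", d(2024, 5, 15)),          # cert still live
    ]
    return audit(creds, events, now)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.cred_id:16} {f.issue:28} {f.detail}")
```

The sample yields four findings: the CI token has no owner and has not been rotated since its integration moved, the legacy ETL certificate should be revoked because its workload was retired, and the backup key holds standing `admin`. The billing service account is clean because it was rotated after its last lifecycle event, and the two-hour job credential keeps `admin` without a finding because it is within `max_standing`, which is the short-lived, task-scoped pattern the third guidance item asks for.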
What's in the full article
Akeyless's full article covers the operational detail this post intentionally leaves for the source:
- KuppingerCole category criteria for secrets management and non-human identity leadership
- Akeyless's platform capabilities across secrets, certificates, keys, and privileged access
- The vendor's own explanation of Distributed Fragments Cryptography and zero-knowledge architecture
- Examples of cloud, DevOps, and automation integrations discussed in the source article
Secrets and NHI convergence: what it means for IAM teams
Secrets management and non-human identity management are now the same governance problem. The old split between vaulting credentials and governing machine access was designed for a world where storage and identity could be controlled separately. That assumption fails when a service account, certificate, or token is both the credential and the identity itself. The implication is that lifecycle, privilege, and runtime access now have to be assessed together, not in separate silos.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when a machine credential exposes privileged access?
A: Accountability should sit with the business or platform owner that created or approved the machine identity, supported by IAM, PAM, and security operations. If no owner can explain why the identity exists, what it can access, and when it should be removed, the governance model is already failing.