Workload identity management: what IAM teams need to know now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Machine identities now outnumber human identities by roughly 82 to 1, and CyberArk reports that 42 percent of them hold privileged access while 61 percent of organisations lack workload identity controls. Aembit frames workload IAM as the discipline that replaces static credentials with runtime identity checks, policy evaluation, and ephemeral access for workloads, containers, pipelines, and AI agents.

NHIMG editorial — based on content published by Aembit: Workload IAM closes the gap between human and machine identity

By the numbers:

Questions worth separating out

Q: How should security teams govern workload access in multicloud environments?

A: Security teams should govern workload access by binding identity to runtime context, then issuing short-lived credentials only when policy conditions are met.

Q: Why do static secrets create more risk for workloads than for human users?

A: Static secrets create more risk because they are reusable, hard to trace back to a single execution, and often survive long after the workload they were created for has changed.

Q: What breaks when workload identity is handled only through secrets management?

A: What breaks is the access decision itself.

Practitioner guidance

  • Inventory the workloads that already behave like identities. Start with critical applications, CI/CD pipelines, containers, and third-party integrations, then map who owns each workload and what secrets it uses.
  • Replace reusable secrets with runtime-issued credentials. Use workload identity federation, platform-managed identities, or brokered tokens so the credential is minted at access time and expires automatically.
  • Enforce policy on every workload request. Tie access to context such as workload posture, environment, namespace, and resource sensitivity rather than to broad roles alone.

What's in the full article

Aembit's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step workload identity flows for Kubernetes, AWS, Azure, and GCP.
  • Practical guidance on replacing static API keys with short-lived credentials in CI/CD and service-to-service access.
  • Operational comparisons between secrets managers, cloud federation, and workload IAM platforms.
  • Implementation considerations for AI agents that need scoped runtime access across trust boundaries.

👉 Read Aembit's guide to workload IAM for cloud and AI workloads →


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924

Workload identity management is becoming the missing control plane for NHI governance. Human IAM controls were built around people, while workloads authenticate at machine speed, across trust boundaries, and with credentials that are often invisible to governance teams. That mismatch is why workload IAM is now a distinct discipline rather than a side feature of secrets management. Practitioners should treat workload identity as a separate control surface, not a subset of human access.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • Only 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which shows how often the weakest link is process, not technology.

A question worth separating out:

Q: How can organisations tell whether workload IAM is actually working?

A: Workload IAM is working when access is issued at request time, credentials are short-lived, and every transaction is attributable to a specific workload, resource, and policy decision. If service accounts remain difficult to inventory, secrets are still embedded in code, or access persists after deployment, the programme is only partially governed.

👉 Read our full editorial: Workload IAM closes the gap between human and machine identity
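As an added example (not code from Aembit, NHIMG, or the full article), the Python sketch below shows the pattern the practitioner guidance above and the question in this reply both describe: an access decision bound to runtime context, a credential minted only when policy matches and expiring automatically, and an audit record tying each decision to a workload, resource, and policy. The attribute names, the policy rules, and the HMAC-signed token format are assumptions made for illustration.

```python
# Added illustration, not Aembit's or NHIMG's code. Policy rules, attribute names,
# and the HMAC-signed token format are assumptions chosen for this example.
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

@dataclass
class WorkloadRequest:
    workload: str      # requesting workload, e.g. a constructed "payments-api"
    environment: str   # "prod", "staging", ...
    namespace: str     # platform namespace the workload runs in
    attested: bool     # whether the platform vouched for the workload's posture
    resource: str      # target resource, e.g. "db:orders"

# Constructed policy: every context attribute must match; no broad roles.
POLICIES = [
    {"name": "prod-orders-db", "environment": "prod", "namespace": "payments",
     "attested": True, "resource": "db:orders", "ttl": 300},
]
CONTEXT_KEYS = ("environment", "namespace", "attested", "resource")
AUDIT_LOG = []  # one record per request, whether allowed or denied

def evaluate(req: WorkloadRequest):
    """Return the first policy whose context attributes all match, else None."""
    for policy in POLICIES:
        if all(getattr(req, k) == policy[k] for k in CONTEXT_KEYS):
            return policy
    return None

def issue_credential(req: WorkloadRequest, broker_key: bytes, now=None):
    """Evaluate policy at request time and mint a short-lived, attributable credential."""
    now = int(time.time()) if now is None else now
    policy = evaluate(req)
    AUDIT_LOG.append({"workload": req.workload, "resource": req.resource,
                      "policy": policy["name"] if policy else None, "ts": now})
    if policy is None:
        return None  # denied: no reusable secret exists to leak or linger
    claims = {"sub": req.workload, "aud": req.resource, "iat": now,
              "exp": now + policy["ttl"], "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(broker_key, payload, hashlib.sha256).hexdigest()}

def is_valid(cred: dict, broker_key: bytes, now: int) -> bool:
    """Resource side: accept only an untampered credential that has not expired."""
    payload = json.dumps(cred["claims"], sort_keys=True).encode()
    expected = hmac.new(broker_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["sig"]) and cred["claims"]["exp"] > now
```

Because every request, allowed or denied, lands in AUDIT_LOG with the workload, resource, and policy name, the "is it working" check in this reply becomes a query over that log rather than a hunt for embedded secrets.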
