
How many NHIs does a typical enterprise have?

By NHI Mgmt Group Editorial Team Updated May 16, 2026 Domain: Foundations & NHI Taxonomy

In most modern enterprises, NHIs outnumber human identities by a ratio of 25:1 to 50:1. A significant proportion — estimates suggest 30-50% — are unknown to the security team and completely unmanaged. When Agentic AI becomes mainstream, this ratio will increase dramatically.

Why This Matters for Security Teams

A typical enterprise does not just have “a lot” of NHIs; it often has an identity estate that is already larger than the human workforce. The practical problem is not the count itself, but the way scale hides ownership gaps, stale secrets, and over-privileged service accounts. NHIs are also central to machine-to-machine traffic, CI/CD, cloud automation, and third-party integrations, so their blast radius can be wider than a single human account.

NHIMG research, summarised in the Ultimate Guide to NHIs, shows NHIs outnumber human identities by 25x to 50x in modern enterprises, and only 5.7% of organisations report full visibility into their service accounts. That gap matters because a large inventory is only useful if it is governable. The NIST Cybersecurity Framework 2.0 still maps well here: you cannot protect, detect, and respond to identities you have not discovered, classified, and assigned to an owner. In practice, many security teams encounter NHI exposure only after a token leak, privilege misuse, or offboarding failure has already caused impact, rather than through intentional identity governance.

How It Works in Practice

Counting NHIs starts with discovery, then moves to classification. Security teams usually need to separate service accounts, API keys, workload identities, bots, integration tokens, and agent identities because each behaves differently and carries a different control burden. A mature inventory should answer three questions: what is this identity, what does it access, and who is responsible for its lifecycle?

That lifecycle is where most enterprises struggle. The common failure pattern is long-lived credentials without clear expiry, ownership, or revocation paths. The Top 10 NHI Issues highlights that unmanaged secrets and weak rotation remain widespread, while the 52 NHI Breaches Analysis shows how often the issue becomes visible only after compromise. The operational answer is to reduce standing privilege, bind identities to specific workloads, and rotate secrets automatically. In parallel, teams should align to NIST Cybersecurity Framework 2.0 by treating NHI discovery, access governance, and continuous monitoring as routine control activities rather than one-time projects.

  • Build a complete inventory with owner, purpose, environment, and expiry data.
  • Classify high-risk NHIs such as admin bots, release pipelines, and external integrations.
  • Require secret rotation, revocation, and offboarding paths for every NHI.
  • Apply least privilege and remove broad shared credentials where possible.
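As an added illustration (not code from NHIMG or this page), the inventory audit the list above describes, run in Python over a constructed sample: it computes the NHI-to-human ratio and flags every NHI that cannot answer the three questions (what it is, what it accesses, who owns it) or lacks expiry and rotation data. The mapping of high-risk kinds and the 90-day rotation window are assumptions, not values from the page.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Identity:  # constructed record layout: the inventory fields the text asks for
    name: str
    kind: str  # "human" or an NHI class: service_account, api_key, workload, bot, integration, agent
    environment: str
    owner: str | None = None
    purpose: str | None = None
    expires: date | None = None
    last_rotated: date | None = None
    scopes: tuple[str, ...] = ()
    shared: bool = False
HIGH_RISK_KINDS = {"bot", "integration", "agent"}  # assumed mapping of the page's high-risk classes
MAX_SECRET_AGE = timedelta(days=90)                 # assumed rotation policy, not taken from the page

def audit(inventory, today):
    """Return counts, the NHI:human ratio and, per NHI, which governance answers are missing."""
    humans = [i for i in inventory if i.kind == "human"]
    nhis = [i for i in inventory if i.kind != "human"]
    findings = {}
    for i in nhis:
        checks = [
            (not i.owner, "no_owner"),              # nobody accountable for the lifecycle
            (not i.purpose, "no_purpose"),          # cannot be mapped back to a business service
            (i.expires is None, "no_expiry"),       # long-lived credential, no revocation path
            (i.expires is not None and i.expires < today, "expired_still_present"),
            (i.last_rotated is None or today - i.last_rotated > MAX_SECRET_AGE, "stale_secret"),
            (i.shared, "shared_credential"),
            (i.kind in HIGH_RISK_KINDS or "admin" in i.scopes, "high_risk_review"),
        ]
        gaps = [label for hit, label in checks if hit]
        if gaps:
            findings[i.name] = gaps
    unmanaged = sorted(n for n, g in findings.items() if "no_owner" in g)  # no owner = effectively unmanaged
    return {"humans": len(humans), "nhis": len(nhis),
            "ratio": round(len(nhis) / len(humans), 1) if humans else None,
            "unmanaged_pct": round(100 * len(unmanaged) / len(nhis), 1) if nhis else 0.0,
            "unmanaged": unmanaged, "findings": findings}
TODAY = date(2026, 5, 16)  # audit reference date (the page's update date)
SAMPLE = [  # constructed sample identities, not real data
    Identity("alice", "human", "prod", owner="alice"),
    Identity("bob", "human", "prod", owner="bob"),
    Identity("svc-billing", "service_account", "prod", "payments", "billing jobs", date(2026, 9, 1), date(2026, 4, 1)),
    Identity("ci-release", "workload", "prod", "platform", "release pipeline", date(2026, 1, 1), date(2025, 12, 1), ("admin",)),
    Identity("legacy-etl-key", "api_key", "prod", shared=True),
    Identity("vendor-webhook", "integration", "prod", "crm", "vendor sync", date(2026, 12, 1), date(2026, 5, 1)),
]
```

Running `audit(SAMPLE, TODAY)` reports the clean service account with no findings, the expired admin-scoped pipeline credential, the ownerless shared legacy key as the one unmanaged NHI, and the external integration queued for high-risk review.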

For deeper background on identity types and governance patterns, the Ultimate Guide to NHIs — What are Non-Human Identities and Ultimate Guide to NHIs — Why NHI Security Matters Now provide the broader control context. These controls tend to break down when identities are embedded in legacy automation, because nobody can confidently map the credential back to a business service or revoke it without causing outages.

Common Variations and Edge Cases

Tighter NHI control often increases operational overhead, requiring organisations to balance stronger security against deployment speed and service continuity. That tradeoff becomes sharper in cloud-native and DevOps-heavy environments, where ephemeral workloads can create and destroy identities faster than manual governance can track.

There is no universal standard for how many NHIs a “typical” enterprise should have, because the number varies with cloud adoption, third-party integrations, CI/CD maturity, and automation density. Guidance suggests focusing less on the raw count and more on whether each identity has a named owner, a documented purpose, and a short, enforceable lifespan. This is especially important for shared service accounts, vendor-connected integrations, and machine identities used by internal platform tools. Current best practice is also evolving toward workload identity and just-in-time access instead of static credentials, but implementation maturity differs widely across sectors.

For organisations preparing for autonomous systems and agentic AI, the same inventory problem becomes harder because agents are goal-driven and may need runtime access decisions. In that setting, the identity question shifts from “how many” to “how dynamically governed.” That is why NHI management must connect to broader AI governance models, not sit beside them as a separate spreadsheet exercise. The edge case is large-scale orchestration platforms where a single agent can spawn many short-lived identities, making traditional manual review cycles too slow to be effective.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Non-Human Identity Top 10    NHI-01                Inventory and ownership are central when NHIs vastly outnumber humans.
NIST CSF 2.0                       PR.AC-1               Identity management and access control fit this question's discovery-and-governance focus.
NIST AI RMF                                              AI governance matters as autonomous agents expand NHI scale and complexity.

Map NHI accounts to access policies, then continuously review entitlements and revocation paths.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org