OAuth scopes don’t equal secure MCP authorization

This blog is written by Gergely Dányi, CTO at P0 Security

The MCP Authorization Specification relies on OAuth for the scopes that define the set of actions an authorized client is allowed to take on behalf of the user. Scopes are a useful part of securing MCP servers. They define broad capability sets a client is allowed to exercise. But if you rely on scopes alone to enforce authorization for MCP tools, you will run into real limitations when building secure, multi-user, role-aware systems that require fine-grained access controls.

OAuth scopes were designed to signal high-level API privileges, like “read contacts” or “write calendar”. They work well for delegated access where a client needs permission to call an API on a user’s behalf. The challenge is that MCP authorization is a more nuanced control problem than delegation can solve on its own:

  • Scopes control what area of functionality you can touch
  • MCP authorization must control who can run which tool under what conditions

Scopes don’t provide the structure needed to map least-privileged user roles to permitted actions in a dynamic tool ecosystem. This matches general OAuth guidance that scopes are for broad API permission surfaces, not fine-grained role models.

Tokens are static, MCP policies must be dynamic

OAuth access tokens are static snapshots of what the client was allowed to do at the time they were issued. Once a token is minted, the scopes it carries don’t change until it expires; a self-contained JWT that the resource server validates locally cannot be narrowed or revoked early unless the server also calls token introspection or honours a revocation list, which is an extra round trip on every request.

But user roles and organizational policies are constantly evolving. Users get promoted, responsibilities shift, standards are introduced and tool access needs to adapt immediately. Embedding all permissions into a token means:

  • You either issue a multitude of tokens for every variation of policy combinations
  • Or you accept the risk of tokens that are too permissive and too persistent

Neither is ideal. True RBAC systems let the server evaluate user role and permissions at runtime, instead of inherently trusting a pre-issued token.

Scopes quickly take on a life of their own

If you try to model every MCP tool with a distinct OAuth scope, you quickly hit practical limits:

  • OAuth scopes become big and unwieldy
  • Tokens grow large: scope lists live in the JWT payload, and the whole token travels in the HTTP Authorization header, which servers and proxies cap (commonly around 8 KB)
  • Every new tool or operation requires a new scope definition.

This leads to scope sprawl that is hard to manage and consumes token space inefficiently. It’s a common anti-pattern in APIs that start with scopes and then try to extend them to fine-grained permissions.

Scopes lack contextual awareness

Scopes say what, but not when, why, or on whose behalf.

Consider a scenario where:

  • Alice can use the billing:update tool for her own projects.
  • Bob can use the same tool across all projects.

Both might have a scope like mcp.billing.update. Scopes alone cannot distinguish context such as:

  • Which project the user is targeting.
  • Whether the action is allowed for this user on this resource.

True RBAC systems embed this logic either server-side or via richer policy languages. Scopes cannot express it without becoming deeply unwieldy.

Scopes don’t capture intent or sequencing

An MCP server must consider the semantics of multi-step operations. A single scoped call might be valid, but a sequence of calls could exceed what the user should actually be allowed to do (e.g., a low-privilege user chaining several tool calls to achieve a high-impact effect). That kind of sequence-aware authorization is outside the scope (pun intended) of simple OAuth scopes.

Roles are essential

In RBAC, the unit of authorization is the role: a named bundle of permissions aligned with organizational responsibilities. Scopes are not roles, they are just flags on a token. In contrast, RBAC systems typically support:

  • Role hierarchies (admin > editor > viewer)
  • Permission grouping
  • Dynamic reassignment

Scopes do none of this. At best, scopes can mirror roles, but only if you duplicate role logic into scope names, which quickly becomes messy and brittle.

Scopes + server-side RBAC: The right balance

OAuth scopes are useful for coarse access boundaries because they help a resource server quickly determine if a client has broad permission to a domain (e.g., “this client is allowed to talk to MCP billing tools”).

But fine-grained, role-aware MCP authorization belongs on the server, where user identity, role context and organizational policy can be enforced at the time of the request.

This hybrid approach combines:

  • Scopes for binding tokens to broad capabilities
  • RBAC/permissions enforced in the MCP server at the tool level

It gets you strong security, manageable tokens and flexible policy enforcement.
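One way to implement the hybrid model just described, and the Alice/Bob billing scenario from the contextual-awareness section above, as an added example in Python (not code from the original post or from P0 Security; the tool names, scopes, roles, project table and token helper are all assumptions for illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Layer 1: the coarse capability boundary carried in the OAuth token.
# Each tool family requires one scope; the scope says nothing about *which*
# project the tool may be used on. (Assumed tool and scope names.)
TOOL_SCOPES = {
    "billing:read": "mcp.billing.read",
    "billing:update": "mcp.billing.update",
}

@dataclass(frozen=True)
class AccessToken:
    subject: str           # user the client acts on behalf of
    scopes: frozenset      # fixed when the token was issued
    expires_at: datetime

# Layer 2: role -> tool -> resource condition, evaluated by the MCP server per request.
ROLE_PERMISSIONS = {
    "project_member": {"billing:read": "own_projects", "billing:update": "own_projects"},
    "billing_admin":  {"billing:read": "any",          "billing:update": "any"},
}

# Assumed directory state. A real server would fetch this from its IdP or
# policy store on every call; that runtime lookup is what lets a role change
# take effect while already-issued tokens are still valid.
USER_ROLES = {"alice": {"project_member"}, "bob": {"billing_admin"}}
PROJECT_OWNERS = {"proj-alpha": "alice", "proj-beta": "carol"}

def _condition_holds(condition: str, subject: str, project: str) -> bool:
    """Resource-level condition attached to a role permission."""
    if condition == "any":
        return True
    if condition == "own_projects":
        return PROJECT_OWNERS.get(project) == subject
    return False  # unknown condition: fail closed

def authorize_tool_call(token: AccessToken, tool: str, project: str,
                        now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether token.subject may invoke `tool` against `project`.

    Returns (allowed, reason). The scope check only establishes that the
    client may reach the tool family; the role/resource check decides the
    actual request.
    """
    now = now or datetime.now(timezone.utc)
    if now >= token.expires_at:
        return False, "token expired"

    required = TOOL_SCOPES.get(tool)
    if required is None:
        return False, "unknown tool: " + tool        # fail closed
    if required not in token.scopes:
        return False, "missing scope: " + required   # coarse gate from the token

    for role in sorted(USER_ROLES.get(token.subject, set())):
        condition = ROLE_PERMISSIONS.get(role, {}).get(tool)
        if condition is not None and _condition_holds(condition, token.subject, project):
            return True, "role %s permits %s on %s" % (role, tool, project)
    return False, "no role of %s permits %s on %s" % (token.subject, tool, project)

def make_token(subject: str, *scopes: str, ttl_minutes: int = 60) -> AccessToken:
    """Stand-in for the authorization server (constructed, not a real OAuth flow)."""
    return AccessToken(subject, frozenset(scopes),
                       datetime.now(timezone.utc) + timedelta(minutes=ttl_minutes))

if __name__ == "__main__":
    alice = make_token("alice", "mcp.billing.update")
    bob = make_token("bob", "mcp.billing.update")
    print(authorize_tool_call(alice, "billing:update", "proj-alpha"))  # allowed: her project
    print(authorize_tool_call(alice, "billing:update", "proj-beta"))   # denied: not her project
    print(authorize_tool_call(bob, "billing:update", "proj-beta"))     # allowed: billing_admin
    print(authorize_tool_call(alice, "billing:read", "proj-alpha"))    # denied: token lacks the read scope
```

Alice and Bob hold the identical scope, yet the server reaches different decisions because the role and project owner are consulted at request time. Adding "billing_admin" to USER_ROLES["alice"] changes her answer on proj-beta immediately, with the original token still in hand, which is the dynamic behaviour a token alone cannot give you. Unknown tools and unknown conditions fail closed.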

Conclusion

OAuth scopes solve an important part of the authorization puzzle: delegated capability. But they are only one piece. MCP access control that relies on scopes alone will struggle with:

  • Dynamic user roles
  • Per-tool permissions
  • Contextual resource access
  • Runtime policy evaluation

To do MCP authorization properly, you need scopes for the big picture and server-side RBAC for least-privilege enforcement.

Get started today with P0 Security, www.P0.dev

Non-Human Identities (NHIs) vs. Machine Identities: Key Differences & Security Best Practices

What Are Non-Human Identities (NHIs) & Why Do They Matter?

Identity extends far beyond human users. Non-Human Identities (NHIs) have become an essential component of modern IT ecosystems, facilitating communication between devices, applications, and services. However, there is growing confusion in the market about what NHIs truly encompass, particularly when differentiating them from machine identities. Understanding these distinctions is crucial for organizations aiming to secure their environments effectively.

Defining Non-Human Identities (NHIs)

Non-Human Identities (NHIs) refer to digital identities that are not associated with individual human users. These identities can belong to:

  • Devices – IoT sensors, network routers, laptops, and mobile devices
  • Applications & Software – Cloud services, microservices, APIs
  • Automated Processes – Bots, service accounts, CI/CD pipelines
  • Legal Entities – Organizational identifiers, such as Legal Entity Identifiers (LEIs)
  • Animals – RFID-chipped pets or livestock in agricultural and regulatory settings

While NHIs encompass a broad category, machine identities are a specific subset of NHIs.

Machine Identities vs. NHIs: Key Differences Explained

Although machine identities fall within the broader NHI category, they are distinct in scope, management practices, and security concerns.

Factor              | Machine Identities                               | Other NHIs (e.g., Legal Entities, Service Accounts)
Scope & Application | Devices, workloads, cloud services               | Software bots, service accounts, legal entity identifiers
Management          | X.509 certificates, cryptographic keys           | Passwords, tokens, API keys
Security Risks      | Unauthorized machine-to-machine communication    | Unauthorized API access, leaked credentials
Use Cases           | Cloud infrastructure security, DevOps automation | Regulatory compliance, organizational identity management

Understanding these distinctions helps organizations implement appropriate security measures for each type of NHI.

How to Secure NHIs: Best Practices for Identity Management

As NHIs proliferate, organizations face growing security and operational challenges. Here’s how to mitigate risks and improve NHI security:

1. Discover and Inventory All NHIs

  • Implement automated discovery tools to detect all NHIs in cloud and on-premises environments.
  • Maintain an up-to-date inventory of machine identities, service accounts, and automated processes.
  • Learn more about how service account key origins affect NHI security in this guide.

2. Centralize NHI Management

  • Use a unified identity management platform to handle machine and non-human identities in a single interface.
  • Establish governance policies for lifecycle management—ensuring NHIs are provisioned, monitored, and deprovisioned when no longer needed.

3. Enforce Least Privilege Access

  • Assign minimal permissions to NHIs based on their function.
  • Implement role-based access control (RBAC) and attribute-based access control (ABAC) to restrict identity permissions dynamically.
  • Understand how transitive access in GCP impacts privilege escalation risks in this article.

4. Strengthen Authentication & Credential Security

  • Use strong authentication mechanisms like X.509 certificates and OAuth tokens for machine identities.
  • Rotate and securely store API keys, secrets, and service account credentials to prevent unauthorized access.

5. Implement Continuous Monitoring & Threat Detection

  • Set up real-time monitoring for unusual NHI behavior, such as unexpected credential usage.
  • Use Identity Threat Detection and Response (ITDR) solutions to detect and mitigate identity-based threats.
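The discovery, least-privilege and credential-hygiene steps above come together in a key audit. Here is an added example in Python (not from the original post or from P0 Security’s product) that checks the keys of a GCP service account against a few governance rules. It consumes the JSON that `gcloud iam service-accounts keys list --iam-account EMAIL --format=json` prints; the three key records, the owner table and the last-use table are constructed sample data, and the owner and last-use inputs are assumptions because gcloud’s key listing carries neither. Loop it over `gcloud projects list` and each project’s service accounts to cover an estate rather than one account.

```python
import json
from datetime import datetime
from typing import Dict, List

# Constructed sample in the shape printed by
#   gcloud iam service-accounts keys list --iam-account EMAIL --format=json
# Three keys: an old user-managed key, a Google-rotated system key, and a
# recently uploaded key whose account has no recorded owner.
SAMPLE_KEYS_JSON = """[
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED",
   "name": "projects/demo-proj/serviceAccounts/scanner@demo-proj.iam.gserviceaccount.com/keys/0a1b2c",
   "validAfterTime": "2023-01-10T12:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "SYSTEM_MANAGED",
   "name": "projects/demo-proj/serviceAccounts/scanner@demo-proj.iam.gserviceaccount.com/keys/ffee01",
   "validAfterTime": "2025-05-01T00:00:00Z", "validBeforeTime": "2025-05-15T00:00:00Z"},
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "USER_PROVIDED", "keyType": "USER_MANAGED",
   "name": "projects/demo-proj/serviceAccounts/ci@demo-proj.iam.gserviceaccount.com/keys/77aa88",
   "validAfterTime": "2025-04-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
]"""

# Assumed side tables that your own inventory would maintain; gcloud's key
# listing carries neither ownership nor last-use data.
OWNERS = {"scanner@demo-proj.iam.gserviceaccount.com": "secops-team"}
LAST_USED = {"0a1b2c": "2025-05-30T08:00:00Z"}   # key id -> last authentication observed
NOW = "2025-06-01T00:00:00Z"                      # fixed clock so the run is reproducible

def _ts(value: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps gcloud emits into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_key_name(name: str):
    """projects/{project}/serviceAccounts/{email}/keys/{key_id} -> (project, email, key_id)"""
    parts = name.split("/")
    if len(parts) != 6 or parts[0] != "projects" or parts[2] != "serviceAccounts" or parts[4] != "keys":
        raise ValueError("unexpected key resource name: " + name)
    return parts[1], parts[3], parts[5]

def audit_keys(keys_json: str, owners: Dict[str, str], last_used: Dict[str, str],
               now_iso: str, max_age_days: int = 90, unused_days: int = 30) -> List[dict]:
    """Return one finding per user-managed key that breaks a governance rule.

    Rules: 'stale' (older than max_age_days), 'unused' (no authentication seen
    within unused_days), 'no_owner' (account has no assigned owner) and
    'user_provided_material' (private key was generated outside Google, so
    copies may exist wherever it was created).
    """
    now = _ts(now_iso)
    findings = []
    for key in json.loads(keys_json):
        if key["keyType"] != "USER_MANAGED":
            continue  # Google rotates SYSTEM_MANAGED keys itself
        project, email, key_id = parse_key_name(key["name"])
        issues = []
        if (now - _ts(key["validAfterTime"])).days > max_age_days:
            issues.append("stale")
        seen = last_used.get(key_id)
        if seen is None or (now - _ts(seen)).days > unused_days:
            issues.append("unused")
        if email not in owners:
            issues.append("no_owner")
        if key.get("keyOrigin") == "USER_PROVIDED":
            issues.append("user_provided_material")
        if issues:
            findings.append({"project": project, "account": email, "key_id": key_id,
                             "owner": owners.get(email), "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_keys(SAMPLE_KEYS_JSON, OWNERS, LAST_USED, NOW):
        print(f["project"], f["account"], f["key_id"], f["owner"], ", ".join(f["issues"]))
```

Each finding keeps the owner (or None) so remediation can be routed to a person; an unowned key is the first thing to chase, since nobody can confirm whether it is safe to rotate or delete. The thresholds are parameters because a CI key and a third-party integration key rarely share the same rotation policy.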

FAQ: Addressing Common NHI Security Questions

Q: What’s the biggest risk with Non-Human Identities?

A: Unmanaged NHIs, like stale service accounts or exposed API keys, can be exploited by attackers for lateral movement.

Q: How should organizations prioritize NHI security?

A: Start with discovery, enforce least privilege, and implement automated monitoring to detect unauthorized NHI usage.

Q: How is a machine identity different from an NHI?

A: All machine identities are NHIs, but not all NHIs are machines. Machine identities specifically apply to workloads, devices, and cloud services, whereas NHIs also include software bots, legal entities, and RFID-tagged animals.

Conclusion

Non-Human Identities (NHIs) are essential to digital ecosystems, but organizations must clearly differentiate between machine identities and other NHIs to implement effective security controls. While machine IAM focuses on securing workloads and devices, broader NHI governance includes service accounts, API keys, and even legal entities.

By following best practices in discovery, management, access control, and monitoring, organizations can reduce security risks and ensure NHIs remain an asset rather than a liability. The key is to implement identity-first security strategies that account for the growing complexity of non-human entities in cloud-driven environments.

Machine, workload, service—it doesn’t matter if it’s unsecured

A few weeks ago, Lalit Choda (aka Mr. NHI), founder of the NHI Management Group, hosted a series of discussions on non-human identities (co-located with Identiverse)—an increasingly urgent challenge in the security landscape. 

I had the opportunity to join a panel alongside Kirby Fitch from SailPoint to talk about the risks, terminology confusion and the visibility gaps organizations face in managing NHIs.

One key point we discussed is the lack of consistency across the industry. Whether you call them machine identities, service accounts, or workload principals, the fact remains: NHIs are now everywhere, and they need rigorous governance. We need to draw a clearer line between credentials and identities—and ensure both are treated as first-class security concerns.

In the panel, I emphasized that how we define an identity depends heavily on the system you’re looking at—an IAM role in AWS, a service principal in Azure, or a service account in GCP or in Active Directory. What we’re lacking is not just a naming convention, but a standardized way to reason about access across these constructs. Today, most organizations can’t answer a basic question: “Who—or what—can take what action on which resource?” Without that baseline, governance efforts become reactive and fragmented. It’s not enough to see the sprawl—we need to map entitlements, link them to specific identities (human and non-human), and enforce policies continuously. Otherwise, we’re left chasing shadow identities through logs and spreadsheets.

Beyond our panel, I also appreciated the insights shared by Vincenzo Iozzo from SlashID and Michael Silva from Astrix Security. Both provided real-world context on how NHIs are actively being exploited:

  • Vincenzo highlighted that in modern attacks, adversaries increasingly rely on stolen credentials to simply log in rather than break in. CrowdStrike’s threat intel shows a 6x spike in credential-based attacks, and AWS reported that 66% of customer breaches involved leaked or exposed NHI credentials.
  • Michael walked through a striking demo where an attacker harvested an AWS access key and secret from a non-default GitHub branch. Using those credentials, they were able to authenticate as a CI/CD service account—moving laterally across cloud and SaaS services, persisting without detection, and exfiltrating data at will.

These aren’t theoretical risks—they’re playing out today, quietly and efficiently, through overlooked machine identities.

At P0, we believe identity security must go beyond visibility. The path forward requires posture, as well as governance and orchestration. Every identity, whether human or non-human, needs to be governed, and every access needs to be short-lived, least-privileged, and passwordless (orchestrated without static credentials).

Thanks again to Lalit, Kirby, Vincenzo, Michael and all the other presenters for pushing this conversation forward. 

Identity Management Day 2025: Strengthening Security for Human and Non-Human Identities

Identity Management Day, established in 2021 by the Identity Defined Security Alliance (IDSA) in partnership with the National Cybersecurity Alliance, serves as a pivotal reminder of the necessity of safeguarding our digital identities. Scheduled for April 8, 2025, this annual event aims to educate individuals, businesses, and IT leaders about the importance of robust identity management and the potential risks associated with neglecting it.

Register today: https://www.accelevents.com/e/Identity-Management-Day-2025-Virtual-Conference

The Significance of Identity Management

Identity management encompasses the policies, processes, and technologies that ensure the right individuals and machines access the appropriate resources at the right times for the right reasons. Its significance cannot be overstated, especially when considering the alarming statistics:

  • 79% of organizations experienced an identity-related security breach in the past two years.
  • 99% of those breaches were deemed preventable.
  • 81% of hacking-related breaches leveraged weak, stolen, or otherwise compromised passwords.

These figures underscore the pressing need for comprehensive identity management strategies to protect both personal and organizational data.

Theme for 2025: Existential Identity

The theme for Identity Management Day 2025 is “Existential Identity.” This concept delves into the evolving nature of identity in our digital landscape, where individuals often maintain multiple personas across various platforms, and non-human identities—such as AI-driven agents and machine identities—play increasingly prominent roles. As these identities proliferate, understanding and managing them becomes paramount to ensure security and trust in digital interactions.

Best Practices for Identity Management

To strengthen identity management practices, organizations should consider the following best practices:

  1. Comprehensive Inventory of Identities: Develop and maintain a comprehensive inventory of all identities, human and non-human (NHIs), along with the human owner responsible for each NHI.
  2. Risk Assessment: Assess the risks linked to each NHI, including inactive service accounts, outdated keys, and over-privileged access.
  3. Governance and Lifecycle Management: Assign governance responsibilities to service owners, including workflows for secret rotations, onboarding and offboarding of NHIs, and risk remediation.
  4. Adopt Just-in-Time (JIT) Access: Minimize standing privileges by granting permissions only when needed, reducing risk without significantly increasing friction.
  5. Implement Continuous Monitoring: Set up real-time monitoring for unusual NHI behavior, such as unexpected credential usage, to detect and mitigate identity-based threats.

How to Participate and #BeIdentitySmart

Engagement in Identity Management Day offers numerous opportunities to enhance your understanding and practices:

  • Attend the Virtual Conference: On April 8, 2025, identity and security leaders will convene for a virtual conference to discuss current challenges and strategies in identity management. This event is free and open to all interested parties. P0 will be participating in the virtual conference, and attendees can stop by our virtual booth to learn more about how we help organizations strengthen their identity governance. Visit our website to explore our solutions and see how we can support your identity management needs.
  • Become an Identity Management Champion: Organizations that prioritize identity management and security can join the ranks of Identity Management Champions, showcasing their commitment to reducing risk and enabling secure business operations.
  • Access Educational Resources: The IDSA provides a wealth of resources, including best practices, webinars, and case studies, to help individuals and organizations bolster their identity management frameworks.

You don’t have to wait for Identity Management Day to take action. Read our latest insights on identity governance and security to stay ahead of threats. Book a meeting with us to learn how we can help your organization secure both human and non-human identities with a unified approach to access governance.

Trends in cloud security from cloud to workloads

Recently, I had the privilege of hosting a roundtable discussion with some of the leading voices in cloud security to explore emerging trends, threats, and solutions in identity management. The full video of the panel discussion is available for viewers to dive deeper into the conversation. Here’s a breakdown of the key insights shared during our conversation.

Full video: https://www.youtube.com/watch?v=T7TroTUMcjw

The Identity Landscape: A Growing Challenge

One of the most striking revelations from our discussion was the sheer scale at which non-human identities (NHIs) are growing. These identities, often associated with service accounts, APIs, or background tasks, are proliferating exponentially. As Kat Traxler, Principal Security Researcher at Vectra AI, pointed out, “For every human identity, there are 50 non-human identities. This velocity increases the risk of misconfigurations and abuse.”

James Berthoty, founder of Latio Tech, highlighted another layer of complexity: the fragmentation of identity systems. From SaaS applications to cloud services and Kubernetes clusters, identities span multiple platforms, each with its own management system. This lack of unification often leaves security teams scrambling to address risks in silos.

Emerging Threats: Transitive Access Abuse

A key focus of our conversation was the issue of transitive access abuse. Kat shared insights from her recent research, which unveiled vulnerabilities in Google Cloud’s Service Agents—non-human identities configured by the cloud provider. “These are billed as benign agents operating in the background, but when manipulated, they can perform privileged tasks like data exfiltration without requiring direct access to the underlying resources,” she explained.

Watch Kat’s explanation of transitive access abuse at 3:01.

James expanded on this, emphasizing how difficult it can be for CISOs to prioritize identity risks when the landscape is so fragmented. “The lack of unified tools across identity systems creates blind spots. Security engineers may focus deeply on Kubernetes, RBAC, or cloud permissions, but CISOs are left navigating a confusing mix of risks,” he noted.

See James discuss fragmented identity risks at 7:03.

The Governance Gap: What CISOs and Security Engineers Need to Know

When discussing solutions, the conversation frequently circled back to governance. As Rami McCarthy, a cloud security expert and advisor, emphasized, “Identities span systems—cloud providers, SaaS applications, legacy infrastructure. Governance frameworks must break down these silos to address risk holistically. However, technology alone cannot solve the problem; collaboration across teams and processes is essential. Organizations must look at the velocity of identity growth and address lifecycle management systematically.”

Listen to Rami’s perspective on governance frameworks at 9:07.

Srajan Gupta, a security engineering leader at Dave, added critical insights into the challenges of managing both human and non-human identities. “The fundamentals of identity management—such as zero trust and least privilege—apply equally to NHIs. However, we often neglect them, failing to perform periodic access reviews or enforce strict lifecycle management for service accounts and API keys,” he said.

Watch Srajan’s perspective on applying human identity principles to NHIs at 12:00.

Key challenges include:

  • Lifecycle Management: Stale or unused service accounts often become low-hanging fruit for attackers.
  • Least Privilege: While widely regarded as a best practice, enforcing least privilege without disrupting workflows remains difficult.
  • Tooling Fragmentation: Vendors typically address only specific slices of the problem, leaving organizations with gaps in their identity management strategy.

Best Practices: Tackling the Identity Problem

Addressing the challenges of identity governance requires a combination of thoughtful strategy, governance, and automation. Here’s what our panelists recommend:

1. Start with Inventory

Begin by creating a comprehensive inventory of all identities—human and non-human—across your ecosystem. As Srajan highlighted, “You can’t secure what you aren’t aware of. Start with understanding the scope of your identities.” Ensure this includes service accounts, API keys, and other non-human identities that often get overlooked.
Watch Srajan’s take on starting with inventory at 14:02.

2. Adopt Just-in-Time (JIT) Access

Minimize standing privileges by granting permissions only when needed. “JIT access should be the default. It reduces risk without significantly increasing friction,” Srajan added.

3. Leverage Permission Boundaries

Define boundaries that restrict what identities can access, preventing lateral movement during a breach. Kat added, “Managing access boundaries can significantly limit the blast radius of an incident, ensuring risks are contained.”
Watch Kat’s insights on managing blast radius at 6:03.

4. Focus on Lifecycle Management

Ensure processes are in place to review and decommission unused or overprivileged accounts regularly. James stressed, “Outdated roles and default permissions can account for the majority of overprivileged identities. Cleaning these up provides quick wins with little effort.”

5. Apply Ratchets and Levers

Rami introduced the concept of ratchets and levers for identity security:

  • Ratchets: “One-way improvements that meaningfully increase your security baseline—like implementing just-in-time access or restricting unused services.”
  • Levers: “Quick wins with high impact and low effort, such as identifying and cleaning up outdated permissions or roles.”

6. Reduce the Blast Radius

Accept that compromise can happen and design systems to limit damage. Rami emphasized that a thoughtful approach is key here: “Reducing the blast radius involves combining segmentation, strong resource boundaries, and just-in-time access to minimize the impact of a breach. Organizations must balance security controls with operational needs to avoid friction while maintaining resilience.”

7. Invest in Programmatic Solutions

Rami emphasized the importance of automation to address identity risks at scale: “Manual processes are no longer sustainable for large environments. Programmatic solutions—such as continuous monitoring and automated remediation—allow organizations to identify risks quickly and respond effectively.”
For organizations at scale, manual processes won’t suffice. Use automation to continuously monitor, detect, and remediate risks.

Check out the full panel discussion on best practices starting at 27:02.

Moving Forward: The Future of Identity Governance

Identity management will remain a critical area of focus as cloud environments grow in complexity. While perfect security may be unattainable, incremental improvements can significantly reduce risk. As Kat succinctly put it, “We can’t least-privilege our way to perfection, but we can manage risk more effectively by addressing the fundamentals.”

Watch Kat’s closing thoughts on reducing risk at 34:02.

For security practitioners and CISOs, the path forward involves not just adopting new tools but fostering collaboration across teams. Empathy, communication, and a willingness to iterate will be key to navigating this evolving landscape.

This conversation underscored the importance of viewing identity governance not as a one-time project, but as an ongoing commitment. Whether you’re just beginning to address NHIs or refining your approach, the lessons from this discussion offer a practical roadmap for tackling one of cloud security’s most pressing challenges.


How a Leading Insurance Provider Secured 40,000+ Service Accounts in GCP

Key Takeaways

  • Eliminated 30,000+ static keys and reduced over-privileged access
  • Automated key rotation and permission management across 1,000+ GCP projects
  • Achieved full governance of non-human identities (NHIs) within weeks

Background

A major insurance provider operates over 1,000 projects in Google Cloud Platform (GCP). Over time, developers created thousands of service accounts for various purposes, leading to significant security risks.

For example, the company uses a cloud security platform to scan GCP instances for misconfigurations. To integrate with GCP, the platform requires a service account that can read GCP logs. This service account requires a key or static credential, created by the company’s DevOps team and stored in the security platform by its administrator.

Challenges with Service Account Governance

The company faced significant challenges due to the proliferation of service accounts (40,000+, growing at 5% monthly) and static keys (30,000+).

Security Risks

  • No Ownership or Accountability – Many service accounts lacked assigned owners, making governance impossible.
  • Lack of Visibility – Without clear insights into risk, usage, and ownership, security teams hesitated to take action.
  • Inefficient Remediation – Addressing risks manually across 1,000+ projects required significant personnel effort and custom tooling.

Why Existing Solutions Fell Short

IGA Platforms (e.g., SailPoint)

  • Could govern human identities but lacked capabilities for managing non-human identities like service accounts and static keys.

Native GCP Tools

  • Workload Identity Federation – Recommended by Google, but impractical due to dependencies on static keys for third-party integrations.
  • Policy Analyzer – Paywalled behind Google Security Command Center (SCC) Premium SKU, limiting accessibility.
  • Lack of Centralized Visibility – Identifying unused accounts required manual effort across 1,000+ projects.

Cloud Security Posture Management (CSPM) Tools (e.g., Wiz)

  • No Governance Workflows – Built for visibility but lacked automated remediation capabilities.
  • Limited GCP Support – Most CSPMs prioritize AWS and Azure over GCP.

How P0 Helped

Comprehensive Inventory

  • Identified all identities (users and service accounts), owners, and consumers.

Proactive Risk Posture Analysis

  • Detected over-privileged accounts and unused service accounts.
  • Assessed accessible resources for each identity.
  • Categorized identities based on risk level.

Scalable Governance & Automation

  • Enabled bulk remediation of over-provisioned and unused service accounts.
  • Automated key rotation and permission management using P0-managed service accounts.
  • Implemented just-in-time (JIT) permissions for human users.

Results & ROI

P0 was deployed in under an hour by connecting GCP APIs and onboarding all 1,000+ projects via a simple script. No additional infrastructure was required.

Immediate Impact:

  • Full visibility into every GCP identity within minutes.
  • Eliminated all static keys and reduced over-privileged access within weeks.
  • Automated an ongoing governance program to ensure new service accounts are secure from the outset.

Without P0, this effort would have taken months and achieved only 70% risk reduction. Instead, the company now maintains a continuous, automated identity governance framework, securing its cloud environment at scale.

Want to identify and secure overprivileged service accounts and keys in your cloud? Book a demo with P0 today.

Redefining Security with Unified Identity Governance and Access Management

Identity governance is no longer just an option—it’s a critical pillar of how modern security must be done. As organizations navigate the complexities of cloud and hybrid environments, securing all identities—both human and non-human—is more important than ever to elevate how security is approached and executed. In a recent discussion with Bradley, VP and CISO at Paychex, we explored the challenges of managing identities—both human and non-human—and shared actionable strategies for building a unified, scalable governance program. Here’s what we uncovered.

Watch the Full Conversation: For a deeper dive into this discussion, check out the video:

What Is Identity Security and Why Does It Matter? (00:00:41)

Identity security isn’t just about managing usernames and passwords anymore. As Bradley and I discussed, identity security encompasses everything from:

  • Provisioning and deprovisioning identities effectively.
  • Ensuring entitlements (permissions) align with actual needs.
  • Ongoing monitoring to detect anomalies or malicious activity in real time.

It’s essential to recognize that identity security extends beyond human users. Non-human identities (NHIs) – such as service accounts, bots, and machine credentials – now outnumber human identities in most organizations. If we ignore NHIs, we risk creating massive security blind spots.

The Risks of Poor Identity Governance (00:03:31)

Organizations without a unified identity governance program face three major risks:

  1. Higher Likelihood of Data Breaches: (00:03:39) Excessive privileges or unused accounts, whether human or non-human, create prime opportunities for attackers to gain unauthorized access.
  2. Operational Downtime: (00:03:56) Incorrect permissions or mismanaged identities often result in costly misconfigurations, outages, and disruptions.
  3. Increased Costs: (00:04:19) Disjointed systems for managing human and non-human identities increase administrative overhead, making automation difficult.

As Bradley rightly pointed out:

“You can’t manage or govern only a portion of your identities and achieve positive security outcomes. Your approach has to be comprehensive.”

The Path to Better Identity Security: Modernizing Governance (00:05:00)

Legacy identity governance systems were never designed to handle the cloud or the scale of NHIs. They fail to:

  • Support non-human identities, which now dominate cloud environments.
  • Scale efficiently for modern cloud workloads.

Bradley’s recommendation to organizations is clear:

“Rip off the Band-Aid. Replace or augment legacy systems with a cloud-native identity governance solution that can manage both human and non-human identities across on-premises and cloud environments.”

Best Practices for Scaling an Identity Governance Program (00:05:36)

During our discussion, Bradley shared a practical roadmap for organizations looking to modernize their identity governance programs. Here are his key recommendations:

  1. Start with Visibility: (00:05:50)
    • Identify all identities – human and non-human – across on-premises and cloud environments.
    • Pinpoint risks, such as unused accounts and overprivileged identities. [Watch this section discussed in detail in the video above.]
  2. Automate Provisioning and Deprovisioning: (00:06:01)
    • Implement tools to consistently manage entitlements and automate lifecycle changes.
    • Automation ensures scalability and minimizes manual errors.
  3. Adopt Cloud-Native Solutions: (00:06:15)
    • Invest in solutions designed for both legacy and cloud-native environments that scale with your workloads.
    • Cloud-native platforms are better suited to handle modern identity demands, including NHIs.
  4. Adopt a Zero Trust Model: (00:06:36)
    • Align access permissions with actual needs to minimize risk and enforce least privilege.

Bradley emphasized that these steps build on one another. Start with visibility, then scale into automation and monitoring to ensure long-term success.

As he put it:

“Visibility is foundational; without it, you can’t make effective decisions on governance.”

Final Thoughts: Why Modern Identity Governance Matters (00:07:00)

As we shift workloads to the cloud, relying on legacy identity tools isn’t sustainable. A modern, cloud-native approach enables organizations to:

  • Reduce risk by securing both human and non-human identities.
  • Improve efficiency through automation and scalability.
  • Adapt to modern workloads without compromising governance.

In my conversation with Bradley, the takeaway was clear: You can’t govern part of your identities and expect success. A comprehensive, cloud-native approach is no longer optional—it’s essential.

Wrap-Up Video Insight: (00:08:12) Want a quick summary? Watch the video at the beginning of the post to see Bradley and me break it all down.

Learn More: At P0 Security, we help organizations govern and secure access for all identities—human and non-human. To discover how we can help you modernize identity governance, book a customized demo.

Strengthening Access Governance for Human and Machine Identities

$4.9 million. The global average cost of a data breach in 2024 – a 10% increase over last year – and the highest total ever.

With the growing adoption of cloud technologies, it’s crucial to secure sensitive data with more comprehensive security strategies from the outset to avert potentially catastrophic breaches.

In today’s cloud-native landscape, the criticality of access level security – defining what individuals are permitted to access within a system and when – cannot be overstated.

To put it simply, securing identities is the key to preventing breaches – and legacy approaches to governing access to sensitive data and critical infrastructure no longer work due to the explosion of cloud-native technologies. It is now more difficult than ever to control who has access to what since the cloud can be accessed not just by human users, but by non-human identities (NHIs), in many more ways than typical applications.

In honor of Cybersecurity Awareness Month, here are a few best practices organizations can take into consideration this October and beyond:

  • Discovery and Ownership: Develop and maintain a comprehensive inventory of all identities, including NHIs and humans, along with their respective human owners.
  • Risk Posture: Assess the risks linked to each NHI, including inactive service accounts, outdated keys and over-privileged access.
  • Governance and Lifecycle Management: Assign governance responsibilities to service owners, including workflows for secret rotations, onboarding and offboarding of NHIs and risk remediation.

By controlling access across human and non-human identities, not only are you boosting productivity and enabling better business outcomes, you’re also safeguarding corporate resources and networks. When access to critical systems is secure, the entire organization’s risk is minimized.

Interested in learning more about P0’s unified platform? Contact us at sales [email protected] or book a demo.

The evolution of Privileged Access Management

Privileged Access Management (PAM) has evolved far beyond its original purpose of rotating shared admin passwords. In today’s dynamic IT landscape, filled with cloud-native architectures, microservices, and automated CI/CD pipelines, the traditional model of PAM is no longer enough.

Modern PAM must address a broader and more complex environment, where identities (both human and machine) rapidly scale and require precise, time-bound, and auditable access to sensitive systems. These systems include servers, databases, cloud platforms, Kubernetes clusters, and APIs — each critical to business continuity and security.

At its core, PAM serves two fundamental functions:

  • Authentication – Who is requesting access
  • Authorization – What they are allowed to do

Legacy solutions focused on privileged accounts (e.g., root/admin passwords). But today, PAM must go beyond account-level protection to manage privileged access holistically — covering the full lifecycle of who can access what, when, and how.

Key Goals That Remain Constant

  • Short-lived access – Limit duration to reduce exposure
  • Least privilege – Grant only the necessary permissions
  • Auditability – Track all privileged access for security and compliance

What’s Changed

  • Infrastructure is now ephemeral, dynamic, and distributed.
  • Identities have multiplied across systems and automation layers.
  • Risks have increased due to outdated assumptions about static environments.

Conclusion

PAM is no longer just a compliance tool. It is a modern security layer critical for protecting sensitive systems in hybrid and cloud-native environments. Organizations must adapt their PAM strategies to orchestrate just-in-time, least-privileged access at scale, across both human and non-human identities.

The path to Least Privilege deployment guide

The way most teams handle access today is broken.

Static roles. Standing privileges. Long wait times for approvals. Manual access cleanup that rarely happens. Security teams are underwater, and engineering teams are stuck waiting on tickets just to do their jobs.

Meanwhile, identity has become the new perimeter—and the attack surface is exploding. Cloud environments now hold thousands of identities, most of which are over-permissioned, under-governed, and invisible until something goes wrong.

Just-in-time (JIT) access is the shift forward. Instead of granting standing access that lingers indefinitely, JIT lets teams request the access they need, when they need it, and only for as long as they need it. The result: lower risk, faster approvals, and better visibility—without slowing anyone down.

Moving to JIT is not as simple as flipping a switch.

Most teams don’t know where to start. They aren’t sure how JIT should be implemented in their organization, how to create policies, or how to get buy-in. Teams push back on losing “always-on” access. Ownership is murky. And there’s the fear that security might block progress rather than unlock it.

This guide cuts through that noise. It lays out a practical path to least privilege through JIT—starting small, proving value, and scaling up. It’s based on what we’ve seen in the field: what works, what doesn’t, and how teams go from concept to production.

You don’t have to boil the ocean. You just have to start.

And P0’s solution to JIT gives you a way to get there without slowing teams down or giving attackers more surface to target.