Identity sprawl, agentic AI risk, and the path to NHI governance maturity

When security leaders talk about identity risk, the conversation almost always centers on humans: privileged users, compromised accounts, insider threats. But for most enterprises, the greater risk has already shifted.

And it has nothing to do with your employees.

Non-human identities (NHIs) — service accounts, API keys, OAuth tokens, SSH keys, RPA bots, cloud workload credentials and AI agents — are the fastest-growing, least-governed attack surface in the modern enterprise. And the industry is beginning to reckon with what that means.

$4.88M: global average cost of a data breach (IBM Cost of a Data Breach 2024)

The scope of the problem

The numbers are striking. Research from Rubrik Zero Labs puts the NHI-to-human identity ratio at 45:1 in the modern enterprise. For cloud-native and DevOps environments, Entro Labs H1 2025 research puts that figure at 144:1. 

These identities are not passive: they authenticate continuously, access sensitive systems and carry permissions that would be flagged immediately if a human account held them.

Yet most NHIs exist in a governance vacuum:

  • 8% of enterprise identities have no owner in HR systems — the creator left, but the account and its full access remain.
  • 47% of NHIs are more than one year old with no credential rotation.
  • Two thirds of enterprises have suffered a breach via a compromised NHI, per recent industry data.

The threat is not theoretical. A single stolen token from a CI/CD log, a support export or a partner email can fan out across CRM, storage and production environments, with cloned tokens and background jobs operating invisibly while no alerts fire. Logs split between your SIEM and the provider's system, and attribution becomes a months-long exercise in shared-responsibility finger-pointing.


The agentic AI multiplier

Agentic AI introduces a qualitatively new dimension to NHI risk. Unlike static service accounts, AI agents are autonomous. They can take sequences of actions, call external APIs, spawn sub-agents, write and execute code and acquire new permissions dynamically at runtime.

In a traditional NHI governance framework, an API key has a defined scope that can be inventoried and audited. An AI agent operating with delegated access may dynamically escalate that scope in ways that no policy document anticipated. The blast radius is substantially higher, and the audit trail substantially thinner.

Organizations deploying AI agents — and increasingly, that means most organizations — face an urgent governance gap. Most have no formal framework for NHI lifecycle management at all, let alone for AI agent identities specifically.

"History will blame the industry for pretending the bots were out of scope." — Chris Ray, Field CTO of Security and Risk, GigaOm

The compliance dimension

Beyond breach risk, NHI sprawl creates a compounding compliance problem. Frameworks including SOC 2, ISO 27001, PCI DSS and NIST 800-53 all carry access governance requirements that, in theory, apply to non-human identities as much as human ones. In practice, most audit processes focus on human users and leave NHIs in a grey zone.

That grey zone is shrinking. Regulators and auditors are increasingly asking specific questions about machine identity governance, and the answers "we use a vault" and "we review service accounts periodically" are not holding up to scrutiny. Organizations that cannot demonstrate lifecycle governance, ownership accountability and least-privilege enforcement for NHIs are accumulating compliance exposure alongside security exposure.

Beyond the vault: What mature NHI governance looks like

The market response to NHI risk has historically defaulted to credential vaulting. PAM platforms vault secrets, restrict access and record sessions. That is a necessary starting point, but it addresses only the "secure the credential at rest" problem. It does not answer the governance questions:

  • Which NHIs exist across my hybrid environment, including platform-managed ones the provider controls?
  • Who is accountable for each one? What is its business justification?
  • Is it overprivileged relative to its actual function?
  • When was it last rotated, and what is the rotation policy?
  • What happens to it when the owning application or project is decommissioned?

A mature NHI governance model answers all these questions with policy enforcement, automated lifecycle management and continuous audit capability. GigaOm Research, working with One Identity, has outlined a maturity framework that moves organizations from reactive, siloed NHI management to unified identity governance that covers human and non-human identities in the same policy and audit framework.
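One way to turn the governance questions above (and the ownerless, unrotated identities described earlier) into automated checks, as an added example that is not One Identity's or GigaOm's code: a small audit over a constructed NHI inventory that flags ownerless, stale, overprivileged and orphaned identities. The 365-day rotation threshold, the record fields and the sample identities are assumptions for illustration.

```python
"""Policy checks over a constructed NHI inventory (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

MAX_ROTATION_DAYS = 365  # assumed policy; the article only calls ">1 year" stale


@dataclass
class NHI:
    name: str
    kind: str                        # service_account, api_key, oauth_token, ai_agent, ...
    owner: Optional[str]             # HR-resolvable owner; None if the creator left
    created: date
    last_rotated: Optional[date]     # None = never rotated since creation
    granted: Set[str]                # permissions the credential carries
    used: Set[str]                   # permissions actually observed in access logs
    project_active: bool = True      # False once the owning app/project is decommissioned


def audit(nhi: NHI, today: date) -> List[str]:
    """Return governance findings for one identity; an empty list means compliant."""
    findings = []
    if nhi.owner is None:                       # who is accountable?
        findings.append("no_owner")
    last = nhi.last_rotated or nhi.created      # never rotated -> age since creation
    if (today - last).days > MAX_ROTATION_DAYS:  # rotation policy
        findings.append("stale_credential")
    unused = nhi.granted - nhi.used             # overprivileged relative to function?
    if unused:
        findings.append("overprivileged:" + ",".join(sorted(unused)))
    if not nhi.project_active:                  # owning project decommissioned?
        findings.append("orphaned_project")
    return findings


def audit_inventory(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Map each identity name to its findings, for reporting or ticketing."""
    return {n.name: audit(n, today) for n in inventory}


# Constructed sample inventory (not real identities)
INVENTORY = [
    NHI("ci-deploy-key", "ssh_key", None, date(2023, 1, 10), None,
        {"deploy", "read_secrets"}, {"deploy"}),
    NHI("crm-sync-token", "oauth_token", "data-team", date(2025, 3, 1),
        date(2025, 9, 1), {"crm.read"}, {"crm.read"}),
    NHI("legacy-report-bot", "rpa_bot", "finance", date(2022, 6, 1),
        date(2025, 8, 1), {"db.read"}, {"db.read"}, project_active=False),
]
TODAY = date(2025, 10, 1)

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(name, findings or "compliant")
```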

About the writers and contributors

Rob Kraczek is Global Strategist at One Identity. With more than three decades of identity security experience, he advises customers across major industries and government sectors on identity security strategy and helps shape the future direction of the One Identity portfolio.

Chris Ray is Field CTO of Security and Risk at GigaOm. He brings extensive experience advising security vendors and enterprises, from small teams to large financial institutions and across healthcare, financial services and technology sectors.

One Identity is a leader in unified identity security, trusted by 80 of the Fortune 100, with more than 500 million identities under active management and more than 20 years of expertise in identity security.
