Most organisations have spent years locking down human accounts — enforcing MFA, tightening password policies, reviewing access rights. But there's a parallel identity population growing silently in the background: service accounts, API keys, OAuth tokens, CI/CD credentials, container workloads, and AI agents. These non-human identities (NHIs) now outnumber human identities by 25 to 1 in a typical enterprise, and 80% of identity-related breaches involve them.
The problem isn't that organisations don't know NHIs exist. It's that nobody owns them.
Why NHIs Are So Hard to Govern
Human identities are tied to an HR process. A person joins, gets provisioned; a person leaves, gets deprovisioned. NHIs follow no such lifecycle. They are created by automated pipelines, developers, and cloud provisioning tools — often with no approval workflow, no expiry date, and no record of who created them or why.
The result:
- 97% of NHIs carry excessive privileges — permissions granted for convenience that were never reviewed or tightened
- Half of enterprises have experienced a breach traced to an unmanaged NHI
- 68% of IT security incidents involve machine identities in some capacity
- Just 0.01% of machine identities control 80% of cloud resources — one compromised credential and an attacker effectively owns the environment
Real Breaches That Started with a Machine Credential
These aren't theoretical risks. Several major incidents in the past 18 months trace directly back to unmanaged NHIs:
tj-actions supply chain attack (March 2025): Attackers compromised a bot account used to maintain a popular GitHub Actions library. They pushed a malicious update that injected a memory scraper into thousands of CI/CD pipelines, exposing AWS keys, GitHub tokens, and RSA private keys across all dependent projects.
BeyondTrust (December 2024): A static, overprivileged API key with no rotation policy allowed attackers to reset local account passwords. Combined with a critical command injection vulnerability, this led to full remote code execution. The key had been sitting in place, unchanged, waiting to be exploited.
New York Times GitHub credential: A single developer token accidentally embedded in code gave attackers access to private repositories. They exfiltrated 270GB of source code — and found more embedded secrets inside, compounding the breach.
The pattern is consistent: static credentials, excessive permissions, no rotation, no monitoring.
The AI Agent Problem Is Making This Worse
In 2026, AI agents represent the fastest-growing NHI category — and the least governed. Agents that autonomously query databases, trigger cloud workflows, and call external APIs are being deployed by engineering teams who are not identity specialists. They grant agents broad permissions because it's easier. They don't set expiry on agent tokens because nobody thought to.
CyberArk has described a "runaway agent" as a near-certain cause of the next major identity-based breach. The structural problem is what security researchers call the "confused deputy" — an agent acting on behalf of a user, but with permissions that exceed what that user actually has. One compromised agent with cloud write access is a catastrophic credential.
What Good Looks Like
Fixing NHI security isn't a single product purchase — it's a shift in how machine credentials are treated:
- Inventory first — You cannot govern what you cannot see. Automated NHI discovery across cloud, SaaS, and on-premises environments is the non-negotiable starting point. Most organisations find two to three times more NHIs than they expected.
- Centralise secrets management — Tools like HashiCorp Vault, AWS Secrets Manager, and Akeyless provide secure storage, fine-grained access policies, and audit trails. Secrets in source code or environment variables are not managed secrets — they're waiting to be leaked.
- Automate rotation — Static credentials are the enemy. Dynamic secrets — generated on demand, scoped to a single task, automatically expired — eliminate the long shelf life that makes stolen keys so valuable to attackers.
- Apply Zero Standing Privilege (ZSP) to machines — The same JIT (just-in-time) principles that apply to human privileged access should apply to NHIs. Credentials minted at runtime, tied to a specific task, automatically revoked when done.
- Monitor NHI behaviour — Unusual API call patterns, unexpected geographic origins, privilege escalation, and access to out-of-scope resources are all detectable. Apply the same behavioural analytics you use for human accounts to machine identities.
- Scan CI/CD pipelines — Integrate secrets detection (GitGuardian, Gitleaks) into pre-commit hooks and pipeline stages. Stop secrets reaching source control in the first place.
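As an added example, not code from this post or from any product it names: a small Python audit that applies the inventory, ownership, privilege, rotation and expiry checks above to a constructed NHI inventory. The NHI schema, the 90-day rotation threshold and the three sample identities are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ROTATION_MAX_DAYS = 90  # assumed policy threshold; the post gives no number

@dataclass
class NHI:  # one identity as a discovery tool might record it (constructed schema)
    name: str
    kind: str                      # e.g. "service_account", "api_key", "ci_token", "agent"
    permissions: List[str]         # "service:Action" strings; "*" suffix is a wildcard
    owner: Optional[str]           # None = nobody recorded as responsible
    created: date
    last_rotated: Optional[date]   # None = never rotated since creation
    expires: Optional[date]        # None = no expiry set

def audit(nhi: NHI, today: date) -> List[str]:
    """Return the hygiene findings for one identity (empty list means it passes)."""
    findings = []
    if nhi.owner is None:
        findings.append("no owner")
    if any(p == "*" or p.endswith(":*") for p in nhi.permissions):
        findings.append("wildcard privileges")
    if nhi.expires is None:
        findings.append("no expiry")
    last_change = nhi.last_rotated or nhi.created
    age = (today - last_change).days
    if age > ROTATION_MAX_DAYS:
        findings.append(f"static for {age} days")
    return findings

def audit_inventory(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Map each failing identity name to its findings; clean identities are omitted."""
    return {n.name: f for n in inventory if (f := audit(n, today))}

# Constructed sample inventory and reference date, not real identities.
TODAY = date(2026, 3, 1)
SAMPLE_INVENTORY = [
    NHI("ci-deploy-bot", "ci_token", ["repo:write", "secrets:read"], "platform-team",
        date(2025, 12, 1), date(2026, 2, 20), date(2026, 5, 20)),
    NHI("legacy-backup-key", "api_key", ["s3:*", "iam:PassRole"], None,
        date(2024, 6, 1), None, None),
    NHI("support-agent", "agent", ["tickets:read", "cloud:*"], "ml-team",
        date(2026, 1, 15), None, None),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

The rotated, owned and expiring CI token passes; the unowned wildcard API key with no expiry that has not changed in 638 days is the kind of credential the breaches above were built on.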
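A second added example, again not from the post, for the monitoring point: a per-identity baseline check run over constructed JSON audit events that flags out-of-scope actions, unexpected origin regions, credential-minting actions and calls from identities missing from the inventory. The baseline format, the action names and the log lines are assumed for illustration.

```python
import json
from collections import defaultdict

# Constructed per-identity baseline (this example's own format): scoped actions and usual regions.
BASELINE = {
    "svc-reporting": {"actions": {"s3:GetObject", "athena:StartQueryExecution"},
                      "regions": {"eu-west-1"}},
    "agent-support": {"actions": {"tickets:Read", "tickets:Comment"},
                      "regions": {"eu-west-1", "eu-west-2"}},
}
# Actions that grant or mint new credentials; any NHI using them deserves review.
ESCALATION_ACTIONS = {"iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutUserPolicy"}

# Constructed newline-delimited JSON audit events, not real log data.
SAMPLE_LOG = """
{"ts":"2026-03-01T02:10:00Z","identity":"svc-reporting","action":"s3:GetObject","region":"eu-west-1","resource":"reports/q1.csv"}
{"ts":"2026-03-01T02:11:30Z","identity":"svc-reporting","action":"iam:CreateAccessKey","region":"us-east-1","resource":"user/admin"}
{"ts":"2026-03-01T02:12:00Z","identity":"agent-support","action":"tickets:Read","region":"eu-west-2","resource":"ticket/4411"}
{"ts":"2026-03-01T02:12:05Z","identity":"agent-support","action":"s3:PutObject","region":"eu-west-2","resource":"prod-config/app.yaml"}
{"ts":"2026-03-01T02:13:00Z","identity":"unknown-key","action":"ec2:RunInstances","region":"ap-south-1","resource":"*"}
"""

def analyse_event(ev):
    """Return the alert reasons for one event; an empty list means it matches baseline."""
    profile = BASELINE.get(ev["identity"])
    if profile is None:
        return ["identity not in inventory"]   # the unowned NHI the post warns about
    reasons = []
    if ev["action"] in ESCALATION_ACTIONS:
        reasons.append("privilege escalation action")
    if ev["action"] not in profile["actions"]:
        reasons.append("out-of-scope action")
    if ev["region"] not in profile["regions"]:
        reasons.append("unexpected origin region")
    return reasons

def detect(log_text):
    """Parse NDJSON events and return alerts grouped by identity as (ts, action, reasons)."""
    alerts = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        reasons = analyse_event(ev)
        if reasons:
            alerts[ev["identity"]].append((ev["ts"], ev["action"], reasons))
    return dict(alerts)

if __name__ == "__main__":
    for identity, hits in detect(SAMPLE_LOG).items():
        print(identity, hits)
```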
The IAM perimeter has expanded well beyond the employee directory. Every API key, every service account, every AI agent is an identity — and an attacker doesn't care whether the credential belonged to a person or a pipeline.
AccessSphere Managed specialises in identity governance across both human and machine identities. If you're unsure how many NHIs your organisation has — or what permissions they're carrying — that's the right place to start.