How to Govern the Massive Explosion of Non-Human Identities (NHIs)

Written by Anjali Krishna on July 17, 2026

Connect

Non-human identities now outnumber human users in 83% of organizations. That figure climbs to 86% in the U.S. and 81% in the U.K. Even more telling, one-third of organizations report a 6-to-1 ratio of non-human identities to people, up from just 23% only six months earlier.

So the machines have taken over your directory. The real problem is what comes next. Only 21% of organizations have formal governance controls for these identities. This gap between access and accountability is a risk.

If you want the full picture, our IT Trends Report breaks down the data and the strategies top teams are using right now. But stick with us here first for a quick overview of the problem and how to solve it.

What Are Non-Human Identities (and Why Are There So Many)?

Non-human identities, or NHIs, are the credentials that let your systems talk to each other without a person involved. These include AI agents, API keys, OAuth tokens, service accounts, and cryptographic certificates. They authenticate, request access, and move data all on their own.

You did not add thousands of these overnight by accident. A few big shifts drove the explosion. Multi-cloud architectures multiply the number of credentials you manage. CI/CD pipelines generate tokens with every build and deployment. Containerized microservices each need their own identity to function. And now autonomous AI agents are joining production workflows at speed.

The result is a fast-growing population of autonomous systems that most teams cannot fully see. Every one of them holds access to something, and each one is a door someone could walk through.

The Tactical Nightmare of Managing Machine Credentials

Here is why NHIs are so hard to control. Machine identities behave nothing like your users. They run 24/7 and never log out. They cannot use multi-factor authentication (MFA) or biometrics. And a single compromised credential can quietly expose your entire environment for as long as it stays active.

Now add tool sprawl to the mix. According to our trends report, organizations use an average of 6.9 separate tools to manage core IT functions, and 7.6 in hybrid environments. That means your machine credentials are scattered across disconnected consoles with no single owner and no consistent review.

Many teams try to fix this with scheduled credential rotation. Clutch calls this the “Rotation Illusion,” and for good reason. Calendar-based rotations on a 30, 60, or 90-day cycle move far too slowly. Automated scanners can exploit a leaked AWS key in as little as 40 seconds. Rigid rotation policies also frustrate developers, who then cache or hardcode plaintext tokens to keep things running. That makes the problem worse.

Real Breaches Show the Stakes

This is not theoretical. WTW points to the Salesloft-Drift AI Supply Chain Attack in August 2025. Threat group UNC6395 exploited Drift’s OAuth token infrastructure to steal customer tokens. With those tokens in hand, they bypassed MFA and reached into Salesforce, Google Workspace, and Slack to exfiltrate sensitive data and hunt for deeper cloud credentials.

A May 2026 NSA warning informed that the Model Context Protocol, which many AI agents rely on, lacks basic security controls. It suffers from inverted trust boundaries and undefined access controls. When you connect probabilistic AI agents to your systems without guardrails, unpredictable behavior becomes a security event waiting to happen.

A Four-Step Framework to Govern NHIs

Closing the governance gap is achievable. The IT Trends Report lays out four foundational steps that take you from basic adoption to secure scale. Each one builds on the last.

Step 1: Discover

You cannot govern what you cannot see. Start by identifying which agents and non-human identities exist, what systems they can access, and which workflows they influence. This is the step most teams skip, and it is why sprawl gets out of hand. A complete inventory turns invisible credentials into managed assets.

Step 2: Register

Next, place each agent inside a formal identity system. Define its purpose, map its access, and assign a human owner. This last part matters most. When every machine identity has a person accountable for it, you close the ownership gap that lets rogue credentials linger unnoticed.

Step 3: Manage

Now set the rules. Define access levels, approval workflows, and least privilege for every identity. Give yourself an emergency shutdown option too. This step keeps agents from accumulating more power than they need, which limits the blast radius if one gets compromised.

Step 4: Govern

Finally, keep watching. Use logs, audit trails, access reviews, and post-action monitoring to check whether each agent’s permissions and behaviors still make sense. Governance is an ongoing practice that keeps your controls aligned with reality as your environment grows.

Bring Your Machine Identities Under Control

Non-human identities outnumber people in most organizations, they run around the clock, and only one in five companies has formal controls in place. The access has expanded far faster than the accountability. Real breaches show what happens when that gap goes unaddressed.

Your next steps are pretty straightforward. Discover what you have, register it with a human owner, manage access tightly, and govern it continuously. You have the framework to reclaim control.

Don’t let rogue agents compromise your perimeter! Download the IT Trends Report Q3 2026 to see the full data and how top-performing IT teams are bringing non-human identities under formal IAM control.

Your future self will thank you for closing the gap before someone else finds it.

Anjali Krishna

With six years of experience as a content marketer, Anjali enjoys creating content that's worth reading. Backed by her background in IT engineering, she specializes in translating technical topics into clear and concise copy.

Continue Learning with our Newsletter