{"id":215869,"date":"2026-05-18T03:51:00","date_gmt":"2026-05-18T07:51:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/18\/the-non-human-identity-crisis-why-your-machine-identities-are-your-biggest-governance-gap\/"},"modified":"2026-05-18T16:05:31","modified_gmt":"2026-05-18T20:05:31","slug":"the-non-human-identity-crisis-why-your-machine-identities-are-your-biggest-governance-gap","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/18\/the-non-human-identity-crisis-why-your-machine-identities-are-your-biggest-governance-gap\/","title":{"rendered":"The Non-Human Identity Crisis: Why Your Machine Identities Are Your Biggest Governance Gap"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/expert-insights\/2026\/05\/the-non-human-identity-crisis-why-your.html\">The Non-Human Identity Crisis: Why Your Machine Identities Are Your Biggest Governance Gap<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/expert-insights\/2026\/05\/the-non-human-identity-crisis-why-your.html\">https:\/\/thehackernews.com\/expert-insights\/2026\/05\/the-non-human-identity-crisis-why-your.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-18 03:51:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Identity sprawl, agentic AI risk, and the path to NHI governance maturity<br \/>\nWhen security leaders talk about identity risk, the conversation almost always centers on humans: Privileged users, compromised accounts, insider threats.
But for most enterprises, the greater risk has already shifted.<br \/>\nAnd it has nothing to do with your employees.<br \/>\nNon-human identities (NHIs) \u2014 service accounts, API keys, OAuth tokens, SSH keys, RPA bots, cloud workload credentials and AI agents \u2014 are the fastest-growing, least-governed attack surface in the modern enterprise. And the industry is beginning to reckon with what that means.<br \/>\n$4.88M<br \/>\nGlobal average cost of a data breach \u2014 IBM Cost of a Data Breach 2024<br \/>\nThe scope of the problem<br \/>\nThe numbers are striking. Research from Rubrik Zero Labs puts the NHI-to-human identity ratio at 45:1 in the modern enterprise. For cloud-native and DevOps environments, Entro Labs H1 2025 research puts that figure at 144:1.<br \/>\nThese identities are not passive: They authenticate continuously, access sensitive systems and carry permissions that would be flagged immediately if a human account held them.<br \/>\nYet most NHIs exist in a governance vacuum:<\/p>\n<p>8% of enterprise identities have no owner in HR systems \u2014 the creator left, but the account and its full access remain.<br \/>\n47% of NHIs are more than one year old with no credential rotation.<br \/>\nTwo thirds of enterprises have suffered a breach via a compromised NHI, per recent industry data.<\/p>\n<p>The threat is not theoretical. A single stolen token from a CI\/CD log, a support export or a partner email can fan out across CRM, storage and production environments, with cloned tokens and background jobs operating invisibly while no alerts fire. 
Logs split between your SIEM and the provider&#8217;s system, and attribution becomes a months-long exercise in shared-responsibility finger-pointing.<br \/>\nThe agentic AI multiplier<br \/>\nAgentic AI introduces a qualitatively new dimension to NHI risk. Unlike static service accounts, AI agents are autonomous. They can take sequences of actions, call external APIs, spawn sub-agents, write and execute code and acquire new permissions dynamically at runtime.<br \/>\nIn a traditional NHI governance framework, an API key has a defined scope that can be inventoried and audited. An AI agent operating with delegated access may dynamically escalate that scope in ways that no policy document anticipated. The blast radius is substantially higher, and the audit trail substantially thinner.<br \/>\nOrganizations deploying AI agents \u2014 and increasingly, that means most organizations \u2014 face an urgent governance gap. Most have no formal framework for NHI lifecycle management at all, let alone for AI agent identities specifically.<br \/>\n&#8220;History will blame the industry for pretending the bots were out of scope.&#8221; \u2014 Chris Ray, Field CTO of Security and Risk, GigaOm<br \/>\nThe compliance dimension<br \/>\nBeyond breach risk, NHI sprawl creates a compounding compliance problem. Frameworks including SOC 2, ISO 27001, PCI DSS and NIST 800-53 all carry access governance requirements that, in theory, apply to non-human identities as much as human ones. In practice, most audit processes focus on human users and leave NHIs in a grey zone.<br \/>\nThat grey zone is shrinking.
Regulators and auditors are increasingly asking specific questions about machine identity governance, and the answers &#8220;we use a vault&#8221; and &#8220;we review service accounts periodically&#8221; are not holding up to scrutiny. Organizations that cannot demonstrate lifecycle governance, ownership accountability and least-privilege enforcement for NHIs are accumulating compliance exposure alongside security exposure.<br \/>\nBeyond the vault: What mature NHI governance looks like<br \/>\nThe market response to NHI risk has historically defaulted to credential vaulting. PAM platforms vault secrets, restrict access and record sessions. That is a necessary starting point, but it addresses only the &#8220;secure the credential at rest&#8221; problem. It does not answer the governance questions:<\/p>\n<p>Which NHIs exist across my hybrid environment, including platform-managed ones the provider controls?<br \/>\nWho is accountable for each one? What is its business justification?<br \/>\nIs it overprivileged relative to its actual function?<br \/>\nWhen was it last rotated, and what is the rotation policy?<br \/>\nWhat happens to it when the owning application or project is decommissioned?<\/p>\n<p>A mature NHI governance model answers all these questions with policy enforcement, automated lifecycle management and continuous audit capability. GigaOm Research, working with One Identity, has outlined a maturity framework that moves organizations from reactive, siloed NHI management to unified identity governance that covers human and non-human identities in the same policy and audit framework.<br \/>\nAbout the writers and contributors<br \/>\nRob Kraczek is Global Strategist at One Identity. 
With more than three decades of identity security experience, he advises customers across major industries and government sectors on identity security strategy and helps shape the future direction of the One Identity portfolio.<br \/>\nChris Ray is Field CTO of Security and Risk at GigaOm. He brings extensive experience advising security vendors and enterprises, from small teams to large financial institutions and across healthcare, financial services and technology sectors.<br \/>\nOne Identity is a leader in unified identity security, trusted by 80 of the Fortune 100, with more than 500 million identities under active management and more than 20 years of expertise in identity security. Robert Kraczek \u2014 Global strategist One Identity<\/p>\n<p>This article is a contributed piece from one of our valued partners.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>The Non-Human Identity Crisis: Why Your Machine Identities Are Your Biggest Governance Gap https:\/\/thehackernews.com\/expert-insights\/2026\/05\/the-non-human-identity-crisis-why-your.html Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":215870,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh9vRnr-ss7cjomgPV_zqMfncBHIIpUAjf88fCxyPcScOiICxWYAkIem3tlSEsoQwTF4RIBEVK-HzSP6oaJ_KFwbDIPMd7_-39YLFYDUS4W8BnZBdJBAI2VjR39t6PDmt3TFwmtQHCedmv81zVFASJ-2pV569lOnUPDa2EvAUxxVObWDAsRbYEyg1n1ahA\/s1700-e365\/oneidentity-5-main.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30],"class_list":["post-215869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/215869"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=215869"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/215869\/revisions"}],"predecessor-version":[{"id":215871,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/215869\/revisions\/215871"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/215870"}]
,"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=215869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=215869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=215869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}