Non-Human Identity (NHI)

Non-Human Identities (NHIs) are digital credentials assigned to software workloads — services, bots, automation scripts, and AI agents — rather than to human users. In agentic AI, NHIs encompass every API key, service account, certificate, OAuth token, and JWT issued to an agent so it can authenticate to internal or external systems. The AI Agent Identity Architecture defines the governance model; the RA Identity plane is the implementation surface, and the CMM D2 deep dive measures maturity.

On this page

Aliases and variants

  • Machine identity — broader term covering all software principals
  • Workload identity — often used specifically for cloud-native, certificate-based identity (e.g., SPIFFE SVIDs)
  • Service account — legacy term for IAM principals bound to a software service
  • NHI — preferred shorthand in recent vendor and analyst discourse

NHI taxonomy

The wiki enumerates twelve types, each with a distinct rotation, ownership, and detection profile (per What Are Non-Human Identities? (Oasis Security), which lists eleven — the wiki splits Oasis’s combined “tokens and certificates” row into OAuth tokens and TLS/mTLS certificates):

TypeAuthentication mechanismRotation profile
Service AccountUsername/password or service-account secretDecoupled (secret separate from principal)
Service PrincipalClient secret or certificateDecoupled
System AccountOS-issued, typically high privilegeDecoupled
IAM Role (AWS-style)Temporary STS session credentialsDecoupled, short-lived
API KeyStatic keyDecoupled
Machine Identity (VM / container / serverless)Cloud-issued cert / SVIDDecoupled
OAuth TokenTime-limited bearerDecoupled
TLS / mTLS CertificateAsymmetric keyDecoupled
Storage Access KeyLong-lived, broad-permissionCoupled (see Identity-Credential Coupling)
SAS Token (Azure)Time-limited, granularCoupled
Personal Access Token (PAT)Developer-generatedOften coupled (the token IS the access)
Database UserApplication-levelDecoupled

The coupled rows are where the credential string IS the identity — rotation is identity rotation. See Identity-Credential Coupling for implications.

Why NHI matters for agentic AI

AI agent deployments amplify the NHI problem in three ways:

  1. Scale. Each agent — often each agent task — may require one or more credentials. Large multi-agent systems generate thousands of identities quickly.
  2. Ephemerality. Agents are spun up and torn down dynamically; their credentials may not be systematically revoked.
  3. Autonomy. Unlike a human who can be asked to justify an action, an agent may exercise credentials in ways that are opaque without purpose-built tracing.

The combined effect is a rapidly growing NHI estate that is poorly inventoried and a high-value attack surface.

OWASP’s State of Agentic AI Security and Governance separates two layers the industry conflates. NHI is an authentication primitive that answers “is this credential valid?” and gates identity at session start. Agent Identity is a governance layer above it that attests provenance, intent, and authority continuously, governing behavior at the moment of each action rather than only at login. NHI is the principal a per-agent credential names; Agent Identity is what makes that principal accountable across a multi-step task. The threat both layers answer is Identity Spoofing and Impersonation (T9) in OWASP Agentic AI Threats and Mitigations — impersonation of agents, users, or services, and theft of a persistent agent identity.

Scale evidence (triangulated)

SourceMetricYearType
CyberArk82:1 machine-to-human identity ratio2025Vendor (Vanson Bourne survey, n=2,600)
Rubrik Zero Labs45:1 average; up to 100:1 in some orgs2025Vendor
arXiv 2503.1825550K → 250K machine identities per enterprise (400% growth)2021–2025Academic preprint
SailPoint Horizons of Identity Security69% of orgs have more machine than human identities; ~half deploy 10× more2025–2026Vendor (n=375 IAM decision-makers, methodology disclosed)
Verizon DBIR 2025Third-party breach involvement doubled YoY (15% → 30%), driven by ungoverned machine accounts2025Industry survey (annual, methodology disclosed)
GitGuardian / Verizon 2025441,780 exposed secrets in public repos; 39% web-app infra (66% JWTs)2025Industry-data quantitative
IBM 2025 Cost of a Data Breach$4.44M global / $10.22M US average; explicit recommendation for NHI controls2025Industry survey (Ponemon methodology)
ENISA Threat Landscape 2025Confirms identity- and credential-themed risk acceleration2025EU government

Sources differ on the exact ratio (45:1 vs 82:1; SailPoint reports 69% of orgs have more machine than human, ~half 10×) but agree on the structural point: NHIs outnumber humans by an order of magnitude or more, and growth is fast. The exact 82:1 figure is single-vendor (CyberArk-specific); the directional claim is well-corroborated. The per-figure provenance, vendor-conflict labels, and independent corroboration live in the Source Triangulation Audit §Claim 1, which is the citation home for the vendor rows that carry no public deep link (CyberArk, Rubrik, SailPoint, GitGuardian).

Why human-identity controls fail for NHIs

Eight structural differences make HR-driven IAM and credential-storage-focused PAM unsuitable (per What Are Non-Human Identities? (Oasis Security)):

PropertyHumanNHI
CentralizationIT-managed, single source of truthDecentralized; created by developers / IT / IaC
OwnershipTied to individualOften unowned; shared across teams / apps
ScaleLinear with headcount10–100× human count, growing exponentially
Rate of changeHR-driven (joiner/mover/leaver)Code-pace (per commit / per deploy)
ProvisioningIT-mediatedDeveloper-driven, often invisible to IT
Secret expirationFrequent password rotationOften never rotated; sometimes no expiration
Operational risk of rotationLowHigh (rotation breaks production workflows)
Authentication factor diversityThree-factor + MFA + SSOSingle-factor (the secret); no MFA equivalent

Legacy IAM/PAM cannot be retrofitted for NHIs at scale; purpose-built tooling is required (per Oasis Security).

Real-world incident anchors

IncidentVectorNHI lesson
Microsoft AI Storage BreachMisconfigured SAS token38TB internal data exposed (passwords + private keys); coupled identity-credential — see Identity-Credential Coupling
CircleCI BreachOAuth token compromiseMass-rotation across thousands of customer environments — rotation infrastructure must be tested
Mercedes-Benz BreachService accounts with excessive privilegesLong-lived, over-permissioned NHIs are persistent attacker access

Relationship to DSPM

Insight Partners draw an analogy: NHI vendors are to agent credentials what DSPM (Data Security Posture Management) vendors were to data sprawl. Just as DSPM helped enterprises discover and govern data that had proliferated across cloud stores without oversight, NHI tooling helps discover, classify, and govern the machine credentials agents accumulate.

Framing from source

“Improper management of credentials related to NHIs is a people and process problem, not so much a technology problem.” — Insight Partners, 2025

Governance capabilities and the platform-native landscape

NHI governance solutions cover: discovery (machine identity inventory across cloud, SaaS, and on-prem); lifecycle management (rotation, expiry, revocation); scoped permissions (least privilege per identity, extending into Identity Security Posture Management / ISPM); and OAuth / API scope governance.

The market shifted during 2026. Per-agent identity is no longer the preserve of specialist vendors: it is GA platform-native on all three hyperscalersMicrosoft Entra Agent ID, AWS Bedrock AgentCore identities, and GCP Agent Identity — with Okta for AI Agents in Early Access. What remains a developing COTS layer is the NHI governance posture above bare identity: discovery of unenrolled agents, lifecycle, and least-privilege review, where Oasis Security, Aembit, Astrix, and CyberArk Conjur compete. Conditional Access for Agent Identities (Entra) adds risk-based step-up where the platform supports it.

Shadow-agent discovery — the Agent 365 Registry, Okta Agent Discovery — surfaces agents created at developer pace outside the enrollment process, addressing the shadow automation (Microsoft’s “agent sprawl”) problem.

The Microsoft ZT4AI framework extends the Zero Trust principles — verify explicitly, least privilege, assume breach — to these machine identities, with Entra Agent ID as the per-agent identity anchor (see the 2026-Q2 ZT4AI review).

The per-task authority frontier

A verified NHI still carries ambient authority: its workload’s full standing permissions on every call, far wider than any one task needs (see Ambient vs Derived Authority). Workload identity is task-blind. The frontier control is capability-based authorization — a task-scoped, signed, attenuating artifact that carries its own policy, so a compromised agent cannot exceed the scope minted for its task. The Tenuo Warrant is the leading vendor-neutral implementation (monotonic attenuation: a delegated child grant can only shrink). No hyperscaler ships per-task holder-bound tokens; platform products issue per-resource tokens, which is why this sits at the top of the D2 ladder (L5+).

Credential Zero problem

The Credential Zero problem is the bootstrap step: an agent must authenticate to a secrets vault or IdP before it can retrieve working credentials. Solutions include SPIRE certificates baked into the workload at deploy time, which avoid storing static secrets entirely, and platform credential-less identity models (Azure Managed Identities, AgentCore token vault, GCP auth-manager).

Where this sits in the RA and CMM

  • Architecture. AI Agent Identity Architecture frames the layers; the RA Identity plane implements them (workload identity, agent/NHI lifecycle governance, credential proxy, action-to-identity tracing).
  • Practice. NHI Governance for AI Agents is the operational discipline.
  • Maturity. The CMM D2 ladder grades it: per-agent identity + owner + deploy-pipeline lifecycle + coupled/decoupled inventory at L3, zero-credentials-in-context + automated rotation at L4, a unified governance program with shadow-agent discovery at L5, per-task capability tokens at L5+.
  • Monitoring. Agent Observability — action-to-identity tracing requires knowing which NHI took which action.

Sources