This blog was originally published by iDMig here.
Non-human identities (NHIs) are front and center
Throughout the conferences I’ve attended, and those I had the privilege to present at in 2024 and 2025, one key takeaway from all of them is the explosive growth of non-human identities. These identities have been around for decades, to be sure, primarily as part of enterprise infrastructure and most predominantly as service accounts, but their role has quietly been evolving into something much more central. Especially in AI-driven enterprises, NHIs are not merely background actors but the connective tissue enabling complex AI workflows, orchestrations, and ultimately autonomy.
Microsoft recently described this as the “expanding identity perimeter” in its Microsoft Defender XDR blog [1], stating that “not only do NHI greatly outnumber their human counterparts but they are also often highly privileged, eliminating the need for the attacker to elevate this status themselves. AI agents are expected to drive even faster growth in machine identities”.
This means that in the age of AI, non-human identities are not secondary but a critical component of scalable, secure operations.
The strategic role of NHIs and its security concerns
Historically, NHIs lived in the shadows of IT and IAM programs, and the resulting “tech debt” in current practices and environments still includes challenges such as a lack of ownership, missing rotation policies, and the absence of basic inventory tracking.
According to the Cloud Security Alliance’s State of Non-Human Identity Security Survey [2], anxiety and concern are high, and many organizations still struggle with fundamental NHI security practices:
- 32% of organizations highlight service accounts as a particularly significant challenge,
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer rotate them.
These security concerns become particularly important when you consider that, as of this writing, NHIs vastly outnumber human identities by a factor of 20 to 1. These numbers are not theoretical; they point to a growing security exposure that dwarfs that of human identity and access management.
Beyond the security concerns that come with NHIs, and with the maturity of the environments and organizations that manage them, NHIs are undeniably strategically important: they enable DevOps, cloud automation, and SaaS integration, and they power business applications and processes with direct access to production and customer data.
NHI Risk and AI Governance
Microsoft’s Azure AI Foundry blog entry “Zero-trust Agents: Adding Identity and Access to Multi-Agent Workflows” [3] is a great example of how AI doesn’t operate in isolation: it fetches and writes data across systems, and each of those actions requires an identity.
The zero-trust agent workflow in Microsoft’s example is a model that is still emerging and maturing. In practice, many AI implementations operate with broad, permanent access. The Replit incident [4] is a recent example of an AI agent overstepping its scope, and it raises questions about sandboxing, privilege limits, and how identities are really managed for autonomous systems.
Gartner’s Hype Cycle for Artificial Intelligence 2025 [5] points to the growing prominence of multi-agent systems: collections of agents working together to accomplish complex tasks. Each of those agents requires authentication, authorization, and specific governance, such as AI TRiSM, in order to be properly governed and to prevent another incident like Replit’s.
Without proper governance, the NHIs powering AI agents will:
- Be overprivileged and never reviewed,
- Persist long after the systems or integrations they serve are retired,
- Provide a lateral movement or data exfiltration vector.
Practical path forward:
Given the above risks and the complexities inherent in NHIs and their use by AI, I’ve listed below some fundamental practices that should be included in a governance strategy:
- Comprehensive inventory of NHIs: ensure that you have the means to discover NHIs across cloud, on-prem, and SaaS and, most importantly, to associate each one with its consumers and owners. This should include a hard requirement to link every NHI to an application or system in your CMDB.
- Scoped access: apply least privilege wherever possible, and especially to AI agents.
- Short-lived credentials and access: use just-in-time access and secrets, with automatic rotation.
- Comprehensive and continuous monitoring: ensure you are logging and analysing NHI activity for anomalies.
- Lifecycle and policy enforcement: manage NHIs with well-documented, automated provisioning and deprovisioning processes, and with automated policy enforcement (e.g. stale secrets, inactivity).
Most of these approaches are not new; they differ in how complex they are to deploy and operationalize at scale. Deployed properly, however, they will greatly reduce your overall risk and help you stay ahead of threats and NHI abuse.
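As an added example, not code from the original post or from any vendor named above, the following Python script applies the practices in the list above (ownership and CMDB linkage, least privilege, secret age and inactivity enforcement, and anomaly monitoring of activity) to a small NHI inventory and a few activity log lines. The inventory, the log lines, the field names, the thresholds and the log format are all constructed assumptions for illustration; in a real program the records would come from your secrets manager, cloud IAM APIs and SIEM.

```python
"""Governance checks over a constructed NHI inventory and activity log.

Added example, not from the original post. Record layout, policy thresholds
and log format are assumptions made here for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
MAX_SECRET_AGE = timedelta(days=90)              # assumed rotation policy
MAX_INACTIVITY = timedelta(days=60)              # assumed stale-identity policy


@dataclass
class NHI:
    name: str
    kind: str                          # "service_account", "api_key" or "ai_agent"
    owner: str | None                  # accountable human or team
    cmdb_app: str | None               # application/system record it is linked to
    secret_created: datetime
    last_used: datetime | None
    permissions: list[str]
    allowed_sources: set[str] = field(default_factory=set)  # expected caller CIDRs


# Constructed inventory, not real data.
INVENTORY = [
    NHI("svc-billing-db", "service_account", "billing-team", "APP-0042",
        NOW - timedelta(days=30), NOW - timedelta(days=1),
        ["db:read", "db:write"], {"10.1.0.0/16"}),
    NHI("legacy-etl-key", "api_key", None, None,
        NOW - timedelta(days=400), NOW - timedelta(days=200), ["storage:*"]),
    NHI("agent-support-bot", "ai_agent", "cx-platform", "APP-0107",
        NOW - timedelta(days=10), NOW - timedelta(hours=2),
        ["*"], {"10.2.0.0/16"}),
]

# Constructed log lines: "<iso-time> <identity> <source-ip> <action>"
LOG_LINES = """
2025-08-31T22:10:00Z svc-billing-db 10.1.4.7 db:read
2025-08-31T23:55:00Z agent-support-bot 10.2.9.3 tickets:read
2025-09-01T01:30:00Z agent-support-bot 198.51.100.23 db:write
2025-09-01T02:00:00Z ci-deploy-token 10.3.1.1 deploy:write
"""


def ip_in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def inventory_findings(nhis: list[NHI]) -> list[tuple[str, str, str]]:
    """Static policy checks: (identity, finding code, detail)."""
    findings = []
    for n in nhis:
        if n.owner is None or n.cmdb_app is None:
            findings.append((n.name, "unowned",
                             "no owner or CMDB link; cannot be reviewed or offboarded"))
        age = NOW - n.secret_created
        if age > MAX_SECRET_AGE:
            findings.append((n.name, "stale_secret",
                             f"credential age {age.days}d exceeds {MAX_SECRET_AGE.days}d"))
        if n.last_used is None or NOW - n.last_used > MAX_INACTIVITY:
            findings.append((n.name, "inactive",
                             "unused beyond inactivity window; candidate for deprovisioning"))
        if any(p == "*" or p.endswith(":*") for p in n.permissions):
            # Wildcard grants on an AI agent are singled out: the agent, not a
            # human, decides which of those permissions to exercise.
            code = "overprivileged_agent" if n.kind == "ai_agent" else "overprivileged"
            findings.append((n.name, code, f"wildcard grant {n.permissions}"))
    return findings


def log_findings(lines: str, nhis: list[NHI]) -> list[tuple[str, str, str]]:
    """Activity checks: identities missing from inventory, unexpected sources."""
    by_name = {n.name: n for n in nhis}
    findings = []
    for line in lines.strip().splitlines():
        ts, ident, src, action = line.split()
        n = by_name.get(ident)
        if n is None:
            findings.append((ident, "unknown_identity",
                             f"{action} from {src} at {ts} by identity not in inventory"))
            continue
        if n.allowed_sources and not any(ip_in_cidr(src, c) for c in n.allowed_sources):
            findings.append((ident, "unexpected_source", f"{action} from {src} at {ts}"))
    return findings


if __name__ == "__main__":
    for f in inventory_findings(INVENTORY) + log_findings(LOG_LINES, INVENTORY):
        print("%-20s %-22s %s" % f)
```

Running it flags the orphaned ETL key on every static check (unowned, stale secret, inactive, wildcard storage grant), flags the support agent for its wildcard grant, and, from the log, flags the agent writing to the database from an address outside its expected network and a deploy token that was never inventoried at all. Those are exactly the conditions the list above is meant to surface: the script is a starting point, and the thresholds and source baselines would be tuned per identity type in practice.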
The foundation we can’t ignore
Today, many AI deployments happen inside a single vendor’s ecosystem (e.g. Microsoft Copilot, among others), and governance and risk management are easier when everything lives in one platform.
But AI implementations will rarely stay confined to one platform. Maturing enterprises will likely adopt a best-of-breed approach: different AI agents, sourced from different providers, will specialize in their own domains, and each will expand your NHI footprint.
This is where NHIs settle firmly into a strategic foundation, one where identity and AI governance become a cross-platform requirement: policies must be consistent across platforms, and observability must be baked into the solution.
What will you be focusing on as your IAM strategy adapts? I’d love to hear other perspectives.
Reach me on LinkedIn!
References
- [1] https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/expanding-the-identity-perimeter-the-rise-of-non-human-identities/4418953
- [2] https://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report
- [3] https://techcommunity.microsoft.com/blog/azure-ai-foundry-blog/zero-trust-agents-adding-identity-and-access-to-multi-agent-workflows/4427790
- [4] https://www.theregister.com/2025/07/21/replit_saastr_vibe_coding_incident/
- [5] https://www.gartner.com/en/newsroom/press-releases/2025-08-05-gartner-hype-cycle-identifies-top-ai-innovations-in-2025
About the Author: Miguel Furtado is a senior leader in Identity and Access Management with over 20 years of experience shaping identity security strategies across healthcare, finance, and technology sectors. Passionate about identity-centric security, Miguel has led enterprise-scale identity transformations, driving innovation in IAM engineering, governance, and modern authentication frameworks. With deep expertise in identity integration for mergers and acquisitions, Miguel has played a key role in ensuring seamless identity consolidation, reducing security risks, and enabling scalable, secure access strategies during organizational transitions. A frequent contributor to industry discussions, research, and conferences, Miguel is recognized for bridging technical excellence with business strategy to help organizations build secure, scalable, and user-friendly identity ecosystems.