Beyond Humans: Governing Machine Identity Access at Scale

In organizations today, every identity—human or machine—is a potential pivot point in an attack.

Most progress in identity security has focused on authenticating people: SSO, MFA, admin lockdowns, automated provisioning. Important steps, but they only address half the identities accessing your systems. The other half—machines like CI/CD pipelines, service accounts, automation tools, AI agents, and ephemeral jobs—is growing even faster. They operate with credentials that don’t expire, access no one owns, and have zero oversight by design.

The problem is simple: access programs built for humans don’t automatically extend to machines. Without deliberate execution, half your environment remains unsecured.

The machines are already inside the perimeter

In modern cloud environments, there’s a second identity surface running in parallel to your people – made up of service accounts, roles, and the infrastructure that uses them: CI/CD pipelines, ephemeral workloads, serverless functions, AI agents, and more.

These identities don’t log in. They don’t use passwords. They don’t file IT tickets or respond to access reviews. They just exist – often with production-level access – and they’re multiplying every day. It’s not uncommon for these non-human identities to outnumber employees by 20:1 or more. But despite that scale, their access is rarely reviewed, almost never expires, and they often aren’t even associated with a known owner.

In practice, that means thousands – or tens of thousands – of credentials floating around your infrastructure with no clear governance. And in the event of a breach, security teams are left scrambling to figure out what they connect to or expose.

Vaults help, but they don’t govern

To try and rein in the chaos, many teams turn to vaults or secrets managers. And to be clear: storing secrets securely is a must.

But vaults only store secrets – they don’t govern access. They don’t enforce expiration. They don’t evaluate privilege scope. They don’t answer questions like:

  • Who owns this identity?
  • What systems does it touch?
  • Why was it created in the first place?
  • What entitlements does it have?
  • Has it been used in the last 90 days?

And they certainly don’t revoke unused or risky credentials automatically. A static key, even when stored in a vault, still represents standing access. It can enable lateral movement and poses much the same risk as a key sitting in plaintext – arguably more, because teams often assume the vault makes it safe.

Extending your governance from humans to machines

So what’s the fix?

It’s not a new category of tool. It’s applying the same lifecycle thinking you already apply to humans – and extending it to machines.

Industry experts have mapped this out with a comprehensive framework, covering discovery and inventory, lifecycle processes, credential protection, and monitoring controls. As NHI authority Lalit Choda explains, machine identities follow the same seven-step lifecycle as human ones: provisioning, discovery, classification, hygiene management, credential protection, monitoring, and prevention.

Begin with visibility: map every machine identity, note its origin, its access scope, and its activity status. Then introduce structure: assign clear owners, define precise scopes, anchor credentials to formal policies, and enforce expiration with mandatory reapproval. 

When machine access is governed like human access, drift slows, blast radius shrinks, and accountability returns.
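The governance questions a vault leaves unanswered (owner, scope, purpose, entitlements, recent use) and the lifecycle steps just described (inventory, owners, scopes, expiration with reapproval) can be expressed as checks over a machine-identity inventory. The following Python is an added example, not P0's code or any vendor's product logic; the inventory records, the 90-day reapproval period and the markers used for an over-broad scope are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed "now" so the constructed inventory below evaluates the same way every run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
UNUSED_AFTER = timedelta(days=90)       # the "used in the last 90 days?" question above
REAPPROVAL_PERIOD = timedelta(days=90)  # assumed: owners must re-attest access every 90 days
BROAD_SCOPES = {"*", "admin"}           # assumed markers for an over-broad entitlement


@dataclass
class MachineIdentity:
    name: str
    origin: str                      # what created it: CI system, Terraform, console, ...
    owner: Optional[str]             # accountable team; None means nobody owns it
    scopes: List[str]                # recorded entitlements
    created: datetime
    last_used: Optional[datetime]    # None: no activity ever observed
    expires: Optional[datetime]      # None: credential never expires
    reapproved: Optional[datetime]   # last time the owner re-attested the access


def evaluate(identity: MachineIdentity, now: datetime = NOW) -> List[str]:
    """Return the governance findings for one identity (empty list = governed)."""
    findings = []
    if not identity.owner:
        findings.append("no-owner")
    if not identity.scopes:
        findings.append("no-scope-recorded")
    elif any(s in BROAD_SCOPES for s in identity.scopes):
        findings.append("over-broad-scope")
    if identity.expires is None:
        findings.append("no-expiry")
    elif identity.expires <= now:
        findings.append("expired-but-present")
    if identity.last_used is None:
        # Old enough to have been used and never was: probably abandoned at creation.
        if now - identity.created > UNUSED_AFTER:
            findings.append("never-used")
    elif now - identity.last_used > UNUSED_AFTER:
        findings.append("unused-90d")
    if identity.reapproved is None or now - identity.reapproved > REAPPROVAL_PERIOD:
        findings.append("reapproval-overdue")
    return findings


def triage(inventory: List[MachineIdentity], now: datetime = NOW) -> Dict[str, List[str]]:
    """Findings per identity name, the report an access review would start from."""
    return {i.name: evaluate(i, now) for i in inventory}


def revocation_candidates(inventory: List[MachineIdentity], now: datetime = NOW) -> List[str]:
    """Unowned and inactive identities: nobody can vouch for them, so they are cleaned up first."""
    out = []
    for i in inventory:
        f = evaluate(i, now)
        if "no-owner" in f and ("unused-90d" in f or "never-used" in f):
            out.append(i.name)
    return sorted(out)


# Constructed sample inventory; none of these identities are real.
INVENTORY = [
    MachineIdentity("ci-deployer", "github-actions", "platform-team", ["deploy:staging"],
                    created=datetime(2024, 1, 10, tzinfo=timezone.utc),
                    last_used=datetime(2024, 5, 30, tzinfo=timezone.utc),
                    expires=datetime(2024, 7, 1, tzinfo=timezone.utc),
                    reapproved=datetime(2024, 4, 15, tzinfo=timezone.utc)),
    MachineIdentity("legacy-backup", "console", None, ["*"],
                    created=datetime(2021, 3, 2, tzinfo=timezone.utc),
                    last_used=datetime(2023, 11, 20, tzinfo=timezone.utc),
                    expires=None, reapproved=None),
    MachineIdentity("etl-job", "terraform", "data-team", ["s3:read:analytics"],
                    created=datetime(2024, 1, 5, tzinfo=timezone.utc),
                    last_used=None,
                    expires=datetime(2024, 12, 31, tzinfo=timezone.utc),
                    reapproved=datetime(2024, 1, 5, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for name, findings in triage(INVENTORY).items():
        print(f"{name:15} {'governed' if not findings else ', '.join(findings)}")
    print("revoke first:", revocation_candidates(INVENTORY))
```

The point of separating `evaluate` from `revocation_candidates` is that a finding such as `reapproval-overdue` routes to the owner for re-attestation, whereas an identity with no owner has nobody to ask, which is why unowned plus inactive is the first bucket to revoke.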

From static to ephemeral: What the best teams are doing differently

In organizations that have embraced this shift, non-human access doesn’t happen in the dark. It’s securely orchestrated and governed.

Secrets aren’t static – they’re generated just-in-time. CI/CD pipelines don’t carry permanent access – they assume a scoped role for the duration of a job. Tokens expire by default. Identities are tied to policies that enforce how, when, and what they can access.

Teams shouldn’t need to manually review thousands of service accounts. If clear rules and guardrails are defined up front, automation can handle the rest. The result is scalable machine access that’s ephemeral, contextual, and reversible by design.

Real-world example: Fixing access key sprawl

Take something as common as AWS access keys.

In many orgs, engineers still use long-lived credentials stored in config files. Those keys rarely expire, are shared across teams, and are almost never revoked.

Here’s a more modern approach:

  1. Audit credential usage via CloudTrail, flag unused keys, and start with cleanup. 
  2. Roll out identity federation – so users assume roles instead of copying keys. 
  3. Next, lock down the ability to create new static credentials with service control policies. 
  4. Finally, shift automation to use short-lived tokens injected at runtime – scoped by environment and ephemeral by design.
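Steps 1 and 3 of that procedure can be carried out with a few lines of Python. The block below is an added example, not code from the author or from P0 Security: it flags unused keys from an IAM credential report (the usage source here, whereas the step above names CloudTrail) and emits a service control policy that denies creating new static credentials. The report rows are constructed, the account id `123456789012` is a placeholder, and the exempted break-glass role name is an assumption.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for a deterministic run
UNUSED_AFTER = timedelta(days=90)

# Constructed sample rows in the column layout of an IAM credential report
# (`aws iam generate-credential-report`, then `aws iam get-credential-report`).
# Account id 123456789012 is a placeholder; none of these users are real.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-20T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-02-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,2024-05-31T08:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
old-backup,arn:aws:iam::123456789012:user/old-backup,2020-06-15T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-06-15T00:00:00+00:00,2023-09-01T00:00:00+00:00,us-west-2,s3,true,2021-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_timestamp(value: str) -> Optional[datetime]:
    """The report writes N/A, no_information or not_supported where no date applies."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv: str, now: datetime = NOW,
                      unused_after: timedelta = UNUSED_AFTER) -> List[Tuple[str, str, str]]:
    """Step 1: (user, key slot, reason) for every active key with no recent use."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            last_used = parse_timestamp(row[f"{slot}_last_used_date"])
            issued = parse_timestamp(row[f"{slot}_last_rotated"])
            if last_used is None:
                # Existed longer than the window and never used: dead weight to revoke.
                if issued is not None and now - issued > unused_after:
                    findings.append((row["user"], slot, "never-used"))
            elif now - last_used > unused_after:
                findings.append((row["user"], slot, "unused-90d"))
    return findings


def deny_new_static_credentials_scp(break_glass_role: str = "BreakGlassIamAdmin") -> str:
    """Step 3: an SCP that denies minting new long-lived credentials wherever it is attached.
    The single exempted role is a hypothetical break-glass path (name is an assumption)."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNewStaticCredentials",
            "Effect": "Deny",
            "Action": ["iam:CreateAccessKey", "iam:CreateServiceSpecificCredential"],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": f"arn:aws:iam::*:role/{break_glass_role}"}
            },
        }],
    }
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for user, slot, reason in stale_access_keys(CREDENTIAL_REPORT):
        print(f"{user}: {slot} {reason}")
    print(deny_new_static_credentials_scp())
```

Running it lists both keys on `old-backup` (one unused for months, one never used since it was issued) and prints the policy; the root account's inactive keys and the recently used `ci-deploy` key are left alone. Attaching the SCP before cleanup is finished is deliberate: it stops the sprawl from growing while the existing keys are worked through, and the exemption keeps a single audited path for the rare case that a key must still be issued.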

None of this is theory. It’s happening right now in teams that are serious about controlling machine access.

Why this matters more than ever

The next time an attacker breaches your perimeter, they’re not going to target a human password. They’re going to look for a forgotten key – one with access, no expiration, and no owner. That’s why ‘least privilege’ for machines isn’t optional anymore. And it’s why governing machines with the same commitment we have for people isn’t just a best practice – it’s a necessity.

Because every identity – human or machine – is a potential pivot point. If you’re only securing one half of your environment, you’re not solving the problem. You’re just hoping the other half doesn’t break first.

What’s next in the series…

In part three of this series, we zoom in on one of the biggest risks tied to machine identities: static credentials.

These long-lived secrets are everywhere – in CI configs, Terraform scripts, even Slack threads – and they create persistent access paths that most security tools ignore. We’ll break down how modern teams are eliminating static keys, moving to ephemeral, scoped credentials, and treating secrets not just as infrastructure, but as privileged access that demands governance.


About the Author: Kelsey Brazill is the Head of Product Marketing at P0 Security.

About the Company: 

P0 Security is redefining PAM for multi-cloud and hybrid environments with the most agile way to ensure least-privileged, short-lived and auditable production access for users, NHIs and agents. Centralized governance, just enough privilege and just-in-time controls provide comprehensive access security that keeps pace with development. Every identity. Every system. All the time.

P0’s Access Graph and Identity DNA data layer make up the foundational architecture that powers comprehensive privilege insight and access control across all identities, production resources and environments. With P0, production access is least-privilege, short-lived and auditable by default.

To explore P0 Security further or book a demo, visit p0.dev
