For years, cybersecurity strategies have focused on people. From employees and contractors to partners and insiders, that familiar ‘humans are the weakest link’ rhetoric has defined the industry for decades. The tools and strategies developed to defend against threats, like access management and identity governance, were largely designed with humans in mind. But as artificial intelligence (AI), automation, and cloud-native architectures accelerate, a more dominant kind of workforce has quietly emerged.
Non-Human Identities (NHIs), the digital identities assigned to machines, applications, and automated processes, now vastly outnumber employees in most enterprises, reshaping the security landscape in ways many organisations have yet to fully grasp. Recent research estimates that NHIs outpace human accounts by 144:1. In practical terms, a business with 10,000 employees may be relying on more than 1.4 million non-human identities, each representing a potential access pathway into the organisation. Many of these identities lack a clearly defined owner, a documented purpose, and ongoing oversight, creating governance gaps that scale faster than traditional security controls can adapt.
Addressing the ‘Boom’
NHIs have existed for decades, enabling applications to communicate, automate tasks, and scale operations. Service accounts, bots, APIs, machine agents, and AI-driven processes all fall under the scope of NHIs. Their volume, autonomy, and operational importance, however, have increased exponentially in recent years. Unlike human users, non-human identities operate continuously, authenticate silently, and execute predefined functions at machine speed, rendering many people-centric identity controls ineffective by design. Each of these capabilities requires credentials, tokens, keys, or secrets. Collectively, they form an immense, largely invisible attack surface.
History shows the cost of ignoring that attack surface. Some of the most significant breaches in recent memory, like the SolarWinds incident in 2020, were not the result of phishing emails or stolen employee passwords. They began with compromised non-human credentials: poorly secured service accounts, exposed tokens or long-lived secrets embedded in pipelines. Once inside, attackers moved laterally and remained undetected because the hijacked identities were never designed to be closely monitored. The impact was seismic and even prompted a decisive shift in US cybersecurity policy, with identity explicitly recognised as a foundational control rather than a supporting function.
NHIs: A Secondary Concern?
Despite the warnings and the notable policy shift, many organisations, while acknowledging identity as a critical security perimeter, stopped short of applying that lesson consistently to non-human identities. The risk is understood, but it is often deprioritised in favour of more visible initiatives like endpoint protection or employee awareness training. That imbalance is becoming unsustainable as the presence of NHIs in organisations grows. NHIs will be increasingly targeted given the ever-widening ratio. Organisations must ensure that they have the visibility and control required to detect misuse before damage is done. In many cases, the obstacle is not technical capability but accountability. Responsibility for NHIs is fragmented across security, DevOps, and application teams, while executive ownership is often implicit rather than explicit.
Visibility – or lack thereof – is a critical issue. In sprawling cloud and hybrid environments, non-human credentials are created by development teams, CI/CD pipelines, SaaS integrations, and AI tools, often without centralised oversight. Secrets are hard-coded into scripts, duplicated across environments, and forgotten as applications evolve. Security teams can’t protect what they can’t see, and without a clear inventory of existing identities, what they can access, and how they are used, governance becomes more theoretical than practical. For regulated organisations, this lack of visibility is not just a security concern but a compliance risk, undermining auditability, accountability, and confidence in incident response.
Resilient security programs today recognise the integral importance of secrets governance for every NHI. That means real-time insight into credentials and their behaviour, not periodic snapshots or manual audits. Without that foundation, policy enforcement, automation and even zero trust initiatives lose credibility.
Extending Identity Principles
The path forward is not to invent entirely new controls, but to extend proven identity principles to machines. Least privilege remains just as relevant for a service account as it is for an administrator. Most NHIs are granted more access than is required, often retaining broad permissions long after their original purpose has evolved. Non-human identities must be automatically reviewed and decommissioned when applications change or workloads are retired, preventing obsolete credentials from becoming permanent attack vectors.
Automation is equally critical. Unlike human passwords, which can be rotated quarterly or annually, non-human secrets should be rotated frequently and without downtime. Manual processes cannot scale to thousands (or millions) of credentials. Automated rotation, backed by centralised secrets management, ensures that even if a secret is exposed, its usefulness to an attacker is short-lived.
Continuous auditing and behavioural monitoring add another layer of resilience. NHIs tend to have predictable patterns: specific APIs, specific times, and specific workloads. Deviations from those patterns can signal misuse or compromise. Treating machine behaviour as something to be observed and not assumed allows security teams to detect threats earlier, before they move through connected systems.
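To make "observed, not assumed" concrete, here is an added example (not code from the article or from Keeper Security) that learns each NHI's normal APIs, source workloads and hours from constructed audit records, flags deviations in a new event, and lists identities idle long enough to be decommissioning candidates, covering the review-and-retire point from the least-privilege paragraph as well. The record layout, identity names and the 30-day idle threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (identity, api, source workload, UTC timestamp).
BASELINE_LOGS = [
    ("svc-billing", "GET /invoices", "pod/billing-worker", "2025-06-01T02:10:00Z"),
    ("svc-billing", "GET /invoices", "pod/billing-worker", "2025-06-02T02:12:00Z"),
    ("ci-deploy", "POST /deploy", "runner/gha-42", "2025-06-02T14:00:00Z"),
    ("svc-legacy-report", "GET /reports", "vm/report-01", "2025-04-01T03:00:00Z"),
]

def _parse(ts):
    # Accept the trailing "Z" form on any Python 3 version.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def build_baseline(records):
    """Learn, per identity, the APIs, source workloads and UTC hours it normally
    uses, plus when it was last seen."""
    base = defaultdict(lambda: {"apis": set(), "workloads": set(),
                                "hours": set(), "last_seen": None})
    for ident, api, wl, ts in records:
        t, b = _parse(ts), base[ident]
        b["apis"].add(api)
        b["workloads"].add(wl)
        b["hours"].add(t.hour)
        if b["last_seen"] is None or t > b["last_seen"]:
            b["last_seen"] = t
    return dict(base)

def check_event(baseline, ident, api, wl, ts):
    """Return the deviations of one new event from the identity's learned pattern."""
    b = baseline.get(ident)
    if b is None:
        return ["identity has no baseline (unknown or never inventoried)"]
    t, findings = _parse(ts), []
    if api not in b["apis"]:
        findings.append(f"new API: {api}")
    if wl not in b["workloads"]:
        findings.append(f"new source workload: {wl}")
    if t.hour not in b["hours"]:
        findings.append(f"off-pattern hour: {t.hour:02d}:00 UTC")
    return findings

def stale_identities(baseline, now, max_idle_days=30):
    """Identities silent for more than max_idle_days: review/decommission candidates.
    The 30-day threshold is an assumed policy value, not one from the article."""
    return sorted(i for i, b in baseline.items()
                  if (now - b["last_seen"]).days > max_idle_days)
```

In practice the baseline would be rebuilt from a rolling window of real audit logs, and a finding would feed an alert or a credential-rotation workflow rather than a return value.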
This is where modern privileged access management (PAM) and secrets management capabilities converge. Historically, PAM focused on human administrators and “break glass” scenarios. At enterprise scale, this convergence is no longer optional; managing machine identities through privileged access and secrets controls has become a prerequisite for operating securely in cloud and automated environments. When combined with zero-trust principles, these tools move from being “best practice” to operational necessities.
The Future of Identity Management – Human or Otherwise
The goal is not to add friction, but to restore predictability. When identities are managed with precision, security becomes more proactive. Supply chain risks shrink, insider-style attacks lose their stealth, and incident response becomes faster because the scope of exposure is clearer.
Identity has become the deciding factor in modern security. Firewalls, detection tools, and AI-driven analytics all depend on trustworthy access controls beneath the surface. As NHIs continue to multiply, organisations that manage them with the same rigor as employee accounts will avoid repeating the costly lessons of the past.
When implemented correctly, disciplined governance of non-human identities does more than reduce risk: it enables organisations to adopt automation and AI with confidence, without sacrificing control or accountability. The silent workforce isn’t going away. But with visibility, least privilege principles, and disciplined secrets management, it doesn’t have to remain the weakest link.
Shane Barney joined Keeper Security as Chief Information Security Officer (CISO) in May 2025, bringing with him more than two decades of cybersecurity leadership in both the public and private sectors. Prior to joining Keeper, Barney dedicated 20 years to the Department of Homeland Security (DHS), serving within the U.S. Citizenship and Immigration Services (USCIS) as both a contractor and federal employee. He began his career at USCIS in the Office of Security and Integrity (OSI), where he played a pivotal role standing up the agency’s national operations center and building DHS’s first classified system. He also collaborated closely with the intelligence and law enforcement communities to strengthen national security efforts.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.