The NHIMG 2025 report documents a 144:1 ratio of machine identities to human identities across enterprise environments. Not a rounding error. Not a measurement artifact from a cloud-native outlier. A 144:1 structural condition that exists right now, inside the perimeter you are paying to defend — and which your IGA dashboard is not reflecting, because IGA dashboards were built to count humans. This is the gap LENS™ surfaces in nearly every enterprise posture diagnostic: not that machine identities are unprotected, but that they are uncounted, which means the denominator in every access review, every certification campaign, every risk report you have delivered to the board is wrong. Systematically. Predictably. At scale.
Your human identities have password policies. They have MFA enforcement. They have joiner-mover-leaver workflows, periodic access certifications, and at least the organizational fiction of a review process. Your machine identities — the service accounts, API keys, OAuth tokens, pipeline credentials, workload identities, and bot accounts accumulating across your cloud control planes and SaaS directories — have none of that. They provision themselves. They are never reviewed. And when the engineer who created them leaves, they do not leave with them.
This is not a gap in your tools. It is a gap in what your program has agreed to govern.
The NHI Blindspot That's Bankrupting Your Security Posture
The CyberArk 2024 Identity Security Threat Landscape report, drawn from 2,400 enterprise security respondents, found that machine identities already outnumber human identities in the majority of surveyed organizations — and that the growth rate is accelerating, not stabilizing. The NHIMG 2025 State of Non-Human Identity report sharpens the exposure: 97% of NHIs carry excessive privileges relative to their actual operational function. Not a minority of legacy accounts. Not the ones flagged in last quarter's audit. Ninety-seven percent.
The GitGuardian State of Secrets Sprawl 2024 report adds a commit-level dimension that changes the scope of the problem entirely. Hardcoded secrets — API keys, service account credentials, OAuth client secrets — appear in source code repositories at a rate that has compounded year over year, with the median time-to-detection measured in months, not hours. The credential has already been committed. It has already been pushed. If the repository is internal, it has already been accessible to every developer with clone rights. If it was ever public, even briefly, the window of exposure is permanent — secrets scraped from public repositories do not expire when the repository goes private.
SailPoint IdentityNow's certification campaign architecture illustrates the structural problem precisely: the platform assumes a human reviewer has operational context on what a service account is actually doing in production. That assumption is false for the overwhelming majority of machine identity governance programs. A reviewer looking at a service account named svc-etl-prod-07 with permissions across three cloud environments and two SaaS APIs cannot certify that access — they can only click approve or escalate, and the escalation path leads to a queue that nobody owns. The review happens. The governance theater is complete. The risk is unchanged.
MITRE ATT&CK technique T1552 — Unsecured Credentials — and T1078 — Valid Accounts — are the two techniques that appear most consistently in post-breach forensic timelines involving machine identity abuse. They are not exotic. They do not require zero-days. They require a threat actor who finds a credential that was never rotated, attached to an account that was never reviewed, with permissions that were never scoped. The CISA Known Exploited Vulnerabilities catalog contains multiple entries for identity-adjacent libraries and authentication products that were weaponized specifically because the machine identity surface area gave attackers a stable, long-lived foothold to exploit.

The diagram above illustrates the NHI GOVERNANCE COVERAGE DEFICIT MODEL framework — mapping the key governance layers, dependency chains, and risk vectors discussed in this analysis.
How Attackers Weaponize Service Accounts, API Keys, and Bot Credentials Before Breakfast
The attack path is not sophisticated. That is the point.
A threat actor identifies a publicly exposed API key — via a GitHub repository, a misconfigured S3 bucket, or a CI/CD pipeline artifact — and validates it against the target API. The key is active. It was created eighteen months ago by an engineer who has since left the organization. The offboarding workflow terminated the engineer's directory account and revoked their SSO sessions. It did not touch the API key, because the API key was provisioned outside the IdP and was never linked to the engineer's human identity in any system of record.
The key carries read and write permissions on a cloud storage bucket. The threat actor uses it. The SIEM generates no alert, because the API key has been making calls to that bucket continuously for eighteen months, and the behavioral baseline treats the activity as normal. T1078 Valid Accounts is not a noisy technique. Valid credentials, used at normal hours, against systems they have always accessed, produce almost no signal. The audit log shows the key. It does not show the person using it.
CyberArk Privileged Access Manager addresses the human privileged account layer with session recording, just-in-time access provisioning, and credential vaulting. Those controls are mature, well-understood, and correctly deployed in most enterprises that have a PAM program. The machine identity layer is a different architectural problem. PAM was not designed to manage the lifecycle of 144 machine identities for every one human — and the vault integration patterns that work for human privileged sessions do not translate cleanly to the high-velocity, ephemeral credential patterns of cloud workloads, containerized services, and CI/CD pipelines.
Orphaned service accounts compound the problem in a specific way that practitioners understand but organizations refuse to address directly: nobody will disable them, because nobody can confirm they are safe to disable. The account has been running for three years. It touches production. The engineer who built it is gone. The team that inherited the system has tribal knowledge that it "does something important" but cannot specify what. Disabling it creates an incident risk. Leaving it creates a breach risk. Organizations consistently choose the breach risk, because the incident risk is immediate and attributable, while the breach risk is deferred and diffuse.
That is not a technical problem. That is an accountability vacuum — and it is the condition LENS™ is specifically designed to surface before a threat actor surfaces it first. The accountability vacuum has a precise organizational shape. It sits at the intersection of three teams that each believe the problem belongs to someone else: IAM owns provisioning, not operations; platform engineering owns infrastructure, not identity governance; application teams own their services, not their credentials. No single team has the mandate, the visibility, or the tooling to govern the full lifecycle of a machine identity from creation to rotation to decommission. The credential outlives the system. The system outlives the team. The team outlives the policy. This is not dysfunction — it is the predictable output of an IAM architecture designed around human provisioning workflows applied to a deployment pattern that was never part of the original design.
The framework diagram that maps this gap plots two axes: identity provisioning velocity on the horizontal, and governance coverage depth on the vertical. Human identities cluster in the upper-left quadrant — low provisioning velocity, high governance coverage. Joiner-mover-leaver workflows, certification campaigns, access reviews — the full IGA apparatus was built for this quadrant. Machine identities cluster in the lower-right: provisioned at pipeline speed, governed at almost zero depth. The gap between those two clusters is not a feature gap. It is a structural design failure. The governance apparatus was never extended to the quadrant where the majority of identities now live. Every organization that has deployed SailPoint IdentityIQ or SailPoint IdentityNow for human IGA and assumed the same certification campaign logic applies to service accounts is operating with a governance model that covers the smaller half of its identity population by count, and a smaller fraction still by risk surface.
The specific failure mode inside SailPoint's certification architecture is worth naming precisely. Certification campaigns in IdentityNow are built around the assumption that a human manager or application owner has operational context on what an identity is doing — who it serves, whether the access is still needed, whether the entitlement set is appropriate. For a human identity, that assumption holds imperfectly but often adequately. For a service account, it fails structurally. The certifier reviewing a service account entitlement has no runtime visibility into what that account has actually called, what APIs it has touched, or whether any of its permissions have been exercised in the last 90 days. They are certifying based on documentation that is frequently stale, ownership that is frequently nominal, and a business justification that was written at provisioning time and never updated. The certification passes. The excessive privilege persists. The account remains a valid lateral movement vector.
CyberArk's Identity Security Landscape report, drawing on responses from 2,600 enterprise security professionals, documents that machine identities outnumber human identities by ratios that average well above 40:1 across respondent organizations — and in cloud-native environments, the NHIMG 2025 State of NHI report places that ratio at 144:1. CyberArk's Conjur and Secrets Manager products address the credential storage and rotation layer of this problem, and they do it well at the infrastructure tier. But credential rotation is a subset of machine identity governance — it solves the secret management problem without solving the entitlement review problem, the ownership attribution problem, or the decommission lifecycle problem. An organization running CyberArk for secrets management and SailPoint for human IGA has addressed two separate layers of the problem and left the connective tissue — the governance layer that maps machine identities to their entitlements, their owners, and their lifecycle state — entirely unaddressed.
The OWASP NHI Top-10 formalizes this gap in risk terms. NHI-6 (Insecure Authentication) and NHI-8 (Lack of Non-Human Identity Governance) map directly to the structural failure described above: authentication credentials that persist beyond their operational need, and governance programs that have no inventory of the identities they are supposed to be governing. MITRE ATT&CK T1078 (Valid Accounts) remains the dominant initial access technique in enterprise breaches precisely because valid service account credentials require no exploit — they authenticate successfully against every control that was designed to stop invalid credentials. The credential is legitimate. The governance that should have rotated, scoped, or decommissioned it never ran.
This is the layer where the modern deployment pattern multiplies the structural failure in a way that manual processes cannot absorb. GitHub Actions workflows provisioned with OIDC tokens that carry cloud permissions defined at workflow creation and never reviewed represent exactly the same accountability vacuum as the orphaned service account — but provisioned at a velocity that makes individual review impossible. A single platform engineering team operating a moderately active CI/CD environment can provision hundreds of workflow identities in a quarter. Each carries permissions. Each has a scope that was defined at creation time based on what the developer needed that day. None of them are being reviewed in a certification campaign. None of them have a named owner who receives a quarterly entitlement attestation. The GitHub Actions identity is architecturally identical to the orphaned service account in every governance-relevant dimension — except it was provisioned this sprint instead of three years ago.
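An added example, not from the article: the difference between an over-broad and a scoped trust condition for a GitHub Actions OIDC identity, written in the shape of the AWS IAM StringEquals/StringLike condition block. The evaluator is a simplified stand-in for the cloud provider's own check, and every claim set below is constructed.

```python
"""Evaluate constructed GitHub Actions OIDC claim sets against a trust condition.
Simplified model of the AWS IAM condition semantics; not the provider's own code."""
from fnmatch import fnmatchcase

ISSUER = "token.actions.githubusercontent.com"   # condition keys are "<issuer>:<claim>"

def trusts(condition: dict, claims: dict) -> bool:
    """True only if the token satisfies every entry of the trust condition.
    'StringEquals' needs an exact match, 'StringLike' allows * and ? globs;
    a list of allowed values matches if any one of them does."""
    for operator, tests in condition.items():
        for key, allowed in tests.items():
            claim = key.split(":", 1)[1]           # strip the issuer prefix
            value = claims.get(claim, "")          # missing claim never matches
            patterns = allowed if isinstance(allowed, list) else [allowed]
            if operator == "StringEquals":
                ok = value in patterns
            elif operator == "StringLike":
                ok = any(fnmatchcase(value, p) for p in patterns)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True

# Weak condition: any repository in the org, any branch, any pull_request run
# all assume the same cloud role, so hundreds of workflows share one identity.
WEAK = {"StringLike": {f"{ISSUER}:sub": "repo:acme/*"}}

# Scoped condition: one repository, one protected branch, audience pinned.
SCOPED = {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com",
                           f"{ISSUER}:sub": "repo:acme/web:ref:refs/heads/main"}}

def token(repo: str, ref: str) -> dict:
    """Constructed claim set in the shape GitHub issues for a branch-triggered run."""
    return {"sub": f"repo:{repo}:ref:{ref}", "aud": "sts.amazonaws.com",
            "repository": repo, "ref": ref}

PROD_DEPLOY = token("acme/web", "refs/heads/main")
PR_RUN = {"sub": "repo:acme/web:pull_request", "aud": "sts.amazonaws.com",
          "repository": "acme/web", "ref": "refs/pull/42/merge"}
OTHER_REPO = token("acme/sandbox", "refs/heads/feature")
```

Under WEAK all three runs assume the role; under SCOPED only the main-branch deploy of acme/web does.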
The same pattern appears in LangGraph-based agent chains where an AI agent calling an external API inherits the OAuth token of the initiating user session with no per-tool authorization step. The audit trail records the human operator who initiated the session. It does not record what the agent called, what data it read, or what permissions it exercised during execution. The agent's identity is invisible to the governance layer. Its actions are attributed to a human who did not take them. The entitlement review, if it runs at all, certifies access that a human held nominally and an agent exercised materially. Manual governance at quarterly review cadence is structurally incapable of closing this gap when agent deployments provision new identity contexts at the velocity of a sprint cycle.
Actionable Knowledge Gap
The specific gap LENS™ surfaces in this domain is not whether your organization has a machine identity policy — most do, on paper. It is whether your governance program has runtime inventory of every non-human identity, with ownership attribution and last-used telemetry attached, across cloud control planes, CI/CD pipelines, and SaaS OAuth grants simultaneously.
Can you produce, right now, a complete inventory of every non-human identity in your environment — with a named human owner, a last-authenticated timestamp, and a documented rotation status — for every service account, pipeline credential, and OAuth grant currently active in production?
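As an added example (not part of the article or any vendor's product), this is the reconciliation that the questions above and the certification gap described earlier call for: a constructed inventory spanning cloud, CI/CD and SaaS OAuth sources is checked against the active-human directory and usage telemetry, so each identity gets owner, dormancy, rotation and unexercised-entitlement findings instead of an approve button. Record fields, thresholds and all sample data are assumptions.

```python
"""Reconcile a constructed machine-identity inventory with the active-human directory
and usage telemetry. Field names, thresholds and records are all assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
STALE_DAYS = 90                                     # no authentication this long = dormant
ROTATION_DAYS = 180                                 # credential older than this = overdue

@dataclass
class NHI:
    name: str
    source: str                    # where it was discovered: cloud, ci-cd, saas-oauth
    owner: str | None              # human owner of record, if any
    last_auth: datetime | None     # last successful authentication seen in telemetry
    last_rotated: datetime | None  # last credential rotation, if ever
    granted: frozenset[str]        # entitlements attached to the identity
    exercised: frozenset[str]      # entitlements actually used in the telemetry window

def audit(nhi: NHI, active_humans: set[str], now: datetime = NOW) -> list[str]:
    """Findings for one identity; an empty list means nothing to remediate."""
    findings = []
    if nhi.owner is None:
        findings.append("no-owner")
    elif nhi.owner not in active_humans:
        findings.append("orphaned")            # owner was offboarded, credential was not
    if nhi.last_auth is None or now - nhi.last_auth > timedelta(days=STALE_DAYS):
        findings.append("dormant")
    if nhi.last_rotated is None or now - nhi.last_rotated > timedelta(days=ROTATION_DAYS):
        findings.append("rotation-overdue")
    unused = sorted(nhi.granted - nhi.exercised)
    if unused:
        findings.append("unexercised:" + ",".join(unused))   # scope-down candidates
    return findings

def audit_inventory(inventory: list[NHI], active_humans: set[str], now: datetime = NOW):
    """Map identity name -> findings across every source at once."""
    return {n.name: audit(n, active_humans, now) for n in inventory}

ACTIVE_HUMANS = {"alice", "bob"}        # constructed directory; "carol" has left
INVENTORY = [
    NHI("svc-etl-prod-07", "cloud", "carol", NOW - timedelta(days=1),
        NOW - timedelta(days=548),
        frozenset({"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}),
        frozenset({"s3:GetObject", "s3:PutObject"})),
    NHI("gha-deploy-web", "ci-cd", "alice", NOW - timedelta(hours=2),
        NOW - timedelta(days=30), frozenset({"deploy:prod", "iam:PassRole"}),
        frozenset({"deploy:prod"})),
    NHI("oauth-grant-notifier", "saas-oauth", None, None, None,
        frozenset({"chat:write"}), frozenset()),
    NHI("svc-billing", "cloud", "bob", NOW - timedelta(days=10),
        NOW - timedelta(days=30), frozenset({"db:read"}), frozenset({"db:read"})),
]
```

Running `audit_inventory(INVENTORY, ACTIVE_HUMANS)` flags the still-active but orphaned ETL account, the never-used and ownerless OAuth grant, and the unexercised entitlements on each, while the billing account comes back clean.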
Three years ago, I was sitting in a board prep session with a CISO at a 12,000-person financial services firm. She had spent six weeks preparing an identity risk report. Certification campaign completion: 98%. Access review coverage: enterprise-wide. The board was satisfied. Two months later, a threat actor walked in through a service account that hadn't been reviewed in 26 months — because it had never appeared in a single certification campaign. It wasn't in SailPoint. It wasn't in the PAM vault. It existed in a cloud control plane that no IGA workflow had ever touched. The breach cost more than the entire identity program budget for that year.
That experience is not an outlier. The NHIMG 2025 report documents a 144:1 ratio of machine identities to human identities across enterprise environments.
Non-human identities in that same environment routinely number in the tens of thousands — and in cloud-native organizations running distributed microservices, the ratio climbs toward fifty-to-one or beyond. Yet the governance investment, the tooling budget, and the policy maturity applied to NHI consistently lag their human-identity counterparts by years.
This is not a technology failure. The telemetry exists. The APIs are available. The credential vaults are deployed. The failure is architectural — governance programs built around the assumption that identity is something a person holds, reviewed in a provisioning workflow, and revoked through an HR offboarding trigger. Non-human identities don't offboard. They accumulate. They persist across system migrations, vendor transitions, and organizational restructures, carrying entitlements that were provisioned for a specific context that no longer exists, owned by a team that has been dissolved, and authenticated last by a pipeline that hasn't run in eight months — or one that runs every thirty seconds in a production workload no one has mapped to a business owner.
The organizations that will navigate the agentic AI transition without a credential-based catastrophe are not necessarily the ones with the most sophisticated tooling. They are the ones that treated non-human identity governance as a first-order security program — not an IT hygiene task — before the pressure arrived. That means continuous runtime inventory, not quarterly attestation cycles. It means ownership attribution enforced at provisioning, not reconstructed after an incident. It means rotation as an operational default, not a remediation action. And it means extending every one of those disciplines into the agent layer before the agent layer extends beyond your ability to govern it.
The window for proactive posture work in this domain is narrowing. Every sprint cycle that ships a new agentic workflow without a corresponding NHI governance checkpoint is a sprint cycle that adds unreviewed identity surface to an environment that is already under-inventoried. The compounding effect is not linear — each ungoverned credential is a potential pivot point, and pivot points multiply attack path options in ways that don't become visible until an adversary is already moving laterally.
Fayaz Mulla Syed is an IAM and Cybersecurity leader and practitioner who has spent 13+ years at the forefront of enterprise identity — architecting, delivering, and evolving IAM programs across Life Sciences, Healthcare, Automotive, and Telecom. He brings rare depth across the full identity stack: from privileged access and identity governance to zero trust architecture and cloud identity — having worked hands-on in some of the most complex, regulated environments in the industry. He is the founder of IAM Posture™ — a vendor-neutral scoring platform built to cut through vendor noise and give organizations a clear, architectural view of where their identity program actually stands.
