Non-Human Identity

May 14, 2026 · 2 min read

Your company has thousands of employees. IT knows who they are, what they can access, and when to revoke their credentials. There is an onboarding process. There is an offboarding process. There are reviews.

Your company also has thousands of non-human identities. Nobody is managing them the same way.

A non-human identity is any account, credential, or token that belongs to a machine rather than a person. Service accounts that run automated processes. API keys that connect one system to another. OAuth tokens that let applications act on behalf of users. Certificates that authenticate servers to each other. The bots, agents, pipelines, and scripts that keep modern infrastructure running all have identities, and most of those identities have privileges.

The problem is simple and severe. When a person leaves a company, someone offboards them. Their accounts are disabled, their credentials revoked, their access removed. When a service account is created for a project that ends, nobody offboards it. It just sits there, active, credentialed, forgotten, sometimes for years. In a typical enterprise, non-human identities outnumber human identities by ten to one. Most organizations have no complete inventory of them. They couldn't tell you how many exist, what they can access, or when they were last used.

Attackers know this. A compromised service account is often more valuable than a compromised human account. It raises fewer alerts. It doesn't take vacations. It rarely gets its password reset. The SolarWinds attackers used service account credentials to move laterally through government networks for nine months. Nobody noticed because the accounts looked like they were just doing their jobs. They were. They just had a new employer.

The rise of AI makes this worse. Every AI agent you deploy is a non-human identity. Every automated workflow, every API integration, every script running in your CI/CD pipeline. The attack surface is growing faster than any organization is managing it.

You cannot secure what you have not counted, and most organizations have never finished counting.
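
The three questions above (how many exist, what they can access, when they were last used) can be asked of a merged credential inventory. The following is an added example, not part of the original post. The record fields, the 90-day staleness threshold and the scope naming convention are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. In practice these rows would be merged from
# exports of the IdP, cloud IAM, secrets manager and CI/CD system.
INVENTORY = [
    {"id": "svc-billing-export", "kind": "service_account", "owner": "finance-eng",
     "scopes": ["db:read"], "last_used": "2026-05-10T08:00:00+00:00"},
    {"id": "key-migration-2023", "kind": "api_key", "owner": None,
     "scopes": ["storage:admin"], "last_used": "2023-11-02T14:30:00+00:00"},
    {"id": "ci-deploy-token", "kind": "oauth_token", "owner": "platform",
     "scopes": ["deploy:write", "secrets:read"], "last_used": None},
    {"id": "agent-support-bot", "kind": "ai_agent", "owner": "support",
     "scopes": ["tickets:write"], "last_used": "2026-05-13T23:59:00+00:00"},
]

PRIVILEGED_MARKERS = ("admin", "write", "secrets")  # assumed scope naming convention

def count_by_kind(inventory):
    """How many exist: identities counted per type."""
    counts = {}
    for ident in inventory:
        counts[ident["kind"]] = counts.get(ident["kind"], 0) + 1
    return counts

def review(inventory, now, stale_after_days=90):
    """Return {identity id: [findings]} for identities needing offboarding review."""
    cutoff = now - timedelta(days=stale_after_days)
    findings = {}
    for ident in inventory:
        issues = []
        if not ident.get("owner"):
            issues.append("no owner")      # nobody is accountable for offboarding it
        last = ident.get("last_used")
        if last is None:
            issues.append("never used")    # or no usage telemetry; both need a look
        elif datetime.fromisoformat(last) < cutoff:
            issues.append("stale")
        # Dormant or ownerless identities that still hold privileges go first.
        if issues and any(m in s for s in ident["scopes"] for m in PRIVILEGED_MARKERS):
            issues.append("privileged")
        if issues:
            findings[ident["id"]] = issues
    return findings

if __name__ == "__main__":
    now = datetime(2026, 5, 14, tzinfo=timezone.utc)
    print(count_by_kind(INVENTORY))
    for ident_id, issues in review(INVENTORY, now).items():
        print(f"{ident_id}: {', '.join(issues)}")
```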