What is non-human identity (NHI)?
Non-human identity (NHI) is any identity that authenticates without a human present: service accounts, API keys, OAuth client credentials, certificates, workload identities (SPIFFE, cloud IAM roles), and increasingly AI agents. In most enterprises NHIs outnumber human identities by 10-to-1 or more, yet they are governed far less rigorously — making them one of the fastest-growing attack surfaces in 2026.
Why NHI is suddenly a category
Cloud-native architecture multiplied non-human identities: every microservice, pipeline, function, and integration needs to authenticate. Then AI agents arrived — autonomous systems acting on behalf of users, each needing its own scoped, short-lived identity. The result is an identity population that is mostly non-human, mostly long-lived, and mostly ungoverned. Secrets sprawl (credentials scattered across repos, CI systems, and config) is the symptom most teams notice first.
The OWASP Non-Human Identity Top 10 (2025-2026) codified the risk classes: improper offboarding, secret leakage, vulnerable third-party NHIs, insecure authentication, over-privileged NHIs, and more. The throughline: the lifecycle controls that are routine for human identities — provisioning, rotation, least privilege, deprovisioning — are rarely applied to NHIs.
Machine identity management — the governance answer
Machine identity management applies the joiner/mover/leaver discipline to non-human identities: every NHI has an owner, a justified scope, a rotation schedule, and a deprovisioning path. Secrets move into a vault (HashiCorp Vault, cloud secret managers) with rotation; workload identities use platform-native attestation (SPIFFE/SPIRE, AWS IRSA, GCP Workload Identity) instead of static credentials; and an inventory tracks what exists, who owns it, and when it was last rotated.
- Inventory every NHI — service accounts, keys, certs, workload identities, agents.
- Assign an owner and a justified scope to each.
- Vault + rotate secrets; prefer attested workload identity over static credentials.
- Deprovision NHIs when their workload is decommissioned (the most-missed control).
- Treat AI agents as a distinct NHI class — short-lived, scoped, delegated, audited.
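The governance paragraph above and the five-point checklist describe the same lifecycle controls; the following is an added example, written for this page and not code from OWASP or any vendor, that runs those controls as an audit over an inventory. The record format, the field names, the rotation limits and the five sample identities are all assumptions; in a real estate the records would come from vault metadata, cloud IAM APIs and a deployment inventory.

```python
# Added example for this page: a lifecycle audit over a constructed NHI
# inventory. It is not OWASP's or any vendor's code; the field names,
# thresholds and sample records are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2026, 3, 1)  # fixed "now" so the results are deterministic

# Maximum age before a credential counts as long-lived (assumed policy values).
# None means there is no stored secret to rotate: the platform attests the
# workload at runtime (SPIFFE/SPIRE, AWS IRSA, GCP Workload Identity).
MAX_AGE_DAYS = {
    "static_secret": 90,   # API keys, OAuth client secrets, passwords
    "certificate": 365,    # TLS/mTLS client certificates
    "attested": None,
    "agent_token": 1,      # AI agents get short-lived delegated credentials
}


@dataclass
class NHI:
    name: str
    kind: str                  # service_account | api_key | workload | agent ...
    credential: str            # one of the MAX_AGE_DAYS keys
    owner: Optional[str]       # accountable team or person
    scopes: list[str]          # granted permissions
    last_rotated: Optional[date]
    workload_active: bool      # is the thing that uses it still deployed?
    delegated_by: Optional[str] = None  # agents: the principal they act for


def audit(nhi: NHI, today: date = TODAY) -> list[str]:
    """Return the lifecycle-control failures for one identity.

    Each check is one of the controls the page lists: offboarding,
    ownership, least privilege, rotation, attested identity instead of
    static secrets, and delegation for agents.
    """
    findings: list[str] = []
    if not nhi.workload_active:
        findings.append("improper offboarding: workload decommissioned, identity still active")
    if nhi.owner is None:
        findings.append("no owner: nobody can justify the scope or approve rotation")
    if any(s == "*" or s.endswith(":*") for s in nhi.scopes):
        findings.append("over-privileged: wildcard scope")
    limit = MAX_AGE_DAYS[nhi.credential]
    if limit is not None:
        if nhi.last_rotated is None:
            findings.append("long-lived secret: never rotated")
        else:
            age = (today - nhi.last_rotated).days
            if age > limit:
                findings.append(f"long-lived secret: {age}d old, limit {limit}d")
    # Assumes workloads run on a platform that can attest them at runtime.
    if nhi.kind == "workload" and nhi.credential == "static_secret":
        findings.append("static credential where attested workload identity is available")
    if nhi.kind == "agent" and nhi.delegated_by is None:
        findings.append("agent credential not bound to a delegating principal")
    return findings


def audit_inventory(inventory: list[NHI], today: date = TODAY) -> dict[str, list[str]]:
    """Map each NHI name to its findings; an empty list means compliant."""
    return {nhi.name: audit(nhi, today) for nhi in inventory}


# Constructed sample inventory (not real identities).
INVENTORY = [
    NHI("payments-ci-deploy-key", "api_key", "static_secret", "platform-team",
        ["deploy:prod"], date(2025, 10, 1), True),
    NHI("legacy-report-bot", "service_account", "static_secret", None,
        ["*"], None, False),
    NHI("orders-svc", "workload", "attested", "orders-team",
        ["orders:read", "orders:write"], None, True),
    NHI("inventory-svc", "workload", "static_secret", "inventory-team",
        ["inventory:read"], date(2026, 2, 15), True),
    NHI("support-agent", "agent", "agent_token", "support-team",
        ["tickets:read"], date(2026, 2, 27), True, delegated_by="alice"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it shows the shape of a typical estate: the attested workload passes cleanly, the orphaned service account trips four controls at once (no owner, wildcard scope, never rotated, workload gone), and the agent fails only because its one-day token limit is stricter than the 90-day limit for ordinary static secrets. The useful part is the `workload_active` column: it is the input most inventories lack, and without it the most-missed control (deprovisioning) cannot be checked at all.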
Common questions.
What counts as a non-human identity?
Any identity that authenticates without a human: service accounts, API keys, OAuth client credentials, TLS/mTLS certificates, workload identities (SPIFFE, cloud IAM roles), bots, and AI agents. If it has credentials and calls something, it is an NHI.
Why are non-human identities a security risk?
NHIs outnumber humans 10-to-1 in most estates but are governed far less rigorously — they are often long-lived, over-privileged, and lack a deprovisioning path. Leaked secrets and orphaned service accounts are leading breach vectors. The OWASP NHI Top 10 catalogs the specific risk classes.
What is the difference between NHI and machine identity?
They are largely synonymous. "Machine identity" historically emphasized certificates and workload credentials; "non-human identity (NHI)" is the broader 2025-2026 term that also covers service accounts, API keys, and AI agents. Machine identity management is the practice of governing them.
The whole picture, in one place.
This explainer is part of our complete guide to IAM — authentication, authorization, governance, privileged access, the standards, and how to run a program.