Non-Human Identity Governance: Field Tips for 2026
You locked down your human logins years ago: SSO, MFA, a joiner-mover-leaver process, access reviews every quarter. The machine identities never got that treatment, and they bred. Service accounts, API keys, OAuth tokens, SSH keys, CI jobs, RPA bots, and now AI agents. In cloud-native shops these non-human identities (NHIs) outnumber people 144:1 (Entro Labs, H1 2025); even cautious enterprise-wide counts sit at 45:1. They rarely expire, nobody owns them, and SOC 2, ISO 27001, PCI DSS, and NIST 800-53 mostly leave them in a grey zone. OWASP cared enough to publish a Non-Human Identities Top 10 for 2025, and the headline risks are boring on purpose: improper offboarding, leaked secrets, over-privilege, and long-lived credentials. If someone just handed you "go govern the machine identities," here is what actually moves the needle, in roughly the order I'd do it. The tips Build one correlated inventory before you touch a single permission. The thing that kills most NHI programs on day one is partial visibility: secrets in a vault, service accounts in IAM, tokens scattered across SaaS apps, certs in a fourth place. Stop inventorying by storage location and key it by identity instead, joining each credential to an owner, a last-used timestamp, and its permissions. Start with what the cloud APIs hand you for free. # AWS: IAM users acting as service accounts + when their keys last worked aws iam list-users --query 'Users[].UserName' --output text \ | xargs -n1 -I {} aws iam list-access-keys --user-name {} \ --query 'AccessKeyMetadata[].[UserName,AccessKeyId,CreateDate]' --output text Replace static cloud keys in CI with OIDC workload identity federation. A long-lived AWS_SECRET_ACCESS_KEY or a GCP JSON key file sitting in CI secrets is the classic NHI breach path, and rotating it is a chore nobody does on schedule. GitHub Actions can trade a short-lived OIDC token for cloud access that expires in about an hour and is scoped to one job, so there's no stored secret to leak