You locked down your human logins years ago: SSO, MFA, a joiner-mover-leaver process, access reviews every quarter. The machine identities never got that treatment, and they bred. Service accounts, API keys, OAuth tokens, SSH keys, CI jobs, RPA bots, and now AI agents. In cloud-native shops these non-human identities (NHIs) outnumber people 144:1 (Entro Labs, H1 2025); even cautious enterprise-wide counts sit at 45:1. They rarely expire, nobody owns them, and SOC 2, ISO 27001, PCI DSS, and NIST 800-53 mostly leave them in a grey zone. OWASP cared enough to publish a Non-Human Identities Top 10 for 2025, and the headline risks are boring on purpose: improper offboarding, leaked secrets, over-privilege, and long-lived credentials. If someone just handed you "go govern the machine identities," here is what actually moves the needle, in roughly the order I'd do it.

The tips

Build one correlated inventory before you touch a single permission. The thing that kills most NHI programs on day one is partial visibility: secrets in a vault, service accounts in IAM, tokens scattered across SaaS apps, certs in a fourth place. Each of those stores has its own list, and none of them can tell you whether the thing it holds is still used, who owns it, or what it can do. Stop inventorying by storage location and key it by identity instead: join every credential to the principal it authenticates (the stable identifier, an IAM ARN or service-account ID, not the secret value itself), then attach an owner, a last-used timestamp, and its effective permissions. Start with what the cloud APIs hand you for free, such as the AWS IAM credential report and access-key last-used data, and treat "never used" and "no owner" as first-class findings rather than missing data.
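Here is what such a join looks like in practice, as an added example that is not code from the original post or from any vendor tool. It correlates three constructed sources on the identity ARN: a CSV in the column shape of the AWS IAM credential report (a subset of the real report's columns; the real one comes back base64-encoded from `aws iam get-credential-report`), a vault listing whose metadata is assumed to carry the IAM ARN of the user the stored key belongs to, and an owner map assumed to come from an `Owner` tag or CMDB export. The policy map, the 90-day thresholds and all account numbers and names are assumptions for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible
STALE = timedelta(days=90)                         # assumed policy window for use and rotation

# Constructed sample in the column shape of the AWS IAM credential report
# (subset of columns; the real report has more). Not real account data.
CREDENTIAL_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
svc-ci-deploy,arn:aws:iam::111122223333:user/svc-ci-deploy,true,2025-07-20T10:00:00+00:00,2025-08-31T22:10:00+00:00,false,N/A,N/A
svc-legacy-etl,arn:aws:iam::111122223333:user/svc-legacy-etl,true,2020-06-15T10:00:00+00:00,2024-11-01T03:00:00+00:00,true,2023-01-01T00:00:00+00:00,N/A
svc-metrics,arn:aws:iam::111122223333:user/svc-metrics,true,2025-08-01T00:00:00+00:00,2025-08-30T00:00:00+00:00,false,N/A,N/A
"""

# Constructed: what the other stores know. Assumed formats: vault metadata
# carries the IAM ARN, the owner map is an Owner-tag export, and the policy map
# is what list-attached-user-policies would return.
VAULT_SECRETS = [
    {"path": "kv/ci/aws-deploy", "metadata": {"iam_arn": "arn:aws:iam::111122223333:user/svc-ci-deploy"}},
    {"path": "kv/obs/aws-metrics", "metadata": {"iam_arn": "arn:aws:iam::111122223333:user/svc-metrics"}},
]
OWNERS = {  # svc-legacy-etl deliberately has no owner
    "arn:aws:iam::111122223333:user/svc-ci-deploy": "platform-team",
    "arn:aws:iam::111122223333:user/svc-metrics": "observability",
}
POLICIES = {
    "arn:aws:iam::111122223333:user/svc-ci-deploy": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "arn:aws:iam::111122223333:user/svc-legacy-etl": ["arn:aws:iam::111122223333:policy/etl-s3-read"],
    "arn:aws:iam::111122223333:user/svc-metrics": ["arn:aws:iam::111122223333:policy/cw-put-metrics"],
}
ADMIN_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}


def _ts(value):
    """The credential report uses ISO-8601 timestamps or the literals N/A / no_information."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def build_inventory(report_csv, vault_secrets, owners, policies, now=NOW, stale=STALE):
    """Join every store on the identity ARN; return one record per identity with findings."""
    vault_by_arn = {}
    for secret in vault_secrets:
        vault_by_arn.setdefault(secret["metadata"]["iam_arn"], []).append(secret["path"])

    inventory = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        arn = row["arn"]
        creds = []
        for n in ("1", "2"):                      # the report exposes two access-key slots
            if row[f"access_key_{n}_active"] != "true":
                continue
            creds.append({
                "kind": f"access_key_{n}",
                "rotated": _ts(row[f"access_key_{n}_last_rotated"]),
                "last_used": _ts(row[f"access_key_{n}_last_used_date"]),
            })
        used = [c["last_used"] for c in creds if c["last_used"]]
        rec = {
            "owner": owners.get(arn),
            "last_used": max(used) if used else None,   # identity-level, across all its credentials
            "credentials": creds,
            "vault_paths": vault_by_arn.get(arn, []),
            "permissions": policies.get(arn, []),
            "findings": [],
        }
        findings = rec["findings"]
        if rec["owner"] is None:
            findings.append("no-owner")
        # an active key that was never used, or not used inside the window, is a removal candidate
        if any(c["last_used"] is None or now - c["last_used"] > stale for c in creds):
            findings.append("unused-credential")
        if any(c["rotated"] and now - c["rotated"] > stale for c in creds):
            findings.append("stale-rotation")
        # an active key no vault entry points at is living somewhere you do not control
        if creds and not rec["vault_paths"]:
            findings.append("active-key-unvaulted")
        if set(rec["permissions"]) & ADMIN_POLICIES:
            findings.append("overprivileged")
        inventory[arn] = rec
    return inventory


if __name__ == "__main__":
    for arn, rec in build_inventory(CREDENTIAL_REPORT, VAULT_SECRETS, OWNERS, POLICIES).items():
        name = arn.rsplit("/", 1)[-1]
        print(f"{name:16} owner={rec['owner']} last_used={rec['last_used']} findings={rec['findings']}")
```

The point of the join is visible in the output: `svc-legacy-etl` looks fine in the vault (it is not there at all), fine in the tag export (no entry), and fine in IAM (two active keys), and only the correlated record shows it has no owner, one key unused for ten months, one key never used, and nothing under vault control. Each finding maps to a concrete next action (assign an owner, disable the key, move the secret), which is why the inventory has to exist before any permission work starts.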