Intragen Security and IAM Blog

Non-Human Identity: Not New

Written by Niall McLoughlin | June 30, 2025

Everyone’s talking about Non-Human Identity like it’s a fresh idea. It’s not.

Most of the posts by peers and betters in the Identity and Access Management (IAM) industry are pretty much aligned on NHI. Yes, it needs focus. No, it’s not new.

If you’ve ever:

  • Scheduled a cron job
  • Configured a service account
  • Shoved a static API key into a config file (and forgot it existed)
  • Given Jenkins access to your entire cloud estate
  • Shared a database login across three apps and a script...

Congratulations. You’ve been managing Non-Human Identities your entire career. You just didn’t call them that.

It’s always been tricky

Humans (HI) are awful at being authenticated identities. They forget passwords, click phishing links, complain. They do, however, show up in the audit log and other people generally know who they are, and how to find them. They are in the company directory.

Non-humans (NHI)? They don’t rotate credentials. They don’t raise support tickets. They don’t leave the company. They're immortal and invisible outside of logs or someone’s brain. If you’re really lucky, they exist inside of a design document that you don’t have access to...

It’s messy handling them for a few reasons:

  • There’s zero consistency: one service wants OAuth, another only supports long-lived API keys. One uses SAML assertions; another expects HTTP headers.
  • There’s no ownership. Ask “Who owns this integration?” and watch the Slack thread spiral or experience a variety of tumbleweed gifs.
  • There’s rarely lifecycle. That account you created for a PoC three years ago? Still has admin. Still works. Still has more access than the CTO.
  • There’s no observability. You see the activity. You just have no idea who (or what) it actually is.

So everyone does the same thing: improvise. Bolt together whatever the IdP, the vendor, the application or the security policy will tolerate. Usually that also includes an MFA bypass because the client can’t handle it. It works until it doesn’t, and if you are looking at your access risks...this is up there at the top.

It reminds me of the XKCD cartoon about dependency, except replace that library the kid is writing with all the NHIs. Full credit to XKCD/2347 here but I’ve had some help adjusting the cartoon (see right).


So why the noise now?

Because of AI? That’s an attention grabber to hang it off. Mostly because more systems act without human input and more 'non-humans' are making decisions, writing code, deploying apps and exfiltrating data when compromised! That last point is our focus.


What is really happening?

It does need better tools, but that’s not the main change, as many NHI requirements are already catered for in standards and protocols. NHI does deserve investment and focus, not just from the security vendors but from the SaaS vendors as well. Ultimately that service account is connecting to a business service, not a security service. It has been ignored for too long. If it had feelings like an HI, it would have low self-worth and would have seen all the young kids get promoted ahead of it. But no more...it’s time to shine.

The new NHI tooling is focusing on the few points below, which shows why it now needs focus. These have been issues forever. Forever:

  • Scoped, short-lived credentials
  • Strong support for standard authentication options
  • Real ownership (someone who’ll delete it when it’s not needed)
  • Auditable behaviour (“some script did it”)
  • Credential rotation that doesn’t require downtime and a belief in higher beings to trigger.
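To make those points concrete, here is an added example (not code from the original post or from Intragen) that turns them into a hygiene check over a service-account inventory: no owner, long-lived credential type, no rotation policy or overdue rotation, admin-level scope, and no recent activity in the audit log. The inventory, names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    owner: Optional[str]              # who will delete it when it is not needed
    auth: str                         # oauth_client_credentials | static_api_key | shared_password
    credential_issued: date           # when the current secret was minted
    max_credential_age: Optional[timedelta]  # None: no rotation policy at all
    scopes: tuple                     # granted permissions
    last_used: Optional[date]         # from the audit log; None if never seen

LONG_LIVED = ("static_api_key", "shared_password")
ADMIN_SCOPES = ("admin", "*")

def findings(nhi: NonHumanIdentity, today: date, stale_after=timedelta(days=90)) -> list:
    """Return the hygiene problems for one NHI, in the order the post raises them."""
    out = []
    if not nhi.owner:
        out.append("no owner")
    if nhi.auth in LONG_LIVED:
        out.append(f"long-lived credential ({nhi.auth})")
    if nhi.max_credential_age is None:
        out.append("no rotation policy")
    elif today - nhi.credential_issued > nhi.max_credential_age:
        out.append("credential overdue for rotation")
    if any(s in ADMIN_SCOPES for s in nhi.scopes):
        out.append("admin-level scope")
    if nhi.last_used is None or today - nhi.last_used > stale_after:
        out.append(f"unused for more than {stale_after.days} days")
    return out

def riskiest_first(inventory, today: date) -> list:
    """Names ordered by finding count, worst first; stable for ties."""
    return [n.name for n in sorted(inventory, key=lambda n: -len(findings(n, today)))]

# Constructed sample inventory (made-up names and dates); TODAY is the post date.
TODAY = date(2025, 6, 30)
INVENTORY = (
    NonHumanIdentity("poc-etl-runner", None, "static_api_key", date(2022, 5, 1), None, ("admin",), date(2025, 6, 28)),
    NonHumanIdentity("billing-sync", "platform-team", "oauth_client_credentials", date(2025, 2, 1), timedelta(days=90), ("invoices:read",), date(2025, 6, 29)),
    NonHumanIdentity("jenkins-deployer", "ci-team", "oauth_client_credentials", date(2025, 6, 1), timedelta(days=30), ("*",), TODAY),
    NonHumanIdentity("legacy-report-db", "data-team", "shared_password", date(2021, 1, 1), None, ("reports:read",), None),
)
if __name__ == "__main__":
    for name in riskiest_first(INVENTORY, TODAY):
        nhi = next(n for n in INVENTORY if n.name == name)
        print(f"{name}: {', '.join(findings(nhi, TODAY)) or 'ok'}")
```

The three-year-old PoC account from the post comes out on top: unowned, static key, never rotated, admin scope, and still in use.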

What is happening is a shared understanding that Non-Human Identity isn’t an edge case — it’s becoming the majority case.