Non-Human Identity Governance: A Problem That Didn't Exist at Scale Before
Identity Security · Field Guide

Non-Human Identity Governance: a problem that didn't exist at scale before.

Service accounts, AI agents, workload identities, and API tokens now outnumber your employees ten-to-one. Active Directory was never built for them. This is the field guide for fixing that — with commands you can run today, flowcharts that show the decisions, and procedures your auditors will actually accept.

10:1
NHIs vs. human users in the typical 2026 enterprise
18.1M
API keys & tokens recaptured by SpyCloud in 2025
6.2M
AI tool credentials leaked via infostealer malware
~70%
of enterprise NHIs run with permissions exceeding actual usage

The shift, in one diagram

If you ran an Active Directory audit ten years ago, you were mostly counting people. Run that same audit today and the math has flipped. Service accounts, workload identities, API tokens, CI/CD runners, OAuth apps, RPA bots, and now AI agents — they outnumber humans by an order of magnitude, and almost none of them go through the joiner-mover-leaver process that governs human accounts.

FIG 01 — The 10:1 Identity Shift
2016 — IDENTITIES MOSTLY HUMAN HUMANS NHIs ~5,000 ~800 10 YEARS 2026 — IDENTITIES MOSTLY NON-HUMAN HUMANS NHIs ~5,500 ~55,000 ↳ NHI BREAKDOWN Service accounts~12,000 Workload identities~18,000 API keys & tokens~15,000 CI/CD & bots~7,500 AI agents~2,500 ↑ REPRESENTATIVE MID-MARKET ENTERPRISE
Composition typical of a 5,000-employee enterprise with cloud-native architecture and active DevOps adoption. AI agent counts reflect 2026 acceleration.

The risk profile is also different. Human identities go through onboarding and offboarding. NHIs frequently get created during a project, granted broad permissions to make the application work, and then quietly persist after the project ends, the owner leaves, and the documentation rots. The result is overprivilege at industrial scale — a standing attack surface that grows every quarter and almost never shrinks on its own.

The failure loop you're trying to break

Almost every NHI breach we see in the field follows the same six-step pattern. The pattern is so predictable that the entire governance program can be designed around interrupting specific steps.

FIG 02 — The NHI Failure Loop & Where Governance Breaks It
1. Identity created to solve immediate need 2. Granted broad rights "so the app doesn't break" 3. Credential goes stale never rotated, fear of outage 4. Owner leaves project ends, no handoff 5. Identity persists forgotten, still privileged 6. Compromised stolen, reused, exploited R S O L M INTERVENTIONS R — RBAC / least privilege S — Secrets automated rotation O — Ownership escalation L — Lifecycle auto-decommission M — Monitoring & behavioral
The five governance pillars each break a specific step in the failure loop. A program missing any one pillar leaves the loop intact at that step.

Step 1 — Discover what you actually have

Every mature NHI program starts with the same painful realization: nobody knows how many non-human identities the organization actually has. The first deliverable isn't a policy. It's a certifiable inventory — a continuously updated source of truth covering every machine identity across AD, Entra ID, your clouds, your secrets vault, your CI/CD platform, and your SaaS apps.

1.1 Find every AD service account with a non-expiring password ~30 sec

Non-expiring passwords are the most common static-credential risk in AD. This single command will surface them all.

PowerShell · Active Directory 
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} `
  -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, ServicePrincipalName |
  Where-Object { $_.ServicePrincipalName -or $_.SamAccountName -like "svc_*" } |
  Select-Object SamAccountName, PasswordLastSet, LastLogonDate, `
    @{N="DaysSinceRotation";E={(New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days}} |
  Sort-Object DaysSinceRotation -Descending |
  Format-Table -AutoSize
→ Expected output
A table of every enabled service-flagged account with PasswordNeverExpires set, sorted by oldest credential first. Anything over 365 days is your priority list.
1.2 Find dormant NHIs — no auth in 90+ days ~45 sec

Dormant identities are either decommissioned-in-spirit (good — disable them) or compromised-and-not-yet-used (bad — investigate them). Either way, they shouldn't stay enabled.

PowerShell · Active Directory 
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {Enabled -eq $true} `
  -Properties LastLogonDate, ServicePrincipalName, Description |
  Where-Object { ($_.ServicePrincipalName -or $_.SamAccountName -like "svc_*") `
    -and ($_.LastLogonDate -lt $cutoff -or $null -eq $_.LastLogonDate) } |
  Select-Object SamAccountName, LastLogonDate, Description |
  Export-Csv -Path "dormant-nhis.csv" -NoTypeInformation
→ Expected output
CSV of every NHI with no logon in 90+ days. Do not bulk-disable. Pipe through the decision tree below first — some legitimate identities run on quarterly cadences.
1.3 List Entra ID service principals with admin consent ~1 min

Cloud-side, the equivalent of an over-privileged service account is an OAuth app or service principal that was granted admin consent for tenant-wide permissions. These are the highest-value targets for token theft.

Microsoft Graph PowerShell · Entra ID 
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"

Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    $perms = Get-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $sp.Id -ErrorAction SilentlyContinue
    if ($perms) {
        [PSCustomObject]@{
            DisplayName = $sp.DisplayName
            AppId = $sp.AppId
            PermissionCount = $perms.Count
        }
    }
} | Where-Object { $_.PermissionCount -gt 0 } |
    Sort-Object PermissionCount -Descending
→ Expected output
Ranked list of service principals with admin-consented permissions. Anything in the top 20 with more than 5 permissions deserves a manual review this week.
1.4 Audit Domain Admins for service accounts (the "fix this Friday" check) ~15 sec

Service accounts in Domain Admins is the #1 finding in every IR engagement we see. Run this and act on the result the same day.

PowerShell · Active Directory 
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
  Get-ADUser -Properties ServicePrincipalName, Description, LastLogonDate |
  Where-Object { $_.ServicePrincipalName -or $_.SamAccountName -like "svc_*" `
    -or $_.Description -match "service|app|automation|backup|sql" } |
  Select-Object SamAccountName, Description, LastLogonDate |
  Format-Table -AutoSize
→ Expected output
If this returns any rows, you have urgent remediation work. The correct answer is zero. Service accounts that genuinely need elevated rights should hold scoped delegations or live in PAM-vaulted Tier 0 groups, not Domain Admins.

The first 30 days of an NHI program are about making the unknown known. Until you have a complete inventory, every governance control you build sits on top of guesswork.

What the inventory needs to capture for each non-human identity:

  • Identity type and credential type — what it is and how it authenticates
  • Named human owner — a specific person, with a documented backup
  • Business purpose — what would break if this identity were disabled
  • Privilege level — what it can access today
  • Last activity — when it last did something
  • Rotation status — when its credential was last refreshed

The inventory is never "done." It's a continuously running pipeline, not a one-time audit project. Most organizations underestimate this and end up with a snapshot that's stale within weeks.

★ Risk to flag at the next steering committee
Most enterprises we work with discover, during inventory, that 15–30% of their service accounts have no identifiable owner. This is the orphaned identity population, and it's the cleanest set of attacker-friendly assets in the environment.

Decision tree: is this NHI safe to disable?

The single most useful tool for the cleanup phase. Click through the questions for any candidate identity and the tree returns a concrete action.

Is this NHI safe to disable?
Click an option to walk the tree. The path stays visible at the bottom.
When did this identity last authenticate?
Does it have an identified, currently-employed owner?
Does its known business purpose still exist?
Does it hold any privileged group memberships or Tier 0 access?
Was it created in the last 30 days?
→ KEEP — but recertify now
Active identity with an identified owner. Trigger out-of-cycle recertification to confirm permissions match current usage. Add to the next quarterly review batch.
⚠ INVESTIGATE — possible orphaned but active
Active credential without an owner is a high-priority anomaly. Don't disable yet — first identify what system is using it (check authentication source IPs and target resources). Then assign an owner or schedule controlled decommission.
→ KEEP — schedule rotation
Legitimate but underused. Rotate credentials on the next maintenance window, force into the standard lifecycle, and document the low usage so the next reviewer doesn't repeat the analysis.
✓ DECOMMISSION
Disable the account, monitor for 14 days for downstream alerts, then delete. Archive credential rotation history and audit logs per retention policy.
⚠ QUARANTINE — controlled disable
Don't delete. Disable with a 14-day quarantine: revoke active sessions, log all attempted authentications. If something breaks, you'll know exactly what depended on it. If nothing breaks, decommission permanently.
⚠ HIGH RISK — disable today
Dormant + privileged is the worst combination in the inventory. Disable immediately, force credential rotation, and audit recent privilege use for the past 12 months. If the account has been used in the last year despite "dormant" status, treat as a potential compromise indicator.
✓ DISABLE — standard cleanup
Disable, monitor 14 days, delete. Low-privilege dormant accounts are the cleanest decommission candidates — high volume, low risk, fast progress on inventory reduction.
→ HOLD — likely in deployment
Recently provisioned identities often haven't authenticated yet. Confirm with the requester. If creation is older than 14 days with still no auth, treat as never-old (next branch).
⚠ DELETE — provisioned and abandoned
An identity created and never used is almost always a deployment failure or a half-finished project. Disable, then delete after 14 days. Update intake process to require activation within 14 days or auto-cleanup.

Ownership: the organizational fix

Inventory alone doesn't solve governance. NHI ownership does. Every non-human identity needs a named human owner who is accountable for it. Not "IT." Not "the application team." A specific person.

Without explicit ownership, two things happen. First, access certifications become rubber-stamping, because nobody wants to be the person who disabled the account that broke production. Second, when something does go wrong, there's no one to call.

Primary Owner Named individual, Employee ID
Backup Owner Acts when primary unavailable
Accountable Team Routes team-level transitions
Escalation Path HR-triggered when owner exits
★ The escalation-path hack that actually works
Wire the NHI registry into the HR offboarding workflow. When an employee is offboarded, the system automatically flags every NHI they own and routes ownership reassignment to their manager before the AD account is disabled. This single integration eliminates ~80% of orphaned-identity creation at the source.

RBAC for machine identities

Once you know what you have and who owns it, the next question is what each identity is allowed to do. Role-Based Access Control is the structural mechanism that enforces least privilege at scale. Machine identities have far more predictable access requirements than humans, which is the structural advantage RBAC exploits — a backup service knows exactly which file shares it needs; a deployment runner knows exactly which environments it touches.

The four-step RBAC pattern

  1. Define roles based on function, not identity. role-backup-reader, role-deployment-runner-prod.
  2. Scope each role to the minimum permission set required, on the minimum resource set required.
  3. Assign identities to roles. Never grant permissions directly to the identity.
  4. Review role definitions quarterly and prune permissions unexercised in 90+ days.

Find permission drift in your existing roles

Azure CLI · Cloud RBAC drift 
az role assignment list --all `
  --query "[?principalType=='ServicePrincipal']" -o json |
jq -r ".[] | [.principalName, .roleDefinitionName, .scope] | @tsv" |
sort | uniq -c | sort -rn | head -50
→ Expected output
The 50 most-assigned role/scope combinations across your service principals. The top of this list is where overprivilege lives — service principals with Contributor or Owner at subscription scope are the first targets for scope reduction.

Secrets management

Non-human identities authenticate with secrets — passwords, API keys, certificates, OAuth tokens. The 18.1 million tokens SpyCloud recaptured didn't escape from vaults. They escaped from source code, config files, shared spreadsheets, and Slack messages. A real secrets program has four pillars:

FIG 03 — The Secrets Management Stack
PILLAR 01 Centralized vaulting Vault · Secrets Manager Key Vault · CyberArk Apps fetch at runtime. No secrets in code. Hardcoded = incident. PILLAR 02 Auto-rotation Short-lived > static OAuth, certs, managed IDs Manual quarterly rotation across thousands of NHIs is a fantasy. PILLAR 03 Zero-downtime rotation Dual-credential pattern Provision new → verify auth → revoke old. PILLAR 04 Pipeline scanning Pre-commit · CI/CD scan Repo-level detection Catch leaks before they reach prod. CI/CD = NHI source. FOUNDATION · NO SECRETS IN SOURCE CONTROL · NO SECRETS IN CONFIG FILES · NO SECRETS IN SLACK

Detect committed secrets in your repos right now

CLI · gitleaks (open source) 
# Scan current repo for committed secrets, full history
gitleaks detect --source . `
  --report-format json `
  --report-path leak-report.json `
  --verbose
→ Expected output
JSON report listing every detected secret by file, line, commit, and type. Run this against every repo in your org. Rotate every detected secret immediately — finding one in git history means it's been in every clone since the commit landed.

Lifecycle management

The operational backbone. Every NHI moves through four stages, and weakness in any one of them undermines the others.

FIG 04 — The NHI Lifecycle
01 PROVISION owner · purpose scope · rotation policy → before identity created 02 CERTIFY evidence-based recertification → quarterly · usage data 03 MODIFY owner request + approval + audit → no silent grants 04 DEPROVISION revoke · remove archive · update inventory → skipping = orphan RECURRING CYCLE — CREDENTIAL ROTATION EMBEDDED IN EACH PASS

A mature lifecycle program directly prevents the accumulation of orphaned and stale identities — they exist precisely because deprovisioning gets skipped. It also embeds credential rotation as a recurring lifecycle event rather than a special project, which is the only way rotation actually happens at scale.

Continuous monitoring & behavioral analytics

Governance controls established at provisioning time aren't enough on their own. RBAC, secrets management, and lifecycle workflows define what should happen. They don't tell you what is happening right now.

For each NHI, establish a behavioral baseline (expected source IPs, auth times, target resources, privilege use, data volumes), then alert on meaningful deviations. The matrix below maps the four observed patterns to concrete responses.

Normal source
Abnormal source
Normal behavior
✓ Baseline
Service account authenticating from its known application server, accessing its expected resources at expected times.
→ No action. This is your steady state.
⚠ Anomalous source
Backup account authenticating from a new build server. Same operations, different origin.
→ Verify recent infra change. Could be planned migration or stolen credential.
Abnormal behavior
⚠ Scope creep
Monitoring agent suddenly calling admin APIs it never touched before, from its usual host.
→ Possible permission drift or compromised process on the host. Investigate.
⚠ High confidence breach
CI/CD credential authenticating from residential IP in a country you don't operate in, enumerating buckets it never accessed.
→ Treat as active incident. Revoke credential. Rotate. Hunt.

Find authentication from unusual source IPs (Sentinel/KQL)

KQL · Microsoft Sentinel / Defender 
SigninLogs
| where TimeGenerated > ago(7d)
| where ServicePrincipalName != "" or AppDisplayName != ""
| summarize SourceIPs = make_set(IPAddress),
            AuthCount = count() by ServicePrincipalName, AppDisplayName
| extend IPCount = array_length(SourceIPs)
| where IPCount > 3
| sort by IPCount desc
→ Expected output
Service principals authenticating from more than 3 distinct IPs in the last week. Most service identities should authenticate from a small, stable set of sources. Outliers warrant investigation.

The hardest case: governing AI agents

AI agents break assumptions that even modern NHI programs rely on. A traditional service account does one thing. An AI agent, by design, decides what to do next, calls APIs, queries databases, writes to systems, and chains tools together based on a prompt. The traditional notion of "expected behavior" gets fuzzy.

01

Scoped identity per agent

Never share service accounts between agents. One distinct agent instance = one distinct identity.

02

Tool-level authorization

"Read CRM" is not the same as "Send email as user". Force permissions to be scoped at the tool/function level below the identity.

03

Action-level audit logging

Agent identity + original prompt + specific tool used + target resource + outcome. Log every single invocation.

When something goes wrong with an AI agent, you need to be able to answer: which agent did this, on whose behalf, under what policy? A shared identity makes all three questions unanswerable. Tool-level scoping is what prevents the prompt-injection pattern where an attacker convinces the agent to use a capability it technically has but shouldn't be using in this context.

Mapping NHI controls to regulatory frameworks

Most regulatory frameworks don't say "non-human identity" by name. The requirements absolutely apply — they're just phrased generically. A practical mapping:

Framework NHI-Relevant Requirement Governance Control
GDPR (Art. 32) Appropriate technical and organizational measures to secure personal data NHI inventory, RBAC, audit trails for any NHI accessing personal data
NIS2 Access control, incident detection, supply chain security Lifecycle management, continuous monitoring, third-party NHI governance
DORA ICT risk management, identity and access management for financial entities Full lifecycle, evidence-based recertification, secrets management
SOC 2 (CC6) Logical access controls, least privilege, periodic access review RBAC, access certification, NHI ownership
ISO 27001 (A.9) Access control policy, user access management, system access All of the above, plus documented policy

The pattern: every framework asks for access control, audit evidence, periodic review, and incident response. A mature NHI program built on lifecycle management, RBAC, secrets management, and continuous monitoring produces this evidence automatically and continuously, instead of as a fire drill before the audit.

The 9-month roadmap

Most organizations cannot do all of this at once, and they shouldn't try. Here's the sequence that works.

PHASE 01
Months 1–2
Discover
Build inventory across AD, Entra, clouds, vault, CI/CD. Accept incompleteness; iterate.
PHASE 02
Months 2–3
Classify & own
Group by type and privilege. Assign named owners. Identify the orphaned population.
PHASE 03
Months 3–4
Reduce risk
Disable orphans (carefully). Strip unused admin rights. Rotate stale credentials.
PHASE 04
Months 4–6
Lifecycle
Stand up the provisioning intake. Make it the only supported path. Build recertification.
PHASE 05
Months 6–9
Behavioral monitoring
Baseline high-privilege NHIs first. Tune alerting. Extend coverage.
PHASE 06
Ongoing
Continuous improvement
Move from annual audits to continuous evidence-based controls. Extend to AI agents.

The 15-minute weekly NHI hygiene checklist

Once the program is running, this is what keeps it healthy. Block 15 minutes on a calendar every Friday afternoon and run through it.

If the count goes up week-over-week, your provisioning intake is leaking. Either the intake isn't being used, or the auto-decommission rule isn't firing. Investigate before next Friday.

Anything that appeared this week was added by someone, somehow, without going through normal approvals. Find out who and why before close of business.

Your vault should expose a metric for "secrets overdue for rotation." If it's non-zero, the auto-rotation pipeline is broken or the application is rejecting rotated credentials. Either way, fix it this week.

Tune false positives aggressively. An alert system the team has learned to ignore is worse than no alerting at all. Every alert should result in an action: confirm baseline, tune threshold, or investigate.

For every employee who left this week, verify their NHIs were either reassigned or queued for decommission. This is the single highest-leverage step for preventing orphan accumulation.

The bottom line

The directory is no longer a roster of people. It's a control plane for an automated enterprise. Govern it accordingly.

Non-human identity governance is the most significant structural shift in identity security right now, and it didn't exist at this scale even three years ago. AI agents are accelerating the curve, not creating it — service accounts and workload identities were already outpacing humans before LLMs showed up. Agents are just making the gap impossible to ignore.

For sysadmins: the mental model has to shift. Service accounts are not plumbing. They are identities, and they need ownership, least privilege, lifecycle control, credential protection, and behavioral monitoring — the same controls human identities have had for two decades.

For CTOs and COOs: this is a control-plane investment, not a tool purchase. The organizations that build a real NHI governance discipline in 2026 will have cleaner directories, faster audits, fewer breaches, and the ability to deploy AI agents in production without wondering what they're actually doing in there. The ones that don't will keep finding out the hard way, one infostealer report at a time.