What Is a Non-Human Identity (NHI)?
A non-human identity (NHI) is any identity that is not a person: service accounts, workloads, bots, and increasingly AI agents, together with the credentials they authenticate with (API keys, OAuth tokens, certificates). In most organizations, NHIs now outnumber human identities many times over, yet they are governed far less closely: they rarely have a named owner, an expiry date, or an offboarding process.
Why NHIs are a growing risk
NHIs typically hold broad, standing privileges, cannot be protected with MFA, and carry long-lived credentials that are rarely rotated and easily copied into source code, CI logs, and chat. Leaked keys and over-permissioned service accounts are among the most common root causes of cloud breaches. See our secrets sprawl data for the scale of leaked credentials.
The new wave: AI agents
AI agents act on behalf of users, call APIs, and chain tools together. They need identities that are scoped to specific tools and actions, delegated so that the user the agent is acting for stays visible, auditable, and revocable. A traditional service account with a static, long-lived credential provides none of this: it cannot say on whose behalf it is acting, it usually holds the union of every permission anyone might need, and it keeps working until someone rotates it by hand. This is the focus of the emerging agentic and AI identity category and of the authorization layer of the Model Context Protocol (MCP), which builds on OAuth 2.1.
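The following added example (ours, not code from the page or from any MCP implementation) shows what "scoped, delegated, auditable, revocable" means in practice. It uses a hypothetical issuer and a simplified HMAC-signed token rather than a real OAuth server; the claim names `sub`, `act`, `aud`, `scope`, `exp` and `jti` follow their JWT meanings, and the `act` (actor) claim borrows the delegation idea from RFC 8693. The tool side rejects anything outside the token's audience, scope or lifetime, and an operator can revoke one token by its `jti` without touching the user or the agent.

```python
"""Scoped, delegated, revocable credentials for an AI agent (illustrative).

Constructed example with a hypothetical issuer key and token format; a real
deployment would use an OAuth 2.1 authorization server and asymmetric keys.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER_KEY = secrets.token_bytes(32)  # hypothetical shared HMAC key (issuer <-> tool)
REVOKED: set[str] = set()             # jti values an operator has revoked


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_agent_token(user: str, agent: str, audience: str, scope: list[str],
                     ttl: int = 300, now: float | None = None) -> str:
    """Issue a short-lived token: agent `act` acting for user `sub`, limited to
    one tool (`aud`) and an explicit list of operations (`scope`)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "act": agent, "aud": audience, "scope": scope,
              "iat": int(now), "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_agent_token(token: str, audience: str, required_scope: str,
                       now: float | None = None) -> dict:
    """Tool-side check. Returns the claims (for the audit log: who acted for
    whom) or raises PermissionError with the reason the call was denied."""
    now = time.time() if now is None else now
    if token.count(".") != 1:
        raise PermissionError("malformed")
    body, sig = token.split(".", 1)
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience:
        raise PermissionError("wrong audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("expired")
    if required_scope not in claims.get("scope", []):
        raise PermissionError("scope missing")
    if claims.get("jti") in REVOKED:
        raise PermissionError("revoked")
    return claims


def revoke(token: str) -> None:
    """Operator action: cut off one delegated token before it expires."""
    REVOKED.add(json.loads(_unb64(token.split(".", 1)[0]))["jti"])


def denial_reason(token: str, audience: str, required_scope: str,
                  now: float | None = None) -> str | None:
    try:
        verify_agent_token(token, audience, required_scope, now=now)
        return None
    except PermissionError as exc:
        return str(exc)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Issue a token, use it, then try the failure modes a tool must catch."""
    tok = mint_agent_token("alice", "report-bot", "crm-api", ["read:contacts"], ttl=300, now=now)
    ok = verify_agent_token(tok, "crm-api", "read:contacts", now=now)
    # Forgery attempt: widen the scope in the body but keep the old signature.
    body, sig = tok.split(".", 1)
    claims = json.loads(_unb64(body))
    claims["scope"].append("write:contacts")
    forged = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()) + "." + sig
    results = {
        "acting_for": f"{ok['act']} on behalf of {ok['sub']}",
        "over_scope": denial_reason(tok, "crm-api", "write:contacts", now=now),
        "wrong_aud": denial_reason(tok, "billing-api", "read:contacts", now=now),
        "expired": denial_reason(tok, "crm-api", "read:contacts", now=now + 301),
        "forged": denial_reason(forged, "crm-api", "write:contacts", now=now),
    }
    revoke(tok)
    results["after_revoke"] = denial_reason(tok, "crm-api", "read:contacts", now=now)
    return results
```

Because every accepted call yields both `sub` and `act`, the tool can log "report-bot acting for alice" rather than an anonymous service-account name, which is the auditability property a shared static key cannot give.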
How to manage them
Discover every NHI, including keys sitting in repositories and CI pipelines; replace standing privileges with short-lived, least-privilege credentials; rotate and vault the secrets that remain; and govern the lifecycle (owner, purpose, expiry, offboarding) as you would for a human account. Machine and workload identity and PKI tools handle the cryptographic side: issuing, rotating, and revoking the certificates and workload identities that back those credentials.
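As an added example (ours, not the page's or any vendor's tooling), the audit below applies those steps to a constructed NHI inventory: each record carries the account's roles, when its current key was created, when it was last used, and whether the secret lives in a vault. The role names, the 90-day rotation window and the 30-day dormancy threshold are assumptions for the illustration; adjust them to your own policy. The output is a per-account list of finding codes plus a ranking, so the accounts with standing admin rights and dormant, unvaulted keys come off the list first.

```python
"""Audit a non-human identity inventory for the common failure modes.

Constructed sample data and hypothetical policy thresholds; the record
fields mirror what a cloud IAM export or secrets scanner typically yields.
"""
from datetime import date
from typing import Optional

# Hypothetical policy: roles treated as standing admin, and day thresholds.
ADMIN_ROLES = {"roles/owner", "roles/editor", "admin"}
ROTATION_DAYS = 90
DORMANT_DAYS = 30

# Constructed inventory (not real accounts).
INVENTORY = [
    {"name": "ci-deployer", "kind": "service_account", "roles": ["roles/owner"],
     "key_created": "2023-01-10", "last_used": "2024-03-01", "in_vault": False},
    {"name": "report-bot", "kind": "api_key", "roles": ["read:reports"],
     "key_created": "2024-02-20", "last_used": "2024-03-05", "in_vault": True},
    {"name": "legacy-sync", "kind": "service_account", "roles": ["roles/editor"],
     "key_created": "2022-06-01", "last_used": None, "in_vault": False},
]
NOW = date(2024, 3, 6)  # fixed "today" so the audit is reproducible

# Finding code -> weight used for ranking remediation work.
WEIGHTS = {"standing_admin": 5, "dormant": 4, "unvaulted": 3, "rotation_overdue": 2}


def days_since(iso_day: Optional[str], today: date) -> Optional[int]:
    """Days between an ISO date string and `today`; None if never recorded."""
    if iso_day is None:
        return None
    return (today - date.fromisoformat(iso_day)).days


def audit_record(rec: dict, today: date) -> list:
    """Return the finding codes that apply to one NHI record."""
    findings = []
    if ADMIN_ROLES.intersection(rec["roles"]):
        findings.append("standing_admin")       # replace with short-lived, scoped grants
    age = days_since(rec["key_created"], today)
    if age is not None and age > ROTATION_DAYS:
        findings.append("rotation_overdue")     # rotate, then put on a schedule
    idle = days_since(rec["last_used"], today)
    if idle is None or idle > DORMANT_DAYS:
        findings.append("dormant")              # never or long unused: disable, then remove
    if not rec["in_vault"]:
        findings.append("unvaulted")            # secret lives outside a managed store
    return findings


def audit(inventory: list, today: date) -> dict:
    """Map each account name to its list of finding codes."""
    return {rec["name"]: audit_record(rec, today) for rec in inventory}


def risk_score(findings: list) -> int:
    return sum(WEIGHTS[f] for f in findings)


def prioritize(inventory: list, today: date) -> list:
    """Account names ordered by descending risk score (ties keep inventory order)."""
    results = audit(inventory, today)
    return sorted(results, key=lambda name: -risk_score(results[name]))


if __name__ == "__main__":
    report = audit(INVENTORY, NOW)
    for name in prioritize(INVENTORY, NOW):
        print(f"{name:12} score={risk_score(report[name]):2} {report[name]}")
```

Running this against a real export is the "discover" step made concrete: the dormant, over-privileged accounts it surfaces are the ones to disable first, and the unvaulted ones are the candidates for rotation into a secrets manager.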
Where to start
Read our blog on agentic AI identity, and the machine identity guide.