Managing NHIs in the enterprise

Enterprise concerns about managing non-human identities create channel opportunities


In March 2025, ITPro reported that almost 12,000 passwords and live API keys had been found in a dataset used to train large language models (LLMs). Security experts placed the blame on identity and access management processes that are failing to keep up with the introduction of new technologies. One commentator observed that credential leakage from machine-to-machine authentication is a long-standing and growing risk.

Two weeks after the ITPro article, at our UNITE channel partner conference, I spoke to many consultants, CIOs, and CISOs who expressed deep concerns about the management of non-human identities (NHIs).

NHIs have proliferated as a result of the integration of various products within the enterprise, the introduction of service accounts as part of process automation, IoT, and the advent of robotic process automation. These systems all need to be authenticated to be able to talk to each other. This introduced a slew of non-human identities that have access to enterprise systems and exposure to third parties, and which need to be governed as carefully as human identities.

Identity and access management has certainly become more complex owing to the proliferation of OAuth tokens, API keys, service accounts, and certificates. While employees’ access is managed and revoked via an organization’s joiner, mover, and leaver processes, when it comes to machine-to-machine authentication, many tokens are not revoked for months on end. The lack of visibility and control over orphaned tokens can create an unprotected attack surface for bad actors.

Depending on which report you read, NHIs within the typical enterprise now outnumber employees, customers, and contractors by a factor of 10:1. Some have even calculated this at 92:1 for large enterprises with multiple automated processes.

However, I see more opportunities than obstacles.

The evolution of identity ecosystems presents a clear opportunity for channel partners to add value to their enterprise customers by objectively quantifying the risk and providing visibility of all the NHIs associated with security, authorization, and authentication.

Enterprises need to know what types of NHIs have access, what roles they perform, which tokens have not been rotated, and which are idle.

Channel partners can help their enterprise customers to take that first step by auditing the NHI estate and providing recommendations that enable a structured NHI governance model to be created.

The application of agentic AI within enterprises opens up the potential to use machine learning data productively to enhance IAM for human and machine identities. What’s currently missing is comprehensive management and governance of agentic AI.

So, the next point of value that channel partners can bring is customized integrations. A lot of the tooling that their enterprise customers have invested in doesn’t integrate out of the box. As an example, Identity Governance and Administration (IGA) solutions support centralized policies and automated workflows that help reduce operational costs while ensuring that employees can access the resources they need.

IGA solutions are now using machine learning. Threat detection and response uses AI too. Disaster recovery practices also have their own machine learning and AI.

Because these agentic AI tools don’t yet interact seamlessly, channel partners could deliver the required customization. This will allow each AI system to accept triggers from the others and provide greater overall visibility of the IAM ecosystem. That’s a huge opportunity for the channel to step in and help enterprises manage the risk from NHIs, while enabling them to deliver analytical insights like never before.

Robert Kraczek
Global strategist, One Identity

Robert has more than three decades of security experience, with a specialization in Identity security.

His responsibilities include working with customers to develop a strategy to solve their security challenges as well as helping set the future direction of the One Identity portfolio.

Over the years, Robert has implemented solutions and advised customers in all major industries as well as local, state and federal governments.