A Practitioner’s Guide to Non-Human Identity Security

At some point in the last few years, most of us made a series of very smart decisions. We automated everything we could. Onboarding, offboarding, role changes, cross-system integrations, data pipelines — if it was repetitive, we scripted it, connected it, or orchestrated it. And honestly? It was glorious. Our teams got faster, our error rates dropped, and we stopped doing the digital equivalent of manually carrying buckets between buildings.

What we didn’t fully reckon with is that every automation we built came with an identity attached.

Service accounts. API keys. OAuth tokens. Machine-to-machine credentials. Workflow runner credentials. Integration platform secrets. Every one of these is a non-human identity (NHI) — an entity that authenticates to your systems and performs actions, just like a user does, except it never gets locked out for too many failed attempts, never takes a security awareness training, and never gets offboarded when a project ends.

And here’s the uncomfortable math: in most organizations today, machine identities outnumber human identities by roughly 100 to 1. The even more uncomfortable part? Most security programs were designed for the 1%, not the 99.
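As an added example that is not part of the original post, the following audit turns the gaps just described into concrete checks over an NHI inventory: orphaned owners, credentials that outlived their project, unrotated or unused credentials, and failed-authentication spikes that would have triggered a lockout for a human. The inventory schema, thresholds and sample identities are assumptions, not any particular product's data model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class NHI:
    name: str
    kind: str                 # service_account, api_key, oauth_token, ...
    owner: str                # the human accountable for this identity
    owner_active: bool        # False once that person has been offboarded
    project_active: bool      # False once the project the NHI served has ended
    created: date             # when the current credential was issued
    last_used: Optional[date] # None if it has never authenticated
    failed_auths_24h: int = 0 # failed authentications in the last day

MAX_CREDENTIAL_AGE = timedelta(days=90)   # rotate at least this often (assumed policy)
STALE_AFTER = timedelta(days=30)          # unused this long -> review or disable
FAILED_AUTH_THRESHOLD = 20                # NHIs never lock out, so alert instead

def audit_nhi(n: NHI, today: date) -> List[str]:
    """Return lifecycle and abuse findings for one NHI (empty list if clean)."""
    findings = []
    if not n.owner_active:
        findings.append("orphaned: owner offboarded")
    if not n.project_active:
        findings.append("never offboarded: project ended")
    if today - n.created > MAX_CREDENTIAL_AGE:
        findings.append("unrotated: credential older than 90 days")
    if n.last_used is None or today - n.last_used > STALE_AFTER:
        findings.append("stale: unused for 30+ days")
    if n.failed_auths_24h >= FAILED_AUTH_THRESHOLD:
        findings.append("credential guessing suspected: no lockout applies")
    return findings

def audit_inventory(inv: List[NHI], today: date) -> Dict[str, List[str]]:
    # Map each NHI name to its findings; identities with none are omitted.
    return {n.name: f for n in inv if (f := audit_nhi(n, today))}

# Constructed sample inventory; names, owners and dates are hypothetical.
AS_OF = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    NHI("ci-deploy-sa", "service_account", "alice", True, True,
        date(2024, 5, 15), date(2024, 5, 31)),
    NHI("legacy-etl-key", "api_key", "bob", False, False,
        date(2023, 1, 10), date(2023, 11, 2)),
    NHI("crm-sync-token", "oauth_token", "carol", True, True,
        date(2024, 4, 20), date(2024, 6, 1), failed_auths_24h=57),
]

def run_sample() -> Dict[str, List[str]]:
    return audit_inventory(SAMPLE_INVENTORY, AS_OF)
```

In a real program the inventory would be pulled from the secrets manager, cloud IAM and CI platform, and each finding routed to the named owner or, for orphaned identities, to the team that inherited the system.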