March 2, 2026

What is a Non-Human Identity (NHI)?

A non-human identity (NHI) is any digital identity that represents a system, service, or automated process—rather than a person—and uses credentials to authenticate and access resources.

Main takeaways

  • NHIs include service accounts, API keys, OAuth tokens, machine certificates, and AI agents—each representing a distinct, often persistent access pathway into organizational systems.
  • NHIs typically outnumber human identities in modern organizations, yet most identity governance programs were designed around human users and don't account for them well.
  • Unlike human identities, NHIs don't go through standard offboarding, don't reset their own credentials, and don't trigger behavioral anomaly alerts—making compromised NHI credentials difficult to detect and contain.
  • Over-permissioned NHIs are a common lateral movement pathway in breaches: an attacker who compromises one service account inherits whatever access that account holds across connected systems.
  • Every AI agent, automation workflow, and SaaS integration creates at least one NHI. As agentic AI proliferates, the NHI inventory grows faster than most teams can track.

What is a non-human identity?

Human identity governance has a long history—provisioning, deprovisioning, MFA, role-based access control, access reviews. NHIs exist largely outside that history. They weren't designed for the same lifecycle. An API key doesn't go through onboarding. A service account doesn't trigger an HR offboarding workflow when the team that created it disbands. An OAuth token granted three years ago for an integration that's no longer in use doesn't expire on its own. The governance tooling and processes built for human identities simply don't extend to NHIs by default.

The scale of the problem compounds the governance challenge. In most organizations, NHIs significantly outnumber human users—sometimes by an order of magnitude. Each integration between SaaS applications, each automation workflow, each CI/CD pipeline, each AI agent creates one or more NHIs that need credentials to function. Those credentials accumulate faster than anyone inventories them.

Types of non-human identities

The NHI landscape is diverse:

  • Service accounts—User-like accounts created for applications or systems to authenticate to other services. Often granted broad permissions and rarely reviewed.
  • API keys—Shared secrets used to authenticate programmatic access to services. Frequently over-permissioned, rarely rotated, and often stored insecurely in code repositories.
  • OAuth tokens—Access grants created when a user authorizes one application to access another on their behalf. Persist after the user forgets about them or leaves the organization.
  • Machine certificates—Cryptographic credentials used by servers, containers, and devices to authenticate to each other in zero-trust architectures.
  • AI agents—Autonomous AI systems that operate with their own credentials, permissions, and access grants across tools and data sources.

Governing NHIs in SaaS environments

The governance principles that apply to NHIs are the same as those for human identities—least-privilege access, lifecycle management, regular access reviews—but the implementation is different.

Discovery is the first requirement. Most organizations don't have a complete inventory of their NHIs, particularly the OAuth tokens and API keys created informally through SaaS integrations. You can't review access you don't know exists.

From discovery, the key governance actions are: right-sizing permissions to the minimum required for each NHI's function, establishing credential rotation policies for API keys and service account passwords, and ensuring that when a human identity is offboarded, the NHIs that depended on it are also reviewed and decommissioned.
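As an added example (not Nudge Security's code or tooling), the Python below applies the governance actions described above to the output of a discovery step: it takes a small NHI inventory and flags each identity that is over-permissioned (granted scopes never exercised), past its credential rotation policy, orphaned because its human owner has been offboarded, or dormant. Every identity name, scope, owner, date and rotation threshold is constructed for the example; the rotation policy values are illustrative, not a standard.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Rotation policy per NHI kind, in days. Constructed values for this example,
# not a standard; a real program sets these according to its own risk appetite.
ROTATION_POLICY_DAYS = {
    "service_account": 180,
    "api_key": 90,
    "oauth_token": 365,
    "machine_cert": 365,
    "ai_agent": 90,
}


@dataclass(frozen=True)
class NHI:
    """One non-human identity as a discovery step would record it."""
    name: str
    kind: str                    # key into ROTATION_POLICY_DAYS
    owner: str                   # human identity that created or sponsors it
    scopes: frozenset[str]       # permissions granted
    scopes_used: frozenset[str]  # permissions actually exercised (e.g. from audit logs)
    last_rotated: date           # when the credential was last issued or rotated
    last_used: date | None       # None if the credential has never authenticated


def unused_scopes(nhi: NHI) -> frozenset[str]:
    """Granted permissions never exercised: candidates for right-sizing."""
    return nhi.scopes - nhi.scopes_used


def rotation_overdue(nhi: NHI, today: date) -> bool:
    """True if the credential is older than the rotation policy for its kind."""
    return (today - nhi.last_rotated).days > ROTATION_POLICY_DAYS[nhi.kind]


def orphaned(nhi: NHI, offboarded_users: set[str]) -> bool:
    """True if the human who owned this NHI has been offboarded."""
    return nhi.owner in offboarded_users


def dormant(nhi: NHI, today: date, max_idle_days: int = 90) -> bool:
    """True if the NHI has not authenticated within max_idle_days (or ever)."""
    return nhi.last_used is None or (today - nhi.last_used).days > max_idle_days


def review(inventory: list[NHI], offboarded_users: set[str], today: date) -> dict[str, list[str]]:
    """Return sorted finding codes per NHI name; NHIs with no findings are omitted."""
    findings: dict[str, list[str]] = {}
    for nhi in inventory:
        codes = []
        if unused_scopes(nhi):
            codes.append("over_permissioned")
        if rotation_overdue(nhi, today):
            codes.append("rotation_overdue")
        if orphaned(nhi, offboarded_users):
            codes.append("orphaned")
        if dormant(nhi, today):
            codes.append("dormant")
        if codes:
            findings[nhi.name] = sorted(codes)
    return findings


# Constructed sample inventory, one NHI of each kind named in the glossary.
SAMPLE_INVENTORY = [
    NHI("ci-deploy-bot", "service_account", "alice",
        frozenset({"repo:read", "repo:write", "deploy", "billing:read"}),
        frozenset({"repo:read", "deploy"}), date(2025, 1, 10), date(2026, 3, 1)),
    NHI("slack-export-key", "api_key", "jordan",
        frozenset({"chat:read"}), frozenset({"chat:read"}),
        date(2025, 12, 15), date(2026, 2, 20)),
    NHI("calendar-sync-grant", "oauth_token", "alice",
        frozenset({"calendar:read", "contacts:read"}), frozenset(),
        date(2023, 2, 14), date(2023, 6, 30)),
    NHI("mesh-gateway-cert", "machine_cert", "platform-team",
        frozenset({"mtls:gateway"}), frozenset({"mtls:gateway"}),
        date(2026, 1, 15), date(2026, 3, 2)),
    NHI("support-triage-agent", "ai_agent", "bob",
        frozenset({"tickets:read", "tickets:write", "customers:read", "refunds:issue"}),
        frozenset({"tickets:read", "tickets:write"}), date(2026, 2, 1), date(2026, 3, 2)),
]
OFFBOARDED_USERS = {"jordan"}   # constructed: a human identity already deprovisioned
TODAY = date(2026, 3, 2)        # fixed so the review is reproducible

if __name__ == "__main__":
    for name, codes in review(SAMPLE_INVENTORY, OFFBOARDED_USERS, TODAY).items():
        print(f"{name}: {', '.join(codes)}")
```

The offboarding check is the one human-identity governance tools usually miss: `slack-export-key` authenticates normally and is within its rotation window, so nothing about the credential itself looks wrong, yet its only owner has left. Feeding the inventory the offboarded-user list is what surfaces it.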
