CSA: Non-Human Identities Are the Largest Ungoverned Population
Key Finding
You cannot govern what you cannot enumerate. Most organisations cannot enumerate their non-human identities, which is why they cannot rotate, audit, or revoke them at speed.
The Cloud Security Alliance's research on non-human identity security has tracked a consistent pattern across 2023-2025: NHIs (service accounts, API keys, OAuth grants, machine identities, AI agents) typically outnumber human identities by 1-2 orders of magnitude inside a typical enterprise; most organisations do not maintain a current inventory; and the controls applied to NHIs are weaker than those applied to human identities on every measurable dimension — rotation cadence, MFA equivalent, audit coverage, anomaly detection, and lifecycle management.
The CSA work — alongside OWASP's NHI Top 10 (2025) and industry research from CyberArk and Sysdig — points to a common architectural failure: NHIs are typically owned by whoever needed them, not by an identity team. The IdP knows about the human population. The NHI population lives in cloud IAM, in CI/CD secrets, in code, in vault configurations, and in vendor portals — fragmented across teams that do not see each other's grants.
The defensible response is an NHI architecture that mirrors workforce identity: a single inventory, a defined lifecycle, mandatory rotation, behavioural monitoring, and an owning team. Without it, every NHI breach is a discovery exercise before it is a response exercise.
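The enumeration problem above is concrete enough to show in code. The following is an added example, not code from the CSA or from this page: it merges constructed exports from three fragmented sources (a cloud IAM listing, a CI/CD secret store, a vault) into one inventory keyed by identity, then audits each record against the governance rules the architecture calls for (an owning team, a rotation cadence, evidence of recent use). The record schemas, identity names, dates and the 90-day / 30-day thresholds are all constructed assumptions; treating a cloud key's creation date as its last rotation is also an assumption.

```python
"""Added example: build a single NHI inventory from fragmented sources and
flag governance gaps. All source records, field names and thresholds below
are constructed for illustration, not any vendor's real export format."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

TODAY = date(2025, 6, 1)                 # fixed "now" so the run is deterministic
MAX_ROTATION_AGE = timedelta(days=90)    # assumed policy: rotate at least every 90 days
DORMANT_AFTER = timedelta(days=30)       # assumed policy: unused for 30 days = revoke candidate


@dataclass
class NHI:
    name: str
    kind: str                                  # service account, api key, oauth grant ...
    sources: set = field(default_factory=set)  # every system the record was found in
    owner: Optional[str] = None
    last_rotated: Optional[date] = None
    last_used: Optional[date] = None


# Constructed sample exports. Each team keeps its own schema, and the same
# identity can appear in more than one place with different evidence.
CLOUD_IAM = [
    {"principal": "svc-billing", "type": "service account", "owner": "finance-platform",
     "key_created": "2025-04-15", "last_auth": "2025-05-30"},
    {"principal": "svc-legacy-etl", "type": "service account", "owner": None,
     "key_created": "2023-11-02", "last_auth": "2024-12-01"},
]
CI_SECRETS = [
    {"secret": "DEPLOY_TOKEN", "identity": "svc-deploy", "team": "release-eng",
     "rotated": "2025-05-20", "last_used": "2025-05-31"},
    {"secret": "LEGACY_ETL_KEY", "identity": "svc-legacy-etl", "team": None,
     "rotated": "2023-11-02", "last_used": "2025-05-28"},
]
VAULT = [
    {"path": "secret/oauth/crm-sync", "identity": "oauth-crm-sync", "type": "oauth grant",
     "owner": "sales-eng", "rotated": None, "last_read": "2025-05-29"},
]


def _d(s: Optional[str]) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def build_inventory(cloud, ci, vault) -> dict:
    """Normalise every source into one record per identity name."""
    inv: dict = {}

    def upsert(name, kind, src, owner, rotated, used):
        rec = inv.setdefault(name, NHI(name=name, kind=kind))
        rec.sources.add(src)
        rec.owner = rec.owner or owner
        # Keep the most recent evidence seen in any source; a key that looks
        # dormant in cloud IAM may be in daily use from a CI pipeline.
        for attr, val in (("last_rotated", rotated), ("last_used", used)):
            cur = getattr(rec, attr)
            if val and (cur is None or val > cur):
                setattr(rec, attr, val)

    for r in cloud:   # assumption: key creation date stands in for last rotation
        upsert(r["principal"], r["type"], "cloud-iam", r["owner"],
               _d(r["key_created"]), _d(r["last_auth"]))
    for r in ci:
        upsert(r["identity"], "api key", "ci-secrets", r["team"],
               _d(r["rotated"]), _d(r["last_used"]))
    for r in vault:
        upsert(r["identity"], r["type"], "vault", r["owner"],
               _d(r["rotated"]), _d(r["last_read"]))
    return inv


def audit(inv: dict, today: date = TODAY) -> dict:
    """Return {identity: [finding, ...]} for every record that breaks a rule."""
    findings: dict = {}
    for name, rec in inv.items():
        f = []
        if not rec.owner:
            f.append("no-owner")
        if rec.last_rotated is None or today - rec.last_rotated > MAX_ROTATION_AGE:
            f.append("rotation-overdue")
        if rec.last_used is None or today - rec.last_used > DORMANT_AFTER:
            f.append("dormant")
        if len(rec.sources) > 1:
            f.append("multi-source")   # same credential visible to several teams
        if f:
            findings[name] = f
    return findings


if __name__ == "__main__":
    inventory = build_inventory(CLOUD_IAM, CI_SECRETS, VAULT)
    for name, flags in audit(inventory).items():
        print(f"{name:<18} {sorted(inventory[name].sources)}  {', '.join(flags)}")
```

The merged view is the point: looking only at cloud IAM, svc-legacy-etl appears dormant since December 2024 and could be revoked; the CI export shows it was used days ago, so the correct action is to assign an owner and rotate it, not delete it. Neither source alone supports that decision.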