How to Manage Non-Human Identities (Before They Manage You)

May 29, 2025

2 mins

Matt (Co-Founder and CEO)

In our last post, we talked about non-human identities (NHIs) — the bots, APIs, scripts, and agents quietly running your software behind the scenes.

If you’re running any modern SaaS, they already outnumber your human users by orders of magnitude.

But here's the thing: most systems still treat them like an afterthought. Or worse, like users in a bad disguise.

That’s how breaches happen.
That’s how secrets leak.
That’s how you end up with a rogue script still posting to production Slack three years after its creator left the company.

So: let’s talk about how to actually manage non-human identities.

Step 1: Treat Them as First-Class Citizens

Stop shoehorning agents into human login flows or hardcoding keys into environment variables. Create a dedicated identity model for NHIs that answers:

  • What type of entity is this? (Agent, bot, script, service)

  • Who owns it? (Human, team, system)

  • What scope does it need? (Read-only? Limited environment?)

  • What is its lifecycle? (Ephemeral? Permanent? CI/CD-linked?)

Give each NHI a traceable owner, a purpose, and a lifespan.

Step 2: Issue Machine-Native Credentials

Humans use passwords. NHIs use:

  • Client credentials (OAuth2)

  • Signed JWTs

  • Mutual TLS certs

  • API keys with scopes

But these must be:

  • Short-lived (minutes, not months)

  • Rotatable (without downtime)

  • Revocable (with immediate effect)

If you're still using static keys from 2022, you have a security problem — not a convenience feature.
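What "short-lived, rotatable, revocable" looks like in practice, as an added example that is not code from the original post: a minimal HS256 JWT issuer and verifier using only the Python standard library. The key ids, secrets, five-minute TTL and the in-memory revocation set are constructed for illustration; a production deployment would hold the keys in a KMS and the denylist in shared storage.

```python
"""Short-lived, rotatable, revocable service tokens (HS256 JWT, stdlib only).

Added example, not code from the original post; keys and values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import List, Optional

# Signing keys by key id ("kid"), constructed for this example. Rotation means
# adding a new kid and pointing ACTIVE_KID at it; tokens signed under the old
# key keep verifying until they expire, so rotation needs no downtime.
SIGNING_KEYS = {
    "k-2025-05": b"constructed-secret-2025-05",
    "k-2025-06": b"constructed-secret-2025-06",
}
ACTIVE_KID = "k-2025-06"

# Revocation denylist of token ids ("jti"); entries can be dropped once exp passes.
REVOKED_JTI = set()

TOKEN_TTL_SECONDS = 300  # minutes, not months


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue_token(subject: str, scopes: List[str], now: Optional[float] = None) -> str:
    """Issue a scoped, short-lived token for a non-human identity."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": ACTIVE_KID}
    claims = {
        "sub": subject,              # the NHI, e.g. "svc:deploy-bot"
        "scope": " ".join(scopes),   # least privilege: only what this job needs
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": str(uuid.uuid4()),    # unique id so this one token can be revoked
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    return signing_input + "." + _b64url(_sign(SIGNING_KEYS[ACTIVE_KID], signing_input))


def revoke_token(token: str) -> None:
    """Revoke one token with immediate effect by denylisting its jti."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    REVOKED_JTI.add(claims["jti"])


def verify_token(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid for required_scope, else None.

    Rejects malformed tokens, unknown kid or alg, bad signatures, expired
    tokens, revoked tokens and tokens lacking the scope the caller needs.
    """
    now = time.time() if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        sig = _b64url_decode(s)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_sign(key, f"{h}.{c}"), sig):
        return None
    if claims.get("exp", 0) <= now:
        return None
    if claims.get("jti") in REVOKED_JTI:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims


if __name__ == "__main__":
    tok = issue_token("svc:deploy-bot", ["deploy:write"])
    print("valid:", verify_token(tok, "deploy:write") is not None)
    revoke_token(tok)
    print("after revoke:", verify_token(tok, "deploy:write"))
```

The three properties map to three fields: `exp` makes the token short-lived, `kid` lets the verifier accept tokens from the previous key while new ones are issued under the next, and `jti` gives revocation something to name.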

Step 3: Define Access in Code

You can’t manage thousands of agents with point-and-click dashboards. You need to:

  • Codify access rules in a DSL or policy engine

  • Store policies in version control

  • Apply CI/CD to your security decisions

  • Preview access changes before you ship them

Think Terraform for access, not checkboxes in a web UI.
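The "Terraform for access" idea as an added example, not code from the original post or any particular policy engine: a policy document that lives in version control as plain data, a deny-by-default evaluator, a linter that CI can run, and a `plan()` that diffs two policy versions into the exact grants a change would add or remove before it ships. The identities, roles, resources and the JSON format are constructed for illustration.

```python
"""Access policy as code with a plan step (added example, not the post's code).

Identity names, resources and actions below are constructed for illustration.
"""
import json
from typing import Dict, List, Set, Tuple

# A policy document as it would be committed to the repo (JSON to stay
# dependency-free; YAML or a dedicated DSL would work the same way).
POLICY_V1 = json.loads("""
{
  "identities": {
    "svc:deploy-bot":   {"owner": "team-platform", "roles": ["deployer"]},
    "svc:report-cron":  {"owner": "team-finance",  "roles": ["reader"]}
  },
  "roles": {
    "reader":   [{"resource": "reports/*",  "actions": ["read"]}],
    "deployer": [{"resource": "prod/app/*", "actions": ["read", "deploy"]}]
  }
}
""")

# Proposed change in a pull request: report-cron picks up the deployer role.
POLICY_V2 = json.loads("""
{
  "identities": {
    "svc:deploy-bot":   {"owner": "team-platform", "roles": ["deployer"]},
    "svc:report-cron":  {"owner": "team-finance",  "roles": ["reader", "deployer"]}
  },
  "roles": {
    "reader":   [{"resource": "reports/*",  "actions": ["read"]}],
    "deployer": [{"resource": "prod/app/*", "actions": ["read", "deploy"]}]
  }
}
""")

Grant = Tuple[str, str, str]  # (identity, resource pattern, action)


def effective_grants(policy: dict) -> Set[Grant]:
    """Expand roles into the flat set of (identity, resource, action) grants."""
    grants: Set[Grant] = set()
    for ident, spec in policy["identities"].items():
        for role in spec["roles"]:
            for rule in policy["roles"].get(role, []):
                for action in rule["actions"]:
                    grants.add((ident, rule["resource"], action))
    return grants


def _matches(pattern: str, resource: str) -> bool:
    """Trailing-'*' prefix match, e.g. 'prod/app/*' matches 'prod/app/web'."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def is_allowed(policy: dict, identity: str, resource: str, action: str) -> bool:
    """Deny by default; allow only if some grant covers the request."""
    return any(
        ident == identity and _matches(pat, resource) and act == action
        for ident, pat, act in effective_grants(policy)
    )


def plan(current: dict, proposed: dict) -> Dict[str, List[Grant]]:
    """Diff two policy versions into the grants that would be added and removed."""
    before, after = effective_grants(current), effective_grants(proposed)
    return {"add": sorted(after - before), "remove": sorted(before - after)}


def lint(policy: dict) -> List[str]:
    """CI check: every identity has an owner and references only known roles."""
    problems = []
    for ident, spec in policy["identities"].items():
        if not spec.get("owner"):
            problems.append(f"{ident}: no owner")
        for role in spec["roles"]:
            if role not in policy["roles"]:
                problems.append(f"{ident}: unknown role {role!r}")
    return problems


if __name__ == "__main__":
    for problem in lint(POLICY_V2):
        print("lint:", problem)
    changes = plan(POLICY_V1, POLICY_V2)
    for grant in changes["add"]:
        print("+", grant)
    for grant in changes["remove"]:
        print("-", grant)
```

Running `plan()` in the pull request makes the reviewer's question concrete: the diff is not "one role added to a list" but "svc:report-cron gains read and deploy on prod/app/*", which is the thing that actually needs approval.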

Step 4: Make Them Observable

You should be able to answer:

  • What is this agent doing?

  • When did it last act?

  • Who approved its creation?

  • Is it doing something unusual?

If the answer is “I don’t know” — that’s a gap.

You need:

  • Audit trails for every action

  • Anomalous behavior detection

  • Alerts on orphaned or over-permissioned agents

NHIs don’t have intent. So it’s your job to make sure they’re not silently going rogue.
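An added example, not code from the original post, of answering the four questions above from an audit trail: it parses constructed log lines, reports when each identity last acted, and raises findings for scope use outside what was granted, activity from a source address never seen in the baseline window, granted scopes that are never exercised (over-permissioned), and identities with no approver or no activity. The inventory, log format, addresses and the baseline cutoff are all constructed for illustration.

```python
"""Observability over an audit trail for non-human identities.

Added example, not code from the original post; inventory and log lines are
constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Inventory: who approved each identity and which scopes it was granted.
INVENTORY = {
    "svc:deploy-bot":  {"approved_by": "alice", "scopes": {"deploy:write", "repo:read"}},
    "svc:report-cron": {"approved_by": "bob",   "scopes": {"reports:read", "db:write"}},
    "svc:legacy-sync": {"approved_by": None,    "scopes": {"slack:post"}},
}

# Constructed audit log: "<ISO timestamp> <identity> <scope used> <source IP>".
AUDIT_LOG = """\
2025-05-27T09:00:12Z svc:deploy-bot deploy:write 10.0.1.5
2025-05-27T09:01:40Z svc:deploy-bot repo:read 10.0.1.5
2025-05-28T09:00:09Z svc:deploy-bot deploy:write 10.0.1.5
2025-05-28T09:30:00Z svc:report-cron reports:read 10.0.2.9
2025-05-29T03:12:44Z svc:deploy-bot admin:read 203.0.113.7
2025-05-29T03:12:45Z svc:deploy-bot admin:read 203.0.113.7
2025-05-29T09:00:15Z svc:deploy-bot deploy:write 10.0.1.5
"""


def _ts(text: str) -> datetime:
    # fromisoformat only accepts "Z" from Python 3.11 on, so normalise it.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_audit(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        ts, ident, scope, src = line.split()
        events.append({"ts": _ts(ts), "identity": ident, "scope": scope, "src": src})
    return events


def last_seen(events: List[dict]) -> Dict[str, Optional[str]]:
    """ISO time each inventoried identity last acted; None means never."""
    seen: Dict[str, Optional[datetime]] = {ident: None for ident in INVENTORY}
    for e in events:
        cur = seen.get(e["identity"])
        if cur is None or e["ts"] > cur:
            seen[e["identity"]] = e["ts"]
    return {k: (v.isoformat() if v else None) for k, v in seen.items()}


def findings(events: List[dict], baseline_until: str) -> List[str]:
    """Alerts: ungranted scope use, new source addresses after the baseline
    window, grants never exercised, and identities with no approver/activity."""
    cutoff = _ts(baseline_until)
    baseline_src = defaultdict(set)   # sources seen per identity before cutoff
    used_scopes = defaultdict(set)
    ungranted, new_src = Counter(), Counter()
    for e in events:
        used_scopes[e["identity"]].add(e["scope"])
        if e["ts"] < cutoff:
            baseline_src[e["identity"]].add(e["src"])
    for e in events:
        granted = INVENTORY.get(e["identity"], {}).get("scopes", set())
        if e["scope"] not in granted:
            ungranted[(e["identity"], e["scope"])] += 1
        if e["ts"] >= cutoff and e["src"] not in baseline_src[e["identity"]]:
            new_src[(e["identity"], e["src"])] += 1
    out = [f"{i} used ungranted scope {s} ({n}x)" for (i, s), n in sorted(ungranted.items())]
    out += [f"{i} acted from new source {src} ({n}x)" for (i, src), n in sorted(new_src.items())]
    for ident, spec in sorted(INVENTORY.items()):
        used = used_scopes.get(ident, set())
        unused = spec["scopes"] - used
        if unused:
            out.append(f"{ident} over-permissioned: never used {sorted(unused)}")
        if spec["approved_by"] is None:
            out.append(f"{ident} orphaned: no approver on record")
        if not used:
            out.append(f"{ident} inactive: no actions in audit window")
    return out


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    print(last_seen(evs))
    for line in findings(evs, "2025-05-29T00:00:00Z"):
        print("ALERT:", line)
```

The baseline here is deliberately crude (the set of source addresses seen before a cutoff); the point is that each question in the list above becomes a query over the trail, and an identity that cannot be queried this way is the gap the post describes.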

Step 5: Kill What You Don’t Need

  • Expire credentials automatically

  • Rotate tokens regularly

  • Archive or delete unused identities

  • Add ownership reviews to quarterly ops

The riskiest identity is the one no one remembers still exists.
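One registry that serves both Step 1 and Step 5, as an added example that is not code from the original post: each NHI carries a type, owner, purpose, scopes, lifecycle and expiry (the identity model Step 1 asks for), `validate()` refuses entries without an owner, purpose or lifespan, and `review()` is the quarterly pass that expires, flags as orphaned, or archives what is no longer needed. The identity names, owners, dates and the 90-day idle threshold are constructed for illustration.

```python
"""Registry of non-human identities plus the periodic review that expires,
flags and archives them (added example, not the post's code; sample data is
constructed).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class Kind(Enum):
    AGENT = "agent"
    BOT = "bot"
    SCRIPT = "script"
    SERVICE = "service"


class Lifecycle(Enum):
    EPHEMERAL = "ephemeral"   # lives for one job run
    PERMANENT = "permanent"   # long-lived service; must pass ownership review
    CI_LINKED = "ci-linked"   # exists only while its pipeline definition does


@dataclass
class NHI:
    name: str
    kind: Kind
    owner: str                  # human, team or system accountable for it
    purpose: str
    scopes: List[str]
    lifecycle: Lifecycle
    created: datetime
    expires: Optional[datetime]  # None is only acceptable for PERMANENT
    last_used: Optional[datetime] = None
    status: str = "active"


def validate(nhi: NHI) -> List[str]:
    """Every NHI must have a traceable owner, a purpose and a lifespan."""
    problems = []
    if not nhi.owner.strip():
        problems.append(f"{nhi.name}: no owner")
    if not nhi.purpose.strip():
        problems.append(f"{nhi.name}: no purpose")
    if nhi.expires is None and nhi.lifecycle is not Lifecycle.PERMANENT:
        problems.append(f"{nhi.name}: {nhi.lifecycle.value} identity has no expiry")
    if "*" in nhi.scopes or "admin" in nhi.scopes:
        problems.append(f"{nhi.name}: wildcard/admin scope, narrow it")
    return problems


def review(registry: List[NHI], active_owners: set, now: datetime,
           idle_after: timedelta = timedelta(days=90)) -> dict:
    """Ownership review: expire past-due credentials, flag identities whose
    owner is gone, archive identities idle longer than idle_after.

    Updates each entry's status so the next run starts from the reviewed state.
    """
    result = {"expired": [], "orphaned": [], "archived": [], "ok": []}
    for nhi in registry:
        if nhi.status == "archived":
            continue
        idle_since = nhi.last_used if nhi.last_used is not None else nhi.created
        if nhi.expires is not None and nhi.expires <= now:
            nhi.status = "expired"
            result["expired"].append(nhi.name)
        elif nhi.owner not in active_owners:
            nhi.status = "needs-owner"
            result["orphaned"].append(nhi.name)
        elif now - idle_since > idle_after:
            nhi.status = "archived"
            result["archived"].append(nhi.name)
        else:
            result["ok"].append(nhi.name)
    return result


# Constructed sample registry and owner directory.
NOW = datetime(2025, 5, 29, tzinfo=timezone.utc)
REGISTRY = [
    NHI("svc:deploy-bot", Kind.BOT, "team-platform", "deploys app to prod",
        ["deploy:write"], Lifecycle.PERMANENT, NOW - timedelta(days=400), None,
        last_used=NOW - timedelta(hours=2)),
    NHI("ci:build-123", Kind.SCRIPT, "pipeline", "one-off build job",
        ["artifact:write"], Lifecycle.EPHEMERAL, NOW - timedelta(days=2),
        NOW - timedelta(days=1), last_used=NOW - timedelta(days=2)),
    NHI("svc:slack-poster", Kind.SCRIPT, "former-employee", "posts to #ops",
        ["slack:post"], Lifecycle.PERMANENT, NOW - timedelta(days=1100), None,
        last_used=NOW - timedelta(days=3)),
    NHI("svc:old-report", Kind.SERVICE, "team-finance", "weekly report",
        ["reports:read"], Lifecycle.PERMANENT, NOW - timedelta(days=500), None,
        last_used=NOW - timedelta(days=200)),
]
ACTIVE_OWNERS = {"team-platform", "team-finance", "pipeline"}


def run_review() -> dict:
    return review(REGISTRY, ACTIVE_OWNERS, NOW)


if __name__ == "__main__":
    print(run_review())
```

The `svc:slack-poster` entry is the post's three-years-later rogue script: still active, still used last week, and owned by someone who no longer exists in the directory, which is exactly why the review checks ownership and not just activity.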

Final Thought:

You wouldn’t let a junior dev spin up an AWS superadmin account with no oversight.
So why are your scripts, bots, and AI agents running with god mode?

Non-human identity management isn’t a feature.
It’s the foundation of secure software in the automation era.

And if you don’t design for them today, you’ll be cleaning up after them tomorrow.