What Most Companies Get Wrong About Non-Human Identity Management

May 30, 2025

2 mins

Matt (Co-Founder and CEO)

By now, you’ve heard the message: most things logging into your systems aren’t people.

They’re agents, bots, services, scripts — non-human identities (NHIs) that outnumber users and often hold more power than them.

And yet… even companies that know this still get NHI management dangerously wrong.

Let’s break down the 5 most common mistakes we see — and why they leave your systems exposed.

❌ Mistake 1: Treating NHIs Like Users

Many teams create fake “bot users” or service accounts in their auth system and assign them login credentials.

Sounds harmless — but it breaks:

  • Visibility (you can’t tell humans from agents in your logs)

  • Ownership (no clear mapping to teams or workflows)

  • Security (these accounts often skip MFA and rotate nothing)

Fix: Treat NHIs as their own identity type with their own controls.

❌ Mistake 2: Static Credentials, Forever

Hardcoded API keys. Secrets in .env files. Long-lived tokens shared across environments.

These are time bombs. One leaked key gives permanent access until someone finds and revokes it — which might take months (or never happen at all).

Fix: Issue short-lived, scoped credentials that rotate automatically. Expire what isn’t used. Lock credentials to their runtime environment.
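What the fix above looks like in code, as an added example that is not part of this post: a toy issuer and verifier for agent credentials that expire after minutes, carry an explicit scope list, are bound to one runtime environment, and are signed with a rotating key so that anything minted under a retired key stops verifying. The token format, the key identifiers and the key material are constructed for the example; a real deployment would use a standard token format and pull keys from a secrets manager.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing keys for this example. In practice they come from a
# secrets manager or KMS and rotate on a schedule; a retired key is kept only
# until every token it signed has expired, then deleted.
SIGNING_KEYS = {
    "2025-05-a": b"constructed-key-material-a-do-not-reuse",
    "2025-05-b": b"constructed-key-material-b-do-not-reuse",
}
ACTIVE_KID = "2025-05-b"      # all new tokens are minted with this key
RETIRED_KIDS = {"2025-05-a"}  # rotated out: tokens signed with it no longer verify


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(agent_id, scopes, environment, ttl_seconds=900, now=None, kid=ACTIVE_KID):
    """Mint a token for one agent, one environment and a fixed scope list.

    The default lifetime is 15 minutes, so a leaked token is useful only
    briefly and the agent fetches a fresh one instead of holding a long-lived
    secret. `kid` is overridable only so the rotation check can be exercised;
    production callers never pass it.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "sub": agent_id,
        "scp": sorted(set(scopes)),
        "env": environment,
        "iat": now,
        "exp": now + ttl_seconds,
        "kid": kid,
    }
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEYS[kid], body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(sig)}"


def verify_token(token, required_scope, environment, now=None):
    """Return (ok, reason). Each failure has its own reason so the rejection
    can be written to the audit log rather than surfacing as a bare 401."""
    now = int(time.time()) if now is None else now
    try:
        body, sig_text = token.split(".")
        claims = json.loads(b64url_decode(body))
        sig = b64url_decode(sig_text)
    except ValueError:  # covers bad base64, bad JSON and wrong part count
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    kid = claims.get("kid")
    if kid not in SIGNING_KEYS or kid in RETIRED_KIDS:
        return False, "unknown_or_retired_key"
    expected = hmac.new(SIGNING_KEYS[kid], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if claims.get("env") != environment:
        return False, "wrong_environment"
    if required_scope not in claims.get("scp", []):
        return False, "insufficient_scope"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("deploy-bot", ["deploy:write"], "prod", ttl_seconds=600)
    print(verify_token(tok, "deploy:write", "prod"))      # (True, 'ok')
    print(verify_token(tok, "deploy:write", "staging"))   # (False, 'wrong_environment')
```

The environment claim is what "lock credentials to their runtime environment" means in practice: the same token that works in production is refused by staging, so a secret copied between environments stops being useful. The verifier checks the key identifier before the signature, so rotation is a one-line change (add the old `kid` to `RETIRED_KIDS`) rather than a hunt for every place the old secret was pasted.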

❌ Mistake 3: No Audit, No Accountability

If an agent pushes to production at 3AM, who approved that? What did it change? What else can it access?

Most orgs can’t answer these questions — because most agent actions are unaudited and unauthenticated beyond the first hop.

Fix: Attach agents to specific humans or teams. Log every action. Flag anomalies like “new agent calling production DB.”
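The three parts of that fix (ownership mapping, a log of every action, and a flag on anomalies such as a new agent calling a production database) as an added example that is not from this post. The audit log lines, the owner registry and the rule names are constructed for the example; the detection runs over a baseline window of earlier events and reports anything at or after it that is unowned, new to a production resource, or a production change with no approval reference.

```python
import json

# Constructed audit log for this example: one JSON object per line, as an API
# gateway or agent runtime would emit. The 03:04 deploy on 30 May carries no
# approval reference, and scratch-agent-7 has never been seen before.
AUDIT_LOG = """\
{"ts": "2025-05-29T14:02:11Z", "agent": "ci-deployer", "action": "deploy", "resource": "prod/api", "approval": "PR-1842"}
{"ts": "2025-05-29T15:10:03Z", "agent": "report-bot", "action": "read", "resource": "prod/db/orders"}
{"ts": "2025-05-30T03:04:27Z", "agent": "ci-deployer", "action": "deploy", "resource": "prod/api"}
{"ts": "2025-05-30T03:05:02Z", "agent": "scratch-agent-7", "action": "read", "resource": "prod/db/orders"}
{"ts": "2025-05-30T09:00:00Z", "agent": "report-bot", "action": "read", "resource": "prod/db/orders"}
"""

# Constructed ownership registry: every agent maps to a human or a team.
OWNERS = {"ci-deployer": "team-platform", "report-bot": "team-finance"}

# Actions that change production and therefore need an approval reference.
WRITE_ACTIONS = {"deploy", "write", "delete"}


def parse_audit_log(text):
    """One event dict per non-empty line. Timestamps stay as ISO-8601 strings,
    which compare correctly as long as they share one format and zone."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events, baseline_end):
    """Set of (agent, resource) pairs observed before baseline_end."""
    return {(e["agent"], e["resource"]) for e in events if e["ts"] < baseline_end}


def is_production(resource):
    return resource.startswith("prod/")


def flag_anomalies(events, baseline_end, owners=OWNERS):
    """Run three rules over the events at or after baseline_end and return a
    list of findings, each tied back to the agent's owner so there is someone
    to ask 'who approved that?'."""
    baseline = build_baseline(events, baseline_end)
    findings = []

    def report(event, rule, detail):
        findings.append({
            "ts": event["ts"],
            "agent": event["agent"],
            "owner": owners.get(event["agent"], "UNOWNED"),
            "rule": rule,
            "detail": detail,
        })

    for e in events:
        if e["ts"] < baseline_end:
            continue
        prod = is_production(e["resource"])
        if e["agent"] not in owners:
            report(e, "unowned_agent", "no human or team is accountable for this identity")
        if prod and (e["agent"], e["resource"]) not in baseline:
            report(e, "new_agent_on_production_resource",
                   f"first observed call from {e['agent']} to {e['resource']}")
        if prod and e["action"] in WRITE_ACTIONS and not e.get("approval"):
            report(e, "unapproved_production_change",
                   f"{e['action']} on {e['resource']} carries no approval reference")
    return findings


if __name__ == "__main__":
    for f in flag_anomalies(parse_audit_log(AUDIT_LOG), "2025-05-30T00:00:00Z"):
        print(f["ts"], f["agent"], f["owner"], f["rule"], "-", f["detail"])
```

The baseline is deliberately simple (a set of pairs seen before a cut-off); a production version would keep it per resource over a rolling window, but the shape of the question is the same: has this identity touched this thing before, and if it is changing production, can we point at the approval.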

❌ Mistake 4: Manual Access Configs

Giving an agent access to a service often means hand-writing a YAML file, clicking through IAM settings, or pasting secrets into a config file.

This doesn’t scale. And worse — it creates drift, inconsistent permissions, and brittle dependencies.

Fix: Manage agent access as code. Use policies, not point-and-click. Run tests, previews, and CI checks just like you do with infrastructure.

❌ Mistake 5: Ignoring the Lifecycle

You onboarded the bot, but who owns it now? When does it expire? What if its creator left the company last quarter?

Without lifecycle management, NHIs become zombie processes — still running, still privileged, and completely unaccounted for.

Fix: Set clear ownership. Add expiry and review dates. Kill unused identities by default.
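Mistakes 4 and 5 share one fix in practice: declare each non-human identity as data in a repository and let CI lint it. The example below is added here and is not from this post. The registry entries, the directory of active principals and the rule names are constructed; the lint checks the things the two fixes above name (an owner who still exists, an expiry and a review date, no wildcard permissions, recent use) and produces the list of identities to disable by default.

```python
from datetime import date

# Constructed NHI registry for this example, declared as data the way it would
# be committed to a repo and checked in CI. Dates are ISO strings; None means
# the field was never set.
REGISTRY = [
    {"id": "ci-deployer", "owner": "team-platform",
     "permissions": ["deploy:prod/api"],
     "expires": "2025-12-31", "review_due": "2025-08-01", "last_used": "2025-05-29"},
    {"id": "report-bot", "owner": "alice@example.com",
     "permissions": ["read:prod/db/orders"],
     "expires": "2025-09-30", "review_due": "2025-06-01", "last_used": "2025-05-30"},
    {"id": "legacy-sync", "owner": "bob@example.com",
     "permissions": ["*"],
     "expires": "2025-03-31", "review_due": "2025-01-15", "last_used": "2024-11-02"},
    {"id": "scratch-agent-7", "owner": None,
     "permissions": ["read:prod/db/orders"],
     "expires": None, "review_due": None, "last_used": None},
]

# Constructed directory of principals that still exist; bob left last quarter.
ACTIVE_PRINCIPALS = {"team-platform", "alice@example.com"}

UNUSED_AFTER_DAYS = 90
# Findings that mean "disable now" rather than "fix at next review".
DISABLING_RULES = {"no_owner", "owner_departed", "expired", "unused"}


def parse_date(value):
    return None if value is None else date.fromisoformat(value)


def lint_identity(entry, active_principals, now, unused_after_days=UNUSED_AFTER_DAYS):
    """Return the list of rule names one identity violates (empty if clean)."""
    findings = []
    owner = entry.get("owner")
    if not owner:
        findings.append("no_owner")
    elif owner not in active_principals:
        findings.append("owner_departed")
    # Policy check from "manage access as code": no blanket grants.
    if any(p == "*" or p.endswith(":*") for p in entry.get("permissions", [])):
        findings.append("wildcard_permission")
    expires = parse_date(entry.get("expires"))
    if expires is None:
        findings.append("no_expiry")
    elif expires < now:
        findings.append("expired")
    review = parse_date(entry.get("review_due"))
    if review is None:
        findings.append("no_review_date")
    elif review < now:
        findings.append("review_overdue")
    last_used = parse_date(entry.get("last_used"))
    if last_used is None or (now - last_used).days >= unused_after_days:
        findings.append("unused")
    return findings


def lint_registry(registry, active_principals, now):
    return {e["id"]: lint_identity(e, active_principals, now) for e in registry}


def plan_disables(registry, active_principals, now):
    """Identities to switch off by default: sorted ids with a disabling finding."""
    report = lint_registry(registry, active_principals, now)
    return sorted(i for i, f in report.items() if DISABLING_RULES & set(f))


def ci_gate(registry, active_principals, now):
    """True only if every identity is clean; a False here fails the pipeline."""
    return all(not f for f in lint_registry(registry, active_principals, now).values())


if __name__ == "__main__":
    today = date(2025, 5, 30)
    for ident, rules in lint_registry(REGISTRY, ACTIVE_PRINCIPALS, today).items():
        print(f"{ident}: {', '.join(rules) or 'ok'}")
    print("disable:", plan_disables(REGISTRY, ACTIVE_PRINCIPALS, today))
    print("ci gate passes:", ci_gate(REGISTRY, ACTIVE_PRINCIPALS, today))
```

Running the gate on every pull request that touches the registry is what turns "add expiry and review dates" from a policy into something that cannot be skipped: an identity with no owner, no expiry or a wildcard grant never merges, and a scheduled run of `plan_disables` catches the ones whose owner has since left or that have gone quiet.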

The Bottom Line

You can’t secure modern infrastructure with yesterday’s assumptions.
And you definitely can’t scale automation if you’re duct-taping bot accounts to human auth systems.

Non-human identities are exploding — and they need their own layer of identity, access, and governance.

If you’re serious about AI agents, automation, and cloud-native systems, this isn’t a nice-to-have. It’s table stakes.