
Identity Is the New Perimeter — and Non-Human Identity Is the Hole in It

Most organizations have spent a decade maturing how they govern human identity. In the same period, non-human identities — service accounts, API keys, workload and agent credentials — quietly became the majority of all identities, and almost none of that governance was extended to them. That gap is now one of the highest-priority risks in the enterprise.

CISO2CISO Editorial, 8 min read, 2026-05-30


Executive Summary

For more than a decade, the security industry has repeated a phrase until it became conventional wisdom: identity is the new perimeter. As workloads moved to the cloud, as remote work dissolved the office boundary, and as the network edge stopped being a meaningful line of defense, it became true that the most reliable way to control access was to control identity. Organizations responded by investing — in multi-factor authentication, single sign-on, privileged access management, joiner-mover-leaver processes, and access certification. Human identity governance, in most mature organizations, is now a genuine capability.

There is just one problem. While security teams were maturing how they govern human identities, the population of identities in the enterprise was shifting underneath them. Non-human identities — the service accounts, API keys, tokens, certificates, workload identities and, increasingly, autonomous agents that machines use to authenticate to one another — quietly became the majority. In most cloud-heavy environments, non-human identities now significantly outnumber human ones, and the gap is widening as automation and AI agents proliferate.

Almost none of the governance built for human identity has been extended to them. That is the hole in the new perimeter — and it is one of the most consequential, under-addressed risks in the enterprise today.

Why This Matters Now

The numbers alone make the case. The ratio of non-human to human identities has tilted decisively toward machines, and AI agents — each of which needs credentials to act — are accelerating the trend faster than most identity programs have planned for. An environment that had a manageable number of service accounts a few years ago may now have an order of magnitude more machine identities, most of them created by automation and few of them ever formally reviewed.

The risk profile of these identities is also worse than that of human ones. Non-human identities tend to hold standing, long-lived privileges that rarely change. Their credentials — keys, tokens, secrets — are frequently embedded in code, configuration files, pipelines and scripts, where they leak. They have no human to notice anomalous behavior, no natural lifecycle event like a termination that triggers de-provisioning, and often no clear owner at all. An attacker who obtains a powerful machine credential inherits broad, persistent access that may go unnoticed for a long time, because nothing in the environment is watching for a service account to misbehave.

The arrival of autonomous agents sharpens this further. An AI agent is, from an identity standpoint, a non-human identity that can take actions and make decisions across systems. Governing what it can authenticate to, and what it is permitted to do once authenticated, is rapidly becoming one of the defining problems of enterprise security.

CISO2CISO Insight

We spent ten years learning to govern the identities that belong to people. In that same decade, the identities that belong to machines became the majority — and we governed almost none of them. The perimeter moved to identity, and then most of identity moved out of view.

Why Non-Human Identity Is Harder

The gap is not simply a matter of effort that has not yet been applied. Non-human identities are structurally harder to govern than human ones, and the controls built for people do not transfer cleanly.

There is no natural lifecycle. Human identity governance is anchored to events — someone is hired, changes role, or leaves. Those events trigger provisioning, adjustment and de-provisioning. Machine identities have no equivalent. They are created when a system needs them and frequently persist long after the need is gone, because nothing forces a review.

Ownership is ambiguous. A human identity belongs, unambiguously, to a person. A service account often belongs to no one in particular — created by a team that has since reorganized, used by a system whose purpose has drifted, maintained by whoever inherited it. Without a clear owner, no one is accountable for whether its access is still appropriate.

Credentials are everywhere. Human authentication has moved toward strong, phishing-resistant methods. Machine authentication still relies heavily on secrets — keys and tokens that get hard-coded, committed to repositories, passed between systems, and copied into configuration. Secrets sprawl is the non-human equivalent of password reuse, at far greater scale.

Standing privilege is the norm. Where human privileged access has moved toward just-in-time elevation, machine identities are typically granted broad, permanent permissions at creation and never narrowed, because doing so risks breaking the automation that depends on them.

Executive Framework

Dimension        | Human identity (mature)    | Non-human identity (typically immature)
Population trend | Stable, well understood    | Majority and growing rapidly
Lifecycle        | Tied to HR events          | None — persists indefinitely
Ownership        | Clear (the individual)     | Often ambiguous or absent
Authentication   | MFA, phishing-resistant    | Secrets, keys, tokens — frequently leaked
Privilege model  | Moving to just-in-time     | Standing, broad, rarely reviewed
Monitoring       | Anomaly detection on users | Rarely watched for misbehavior

What CISOs Should Do Next

  • Inventory non-human identities first — most organizations cannot say how many they have, who owns them, or what they can access. Discovery is the precondition for everything else.
  • Assign ownership to every machine identity above a trivial risk threshold, so that someone is accountable for whether its access remains appropriate.
  • Attack secrets sprawl directly — find embedded and leaked credentials, move to managed secrets with rotation, and eliminate hard-coded keys from code and configuration.
  • Drive machine privilege toward least privilege and, where feasible, toward short-lived credentials and just-in-time access, narrowing the standing permissions that make a compromised machine identity so dangerous.
  • Extend monitoring and anomaly detection to non-human identities, so that a service account or agent behaving unexpectedly is something the organization can actually detect.
  • Bring agent identity into the program deliberately — as AI agents proliferate, the governance of what they can authenticate to and do must be designed in, not retrofitted after they are already operating.
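The steps above (inventory, ownership, credential hygiene, least privilege, monitoring) can be turned into a repeatable triage. The script below is an added example written for this page, not code from CISO2CISO or any vendor: it scores a constructed inventory of machine identities against the governance gaps the article describes and ranks them so the worst-governed ones get an owner first, and it includes a minimal monitoring check that flags a service account or agent authenticating from a source outside its baseline. The thresholds (90 days unused, 180 days since rotation, 365 days since review), the finding weights, the `service:action` permission format and all sample records are assumptions chosen for illustration.

```python
"""Triage a non-human identity (NHI) inventory against the gaps the article
names: no owner, no lifecycle, unrotated or non-expiring secrets, standing
broad privilege, and nobody watching for misbehaviour.
Every record, baseline and event here is constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2026, 5, 30)  # pinned so the results are deterministic


@dataclass
class MachineIdentity:
    name: str
    kind: str                             # "service_account", "api_key", "workload", "agent"
    owner: Optional[str]                  # None = nobody is accountable for it
    last_used: Optional[date]
    last_reviewed: Optional[date]
    credential_rotated: Optional[date]
    credential_ttl_days: Optional[int]    # None = credential never expires
    permissions: list                     # assumed "service:action" strings; "*" is a wildcard
    monitored: bool                       # covered by anomaly detection?


# Assumed weights: an owner-less, unmonitored, wildcard-privileged credential is the
# worst case the article describes, so those findings dominate the score.
WEIGHTS = {
    "no-owner": 3, "stale": 2, "never-reviewed": 2, "non-expiring-credential": 3,
    "unrotated-credential": 2, "standing-broad-privilege": 4, "unmonitored": 3,
}


def days_since(d: Optional[date]) -> Optional[int]:
    return None if d is None else (TODAY - d).days


def is_broad(perm: str) -> bool:
    """Wildcard or admin-style grants count as standing broad privilege."""
    return perm == "*" or perm.endswith(":*") or perm in {"admin", "owner"}


def assess(i: MachineIdentity) -> list:
    """Return the governance findings that apply to one identity."""
    findings = []
    if not i.owner:
        findings.append("no-owner")
    used = days_since(i.last_used)
    if used is None or used > 90:               # no lifecycle event will ever retire it
        findings.append("stale")
    reviewed = days_since(i.last_reviewed)
    if reviewed is None or reviewed > 365:      # never certified, unlike a human's access
        findings.append("never-reviewed")
    if i.credential_ttl_days is None:
        findings.append("non-expiring-credential")
    rotated = days_since(i.credential_rotated)
    if rotated is None or rotated > 180:
        findings.append("unrotated-credential")
    if any(is_broad(p) for p in i.permissions):
        findings.append("standing-broad-privilege")
    if not i.monitored:
        findings.append("unmonitored")
    return findings


def risk_score(findings: list) -> int:
    return sum(WEIGHTS[f] for f in findings)


def triage(inventory: list) -> list:
    """Rank identities (name, score, findings) worst first, ties broken by name."""
    rows = [(i.name, risk_score(assess(i)), assess(i)) for i in inventory]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def new_source_events(baseline: dict, events: list) -> list:
    """Monitoring hook: flag (identity, source) pairs where the source (host, CI
    runner, IP) is not in that identity's baseline. An identity with no baseline
    at all is flagged on every event, which is exactly the unwatched case."""
    return [(ident, src) for ident, src in events if src not in baseline.get(ident, set())]


# Constructed sample inventory: one legacy account, one well-run key, one new agent.
SAMPLE_INVENTORY = [
    MachineIdentity("svc-legacy-etl", "service_account", None, date(2025, 11, 2),
                    None, None, None, ["s3:*", "iam:PassRole"], False),
    MachineIdentity("ci-deploy-key", "api_key", "platform-team", date(2026, 5, 29),
                    date(2026, 1, 15), date(2026, 4, 1), 90, ["deploy:write"], True),
    MachineIdentity("agent-support-bot", "agent", "cx-engineering", date(2026, 5, 30),
                    None, date(2026, 5, 30), 1, ["tickets:read", "tickets:write", "*"], False),
]

# Constructed baseline of known authentication sources and a few recent events.
SAMPLE_BASELINE = {"svc-legacy-etl": {"etl-worker-01", "etl-worker-02"},
                   "ci-deploy-key": {"ci-runner-a"}}
SAMPLE_EVENTS = [("svc-legacy-etl", "etl-worker-01"), ("svc-legacy-etl", "dev-laptop-443"),
                 ("ci-deploy-key", "ci-runner-a"), ("agent-support-bot", "agent-host-1")]

if __name__ == "__main__":
    for name, score, findings in triage(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:20s} {', '.join(findings) or 'no findings'}")
    for ident, src in new_source_events(SAMPLE_BASELINE, SAMPLE_EVENTS):
        print(f"ALERT {ident} authenticated from unknown source {src}")
```

In the sample data the legacy ETL account collects every finding and ranks first, the freshly created agent ranks second on the strength of its wildcard grant alone even though its credential is short-lived and was rotated today, and the CI key with an owner, a 90-day TTL and monitoring produces no findings. The monitoring check raises the laptop authenticating as the ETL account and every event for the agent, because nobody has yet established what normal looks like for it.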

Board-Level Questions

  • Do we know how many non-human identities exist in our environment, who owns them, and what they are permitted to access?
  • Are the machine identities that hold powerful access governed and reviewed to the same standard we apply to privileged human access?
  • How exposed are we to leaked or embedded credentials, and what are we doing to eliminate secrets sprawl?
  • As we deploy AI agents, are we governing their identities and permissions deliberately — or are they accumulating access faster than we are tracking it?

Final Executive Takeaway

The phrase "identity is the new perimeter" has been true for years, but it has been only half-implemented. Organizations heard it and built governance for the identities they could see — the ones belonging to people. The identities belonging to machines, which became the majority over the same period, were left largely ungoverned: no lifecycle, no clear ownership, credentials scattered through code, privileges granted broadly and never narrowed, behavior unwatched.

That is the hole in the perimeter. And it is not a small or peripheral one — it is, in most environments, where the largest population of powerful, persistent, poorly governed access now lives. Closing it is among the highest-return identity investments available to a security program today.

Identity is the new perimeter. The work that remains is to govern all of it — including the vast and growing population of identities that do not belong to anyone, that no one is watching, and that an attacker would very much like to use.

*To be continued...*