March 30, 2026

AI Thinking

What Is a Non-Human Identity (NHI)? The AI Agent Security Guide

What Is a Non-Human Identity — managing AI agent credentials at scale

A non-human identity (NHI) is any digital credential, API key, service account, or authentication token that allows software — not a person — to access systems, data, and services. In the age of AI agents, NHIs have exploded: enterprises now manage 144 machine identities for every human one, and that ratio is growing 44% year over year.

Published March 2026

Why Non-Human Identities Matter Now

Every AI agent that reads your CRM, processes loan documents, or sends emails on behalf of your team operates under a non-human identity. Every API integration, every automated workflow, every microservice-to-microservice connection uses machine credentials. NHIs are the invisible infrastructure that makes enterprise automation work.

The problem is scale. CyberArk's 2025 State of Machine Identity Security Report found that the average enterprise manages 82 machine identities per employee, and that the overall machine-to-human identity ratio rose from 92:1 in early 2024 to 144:1 by the end of 2025. In cloud-native environments, the ratio reaches 40,000 machine identities per human.

Most organizations have no governance over these identities. Nearly 50% of NHI credentials are over one year old. Permissions classified as safe dropped from 70% to 55% in a single year. Ungoverned permissions rose from 5% to 28%. The attack surface is growing faster than security teams can monitor it.

NHI Growth: The Numbers

| Metric | Value | Source |
|---|---|---|
| Machine-to-human identity ratio | 144:1 | CyberArk 2025 |
| YoY growth in NHIs | 44% | CyberArk 2025 |
| Cloud-native environment ratio | 40,000:1 | CyberArk 2025 |
| NHI-related breaches (H1 2025) | 50+ | CyberArk 2025 |
| Credentials over 1 year old | ~50% | CyberArk 2025 |
| Ungoverned permissions | 28% (up from 5%) | CyberArk 2025 |

Types of Non-Human Identities

NHIs come in several forms, each with different risk profiles and management requirements:

  • Service accounts: Long-lived credentials that applications use to authenticate to databases, APIs, and cloud services. Often created once and forgotten — the most common source of NHI-related breaches.
  • API keys and tokens: Credentials that allow software to call external services. OAuth tokens, JWT tokens, and API keys proliferate as enterprises integrate more tools.
  • AI agent identities: The newest and fastest-growing category. Every AI agent that accesses enterprise systems — reading emails, querying databases, executing transactions — operates under an NHI with specific permissions and access scopes.
  • Machine-to-machine certificates: TLS certificates and mutual authentication credentials that secure communication between microservices, containers, and infrastructure components.
  • Bot and automation credentials: RPA bots, scheduled jobs, CI/CD pipelines, and workflow automations that authenticate to perform automated tasks.
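The statistics above (credentials over a year old, permissions drifting from "safe" to ungoverned) are the kind of thing an inventory check can surface before an auditor does. The following is an added example, not code from this page or from any vendor: a Python pass over a constructed inventory export covering the identity types listed above, flagging credentials not rotated in over a year, wildcard permissions, and identities with no owner. The record format, the 365-day staleness threshold and the sample identities are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample inventory, shaped like a normalised export from a
# secrets manager or cloud IAM. None of these are real credentials.
INVENTORY_JSON = """
[
 {"id": "svc-billing-db", "type": "service_account",
  "last_rotated": "2023-11-02T09:00:00Z", "permissions": ["db:*"], "owner": null},
 {"id": "api-crm-sync", "type": "api_key",
  "last_rotated": "2026-02-01T00:00:00Z", "permissions": ["crm:contacts:read"], "owner": "team-sales"},
 {"id": "agent-loan-draw", "type": "ai_agent",
  "last_rotated": "2026-03-29T08:00:00Z", "permissions": ["documents:read", "loans:write"], "owner": "team-lending"},
 {"id": "mtls-gateway", "type": "certificate",
  "last_rotated": "2024-01-10T00:00:00Z", "permissions": ["*"], "owner": "team-platform"},
 {"id": "rpa-monthly-report", "type": "bot",
  "last_rotated": "2025-12-01T00:00:00Z", "permissions": ["reports:read"], "owner": null}
]
"""

# Assumption: anything not rotated within a year is treated as stale.
STALE_AFTER = timedelta(days=365)


def _parse_ts(iso_z: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def is_broad(permissions) -> bool:
    """A permission set is 'broad' if any entry is a wildcard at any level."""
    return any(p == "*" or p.endswith(":*") for p in permissions)


def assess_inventory(inventory_json: str, now_iso: str):
    """Return one finding per identity: its type, credential age in days,
    and the list of hygiene issues detected (possibly empty)."""
    now = _parse_ts(now_iso)
    findings = []
    for rec in json.loads(inventory_json):
        age = now - _parse_ts(rec["last_rotated"])
        issues = []
        if age > STALE_AFTER:
            issues.append("stale_credential")
        if is_broad(rec["permissions"]):
            issues.append("broad_permissions")
        if rec["owner"] is None:
            issues.append("no_owner")
        findings.append({"id": rec["id"], "type": rec["type"],
                         "age_days": age.days, "issues": issues})
    return findings


def summarize(findings):
    """Roll the findings up into the headline numbers a governance review wants."""
    total = len(findings)
    stale = sum("stale_credential" in f["issues"] for f in findings)
    broad = sum("broad_permissions" in f["issues"] for f in findings)
    orphaned = sum("no_owner" in f["issues"] for f in findings)
    return {"total": total, "stale": stale, "broad": broad, "orphaned": orphaned,
            "stale_pct": round(100 * stale / total) if total else 0}


if __name__ == "__main__":
    results = assess_inventory(INVENTORY_JSON, "2026-03-30T00:00:00Z")
    for f in results:
        print(f"{f['id']:<20} {f['type']:<16} {f['age_days']:>5}d  {', '.join(f['issues']) or 'ok'}")
    print(summarize(results))
```

Run against a real export, the interesting output is not the percentage but the per-identity rows: a service account with a wildcard permission, no owner and a two-year-old secret is exactly the "created once and forgotten" case the list above describes, and it is a concrete rotation or decommissioning ticket rather than a statistic.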

The AI Agent Identity Problem

AI agents introduce a fundamentally new NHI challenge. Unlike traditional service accounts that perform a fixed set of operations, AI agents are autonomous — they reason about what actions to take, adapt their behavior based on context, and may access different systems depending on the task.

This means an AI agent's identity needs dynamic scoping. An agent processing loan draw requests needs read access to document storage, write access to the loan management system, and query access to compliance databases — but only during active processing, and only for the specific loan it's working on.

Static credentials with broad permissions — the norm for most enterprise NHIs — are dangerous for AI agents. An over-permissioned agent that hallucinates or is manipulated through prompt injection could take actions far beyond its intended scope.

NHI Governance for Regulated Industries

Financial services faces the strictest requirements for NHI governance. The OWASP NHI Top 10 — released June 2025 by the Cloud Security Alliance — standardized the security framework for non-human identities. PCI DSS 4.0 compliance requirements for NHI best practices became mandatory in March 2025.

Effective NHI governance for AI agents in regulated industries requires four capabilities:

  1. Least-privilege access: Every AI agent identity should have the minimum permissions needed for its specific task, scoped to the specific data and systems required. Broad service account permissions are unacceptable for autonomous agents.
  2. Credential rotation and ephemerality: Agent credentials should be short-lived and automatically rotated. Long-lived API keys — currently 50% of enterprise NHI credentials — create persistent attack surfaces.
  3. Action-level audit trails: Every action an AI agent takes must be logged with the identity that performed it, the permissions it used, and the reasoning behind the action. This is essential for regulatory compliance and incident investigation.
  4. Policy-based access control: Access decisions should be governed by executable policies that enforce business rules, compliance requirements, and risk thresholds — not just static role assignments.
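To make the four capabilities concrete, and the dynamic scoping described under "The AI Agent Identity Problem" along with them, here is an added example in Python. It is not MightyBot's code or any product's; it is an illustration of the pattern. A credential is minted per task (short-lived, scopes derived from the workflow policy rather than a standing role, bound to one loan), and a policy decision point checks signature, expiry, least-privilege scope and task binding, writing one action-level audit record per decision that names the identity, the scope it relied on and the agent's stated reasoning. The workflow name `loan_draw_processing`, the scope names, the HMAC-signed token format and the five-minute TTL are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example only; a deployment would hold this
# in a secrets manager and rotate it.
SIGNING_KEY = b"example-only-signing-key"

# Lifetime of one task credential (assumption: five minutes).
TOKEN_TTL_SECONDS = 300

# Hypothetical policy for a loan-draw workflow: (action, resource_type) -> scope.
# Anything not listed (writing approved budgets, reading customer profiles, ...)
# is denied by default. The loan_id binding is enforced in authorize().
WORKFLOW_POLICY = {
    "loan_draw_processing": {
        ("read", "draw_document"): "documents:read",
        ("write", "loan_record"): "loans:write",
        ("read", "compliance_check"): "compliance:read",
    }
}

AUDIT_LOG = []  # action-level audit trail: one record per decision


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def issue_task_credential(agent_id, workflow, loan_id, now=None):
    """Mint a short-lived credential scoped to one agent run on one loan.
    Scopes come from the workflow policy, not from a standing role."""
    now = int(time.time() if now is None else now)
    claims = {
        "sub": agent_id,
        "workflow": workflow,
        "loan_id": loan_id,
        "scopes": sorted(set(WORKFLOW_POLICY[workflow].values())),
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def _verify(token):
    """Return the claims if the signature checks out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorize(token, action, resource_type, resource_loan_id, reasoning, now=None):
    """Policy decision point. Returns (allowed, reason) and appends one audit
    record naming the identity, the scope relied on, and the agent's stated
    reasoning for the action. Every denial is recorded as well."""
    now = time.time() if now is None else now
    claims = _verify(token)
    identity, scope = "unknown", None
    if claims is None:
        allowed, reason = False, "invalid_signature"
    elif claims["exp"] <= now:
        identity = claims["sub"]
        allowed, reason = False, "credential_expired"
    else:
        identity = claims["sub"]
        rules = WORKFLOW_POLICY.get(claims["workflow"], {})
        scope = rules.get((action, resource_type))
        if scope is None or scope not in claims["scopes"]:
            allowed, reason = False, "action_not_in_policy"
        elif resource_loan_id != claims["loan_id"]:
            allowed, reason = False, "resource_outside_task_scope"
        else:
            allowed, reason = True, "allowed"
    AUDIT_LOG.append({
        "ts": int(now), "identity": identity, "action": action,
        "resource_type": resource_type, "resource_loan_id": resource_loan_id,
        "scope_used": scope if allowed else None,
        "allowed": allowed, "reason": reason, "agent_reasoning": reasoning,
    })
    return allowed, reason


if __name__ == "__main__":
    tok = issue_task_credential("agent-draw-01", "loan_draw_processing", "LOAN-123")
    print(authorize(tok, "write", "loan_record", "LOAN-123", "record disbursement"))
    print(authorize(tok, "write", "loan_record", "LOAN-999", "record disbursement"))
    print(json.dumps(AUDIT_LOG, indent=1))
```

The point of the shape is that a manipulated or hallucinating agent has nothing to escalate with: the token it holds only lists the scopes the workflow needs, the loan binding in the token rejects requests for any other loan, and the TTL means a leaked token stops working minutes later. The audit record is written on the denial path as well as the allow path, which is what an investigator needs to reconstruct what an agent tried to do, not only what it was permitted to do.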

How MightyBot Approaches Agent Identity

MightyBot's policy-driven architecture treats agent identity as a first-class concern. Every agent operates under a scoped identity with permissions defined by the specific workflow it's executing. The policy layer enforces what the agent can and cannot do — not just at the API level, but at the business logic level.

In production financial services deployments, this means an agent processing a construction loan draw can read the draw package and update the loan record, but cannot access unrelated customer data, modify approved budgets, or bypass required human review checkpoints. Every action is logged, attributed, and auditable.

This approach delivers 99%+ accuracy not just because the agent is capable, but because its identity and permissions are precisely scoped to prevent the kinds of errors that ungoverned NHIs enable.

Frequently Asked Questions

What is a non-human identity?

A non-human identity (NHI) is any digital credential — API key, service account, token, or certificate — that allows software to access systems and data. Enterprises now manage 144 machine identities for every human one, and the ratio is growing 44% annually as AI agents and automation proliferate.

Why are non-human identities a security risk?

NHIs are a security risk because most are ungoverned. Nearly 50% of NHI credentials are over a year old, ungoverned permissions rose from 5% to 28% in 2025, and over 50 NHI-related breaches occurred in the first half of 2025 alone. Over-permissioned, long-lived credentials create persistent attack surfaces.

How are AI agent identities different from traditional service accounts?

Traditional service accounts perform fixed operations with static permissions. AI agents are autonomous — they reason about what actions to take and may access different systems depending on context. This requires dynamic permission scoping, short-lived credentials, and policy-based access control rather than static role assignments.

What regulations govern non-human identities in financial services?

The OWASP NHI Top 10 (released June 2025) standardizes NHI security. PCI DSS 4.0 mandated NHI best practices from March 2025. The EU AI Act requires human oversight and auditability for AI systems. The US Treasury's Financial Services AI Risk Management Framework includes 230 control objectives covering agent identity and access governance.

How should enterprises manage AI agent identities?

Implement least-privilege access scoped to specific tasks, use short-lived and automatically rotated credentials, maintain action-level audit trails for every agent decision, and enforce policy-based access control that governs agent behavior at the business logic level — not just the API level.
