
      By 2026, organisations will be faced with an exponentially growing number of so-called non-human identities (NHIs). These may be service accounts or API keys, but also workload identities – digital identities for agents, services, containers or scripts, enabling them to authenticate and authorise themselves securely. 

      Control, governance and transparency are insufficient when it comes to non-human identities

      This development brings with it not only technological complexity, but also significant security and compliance risks, as many organisations lack transparency, control and governance. Regulatory requirements such as the Digital Operational Resilience Act (DORA) or the Network and Information Security Directive (NIS2) are increasing the pressure to ensure holistic and audit-proof management of all identities. 

      Key challenges in the management of non-human identities

      The following article examines the three key challenges in the management of non-human identities and highlights the resulting strategic areas for action.


      1. An overabundance of identities and a lack of transparency

      Challenges

      Cloud technologies, DevOps models and modern application architectures mean that more and more NHIs are being created automatically and at a high frequency – for example, in granular, dynamic service architectures (microservices) or automated processes in software development, known as build and deployment pipelines. During integrations, agents and workloads independently create service accounts, API keys or tokens – so-called ‘shadow identities’ – for which there is no central onboarding or control process within Identity and Access Management (IAM). Governance processes and re-certifications are too slow.

      The result: blind spots emerge – many companies lack a complete overview of their machine identities.

      Risks

      The invisible permissions assigned to shadow identities and orphaned accounts pose numerous risks – such as undetected access paths that attackers can exploit for years, as well as an increased likelihood of lateral movement within the infrastructure. Furthermore, these invisible permissions can cause compliance issues due to incomplete evidence and complicate forensic investigations and damage containment following a cyber incident.

      Last but not least, they undermine zero-trust principles – because what cannot be seen cannot be protected.

      Strategic Areas of Action

      Transparency lays the foundation for resilience, regulatory compliance and a functioning zero-trust architecture. Organisations should therefore implement three measures. First, inventory management and automatic detection establish a central, automatically maintained NHI database, classified by risk and criticality. Second, a Target Operating Model (TOM) integrates NHIs into IAM governance as identities equivalent to human ones, with clear responsibilities and lifecycle processes. Third, monitoring and analytics provide continuous oversight through anomaly detection.


      2. Security vulnerabilities caused by inadequate safeguards

      Challenges

      Many organisations still treat machine identities as ‘second-class identities’. Whilst human access is comprehensively secured, there are often significant shortcomings when it comes to machine identities. For example, JSON configuration files frequently contain hard-coded API keys, static client IDs or access credentials that are rarely rotated. Furthermore, there is a lack of authentication mechanisms that identify workloads via cryptographic attestation of the underlying execution or computing environment.

      Similarly, access rights for workloads based on the principle of least privilege and time-bound authorisations – on a per-minute or, at most, per-hour basis – are scarcely established. Furthermore, there is often no complete record of call chains – that is, the ability to trace which human identity initiated an agent identity. Only this level of transparency makes it possible to detect over-privileged workload accounts and reliably identify anomalies in behavioural profiles. It is also a prerequisite for implementing effective controls for the segregation of duties (SoD).

      Risks

      Security vulnerabilities make NHIs easy targets for cyberattacks: compromised login credentials allow direct access to critical systems; excessive permissions increase the potential for damage; and undetected activity delays the response to incidents and results in breaches of regulatory requirements and security standards. Case studies show that misconfigurations of machine identities can lead to massive data losses and heavy fines.

      Strategic Areas of Action

      These measures enable organisations to reduce their attack surface, improve their security posture and meet regulatory requirements: a centralised secrets management system, utilising secure vault solutions, provides encryption, rotation and policy enforcement. By establishing least-privilege authorisations and just-in-time access, permissions can be reduced to a minimum and access policies can be time-limited. A monitoring and response system enables continuous, real-time analysis of activities and automated responses to suspicious events.
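As an added illustration of the detection side of the first two measures (this is not code from the article or from KPMG), the following Python script walks a constructed JSON configuration of the kind described above, reports credentials stored as literals rather than as secrets-manager references, and checks the recorded rotation date against an assumed 90-day policy. The key-name patterns, the vault:// reference form, the last_rotated field and the policy window are all assumptions made for the example.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the kind of JSON file the article describes: a literal
# API key and DB password, one credential referenced from a vault, stale rotation.
SAMPLE_CONFIG = json.dumps({
    "service": "billing-worker",
    "client_id": "billing-worker-ci",
    "api_key": "EXAMPLE-not-a-real-key-0123456789abcdef",
    "db": {"host": "db.internal", "password": "hunter2hunter2"},
    "client_secret_ref": "vault://kv/billing/client-secret",
    "last_rotated": "2024-01-15T00:00:00+00:00",
})

# Key names that usually hold credentials (assumed heuristic, case-insensitive).
SECRET_KEY = re.compile(r"(api[_-]?key|secret|password|passwd|token|credential)", re.I)
# Values that point at a secrets manager instead of embedding the secret (assumed forms).
REFERENCE_VALUE = re.compile(r"^(vault://|arn:|\$\{[A-Z0-9_]+\}$)")
MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy

def find_hardcoded_secrets(node, path=""):
    """Walk a parsed JSON document and return dotted paths of literal secrets."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                findings.extend(find_hardcoded_secrets(value, child))
            elif (SECRET_KEY.search(key) and isinstance(value, str)
                  and value and not REFERENCE_VALUE.match(value)):
                findings.append(child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_hardcoded_secrets(item, f"{path}[{i}]"))
    return findings

def assess(config_text, now_iso=None):
    """Assess one NHI config: literal secrets found and rotation status."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    config = json.loads(config_text)
    stamp = config.get("last_rotated")           # None means rotation was never recorded
    age = (now - datetime.fromisoformat(stamp)).days if stamp else None
    return {
        "hardcoded_secrets": find_hardcoded_secrets(config),
        "rotation_age_days": age,
        "rotation_overdue": age is None or age > MAX_CREDENTIAL_AGE.days,
    }
```

Running assess(SAMPLE_CONFIG) on the sample flags api_key and db.password but not the vault reference, and reports the credential as overdue for rotation.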


      3. Lack of integration of governance and compliance

      Challenges

      In many organisations, NHIs have not yet been integrated into a consistent governance structure. There is often a lack of clear ownership models, standardised guidelines and consistent processes for the lifecycle and access. At the same time, regulatory requirements demand that human and machine identities be treated equally.

      Risks

      The failure to integrate NHIs into governance, risk and compliance processes leads to a lack of transparency and unclear responsibilities (‘ownerless risk’). This complicates audits, makes it impossible to reliably demonstrate compliance with regulatory requirements, and often means that business-critical dependencies are overlooked. This increases the risk of compliance breaches, control weaknesses and poor decision-making when dealing with security-relevant machine identities.

      Strategic Areas of Action

      To improve audit readiness, scalability and the sustainable integration of NHIs into corporate governance, governance, risk and compliance processes should be further developed in a targeted manner. This includes expanding the governance framework by introducing company-wide NHI policies with clearly defined responsibilities and attribution rules. Furthermore, NHIs should be taken into account in risk management and internal control systems. In addition, it is advisable to define a target operating model, including a roadmap, in order to establish a target vision for NHI management across the organisation, processes and technology.


      Conclusion: NHIs as a key component of modern IAM strategies

      Non-human identities are a key component of digital enterprise architecture. The challenges – transparency, security and governance – are closely interlinked and require an integrated approach. 

      Organisations that embed NHIs into their IAM strategy at an early stage and in a systematic manner benefit from increased cyber resilience, improve their compliance and enable the secure use of modern technologies such as the cloud and AI.

      The future of Identity and Access Management lies in managing machine identities with the same rigour as human ones – a prerequisite for a trustworthy digital transformation. 


      Your contact

      Dr. Florian Kohlar

      Partner, Consulting - Cyber Security & Resilience

      KPMG AG Wirtschaftsprüfungsgesellschaft