Non-Human Identity (NHI)
A non-human identity (NHI) is any credential that authenticates a machine rather than a person — service accounts, API keys, OAuth client secrets, machine certificates, workload identities (AWS IAM roles, Azure managed identities, GCP service accounts) and AI agents. NHIs outnumber human identities roughly 45:1 and need their own governance, lifecycle and offboarding; the OWASP NHI Top 10 (2025) catalogues their main risks.
Definition
Identities for service accounts, API keys, OAuth client secrets, machine certificates, workload identities (AWS IAM roles, Azure managed identities, GCP service accounts), AI agents and IoT devices: anything that authenticates without a human employment lifecycle. NHIs outnumber human identities about 45:1 in typical enterprises (CyberArk 2024 research) and are the subject of the OWASP NHI Top 10 (2025) risk catalogue.
Application
- MidPoint: A non-human identity (NHI) is an identity that represents an entity that is not a human (physical person).
- SailPoint: Service Account aggregation plus custom Application onboarding for NHI types.
Sources
- OWASP Non-Human Identities Top 10 (2025), primary source
Related terms
- AI Agent Identity: Identity assigned to an autonomous AI agent acting on behalf of a human or workflow. Distinct from human identities (wit …
- AI Agent Lifecycle Management: Discipline of provisioning, monitoring, updating, and decommissioning AI agents as first-class enterprise identities. Mi …
- Cloud Access Security Broker (CASB): Intermediary between users and cloud services (SaaS/IaaS) providing visibility, co …
- Continuous Adaptive Trust: Authentication and authorization paradigm where trust is recomputed continuously throughout a session based on real-time …
- Identity Recovery (IR): Ability to restore identities and access entitlements after a destructive event — ransomware, mass account compromise, m …
- Identity Security: Industry-recognized discipline (Gartner / KuppingerCole / Forrester) treating identity as the new security perimeter. En …
Frequently asked questions
What is a non-human identity (NHI)?
A non-human identity authenticates a machine or workload rather than a person — service accounts, API keys, OAuth secrets, certificates, cloud workload identities and AI agents. Unlike employees, NHIs have no joiner-mover-leaver lifecycle, so they need a separate governance model.
Why are non-human identities a security risk?
NHIs outnumber humans about 45:1, are often over-privileged, and rarely get offboarded when their workload ends — leaving long-lived credentials. The OWASP NHI Top 10 (2025) catalogues the main risks, from secret leakage to improper offboarding.
How do you govern non-human identities?
Inventory every NHI and assign an owner; rotate and vault secrets instead of embedding them in config; apply least privilege; and offboard NHIs when the workload retires. An IGA platform extends joiner-mover-leaver controls to service and workload identities.
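One way to turn the governance steps above (owner, rotation, least privilege, offboarding) into a repeatable inventory check, as an added example that is not part of this glossary or any IGA product; the record fields, thresholds and sample entries are constructed for illustration.

```python
# Added example: audit an NHI inventory against the governance rules
# described above. All field names, thresholds and records are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class NHI:
    name: str
    kind: str                        # e.g. "service_account", "api_key", "ai_agent"
    owner: Optional[str]             # accountable human or team; None = orphaned
    created: date
    last_rotated: Optional[date]     # None = secret never rotated since creation
    last_used: Optional[date]        # None = never seen authenticating
    privileges: List[str] = field(default_factory=list)


ROTATION_MAX_DAYS = 90                     # constructed rotation policy
IDLE_MAX_DAYS = 60                         # constructed offboarding threshold
ADMIN_SCOPES = {"*", "admin", "owner"}     # constructed high-risk grants
TODAY = date(2025, 3, 25)                  # fixed "now" so results are stable


def audit_nhi(nhi: NHI, today: date = TODAY) -> List[str]:
    """Return governance findings for one NHI; an empty list means compliant."""
    findings = []
    if not nhi.owner:
        findings.append("no-owner")                 # inventory step: assign an owner
    rotated = nhi.last_rotated or nhi.created       # never rotated -> age since creation
    if today - rotated > timedelta(days=ROTATION_MAX_DAYS):
        findings.append("rotation-overdue")         # vault and rotate, do not embed
    last_seen = nhi.last_used or nhi.created        # never used -> idle since creation
    if today - last_seen > timedelta(days=IDLE_MAX_DAYS):
        findings.append("idle-offboard-candidate")  # workload likely retired
    if ADMIN_SCOPES.intersection(nhi.privileges):
        findings.append("over-privileged")          # least privilege violated
    return findings


def audit_inventory(inventory: List[NHI], today: date = TODAY) -> Dict[str, List[str]]:
    return {n.name: audit_nhi(n, today) for n in inventory}


# Constructed sample inventory: one healthy CI identity, one orphaned legacy key,
# one freshly issued AI-agent token that has not authenticated yet.
SAMPLE = [
    NHI("ci-deploy-sa", "service_account", "platform-team", date(2025, 1, 10),
        date(2025, 3, 1), date(2025, 3, 20), ["deploy:write"]),
    NHI("legacy-etl-key", "api_key", None, date(2023, 6, 1), None, date(2024, 11, 2), ["*"]),
    NHI("doc-agent-token", "ai_agent", "ml-team", date(2025, 3, 10), None, None, ["read:docs"]),
]


def run_sample() -> Dict[str, List[str]]:
    return audit_inventory(SAMPLE)
```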