Not every identity has a badge or a browser. Today, more and more access is being granted to systems, services, software, and AI agents, not just people. These non-human identities (NHIs) are multiplying fast. And in 2025, they’ve become a primary concern for security teams racing to govern the invisible.
According to ConductorOne’s 2025 Future of Identity Security Report, NHIs are no longer a niche issue or a future problem. They’re everywhere, and they’re growing faster than most teams can keep up with, especially with the addition of agentic AI.
With machines now acting on behalf of humans, generating access requests, executing tasks, and making decisions, the line between user and agent is blurring. That’s forcing a major shift in identity priorities. And the data shows that security leaders are taking notice.
Urgent, widely acknowledged risk
A staggering 93% of respondents in the report said the risks associated with NHIs are urgent, with 24% calling them “extremely” urgent and in need of immediate action. Only 2% said NHIs don’t pose a current risk, an indication that awareness is high, even if action isn’t always keeping pace.
Respondents from high-risk, cloud-heavy sectors like financial services and technology were the most likely to express extreme urgency, underscoring the reality that machine identity sprawl is hardest to manage in complex, distributed environments.
Agentic AI is only exacerbating this trend. As organizations automate more processes and embed AI agents across systems, the number of NHIs balloons, each carrying credentials, access rights, and the potential for misuse.
More important than humans? For some, yes
Perhaps the most striking finding from the report: 42% of respondents say NHI security is now a higher priority than securing human users. Another 51% said NHIs are as important as human accounts.
That’s a major mindset shift. It signals just how far the conversation around identity has evolved. For many organizations, it’s no longer just about locking down user credentials. It’s about managing machine access at scale: the tokens, service accounts, secrets, and APIs that power every cloud-native business.
This shift may also reflect a growing confidence in human identity controls. Security teams have invested years in MFA, SSO, and user lifecycle management. But when it comes to NHIs, many of those controls don’t apply or don’t go far enough.
Visibility is high but challenges persist
At first glance, the visibility story looks promising. 78% of respondents said they have “high” or “full” visibility into NHIs across their environment, and 30% said they already have total visibility.
But dig a little deeper, and a more complicated picture emerges.
Despite these high visibility claims, the second most-cited challenge for managing NHIs was… visibility. That contradiction suggests two things: first, that some teams may be overestimating their understanding of their NHI footprint; and second, that visibility alone isn’t enough to drive action.
The top challenge, by a significant margin, was ensuring NHIs have the right privilege levels. Many machine identities are over-provisioned by default and rarely reviewed after deployment, creating a ticking time bomb of unmonitored access. And unlike human users, NHIs don’t change jobs, leave the company, or file IT tickets, so their access often remains indefinitely.
What’s getting in the way of NHI governance?
While nearly every team recognizes the risk, the path to proper governance isn’t clear-cut. The report reveals several challenges standing in the way of strong machine identity controls:
- Over-provisioning by default: Most NHIs are granted broad access from the start to avoid breaking systems—introducing excessive privilege that rarely gets reevaluated.
- Credential rotation: Particularly difficult for larger orgs, this challenge stems from the complexity of updating tokens and secrets without disrupting workflows.
- Third-party risk: In financial services in particular, concern is growing around NHIs tied to external vendors or cloud services.
- Sheer volume: In large enterprises, the scale of machine identities makes even basic tracking a monumental task.
Notably, organizations that experienced multiple identity compromises last year were more likely to name NHI governance as their top identity challenge. That correlation mirrors a trend seen throughout the report: firsthand exposure to risk drives faster, more decisive action.
The need for proactive controls
The report doesn’t paint NHIs as inherently dangerous, but it does frame them as under-governed. Without human oversight, NHIs can persist long after their usefulness ends. And without consistent reviews, they can accumulate access to sensitive systems that no one’s watching.
Getting ahead of that risk means operationalizing identity governance for machines, just like we’ve done for people. That includes:
- Automated access reviews for NHIs
- Scoped permissions and access policies
- Credential lifecycle management and rotation
- Audit trails and usage monitoring
And with agentic AI becoming a new class of NHI, these fundamentals matter even more. An AI agent with the ability to take actions on your behalf must be governed with the same precision as any privileged user—or perhaps even more.
NHIs are at the foundation of the identity story
It’s tempting to think of non-human identities as an edge case. But in 2025, they’re central to the identity equation. From service accounts to AI agents, the number of credentials in use far exceeds the number of employees at most companies—and each one represents a potential entry point.
Security leaders understand the urgency. They’re investing in visibility, privilege control, and long-term governance. But as the report makes clear, the complexity is growing—and machine identity management will only become more important as organizations scale automation and adopt AI more broadly.
If identity is the new perimeter, NHIs are its most elusive and critical layer. Getting them under control is no longer optional. It’s table stakes for secure growth.