Solving the non-human identity (NHI) crisis with Jim Alkove and Garrett Bekker

When was the last time you conducted a headcount of your workforce? You almost surely know exactly how many humans are on payroll. But what about your “shadow workforce”: the service accounts, API keys, bots, and AI agents quietly operating across your infrastructure? 

These non-human identities (NHIs) now outnumber your human employees by as much as 80:1, yet they remain largely invisible, unmanaged, and increasingly under attack. Think about that for a second: For every single employee, there are potentially 80 NHIs — each with its own credentials and access to your organization’s information. 

This was the focus of a recent webinar featuring Garrett Bekker from S&P Global Market Intelligence and Oleria CEO Jim Alkove, who explored how NHIs are fundamentally reshaping the cybersecurity landscape. 

Here are three key insights that emerged from their discussion:

Identity is the key cyber risk entry point

Jim started the talk with an assertion of how drastically the threat landscape has changed in the last few years: “Hackers don’t hack in; they log in.” In other words, today’s bad actors don’t break down digital walls — they walk through the front door with legitimate credentials.

In fact, identity is the initial breach vector for the vast majority of incidents, with estimates as high as 90%. Jim stressed that identity is the biggest vulnerability for even the biggest enterprise organizations, noting that high-profile breaches like the Microsoft Midnight Blizzard incident started with a compromised identity rather than traditional malware.  

This demands a fundamental shift in cyber defense. Where organizations once focused primarily on keeping malware out of their systems, identity management is now the battlefront. 

“What has happened today, is that there has been a shift: Identity now becomes the main entry point and not the malware on the system.”
Jim Alkove

Non-human identities (NHIs) remain a huge blind spot

Identity management is not a new focus — but automation and integration has dramatically changed the nature of identity management challenges. Most critically, while organizations may have a decent handle on their human identities, NHIs have proliferated in the background with minimal governance. These NHIs, as Bekker outlined, encompass everything from machine identities (like servers and devices) and workload identities (applications, containers, VMs) to service accounts and API keys.

“NHI-related security risks are one of the biggest risks organizations face these days,” said S&P analyst Bekker. The sprawling, ungoverned web of NHIs represents cybersecurity's fastest-growing blind spot — and an increasingly popular entry point for attackers. Jim pointed out that half of organizations (46%) have experienced security breaches related to NHIs. Looked at another way, the typical enterprise suffered 3 different NHI-related incidents in the past year alone. 

Jim noted that it’s surprising those NHI breach numbers aren’t even higher, given a recent survey showing 85% of organizations say they’re not confident that they can prevent NHI attacks. In fact, he noted that his conversations with CISOs reveal that many are struggling to answer basic questions about their NHI landscape: Which NHIs exist? What access do they have? Who owns these NHIs?

This blind spot is exacerbated by unique challenges inherent to NHIs: they often lack a single owner and are highly fragmented across systems, leading to significant discovery and governance gaps. For example, they don't change passwords regularly, they don't typically have managers reviewing their access, and they quietly accumulate over-privileged access over time.

“Attackers, in my experience as an operator (Chief Trust Officer at Salesforce), go to places that they know are the softest in your defenses. And NHIs tend to be very long-lived credentials that are often set up once and poorly maintained. There are a lot of challenges with that maintenance.”
Jim Alkove

Agentic AI adds fuel to the NHI fire

The already significant risks associated with NHIs will explode with the rapid advancements of agentic AI. Bekker highlighted the clear consensus that “the risk of agentic AI will be a big driver of non-human identities.” Each AI agent will inherently possess an identity — often with permissions delegated by human users, creating an even more complex web of access and governance. 

But agentic AI also transforms the NHI challenge in a critical way: Unlike traditional NHIs that operate in a deterministic manner — executing predefined actions with predictable outcomes — AI-powered identities function non-deterministically, making autonomous decisions based on learning and context that can vary with each execution.

Jim emphasized the oncoming risk: “AI is going to stress our identity systems in a way that most folks aren’t really considering today.”

Organizations are eager to harness the power of AI, but Jim warned that “collectively, were running with scissors — assuming nothing bad is going to happen.” He stressed the urgent need to learn from past tech transformations where security was relegated to an afterthought. For AI, we need to embed security into the fabric of the technology from the beginning.

Moreover, organizations will need to build security capabilities that can keep pace with (rather than slow down) agentic AI. This means aggressively moving toward intelligently automated approvals and a more adaptive approach to granting and revoking access, so AI agents can get the access and permissions they need to move fast, while still giving the business oversight and control mechanisms.

“The thing that we all need to realize is that underneath this value curve of agentic AI, as it scales, are a set of identity challenges that everyone needs to be aware of and start working on now.”
Jim Alkove 

What now? Accelerating AI starts with solving the NHI access problem 

The escalating complexity presented by NHIs and supercharged by agentic AI means organizations can no longer treat identity security as an IT provisioning function with some security controls bolted on. Old paradigms are insufficient. Moreover, security teams can’t afford to allow NHI blind spots to persist. As Jim bluntly stated, “Conscious ignorance is not a good strategy.” Attackers, he warned, “will have a magic way of finding the things that you don’t know about.”

But Jim also presented a practical solution to the NHI problem, laying out a vision for a new approach to identity management, built on three key pillars:

1. Unified identity discovery & visibility: Connecting siloes into a single inventory of all identities (human, NHI, AI) across all environments (on-premises, SaaS, cloud, and hybrid).
2. Fine-grained insight into access & usage: Visibility needs to go beyond NHI discovery to understand precise access and usage in order to eliminate over-provisioning (especially for agentic AI tools).
3. Automated governance & remediation: Security teams need to fix their NHI problems. So, visibility is the critical starting point. But solutions need to actively enforce least privilege and manage NHI lifecycles.
   

Ultimately, organizations cannot tackle the NHI problem with a narrow lens on today’s challenges. They need to build a secure, agile, foundation that will adapt to tomorrow’s identity challenges — and enable them to confidently adopt agentic AI (and whatever comes next). Proactively building this unified, forward-looking identity program will give businesses strategic advantage — both through cyber resilience and business enablement.

Ready to understand the full scope of the NHI and identity security challenge facing your organization?

Watch the on-demand webinar replay here.