Strategic Module · Identity Security · NHI

The Non-Human Identity Explosion & How to Take Back Control

Modern IT environments have crossed a tipping point: non-human identities now vastly outnumber the humans they serve. Understanding why they are harder to manage, and how Delinea addresses them, is critical to any modern PAM strategy.

45 machine identities for every 1 human identity in the average enterprise

Fastest-growing attack surface: machine identity volumes are doubling every 2 years as organizations scale microservices, DevOps, and multi-cloud adoption.

Least governed identity class: despite outnumbering humans 45:1, NHIs remain largely outside formal PAM programs, with no rotation policies, no ownership records, and no offboarding triggers.

Source: CyberArk Identity Security Threat Landscape Report, 2024, a survey of 2,400 security decision-makers across 18 countries.
Module 01: What Are NHIs

The Six Categories of Non-Human Identities

Non-human identities (NHIs) are any digital entity that authenticates and accesses resources without direct human operation. They span a wide spectrum, from a simple API key to a fully autonomous cloud workload.

  • Service Accounts (typically ~200–400): local or AD accounts used by applications, services, and scheduled tasks to run processes.
  • API Keys (~5,000–20k): static credentials issued to applications to access third-party APIs and internal services.
  • Application Tokens (~10k–50k): OAuth tokens, JWTs, and session tokens granted to software for short- or long-lived access.
  • Bot Accounts (~50–500): automated accounts in SaaS platforms (Slack bots, Jira automation, RPA user accounts).
  • CI/CD Credentials (~1,000+): secrets embedded in pipelines (GitHub Actions, Jenkins, GitLab) to deploy code and access infrastructure.
  • Cloud Workload Identities (~5,000–100k): IAM roles, managed identities, and service principals assigned to VMs, containers, and functions.

45×: the ratio has inverted. For every human identity in a modern enterprise there are an estimated 45 non-human identities, a ratio that continues growing as organizations adopt microservices, DevOps, and multi-cloud architectures.
Module 02: The Management Gap

Why Non-Human Identities Are Harder to Manage

Human identity management has decades of process refinement: joiner/mover/leaver workflows, HR-driven provisioning, regular access reviews. Non-human identities operate outside all of these guardrails.

Dimension            | Human Identities                        | Non-Human Identities
Offboarding Trigger  | 🟢 HR termination event                 | 🔴 None; persists until manually removed
Ownership Clarity    | 🟢 Named employee, manager chain        | 🔴 Often undocumented or orphaned
Privilege Level      | 🟡 Regularly reviewed, right-sized      | 🔴 Frequently over-privileged for convenience
Credential Rotation  | 🟡 Password policies enforce change     | 🔴 Rarely rotated; risk of application breakage
MFA Capable          | 🟢 Standard requirement                 | 🔴 Architecturally incompatible with most MFA
Audit Visibility     | 🟢 Activity tied to a named person      | 🔴 Shared credentials obscure accountability
Discovery            | 🟢 HR system is authoritative source    | 🔴 Scattered across AD, vaults, code repos, YAML files

The three root causes of NHI risk:

1. No Natural Offboarding Trigger: orphaned accounts accumulate silently over years

When a developer leaves, their human account is deprovisioned. But the service account they created for a legacy integration, the API key they generated in a SaaS portal, and the pipeline secret they committed to a config file all live on indefinitely.

Without an equivalent to an HR departure trigger, NHIs accumulate. A five-year-old organization may have thousands of service accounts that haven't been used in years, still holding broad permissions to production systems.

40% of service accounts in a typical enterprise are estimated to be orphaned or abandoned with no known owner, yet they retain full system access.
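Putting the missing trigger back in code, as an added example that is not Delinea's tooling: the script below joins a constructed NHI inventory against a constructed HR roster (the one authoritative departure signal humans get) and flags identities whose owner has left, that have no owner on record, or that have not authenticated in over a year, marking privileged ones for priority. The account names, dates, roster and the 365-day threshold are all assumptions.

```python
"""Flag orphaned and stale non-human identities by joining an NHI inventory
against an HR roster. Added illustration, not Delinea code; the inventory,
roster and thresholds below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed HR roster: the only authoritative "offboarding trigger" humans get.
HR_ACTIVE = {"alice", "bob"}

# Constructed NHI inventory (what a scan of AD, a vault and a CI system might yield).
NHI_INVENTORY = [
    {"name": "svc-erp-sync",    "owner": "alice", "last_used": "2024-05-20", "privileged": True},
    {"name": "svc-legacy-ftp",  "owner": "carol", "last_used": "2021-11-02", "privileged": True},   # carol has left
    {"name": "api-key-billing", "owner": None,    "last_used": "2024-04-01", "privileged": False},  # no owner recorded
    {"name": "ci-deploy-prod",  "owner": "bob",   "last_used": "2022-01-15", "privileged": True},   # owner present, but unused
]

STALE_AFTER = timedelta(days=365)      # assumed threshold for "not used in over a year"
AS_OF = datetime(2024, 6, 1)           # constructed report date


def classify(nhi, roster, today):
    """Return the findings for one identity; an empty list means healthy."""
    findings = []
    if nhi["owner"] is None:
        findings.append("no-owner")
    elif nhi["owner"] not in roster:
        findings.append("owner-departed")        # the human trigger fired, the NHI never heard it
    last_used = datetime.strptime(nhi["last_used"], "%Y-%m-%d")
    if today - last_used > STALE_AFTER:
        findings.append("stale")
    if findings and nhi["privileged"]:
        findings.append("privileged")            # orphaned AND holding broad rights: review first
    return findings


def orphan_report(inventory, roster, today):
    """Map identity name -> findings for every identity with at least one finding."""
    report = {}
    for nhi in inventory:
        findings = classify(nhi, roster, today)
        if findings:
            report[nhi["name"]] = findings
    return report


if __name__ == "__main__":
    for name, tags in orphan_report(NHI_INVENTORY, HR_ACTIVE, AS_OF).items():
        print(f"{name:18} {', '.join(tags)}")
```

In a real deployment the roster would come from the HR system and the inventory from the discovery sources the table above lists (AD, vaults, code repositories, pipeline configuration); the join logic stays the same.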
2. Over-Privileged by Design (and Habit): convenience beats least privilege when developers own the keys

When a developer needs a service account for an integration, the path of least resistance is Domain Admin or a broad IAM policy. Scope creep is real: it is easier to grant too much access upfront than to iterate permissions until they break. The application ships, and the account is forgotten.

Cloud environments compound this. IAM roles attached to Lambda functions or ECS tasks are often granted wildcard permissions like s3:* or iam:* during development and never tightened before reaching production.

70% of cloud identities, including workloads, are granted permissions they never use. The effective privilege gap between granted and needed is measured in thousands of actions.
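To make the wildcard problem and the granted-versus-needed gap concrete, here is an added Python example (not Delinea's or AWS's code). It expands the Action patterns of a constructed development-time policy against a small constructed catalogue of service actions, flags the wildcards, computes the actions that were granted but never appear in a constructed usage log, and emits a right-sized policy. This is the same observed-usage right-sizing that Module 04 describes for cloud workload identities. The catalogue, policy, usage log and bucket ARN are all constructed.

```python
"""Detect wildcard grants in an IAM-style policy and measure the gap between
granted and observed actions. Added illustration, not Delinea code; the policy,
the action catalogue and the usage log are constructed sample data."""
import fnmatch
import json

# Constructed catalogue of actions per service (real services expose hundreds).
SERVICE_ACTIONS = {
    "s3":  ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket"],
    "iam": ["iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole", "iam:ListRoles"],
}

# Constructed policy of the kind attached "during development" and never tightened.
DEV_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"}
  ]
}""")

# Constructed usage log: actions the workload actually performed in the observation window.
OBSERVED = ["s3:GetObject", "s3:GetObject", "s3:PutObject", "s3:ListBucket"]


def _action_patterns(stmt):
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]


def granted_actions(policy):
    """Expand every Allow pattern (s3:*, iam:List*, ...) against the catalogue."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for pat in _action_patterns(stmt):
            for actions in SERVICE_ACTIONS.values():
                granted.update(a for a in actions if fnmatch.fnmatchcase(a, pat))
    return granted


def wildcard_findings(policy):
    """Return the Allow action patterns that contain a wildcard, e.g. ['s3:*', 'iam:*']."""
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            found += [p for p in _action_patterns(stmt) if "*" in p]
    return found


def privilege_gap(policy, observed):
    """Granted-but-unused actions: exactly what a right-sizing pass would remove."""
    return sorted(granted_actions(policy) - set(observed))


def right_sized_policy(policy, observed, resource):
    """Rewrite the policy to only the observed actions, scoped to a named resource."""
    used = sorted(set(observed) & granted_actions(policy))
    return {"Version": policy["Version"],
            "Statement": [{"Effect": "Allow", "Action": used, "Resource": resource}]}


if __name__ == "__main__":
    print("wildcards:", wildcard_findings(DEV_POLICY))
    print("granted but unused:", privilege_gap(DEV_POLICY, OBSERVED))
    # Placeholder ARN; a real policy would name the workload's actual bucket.
    print(json.dumps(right_sized_policy(DEV_POLICY, OBSERVED, "arn:aws:s3:::example-bucket/*"), indent=2))
```

The catalogue is deliberately tiny so the gap is readable; against the real action lists for s3 and iam, the same two wildcards expand to the thousands of unused actions the figure above refers to.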
โฐ
Credentials Rarely Rotated
The fear of application breakage freezes rotation in place
โ–ผ

Rotating a service account password or API key sounds simple, but in practice it requires knowing every application that uses that credential, coordinating updates across multiple systems, and accepting downtime risk. The result: credentials are set once and never touched.

Secrets hard-coded in application code, configuration files, or CI/CD pipelines are virtually never rotated, because rotation would require a code change, a build, and a deployment. Many organizations have production secrets that haven't changed in years: a 2023 GitGuardian survey found that 50% of secrets detected in source code had been there for over a year, and 35% for more than 3 years.

82% of organizations report they have no automated rotation of service account passwords, relying entirely on manual processes that rarely happen in practice.
Module 03: Identity Lifecycle

The NHI Lifecycle: Where Problems Concentrate

Each stage of a non-human identity's lifecycle presents a distinct security gap. The risk that concentrates at each stage:

  • Discovery: unknown inventory
  • Provisioning: over-privilege
  • Runtime: static secrets
  • Rotation: rarely occurs
  • Audit: no attribution
  • Decommission: never triggered
Module 04: Delinea's Answer

How Delinea Brings NHIs Under Control

Delinea addresses non-human identity risk through two integrated pillars: Service Account Management within Secret Server and Secrets Management via the DevOps Secrets Vault (DSV) and integrated platform capabilities.

DevOps Secrets Vault

Secrets Management for Applications & Pipelines

DSV replaces hard-coded secrets in code and CI/CD pipelines with dynamic secret retrieval at runtime, so secrets never reside in source control or config files.

  • CLI, SDK, and REST API access for applications and pipelines
  • Native integrations with GitHub Actions, GitLab CI, Jenkins, and Kubernetes
  • Short-lived dynamic secrets with automatic expiry
  • Role-based policies tied to workload identity, not individual accounts
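The before-and-after this section describes, as an added Python example rather than DSV's client or API: an application that reads a hard-coded credential from its own config, beside one that asks a vault at runtime and receives a short-lived lease it renews only after expiry. The ToyVault class, the secret path and the 60-second TTL are stand-ins I constructed; DSV itself is reached through its CLI, SDK or REST API, which this example does not call. The same pattern is what removes the rotation blocker from Module 02, since a credential that is minted per lease never needs a code change to replace.

```python
"""Runtime secret retrieval with short-lived leases, contrasted with a
hard-coded secret. Added illustration, not DSV's client or API; the vault
here is an in-memory stand-in and every value is constructed."""
import secrets
import time

# BEFORE: the secret lives in the codebase. Anyone with repository access has it,
# and changing it means a code change, a build and a deployment.
HARDCODED_CONFIG = {"db_password": "hunter2-placeholder"}   # constructed anti-pattern


def db_password_before():
    return HARDCODED_CONFIG["db_password"]


# AFTER: the application holds no secret at rest. It asks a vault at runtime and
# receives a lease that expires on its own.
class Lease:
    def __init__(self, value, expires_at):
        self.value = value
        self.expires_at = expires_at

    def valid(self, now):
        return now < self.expires_at


class ToyVault:
    """Stand-in for a secrets service that mints a fresh credential per lease."""

    def __init__(self):
        self.issued = []            # audit trail: (path, expiry) for every lease handed out

    def issue(self, path, ttl_seconds, now):
        value = secrets.token_urlsafe(16)        # dynamic credential, never reused
        lease = Lease(value, now + ttl_seconds)
        self.issued.append((path, lease.expires_at))
        return lease


class App:
    def __init__(self, vault, path, ttl_seconds=60):
        self.vault, self.path, self.ttl = vault, path, ttl_seconds
        self._lease = None

    def db_password(self, now=None):
        """Return a currently valid credential, renewing the lease once it has expired."""
        now = time.time() if now is None else now
        if self._lease is None or not self._lease.valid(now):
            self._lease = self.vault.issue(self.path, self.ttl, now)
        return self._lease.value


if __name__ == "__main__":
    vault = ToyVault()
    app = App(vault, "secrets/db/app1", ttl_seconds=60)   # constructed secret path
    first = app.db_password()
    print("lease issued, expires at", vault.issued[-1][1])
    assert app.db_password() == first                    # reused while the lease is valid
```

Because the credential is only ever held in memory for the lease lifetime, a leaked copy of the repository or a config file reveals nothing, and a lease that has expired is useless even if captured.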
Cloud Identity

Cloud Workload Identity Governance

Delinea extends PAM to cloud-native environments, managing IAM roles, Azure Managed Identities, and GCP service accounts with the same governance applied to traditional service accounts.

  • Continuous entitlement analysis across AWS, Azure, GCP
  • Automated right-sizing recommendations based on observed usage
  • Policy enforcement preventing wildcard permission assignments
  • Cross-cloud unified audit trail for compliance reporting
Secret Rotation Workflow

  Trigger (rotation schedule or policy event)
  → Generate (Secret Server creates the new credential)
  → Propagate (updates all dependent apps simultaneously)
  → Verify (validates connectivity post-rotation)
  → Audit (full audit log of the rotation event)
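The five-step workflow above and the breakage fear from Module 02, as one added Python example (not Secret Server's implementation): a rotation that keeps a dependency map of the consuming applications, propagates a freshly generated credential to all of them, verifies each can still connect, and commits the cut-over only when every check passes, rolling back and recording the failure otherwise. The applications, account names and the injected failure are constructed.

```python
"""Rotate a shared service credential across its dependent applications with
verification and audit, rolling back if any consumer fails to connect.
Added illustration of the five-step workflow, not Secret Server's code; the
applications, the dependency map and the failure injection are constructed."""
import secrets


class DependentApp:
    """Constructed consumer of the credential. `breaks_on_update` simulates the
    application that cannot reload its credential (the classic breakage case)."""

    def __init__(self, name, breaks_on_update=False):
        self.name = name
        self.credential = None
        self.breaks_on_update = breaks_on_update

    def update_credential(self, value):
        self.credential = value

    def check_connectivity(self, expected):
        # A consumer "connects" only if it holds the credential the target now expects.
        return self.credential == expected and not self.breaks_on_update


class Rotation:
    def __init__(self, account, dependents):
        self.account = account
        self.dependents = dependents             # the dependency map: who uses this credential
        self.current = secrets.token_urlsafe(12)
        for app in dependents:
            app.update_credential(self.current)
        self.audit = []

    def _log(self, step, detail):
        self.audit.append({"account": self.account, "step": step, "detail": detail})

    def rotate(self, trigger):
        """TRIGGER -> GENERATE -> PROPAGATE -> VERIFY -> AUDIT; returns True on success."""
        self._log("TRIGGER", trigger)
        old, new = self.current, secrets.token_urlsafe(12)
        self._log("GENERATE", "new credential minted")
        for app in self.dependents:                     # PROPAGATE to every known consumer
            app.update_credential(new)
        self._log("PROPAGATE", [a.name for a in self.dependents])
        failed = [a.name for a in self.dependents if not a.check_connectivity(new)]
        if failed:                                       # VERIFY failed: roll back, keep old active
            for app in self.dependents:
                app.update_credential(old)
            self._log("VERIFY", {"ok": False, "failed": failed})
            self._log("AUDIT", "rotation rolled back; previous credential remains active")
            return False
        self.current = new                               # cut over only after all consumers verified
        self._log("VERIFY", {"ok": True})
        self._log("AUDIT", "rotation committed")
        return True


if __name__ == "__main__":
    apps = [DependentApp("erp"), DependentApp("reporting")]
    r = Rotation("svc-erp-sync", apps)                   # constructed account and consumers
    print("rotated:", r.rotate("schedule: 90-day policy"))
    for entry in r.audit:
        print(entry["step"], entry["detail"])
```

The point the example makes is that the dependency map is what makes the verify step meaningful: a consumer missing from the map is never updated, never checked, and breaks silently after cut-over, which is exactly the outcome that stops teams from rotating at all.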
Module 05: Key Takeaways

What Every Seller Must Know

These are the critical points to internalize and communicate when discussing NHI risks with customers and prospects.

01. NHIs outnumber humans 45:1. Any customer who says "we don't have that many privileged accounts" almost certainly hasn't looked at their NHI population.

02. No offboarding trigger = endless accumulation. Unlike humans, NHIs require an affirmative decision to remove. Without governance, they grow forever.

03. Fear of breakage paralyzes rotation. Delinea's dependent application mapping and simultaneous propagation are the specific answer to this specific objection.

04. Hard-coded secrets are the leading cause of cloud breaches. DSV removes the temptation entirely by making secrets dynamically retrievable at runtime.

05. Audit trails break without identity attribution. Shared service account credentials mean you can't tell which application, or which person, performed a privileged action.

06. JIT access applies to NHIs too. Service accounts don't need to exist permanently; Delinea can provision and deprovision them scoped to specific tasks or time windows.

Module 06: Knowledge Check

Test Your Understanding

Answer these questions to confirm your grasp of the NHI landscape and Delinea's approach. You need 4 of 5 to pass.
