Feb 12 2026
Security

How SMBs Can Understand IAM With Nonhuman Identities

With more businesses relying on AI agents, they’ll need to adapt their security strategies to include the management of nonhuman identities.
Teta Alim
by

Teta Alim is the managing editor of HealthTech. Teta previously worked as a digital journalist in Washington, D.C.

As artificial intelligence continues to transform business operations across industries, the rise of AI agents increases concerns about identity and access management

According to a 2025 Okta survey, 91% of organizations are using AI agents, usually for task automation, and 85% of business leaders believe that IAM is crucial to the successful adoption and integration of AI. 

Where there are AI agents, there are nonhuman identities (NHIs) that IT teams need to account for. These are digital identities that are assigned to applications, automated processes and machines, similar to how human users are assigned identities that are authenticated within a system.

Click the banner below to learn more about identity access solutions.

xs_iam_animated_q424_getit_desktop xs_iam_animated_q424_getit_mobile.

 

“Every company adopts software solutions to be successful and to be more agile. With the proliferation of AI agents, NHIs are just going to scale,” says Vijay Pitchumani, director of product management at Okta

As more businesses, including small businesses, rely on NHIs in automated workflows, the AI agents represent a potential security risk that malicious actors can exploit. Here’s how IT leaders can reconsider their IAM strategy to include NHIs, not separate from human identities but as part of a holistic approach

READ MORE: Data governance is not just a tech issue, it’s a human challenge.

The Differences Between Managing Human Identities and NHIs 

Previously, human users generally have had constrained levels of access to certain applications and resources, Pitchumani notes. Now, however, NHIs are having elevated levels of access and are being set up at a large scale. 

Some reports have found that NHIs outnumber human users by 45 to 1, with larger enterprises likely having fleets of NHIs that number in the tens of thousands

“NHIs as a whole have a significantly higher level of access to enterprise resources than human identities,” Pitchumani says. “The volume of NHIs — or the amount of service accounts, API keys and credentials — that exist is exponentially higher than the volume of human identities to manage. When you think about the scale and the level of access they have, it just becomes increasingly complex to manage more NHIs as opposed to human identities.” 

Part of that complexity is that NHIs don’t behave the way human identities so. For example, when human users try to access a system, they may use a smartphone for multifactor authentication beforehand, for instance. NHIs, however, often don’t have to go through MFA to log in to a system — a fundamental difference, Pitchumani says.

DISCOVER: Follow these AI data governance strategies for success.

Adapting IAM to Include NHIs 

How can businesses discover NHIs across their systems, including in Software as a Service applications and on-premises locations? This is a major question for IT teams because they cannot control or govern what they cannot see.

“Discovery is a foundational piece in first bringing into management all of these NHIs,” Pitchumani says. “An AI agent might try to authorize and get access to an NHI at any point, so how do you dynamically discover all of these identities and bring them under management?” 

One way is through credential rotation, to ensure that any NHI that's created automatically has its access regularly changed in a set interval so that it’s more secure. 

Another is to implement the principle of least privilege: NHIs should only have the appropriate permissions to complete the specific tasks they’re made for instead of super-administrative access across an entire environment. Reducing the privileged access these NHIs have can significantly reduce a business’s threat exposure. 

Vijay Pitchumani at Okta
We really have to move toward a continuous, dynamic governance process.”

Vijay Pitchumani Director of Product Management, Okta

Pitchumani stresses that businesses need to have the right governance in place to clean up NHIs to prevent the proliferation of unknown identities. 

“When a person leaves a company, that kicks off a lifecycle management process and de-provisions that user’s access. But we never think of deprovisioning all of the NHIs that a user might have created,” he adds. “From a governance perspective, it's extremely important to understand the relationship between a human identity and the potential NHIs that they might have created or own, and then effectively make sure NHIs that do not need to exist or that might have been created by users who have left the company no longer exist in your environment.” 

Toward a Unified Platform for Any Identity Use Case 

Many businesses may be surprised by the sheer number of NHIs that exist within their environments, underestimating just how many they have. That’s why they should consider a unified platform approach to understanding the relationships between human identities and NHIs that exist within their ecosystem. 

“We really have to move toward a continuous, dynamic governance process,” Pitchumani says. “We need to detect and ensure that not only the human access is rightsized if a potential security risk is detected, but that the access for the NHIs that they own or manage is rightsized as well. The more silos you create, the more difficult it is to get the best security outcome.”

akinbostanci/Getty Images

More On

Related Articles

Close

New Workspace Modernization Research from CDW

See how IT leaders are tackling workspace modernization opportunities and challenges.

Click Here to Read the Report