
The expanding scope of non-human identities in the age of AI

Published May 22, 2026


Key takeaways

  • Agentic AI is a new category of Non-Human Identities (NHI). The massive incoming wave puts NHIs under the spotlight, reshaping risks and reframing how they are managed and secured.
  • The priority is to map and understand your NHI landscape, then apply a risk-based approach to secure the most critical use cases rapidly and avoid dispersion.
  • Adopt a global cyber posture towards AI agents and legacy NHIs.

The rise of non-human identities:
from technical complexity to strategic risk  

By 2026, non-human identities (NHIs) will outnumber traditional human identities by a ratio of 82:1¹. Nearly 20% of organizations have already had incidents linked to NHIs².

Today, the category is broadening even further to include AI-driven agents, highlighting the increasing diversity and scale of NHIs across modern environments.

An NHI is a digital identity linked to a system, application, service or device (e.g. service accounts or IoT devices), not a person. NHIs have evolved significantly. Fifteen years ago, NHIs were primarily limited to service accounts for on-prem applications, scheduled batch jobs or database connections. As organizations adopted cloud and integration-driven architectures, NHIs expanded to include API keys, application credentials and service principals used in cloud platforms. More recently, they have come to encompass a wide variety of identities such as microservices and IoT devices.

The rise of agentic artificial intelligence (AI) is forcing identity teams to transform how NHIs are managed. Agentic AI systems can act with full autonomy to make decisions and take actions. Where NHIs were ‘representational’ identities of tools and systems, agentic AI heralds a new era in which identities are functional in a digital enterprise. AI becomes an actor, interacting with other identities and systems outside of predefined patterns.

NHIs security challenges: Over-privileged and under-secured

  • 82:1: the ratio by which NHIs will surpass traditional human identities
  • 20%: organizations that have had incidents linked to NHIs

[Figure: Common NHI]

A fragmented landscape:
why current identity models fall short for NHIs  

Historically, organizations have found it difficult to deal with NHIs in a structured manner, resulting in the following issues and risks:

The rapid growth in the number of NHIs across an organization’s environment highlights several challenges:

  • Dynamically tracking their existence, relevance and usage across multiple platforms
  • Managing potentially complex lifecycles, depending on the asset represented by the NHI (e.g. infrastructure, application or AI assistant)
  • Containing a greatly expanded attack surface

NHIs in action:
what’s happening across sectors?

Across sectors including insurance, energy and luxury, we see organizations with mature IAM processes for human workforce identities now turning their attention to NHIs. Most have processes and tooling to harness some types of NHI, but miss others. Organizations have the correct lifecycle and permissions management in place for API clients, but ownership, permissions and credential management remain unclear for non-human accounts across Active Directories.

Furthermore, organizations are not effectively monitoring the behavior of NHIs to detect any anomalous and suspicious activity, which is an indication of a compromised account.

Our experience has shown that due to the variety of NHI types and various technological environments in which they exist, combined with historical reasons and different approaches taken over time, even drawing the landscape of current NHI use at any organization is in itself a real challenge.

Bertrand Carlier, Associate Partner, Wavestone

A risk-based approach:
Why traditional IAM models break down for NHIs

Today, there is no single global regulation specifically for NHIs, but they are implicitly in scope of existing frameworks such as GDPR, the NIS2 Directive and standards like ISO/IEC 27001, through IAM controls or the application of least privilege. A risk-based approach helps organizations prioritize the most sensitive use cases that need to be secured immediately, rather than applying a uniform approach across all of them. These use cases can be identified by:

  1. Blast radius: types of systems and information they interact with
  2. Level of privilege: high admin or cross system accesses
  3. Level of behavior & unpredictability: predefined processes, reliance on human direction or full autonomy
  4. Ownership: used by specific teams or unknown
  5. Environment they exist in: cloud, on-prem, SaaS

This approach provides an initial high-level view of NHI types in your organization. It ensures processes like identity lifecycle, credential management, authentication methods, monitoring, and supervision are known before diving deeper into specific cases.

From this initial standpoint, security teams can assess the immediate risks to their organization, apply the principle of least privilege by only giving NHIs the permissions they require to fulfil a certain task, improve access policies, and bolster overall IAM governance.
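The five criteria above can be turned into a ranked remediation list. The following is an added example, not code from Wavestone or the original article; the 0-3 scales, the weights, the environment ratings and the inventory records are all constructed assumptions to be replaced with your own.

```python
"""Rank NHIs by the article's five risk criteria (scales and weights assumed)."""
from dataclasses import dataclass
from typing import Optional

# Assumed weights: blast radius and privilege dominate the score.
WEIGHTS = {"blast_radius": 3, "privilege": 3, "autonomy": 2,
           "ownership": 2, "environment": 1}
# Assumed exposure rating per environment (0 = lowest, 3 = highest).
ENV_EXPOSURE = {"on-prem": 1, "cloud": 2, "saas": 3}
MAX_SCORE = 3 * sum(WEIGHTS.values())

@dataclass
class NHI:
    name: str
    blast_radius: int      # 0-3: sensitivity of systems and data reached
    privilege: int         # 0-3: 3 = high admin or cross-system access
    autonomy: int          # 0-3: 0 = predefined process, 3 = full autonomy
    owner: Optional[str]   # None = no known owning team
    environment: str       # "cloud", "on-prem" or "saas"

def risk_score(n: NHI) -> int:
    """Weighted score normalised to 0-100; unknowns count as worst case."""
    factors = {
        "blast_radius": n.blast_radius,
        "privilege": n.privilege,
        "autonomy": n.autonomy,
        "ownership": 0 if n.owner else 3,
        "environment": ENV_EXPOSURE.get(n.environment.lower(), 3),
    }
    for key, value in factors.items():
        if not 0 <= value <= 3:
            raise ValueError(f"{n.name}: {key}={value} is outside 0-3")
    raw = sum(WEIGHTS[k] * v for k, v in factors.items())
    return round(100 * raw / MAX_SCORE)

def prioritise(inventory: list) -> list:
    """Return (name, score) pairs, highest risk first, ties broken by name."""
    scored = [(n.name, risk_score(n)) for n in inventory]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

# Constructed sample inventory (not real data).
INVENTORY = [
    NHI("svc-batch-hr", 2, 1, 0, "hr-it", "on-prem"),
    NHI("ci-deploy-key", 3, 3, 0, "platform", "cloud"),
    NHI("agent-procure", 2, 2, 3, None, "saas"),
    NHI("iot-badge-07", 0, 0, 0, "facilities", "on-prem"),
]

for name, score in prioritise(INVENTORY):
    print(f"{score:3d}  {name}")
```

In this sample the unowned, fully autonomous agent outranks the more privileged but owned and predictable deployment key, which is the kind of ordering a uniform approach would miss.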

From automation to autonomy:
how agentic AI changes the identity paradigm

Now enters ‘Agentic AI’, which is described in our Agentic AI Playbook as an AI system that can “plan, orchestrate, decide and act autonomously and adaptively within complex and dynamic environments”. The use of agentic AI is becoming a growing trend among organizations, with Gartner predicting that 33% of all software applications will include agentic AI by 2028, and that 15% of day-to-day work decisions will be made autonomously³.

Agentic AI has redefined a new reality: a ‘virtual collaborator’ now sits alongside actual human users, with just as much autonomy in decision-making. Equally, inadequate risk controls are hampering investment in agentic AI.

Agentic AI deeply challenges the existing frameworks and processes and urgently calls for rapid updates. They must cope with the dramatic rise in uses of NHIs as well as the unpredictability in AI agent behavior. If an AI agent has more privileges than initially required, it will make use of them.

We explore this topic in our Risk Insights blogpost ‘Securing AI Agents: Why IAM becomes Central’.

 

Strengthening of the overall IAM:
Building a future-ready identity model for non-human actors

As usage grows, organizations need a global & coherent cyber posture for both legacy NHI & new AI agent identities. This comes with a strengthening of the overall IAM with specific attention to the 5 pillars described below: inventory management, clear governance, robust authentication, strict permissions & tailor-made supervision.

5 pillars for secure NHI management

From our experience, the real shift begins after initial discovery. The first practical step is to establish clear ownership for the highest risk NHIs and enforce minimum viable controls: credential rotation, least privilege access, and baseline monitoring.

In the first 90 days, “good” looks like a defined NHI governance model, a prioritised remediation roadmap for critical identities, and early integration of NHIs into existing IAM processes such as access reviews and incident response. Organizations that achieve this foundation are better positioned to scale safely as agentic AI adoption accelerates.

Finally, for the newest type of AI agents, discovery across agentic platforms and a centralized view of their numbers, purpose, and associated permissions are key to keeping things under control as agentic AI inevitably rises.

The era of agentic AI deployments is just starting; now is the right time to ensure best practices are followed by leveraging state-of-the-art processes and tools and enforcing their usage.

Bertrand Carlier, Associate Partner, Wavestone

Sources:

  1. Total Assure, Top 3 cybersecurity predictions, 2026
  2. Astrix Security, The state of non human identity security, 2026
  3. Gartner, Press Release: Agentic AI projects cancelled, 2025

 

This article is a collective effort. At Wavestone, we give passion a central place and strongly believe in the power of sharing ideas.

Special thanks to Mrudula Hirmagalur, Euan Briggs, Nathalie Balabhadra, Bertrand Carlier, Vincent Exposito, Nicolas Guichard, Pascal Vidal.
