I recently took the time on an international flight to read Lalit Choda's 70-page “The Ultimate Guide to Non-Human Identities", as published by his NHI Management Group. I have read a lot about NHIs and machine identities over the past couple of months, and it got me wondering: is 2025 going to be the year of the NHI?
So, is it non-human identities, machine identities, or silicon identities (as opposed to carbon)? Or should we be talking about non-human accounts rather than identities?
Author:
Paul Dawson
Chief Services Officer at CyberIAM
I personally can't get too excited about nomenclature (although I accept its importance). I was more inclined to use the term machine identities, and I think the different approaches one can take to controlling service account passwords vs., for example, an SSH key mean that there may be value in distinctions within the category. However, for the purposes of this blog post, let’s go with NHI.
NHIs are certainly something that identity security specialists should care about: there are a lot more of them than there are of us humans, they tend to be poorly managed, and they often have highly privileged access. That all makes them sound pretty important, right? The challenges and risks associated with NHIs are being discussed in great detail on various forums across the industry, so I won’t waste time going over them here. What I'd like to do is give my opinion on why NHIs are so hot in 2025.
I think a number of things have come to a head in the last 12 months. It is the combination of these things that leads me to think that this year will be the year of the non-human identity.
In no particular order, here are seven reasons why I think NHIs have come to the fore and require our attention and focus in 2025.
NHIs at the Core of Highly Publicised Breaches
I have always said that almost every breach involves an endpoint and an identity. Well, those identities/accounts don’t have to be carbon-based! I read that 80% of breaches involve an NHI, including high-profile ones like the BeyondTrust API breach that led to US Treasury access being compromised!
Scale of Cloud Prevalence in Modern Enterprise
The use of multiple cloud security platforms and SaaS by the vast majority of organisations has led to an exponential increase in the number of secrets, and NHIs by association, in our environments. This isn’t new, and the challenges around Cloud Identity Entitlement Management (CIEM) and secrets have been on the radar for some time. However, I feel that we’ve reached a tipping point, such that CISOs and identity leaders are recognising that the scale of the NHI issue in cloud environments is greater than it perhaps was in traditional on-premises environments, is out of control, and must be addressed.
Artificial Intelligence
(What’s this, a 2025 list that doesn’t have AI at number 1?!)
The constant reference to AI in the IT world and beyond has, in my opinion, increased the visibility of "the machines" and practitioners’ propensity to think about them. There is an appreciation that GenAI will see a massive increase in the use of NHIs, but also that the risk of a breach associated with those NHIs would be very serious. Lalit’s paper, which we mentioned earlier, speaks of a noteworthy example: the Permiso Security AI LLM Hijack breach.
The Internet of Things and Operational Technologies
The explosion in the number of devices associated with IoT/OT brings a direct and related increase in NHIs, and with it an obvious awareness of their prevalence and risk exposure across the general IT industry, not just among IAM specialists.
Other Elements of 'Modern' Cloud Computing
CI/CD pipelines, microservices, containers, and other constructs bring a further increase in, and awareness of, items such as the secrets and API keys associated with them. The realisation that these elements can be grouped (and hopefully brought under control) under the NHI banner is, I think, a relatively recent phenomenon.
General Industry Noise
Gartner’s Identity and Access Management Summit in December 2024 included NHIs as one of ten trends for 2025. Other analysts like The Cyber Hut have been including NHIs in their models and write-ups for 12 months, and of course we have the efforts of the Non-Human Identity Management Group bringing it to the attention of IAM practitioners.
Vendor Noise
Software start-ups focusing solely on NHI management have started to appear, but in addition to this, the large traditional identity security vendors are bringing offerings that pertain to machine identity. Amongst CyberIAM’s partners, SailPoint, Saviynt and CyberArk have all announced offerings of different forms associated with machine identity security. The industry's increased focus on ISPM and ITDR, and their ability to provide visibility of, and reduce the risk associated with, machine identities, is also very relevant.
Some of the above overlap, and the list is not exhaustive. I could have included the fact that regulators and associated auditors are starting to pick up on the importance of NHIs and giving them more focus. That will undoubtedly come, but I haven’t seen a great deal of it just yet, albeit that PCI DSS 4.0 specifically calls out required controls around NHIs.
Perhaps some of the more mature organisations in the regulated industries believe that they have nailed human identity security management and are now ready to give some attention to non-human, but this is generally contrary to my experience, and it seems a weak ‘reason’.
Besides, I like the number seven!
I think 2025 will be the year that NHIs go mainstream in our industry for the reasons provided above.
Have I missed anything significant? Let me know your thoughts!
I would encourage you, on your next flight or otherwise, to read the excellent ‘Ultimate Guide to Non-Human Identities’ and broaden your understanding. The outlook and predictions in section 10 may help you form your own opinions on what we may see in 2025 with NHIs.
The year of the NHI has begun!