Non-human identity (NHI)
Definition: A non-human identity is any machine credential — service account, API key, bot, or automated workload — that authenticates to systems without a human operator; CSA research estimates a conservative ratio of 45 NHIs for every human identity (with vendor telemetry from Entro Labs suggesting the figure reaches 144:1 in cloud-heavy environments).
Why the buyer cares: Every NHI that can authenticate is an identity the agency must govern, audit, and rotate credentials for, and at 45-to-1 or higher most agencies are carrying an attack surface they have never fully inventoried.
What to say: "How much visibility do you have today into the machine side of your identity environment — the service accounts, API keys, and automated jobs — versus the human accounts you're already governing?"
Service account
Definition: A service account is a long-lived account assigned to an application, script, or automated process so it can log in to other systems without a human present.
Why the buyer cares: Vendor telemetry indicates that nearly half of enterprise NHIs have gone more than a year without credential rotation, though no independent replication of that figure is publicly available; the CSA/Astrix survey separately found that lack of credential rotation was the most commonly cited cause of NHI-related security incidents, at 45% of respondents.
What to say: "Do you have a process for reviewing whether service accounts still need the access they were originally granted, or do most of them persist until something breaks?"
API key
Definition: An API key is a fixed access code that grants a program entry to a specific service or data source, often embedded directly in code, configuration files, or deployment scripts.
Why the buyer cares: Vendor-sponsored research suggests that 44% of tokens have been found exposed in collaboration tools like messaging platforms and wikis, though no independent study has replicated the figure; the pattern it describes — credentials drifting outside the systems they were issued for — is consistent with the broader governance gaps the CSA survey documented.
What to say: "Have you audited where your API keys actually live today — where they've drifted across repos, wikis, and messaging tools since they were first issued?"
Identity sprawl
Definition: Identity sprawl is the uncontrolled accumulation of machine credentials across an environment — accounts with no owner, no expiration, and no lifecycle policy — that compounds as agencies adopt new services without decommissioning old ones.
Why the buyer cares: Every untracked NHI is a finding an auditor can flag under NIST 800-53 AC-2, and as FISMA reporting cycles expand their Zero Trust metrics into FY 2026, the audit surface for ungoverned machine credentials grows with every service an agency onboards.
What to say: "If your auditor asked tomorrow for a complete inventory of every machine credential in your environment — who owns it, what it accesses, when it was last rotated — how close could you get?"
Least privilege
Definition: Least privilege is the principle, codified in NIST SP 800-53 AC-6, that every identity — human or machine — should hold only the minimum permissions required to perform its assigned function.
Why the buyer cares: FISMA audits evaluate agencies against AC-6 directly, and recent IG reports — including the VA OIG FY 2024 audit and the GSA OIG FY 2025 review — have flagged privileged-access review gaps for service accounts as repeat deficiencies spanning multiple years.
What to say: "When your IG reviews privileged access, does the scope include machine accounts, or is it still scoped primarily to human users?"
Short-lived credentials
Definition: A short-lived credential is an access credential issued with a built-in expiration, typically minutes to hours, so that access is automatically revoked without requiring manual rotation.
Why the buyer cares: Short-lived credentials eliminate the class of risk created by static secrets that sit unrotated for months or years — the exposure pattern that the CSA/Astrix survey identified as the most commonly cited cause of NHI-related security incidents.
What to say: "For the workloads where you've flagged long-lived credentials as a concern, have you started evaluating a move to short-lived or just-in-time authentication?"
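The audit questions raised under the service account, identity sprawl, and short-lived credentials entries (who owns each machine credential, what it accesses, when it was last rotated, and whether it expires on its own) can be turned into a repeatable check. The following is an added example, not part of the original glossary: it runs that check over a small constructed inventory, flags NHIs with no owner, static non-expiring secrets, or more than a year without rotation, and reports the NHI-to-human ratio the anchor entry discusses. Field names and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Identity:
    name: str
    kind: str                        # "human" or "nhi"
    owner: Optional[str]             # None: nobody accountable (sprawl)
    accesses: str                    # what the credential reaches
    last_rotated: datetime
    expires_at: Optional[datetime]   # None: static secret, never auto-revoked

# Fixed "today" so the run is reproducible; constructed sample inventory below.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
ROTATION_LIMIT = timedelta(days=365)   # the ">1 year without rotation" threshold
INVENTORY = [
    Identity("alice", "human", "alice", "hr-portal",
             NOW - timedelta(days=30), NOW + timedelta(days=60)),
    Identity("svc-backup", "nhi", "infra-team", "s3://backups",
             NOW - timedelta(days=400), None),
    Identity("ci-deploy-key", "nhi", None, "prod-k8s",
             NOW - timedelta(days=700), None),
    Identity("etl-job", "nhi", "data-team", "warehouse",
             NOW - timedelta(days=10), NOW + timedelta(hours=1)),
]

def audit_nhi(inventory, now=NOW):
    """Return (findings keyed by identity name, NHI-to-human ratio)."""
    findings, humans, nhis = {}, 0, 0
    for ident in inventory:
        if ident.kind == "human":
            humans += 1
            continue
        nhis += 1
        issues = []
        if ident.owner is None:
            issues.append("no-owner")
        if ident.expires_at is None:
            issues.append("static-secret")      # relies on manual rotation
        elif ident.expires_at <= now:
            issues.append("expired")            # already revoked; decommission record
        if now - ident.last_rotated > ROTATION_LIMIT:
            issues.append("stale-rotation")
        if issues:
            findings[ident.name] = issues
    return findings, (nhis / humans if humans else float("inf"))

if __name__ == "__main__":
    report, ratio = audit_nhi(INVENTORY)
    print(f"NHI-to-human ratio {ratio:.0f}:1")
    for name, issues in report.items():
        print(f"{name}: {', '.join(issues)}")
```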
Things to follow up on...
- CSA's 2026 NHI survey: The Cloud Security Alliance's latest survey on non-human identity and AI security found that 51% of organizations have no clear AI identity ownership and 16% do not track new AI-related credential creation at all, which sharpens the sprawl problem beyond what the 2024 data captured.
- FY 2026 FISMA metric expansion: CISA and OMB are planning to include additional Zero Trust maturity metrics in the FY 2026 FISMA reporting cycle, which would directly increase the audit surface for the machine credential governance gaps flagged in this glossary.
- FDIC privileged access finding: The FDIC's FY 2025 FISMA audit found the agency did not implement the privileged access review frequency requirements mandated under OMB M-22-09, adding another data point to the pattern of IG findings on service account oversight that the least privilege and identity sprawl entries address.
- Entro's NHI growth rate: Entro Labs' H1 2025 report, analyzing 27 million NHIs, found the NHI-to-human ratio grew 56% year-over-year from 92:1 to 144:1, which suggests the conservative 45:1 baseline in the anchor entry may already understate cloud-native environments significantly.