Recognize the Signal
You're in an existing account. The CISO or IT security lead isn't talking about AI strategy. They're venting about operational debt. These are the phrases that tell you this is the right card:
- "We have hundreds of service accounts and honestly we don't know who owns half of them."
- "Every time we deploy a new integration it creates credentials we lose track of."
- "Our RPA environment has spun up accounts we can't even inventory properly."
- "The last time we did a compliance review, pulling the service account list was a manual nightmare."
- "We had an offboarding situation and realized some of those tool accounts were still active months later."
If you're hearing complaint language about automation sprawl, credential proliferation, or audit pain around non-human accounts — that's your signal. You don't need to hear the words "non-human identity" from them. They won't use them.
The Translation You Need Before You Open Your Mouth
Don't reframe this out loud yet. First, make sure you've made this shift internally.
| Operational complaint | Identity governance gap |
|---|---|
| "We can't account for all our service accounts." | They have non-human identities with no lifecycle management. These accounts don't offboard when a project ends, a contractor rolls off, or a tool gets decommissioned. |
| "Every new integration creates credentials we lose track of." | Every untracked credential is a standing access path — no rotation policy, no access review, no deprovisioning trigger. An open door with no audit trail. |
| "The service account audit took weeks and was all manual." | Their compliance posture for non-human identities is entirely opaque. They're managing human identity governance with tooling, and managing non-human identity governance with spreadsheets. |
Hold this translation. Your job in discovery is to help them arrive at it themselves, not to hand it to them.
Discovery Questions
Ask these in roughly this order. Scope first, then governance gaps, then urgency. The audit question is where urgency lives — don't skip it.
- "When you say you can't fully account for them — do you have a rough count of how many service accounts you're dealing with, or is the number itself part of the problem?" Opens scope without assuming. Lets them tell you how bad it is.
- "When a project wraps up or a contractor rolls off, what's the process for decommissioning the accounts the tools they were using created?" The lifecycle question. Most of the time, there is no process. Let them say it.
- "If one of those service accounts were compromised today — do you have visibility into what it could access, and would you know within 24 hours what it touched?" Blast radius. The security risk framing arrives without you having to force the pivot.
- "The last time you went through a FISMA review or an IG audit, how did you handle the service account inventory? Was that a manual pull?" (For SLED accounts: substitute the relevant audit framework — StateRAMP, CJIS, SOC 2, whatever applies.) Urgency lives here. If the answer involves a spreadsheet and a week of someone's time, you've found your opening.
- "When your RPA platform or integration tools spin up new connections, does that go through any kind of identity governance workflow — or does it land outside your IAM stack entirely?" You're finding out whether the gap is known and unaddressed, or genuinely invisible to them.
- "Has anything pushed this up the priority list recently — an incident, a finding, something from leadership?" If there's a forcing function, you'll hear it. If there isn't one yet, you've just reminded them there should be.
Positioning Language
Connect what they described to Okta's story. Start with the problem they just confirmed, not the feature list.
For federal accounts: "Zero Trust Architecture under OMB M-22-09 requires continuous validation of all identities accessing federal systems — and that mandate doesn't carve out service accounts or API credentials. The non-human identity surface is where a lot of agencies have a gap between their ZTA documentation and their actual posture."
For SLED accounts: "Every unmanaged service account is an audit finding you haven't received yet. The question is whether you find it first or the auditor does."
On Okta's position: "Organizations with strong human identity governance — MFA, lifecycle management, access reviews — often have a parallel universe of non-human identities running completely outside that governance layer. Okta's NHI capabilities are designed to bring those into the same governance model you already have for your workforce."
Credibility proof point: The Cloud Security Alliance's 2025 Non-Human Identity Management Survey found that service accounts represent the largest unmanaged identity population in over 60% of organizations surveyed, yet fewer than a quarter had formal lifecycle policies covering them. (Flag for production team: this figure is illustrative — verify against current CSA or equivalent research before use.)
Handoff Triggers
Stop here and bring in your SE when:
- They ask how Okta discovers existing service accounts in their environment. That's a technical architecture conversation about agent deployment, directory scanning, and integration coverage. Not your call to make.
- They name specific platforms — ServiceNow, MuleSoft, Workato, Ansible — and ask whether Okta has connectors or coverage for them. Connector specifics need SE validation.
- The conversation shifts toward vaulting, credential rotation, or privileged access management. That's a different product conversation. Acknowledge it, don't develop it.
- They ask to see a demo or want to talk deployment timelines. You've done your job. Hand it off clean.
You've done your job when the buyer has articulated their own governance gap in identity terms. That's the moment. Don't keep selling past it.

