Card type: Signal-to-play | Sector: Federal civilian + SLED | Verified: May 26, 2026
Recognition Cues
You're in the right card if you heard any of these in a QBR, Zero Trust review, or hallway aside:
- "We have no idea how many service accounts are running in our environment."
- "Every automation team is spinning up API keys and nobody's tracking them."
- "Our AI pilots are creating credentials faster than we can inventory."
- An RPA owner admitting bots have standing access to production data with no human on record.
- A CISO calling "shadow AI" their new shadow IT problem.
- Anyone describing technical debt compounding as AI moves from pilot to production.
What connects all of these: non-human identities (NHIs: service accounts, API keys, tokens, automation credentials, AI agent identities) are multiplying faster than governance can follow.
Numbers You Can Use on a Call
NHI-to-human ratio: Published research puts this between 17:1 (Research and Markets, Feb 2026) and 82:1 (CyberArk/Censuswide, 2025, n=1,201). The spread depends on cloud maturity and automation density. Say "anywhere from 17-to-1 to over 80-to-1, depending on the environment." That range is honest and hits harder than a single inflated number. The 82:1 is CyberArk's research. Attribute it as third-party data, not ours.
The governance gap: The CSA 2026 survey found fewer than 25% of organizations have documented policies for creating or removing AI identities. Only 12% reported high confidence in preventing NHI-based attacks. Okta's AI at Work survey found 91% deploying AI agents but just 10% with a developed NHI governance strategy. Lead with CSA data; disclose the Okta stat as vendor research.
Discovery Questions
Ask in sequence. Each builds on the last.
- "How are you tracking the creation of new service accounts and API keys today, manual process or automated?"
- "When an automation project wraps up or someone leaves, what happens to the credentials they provisioned?"
- "Do you have visibility into which AI tools your teams have granted OAuth access to corporate data?"
- "If your CISO asked right now how many non-human identities exist in your environment, could you produce that number?"
- "Is anyone specifically responsible for NHI lifecycle (creation, rotation, deprovisioning), or does it fall between groups?"
If the buyer leans in after these, you've opened the deal. If they describe a formal NHI program with tooling already in place, shift to understanding their current stack and where gaps live. That's your fork.
NIST's NCCoE has published a concept paper on identity standards for AI agents, signaling that federal guidance on autonomous system authentication is in development. This is still emerging guidance with no mandate yet. Mentioning it shows you're tracking where compliance is heading and gives the buyer air cover to prioritize NHI governance before a directive forces their hand.
What You Can Position
Okta for AI Agents (GA April 30, 2026) gives buyers browser-integrated discovery of AI agents granted OAuth access to corporate data, including agents their security team never approved. It surfaces the relationship between the agent, the user who authorized it, and the data it can reach.
You can say: "We can show you which AI agents have been granted access to your data, who authorized them, and what they can reach, including ones your security team never approved. That's the exposure map most organizations don't have today."
Identity Security Posture Management (ISPM) brings NHIs and human identities into a single risk-prioritized inventory. As of this card's date, ISPM remains in Early Access. Verify against current release notes before your call.
Do Not Say. Do Not Claim.
- Do not claim Okta for AI Agents discovers all service accounts and API keys regardless of origin. GA discovery works through OAuth consent telemetry in managed Chrome browsers. It is agent-focused, not a general credential scanner.
- Do not position ISPM as GA without checking current status. See note above.
- Do not assert FedRAMP authorization for the AI Agents product. No confirmed coverage as of this card's date.
- Do not claim Okta solves the full NHI lifecycle end-to-end today. Privileged Credential Management (vaulting, rotation, audit trail) was announced in EA. Confirm GA status before positioning it.
- Do not use "comprehensive" or "end-to-end" for our NHI story. We cover discovery and posture visibility well. The full lifecycle has real gaps. Your credibility depends on knowing where the story runs out.
Bring In Your SE When
- The buyer asks how discovery works across identity providers or cloud platforms beyond Okta-managed environments.
- The conversation turns to integration with existing PAM, SIEM, or SOAR tooling.
- They ask about ISPM capabilities, EA/GA boundaries, or roadmap timelines.
- A federal buyer asks about FedRAMP authorization for any AI-related capability.
- They want to discuss NHI policy enforcement: rotation schedules, least-privilege automation, deprovisioning workflows.
Knowing the handoff point is what makes you credible in that room.
If the Conversation Drifts to AI Model Security
Prompt injection, red teaming, model bias. Real concerns, different domain. Say: "That's important and distinct from the identity governance problem. Let me connect you with someone who can speak to our broader AI security perspective." Then bring it back to the identities underneath the agents.
Card owner: Identity & AI Agents enablement. Refresh by: August 2026 or upon ISPM GA announcement, whichever comes first.
Things to follow up on...
- MCP protocol breaking change: The MCP 2026-07-28 release candidate is the largest spec revision since launch, delivering stateless HTTP and OAuth-aligned authorization. Accounts deploying MCP today will face reconfiguration, which strengthens the case for identity governance at the gateway layer.
- Copilot Studio in GCC-High: Microsoft is expanding Copilot agentic tools into GCC and GCC-High, meaning every Okta federal account that is also an M365 customer is now a potential agent governance conversation.
- SLED chatbot-to-agent transition: Mississippi CIO Craig Orgeron predicts AI-enabled chatbots will be replaced by agents that take action on citizens' behalf, a pattern documented across multiple states that opens the identity governance gap the moment a chatbot becomes action-capable.
- CyberArk's MCP integration play: CyberArk has shipped MCP server registration and zero-standing-privilege enforcement for AI agents in their Secrets Manager, signaling that MCP is becoming a competitive battleground where privilege-first and governance-first approaches will collide in deal cycles.