A rep who leads with machine identity ratios at a community college running Banner and a shared Zoom license is making a real argument that the institution has no context to receive, and the CISO who hears it will spend the rest of the call waiting for the pitch to end.
Use this filter before the first call, not during it.
The Decision Logic Before You Dial
Three questions. Answer them from public sources before you open the meeting.
- Does this institution have active AI deployment (production workloads, not a task force)? Look for job postings with "MLOps," "GPU cluster," "research computing infrastructure," or "agentic workflow." Check USASpending.gov for NSF or DoD grants with AI/ML components. Look for press releases about NVIDIA DGX procurement or HPC cluster expansion.
- Does this institution have a compliance pressure with a hard deadline attached to identity? NSPM-33 implementation requirements, CMMC Level 2 certification timelines for CUI-handling research, or a recent cyber insurance renewal with new access control stipulations.
- Has this institution had a public breach, audit finding, or accreditation flag in the last 24 months that touched credential management or access controls?
If the answer to question one is yes, you're in translation mode at minimum, and likely in lead-with-it territory. If the answer to question two is yes regardless of question one, you have a compliance door that doesn't require AI context to open. If the answer to question three is yes, the problem is already named — your job is to connect it to the solution, not to establish that the problem exists.
If all three answers are no, park the NHI frame entirely. The underlying problem is still real. The vocabulary isn't.
Tier 1 (R1 and High-Research Activity): Lead With It — But Lead With NSPM-33, Not the Ratio
The signal set. An R1 is NHI-argument-ready when you can find at least two of the following before the call:
- Active GPU cluster procurement or expansion (check institutional press releases and public RFPs)
- A research computing office with dedicated staff (look for org charts or job postings for "research cyberinfrastructure" or "HPC systems administrator")
- DoD or intelligence community-funded research (USASpending.gov, institution's sponsored research office website)
- A posted position for a "research security officer" or "export controls compliance" role
That last one is the clearest signal. Institutions hiring for research security are already living inside the NSPM-33 compliance conversation.
The argument. At an R1 with this profile, "non-human identity governance" is not a category thesis — it's a description of a problem they already have and may already be naming internally. Their GPU clusters are running automated workloads. Their research computing environments are provisioning service accounts for computational jobs that nobody is deprovisioning when the grant closes. Their agentic workflow pilots, even early ones, are generating API credentials that live outside any formal identity governance process.
The 2025 State of Identity Security report (CyberArk, February 2025; n=2,400 security professionals across 18 countries) found that machine identities outnumber human identities by 45:1 on average across enterprise environments, reaching 82:1 in organizations with active AI/ML workloads. Confidence note: this figure reflects enterprise environments broadly; CyberArk does not separately report higher education-specific ratios, so treat it as directional rather than institutional. Don't cite it as a higher ed fact. Do use it to anchor the scale of what unmanaged looks like.
The compliance hook. NSPM-33 implementation guidance requires institutions receiving federal R&D funding to maintain documented controls over research data access, including automated and programmatic access. That's an NHI governance requirement wearing a research security label. Lead with the NSPM-33 deadline and the specific control gap (undocumented service accounts in research computing environments), not the product feature. The question that opens this conversation: "When your research computing team provisions a service account for a computational job, what's the deprovisioning process when the grant closes?" Most R1 identity teams will pause. That pause is where the conversation starts.
At institutions also pursuing CMMC Level 2 certification for CUI-handling research, the argument sharpens further. CMMC Level 2 practice AC.L2-3.1.7 (the NIST SP 800-171 requirement 3.1.7; it was numbered AC.3.018 in the original CMMC 1.0 model) requires organizations to prevent non-privileged users from executing privileged functions and to capture the execution of such functions in audit logs. A service account running computational jobs is a user in that sense, and an assessor who asks which of those accounts hold privileged roles is asking for an inventory the institution usually cannot produce. Ungoverned service accounts are a direct audit exposure. Name the control number.
Tier 2 (Regional Comprehensives and Master's Universities): Translate Through Operational Risk, Not AI Vision
The signal set. Tier 2 institutions split into two groups, and the split matters. The first group has early AI pilots: a faculty-facing ChatGPT Enterprise rollout, a student success analytics platform with ML components, an IT automation initiative using scripted workflows. Find these through institutional news, EDUCAUSE conference session submissions (presenters from the institution), or job postings for "AI governance" or "responsible AI." This group can receive a partial NHI translation. The second group has no AI deployment context at all. They cannot.
For the second group, the signals you're looking for are operational pressure:
- Enrollment decline (check IPEDS trend data — institutions that have lost more than 10% headcount in five years are in cost-reduction mode)
- Recent IT staff reductions or consolidation
- A cyber insurance renewal cycle or RFP for cyber insurance brokerage
These are your doors.
The argument for the AI-pilot group. Don't open with machine identity ratios. Open with the governance gap that their pilot has already created. "You've got a student success platform running ML models. Who owns the API credentials that platform uses to pull from your SIS? What happens to those credentials if the vendor relationship changes?" This is NHI governance translated into a problem they can see from where they're standing. The category thesis is implicit, not stated.
The argument for the no-AI group. Forget the AI frame entirely. The problem is service accounts, shared credentials, and deprovisioning failures, and it predates AI by decades. A 2025 EDUCAUSE Cybersecurity Current Issues Survey (n=183 institutions, published April 2025) found that 58% of responding institutions had no documented inventory of service accounts associated with externally-funded research projects, meaning deprovisioning at grant close-out was manual, inconsistent, or not occurring. Confidence note: single-source, EDUCAUSE member self-report; treat as indicative of a known operational pattern rather than a precise prevalence figure.
At Tier 2, that statistic reads as an audit story. Frame it through the enrollment-cliff cost pressure: "Every orphaned service account from a departed researcher is a potential breach vector and a potential audit finding. Either one costs more to remediate than to prevent, and your IT team is already running lean." Keep the NHI vocabulary in reserve. The operational risk argument is the one that gets you in the door.
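The question posed to the R1 identity team above ("what's the deprovisioning process when the grant closes?") and the EDUCAUSE inventory gap cited for the no-AI group both come down to the same check, so here it is once, as an added example that is not part of the original article and not any vendor's product: join a service-account export against the sponsored-research award register and flag the accounts that should already have been disabled. The account records, award numbers and names are constructed, and the field names (owner, grant_id, documented, last_auth) are assumptions about what an IdP or HPC account export would contain; the 90-day close-out grace period and 180-day dormancy window are also assumptions, chosen to match the kind of thresholds an insurer questionnaire or a CMMC assessor would ask about.

```python
"""Orphaned service-account check.

Added example, not from the original article. Reconciles a (constructed)
service-account inventory against a (constructed) grant register and
returns finding codes per account. Field names are assumptions about what
an institution's IdP or HPC account export would contain.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ServiceAccount:
    name: str
    owner: str | None        # accountable human (PI or staff); None = nobody on record
    grant_id: str | None     # award the account was provisioned for; None = central/non-grant
    documented: bool         # an approval record (ticket, register entry) exists
    enabled: bool
    last_auth: date | None   # last successful authentication; None = never observed


@dataclass
class Grant:
    grant_id: str
    pi: str
    end_date: date


# Constructed sample data: hypothetical awards and accounts.
GRANTS = {g.grant_id: g for g in [
    Grant("NSF-2021-0457", "dr.huang", date(2024, 6, 30)),   # closed over a year ago
    Grant("DOD-2023-1193", "dr.ortiz", date(2026, 9, 30)),   # still active
]}

ACCOUNTS = [
    ServiceAccount("svc-hpc-huang-pipeline", "dr.huang", "NSF-2021-0457", True, True, date(2025, 1, 12)),
    ServiceAccount("svc-hpc-ortiz-ingest", "dr.ortiz", "DOD-2023-1193", True, True, date(2025, 9, 3)),
    ServiceAccount("svc-gpu-scheduler-legacy", None, None, False, True, None),
    ServiceAccount("svc-sis-etl", "it-ops", None, True, True, date(2025, 9, 4)),
    ServiceAccount("svc-hpc-old-job", "dr.huang", "NSF-2021-0457", True, False, date(2024, 5, 2)),
    ServiceAccount("svc-lab-sync", "dr.patel", "NIH-2019-0088", True, True, date(2025, 8, 20)),
]


def classify(acct: ServiceAccount, grants: dict[str, Grant], today: date,
             grace: timedelta, stale: timedelta) -> list[str]:
    """Return finding codes for one account; an empty list means clean."""
    findings: list[str] = []
    if acct.owner is None:
        findings.append("NO_OWNER")
    if not acct.documented:
        findings.append("NO_RECORD")
    if acct.grant_id is not None:
        grant = grants.get(acct.grant_id)
        if grant is None:
            # Provisioned against an award the sponsored-research office cannot find.
            findings.append("UNKNOWN_GRANT")
        elif acct.enabled and today > grant.end_date + grace:
            # Grant closed, close-out window passed, account still enabled.
            findings.append("ORPHANED_PAST_CLOSEOUT")
    if acct.enabled and (acct.last_auth is None or today - acct.last_auth > stale):
        findings.append("DORMANT")
    return findings


def audit(accounts: list[ServiceAccount], grants: dict[str, Grant], today: date,
          grace: timedelta = timedelta(days=90),
          stale: timedelta = timedelta(days=180)) -> dict[str, list[str]]:
    """Map each account with at least one finding to its finding codes."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        findings = classify(acct, grants, today, grace, stale)
        if findings:
            report[acct.name] = findings
    return report


def deprovision_candidates(report: dict[str, list[str]]) -> list[str]:
    """Accounts whose findings justify disabling now (after notifying the owner, if any)."""
    hard = {"NO_OWNER", "ORPHANED_PAST_CLOSEOUT", "UNKNOWN_GRANT"}
    return sorted(name for name, findings in report.items() if hard & set(findings))


if __name__ == "__main__":
    result = audit(ACCOUNTS, GRANTS, today=date(2025, 10, 1))
    for name, findings in result.items():
        print(f"{name}: {', '.join(findings)}")
    print("disable:", deprovision_candidates(result))
```

The disabled account against the closed grant (svc-hpc-old-job) produces no finding, which is the point: the check is about enabled credentials past close-out, not about history. The central IT account with no grant link but a documented record (svc-sis-etl) also passes, because "no grant" is legitimate when someone wrote down why the account exists. Run against a real export, the three hard-finding codes are the list you hand to the research computing team, and the DORMANT list is the list you hand to the owners.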
The compliance hook. Tier 2 institutions with federal research funding sit under the same NSPM-33 umbrella as R1s, but the research security program requirement in the implementation guidance attaches only above a funding threshold (the guidance sets it at $50 million a year in federal research funding), so for most Tier 2 schools the compliance conversation is less developed. Use it as a forward-looking pressure, not a current-deadline argument: "This is where federal research security requirements are heading. Getting your service account governance in order now is cheaper than retrofitting it when the audit arrives." That framing respects where they are without abandoning the category thesis entirely.
Tier 3 (Community Colleges and Small Institutions): The Ratio Is a Credibility Grenade
The signal set. At Tier 3, the pre-call question is not "are they NHI-ready" — they're not — but "what operational pain is already named." Check for:
- Recent breach disclosures (state AG notification databases are public)
- Cyber insurance renewal announcements or RFPs for cyber insurance brokerage
- Accreditation correspondence that touched IT governance (sometimes surfaced in board minutes)
- IT staff postings that signal a consolidation or modernization effort
The one signal that changes the calculus: a Tier 3 institution that is part of a state system with a system-level AI initiative. State community college systems in California, Texas, and Florida have launched system-wide AI readiness programs. If the institution is operating under a system mandate, the AI context exists even if local deployment doesn't. In that case, translate through the system mandate, not the local deployment.
What not to say. Do not open with:
- Machine identity ratios
- "Agentic workflows" or "non-human identity governance"
- NSPM-33, unless the institution has federal research grants at the scale that triggers the compliance pressure (most community colleges don't)
A community college CISO who hears "you have 45 machine identities for every human identity" at an institution running a handful of SaaS applications and a legacy ERP will hear one thing: this vendor doesn't know who I am.
The argument. The problem is real. The vocabulary is wrong. At Tier 3, the NHI argument translates to: shared credentials on administrative systems, service accounts that were provisioned for a vendor integration three years ago and never reviewed, no process for revoking access when a part-time IT contractor leaves. The problem is credential hygiene with breach exposure and cyber insurance consequences, not AI architecture.
Lead with the insurance angle. Cyber insurers are increasingly specific about access control requirements in renewal questionnaires: named accounts, no shared credentials, documented deprovisioning processes. If the institution has had a renewal in the last 18 months, they've seen these questions. "What did your insurer ask about service account management?" is a question that opens a real conversation without requiring any AI context to land.
The category thesis is not deployed here. It is preserved for the moment, possibly 18 to 24 months out, when this institution's system mandate or a breach event creates the context to receive it.
The One Thing That Holds Across All Three Tiers
The underlying problem exists at every tier: ungoverned credentials attached to non-human processes, no inventory, and no deprovisioning discipline. The frame shifts to match what the institution already fears losing.
At Tier 1, urgency comes from federal compliance deadlines with named control numbers. At Tier 2, it comes from operational cost exposure in an enrollment-cliff budget environment. At Tier 3, it comes from cyber insurance requirements and breach proximity. The NHI category thesis is the roof of the argument. The compliance or operational pressure is the foundation. You build from the foundation up, and you only put the roof on when the walls can hold it.
The rep who leads with the roof at an institution that hasn't poured the foundation yet isn't wrong about the architecture. They're just early — and in a sales call, early and wrong land the same way.