logo

Non-Human Identities Gain Momentum, Requires Both Management, Security

Headshot of Don Tait, Omdia.
Source: Omdia

COMMENTARY

The growth in systems communicating over the internet without human involvement has been dramatic in recent years. The Internet of Things (IoT) is driving more machine-to-machine (M2M) communications without human intervention. There is also an explosion in application development underpinning the need for digital transformation, which is turbocharged by remote working and the ever-increasing adoption of e-commerce. This means that pieces of software code are interacting autonomously across networks as never before.   

There is a need to manage system identities in the sense of what they are and what they can and cannot do when they are online. For example, can they both send and receive data? Where can they send it? In what volumes and formats? Can they access data that resides elsewhere, make copies, and forward it on, even to recipients outside the organization? Just as importantly, has their identity changed since the last time they were online, e.g., with extra access rights or new software on board that was not there before? Non-human identities (NHI) are already estimated to outnumber human identities by a ratio of 50 to one (50:1). With more and more business processes being automated by artificial intelligence (AI)/generative AI (GenAI) and accessed by AI-enabled services, NHI growth is likely to accelerate even further, bringing yet more expansion in the threat landscape.

Why NHI Management is Required

NHIs can be defined as digital identities tied to entities like applications, services, and machines within an enterprise technology stack. These include bots, API keys, service accounts, OAuth tokens, cloud services, and other credentials that allow machines or software to authenticate, access resources, and communicate within a system.

The need for effective NHI management (NHIM) arises from several key factors:

  • IT infrastructures are becoming more complex: Modern IT infrastructures are characterized by their complexity, featuring a myriad of interconnected systems, cloud services, and devices, including, in many cases, a host of IoT devices that operate autonomously. Managing the identities of non-human entities within such environments is essential for ensuring accountability, traceability, and security.

  • An increase in automation: Organizations are increasingly adopting automation to streamline processes, improve efficiency, and reduce manual intervention, with agentic AI only intensifying the trend. Non-human entities, including bots, scripts, and automated workflows, execute tasks autonomously, necessitating proper identity management to prevent unauthorized access and misuse.

  • An increase in cybersecurity threats: Cybercriminals often target NHIs, particularly those in the IoT area that operate without human intervention, seeking to exploit vulnerabilities for malicious purposes. Weak authentication mechanisms, misconfigured permissions, and inadequate monitoring can leave non-human entities susceptible to attacks, leading to data breaches, system compromises, and service disruptions.

Related:How CISOs Can Communicate With Their Boards Effectively

A Nascent Market, Ripe for Acquisitions

The NHI market is still developing, as demonstrated by the fact that most players are startups. This includes companies like: 

  • Aembit; Andromeda Security; Astrix; AxisNow; Clarity Security; Clutch Security; Corsha; Entro Security; Natoma; Oasis; P0 Security; SlashID; TrustFour; Unosecur; Veza; Whiteswan Security

Some of these vendors are focused more specifically on NHI security while others provide broader NHIM capabilities, often described as NHI governance. We plan to deliver a report comparing and contrasting the leading players in this space in 2025.

Omdia believes that since most of the players in the NHI market are startups, they are ripe for acquisition by the larger identity security platform vendors. Indeed, one or two startups have already been acquired, such as Authomize, which privileged access management (PAM) vendor Delinea purchased in January this year. Whilst in May 2024, CyberArk (the market leader in PAM) acquired Venafi for $1.5bn. Venafi was an exception amongst the NHI specialists, because it had been around much longer, thanks to its certificate lifecycle management (CLM) and key management background.

Related:Managing Threats When Most of the Security Team Is Out of the Office

Conclusions

The growth in devices communicating over the internet with no humans involved in the process has raised awareness of the need to manage these system’s identities. Omdia believes that over the coming years, NHI growth is likely to accelerate and further increase the threat landscape. Enterprises must be aware that trends such as the adoption of cloud, microservices, and DevOps have fueled the growth of NHIs in enterprise environments. Omdia also believes that opportunities for vendors in the identity security market are still huge, as machine identities already outnumber human identities by a ratio of 50:1. That figure is only likely to increase going forward.


Free security scan for your website