← Back to blogs
2026-07-17 | 0gulcandogan | Imported from Medium

Old Friend Showed Up With a Key: Non-Human Identity Governance

Old Friend Showed Up With a Key: Non-Human Identity Governance

IAM Role doesn’t have a password. A Lambda function doesn’t need MFA, aservice account never quits, never goes on vacation, never says “I forgot my password” and that’s exactly why nobody questions it.

According to Tenable’s 2026 Cloud and AI Security Risk Report, 52% of non-human identities carry critically excessive permissions a rate that outpaces human identities (37%). Somewhere in your environment, there are ghosts quietly stacking up privileges nobody’s watching.

This article is about making them visible.

Principle 1: They’re Not Human, But Their Permissions Are Real

“Not human” doesn’t mean “harmless.”

Non-human identity (NHI) is a surprisingly wide family: IAM Roles, service accounts, Lambda functions, CI/CD pipelines, AI agents, API integrations. What they all share is this none of them has a person sitting behind it approving every action. They act on their own.

That’s where the problem starts. When a human user does something wrong, someone notices. It comes up in a meeting, it raises an eyebrow in a Slack thread. But a service account opened three years ago, whose founding developer left long ago, that nobody remembers the purpose of anymore it might still be running with full permissions.

Nobody notices, because nobody’s looking.

Principle 2: Ghost Roles Permissions That Never Die, But Never Live Either

The most dangerous access is the access nobody remembers granting.

A project ends. An integration gets abandoned. A “temporary” test role never gets deleted. Over time, your environment accumulates roles that serve no purpose anymore but still sit there with full permissions these are called ghost roles. This isn’t theoretical: roughly a third (37%) of over-privileged non-human identities aren’t actively used at all meaning a meaningful chunk of the biggest risk pool out there is identities nobody’s touched in ages.

Why are these so dangerous?

This is exactly what IAM Access Analyzer’s unused access findings are built for. It continuously reviews last-accessed information across your IAM roles and users, and surfaces unused roles, unused access keys and passwords, and permissions that haven’t been exercised within a set tracking window. If a role hasn’t made a single API call in six months, that’s your signal a candidate for deletion, or at minimum a serious trim.

Ask yourself: does every role in your environment have an owner, or does it look like some of them are ghosts haunting an empty house?

Principle 3: AI Agents Same Old Problem, New Generation

Tell an agent “just this once,” and it hears “forever.”

The development driving 2026’s NHI conversation is AI agents. You give an agent access to get a task done but that access usually isn’t scoped to the task. It’s scoped to “get it done, whatever it takes.”

The numbers back this up starkly. The Cloud Security Alliance’s March 2026 report, “The Identity and Access Gaps in the Age of Autonomous AI” (commissioned by Aembit), found that 68% of organizations can’t reliably tell whether an action came from an AI agent or a human. Tenable’s telemetry shows why that’s dangerous: 18% of organizations have AI services holding administrative permissions that are rarely, if ever, audited. Different research firms, same story nobody’s watching, and everybody’s exposed.

This is standing privilege permission that stays open indefinitely, never temporary. Even after an agent finishes its job, that permission is still sitting there, still active, still waiting to be misused.

AWS’s own security team is leaning into this problem too. In a June 2026 post, AWS walked through using resource-based policies on Amazon Bedrock AgentCore to grant one tenant cross-account access while restricting another to VPC-only traffic in a shared, multi-tenant AI platform — in other words, scoped, tenant-specific access for agents is now an officially recommended pattern, not just a best practice you invent yourself.

The fix is the same logic that applies to human identities just applied to a machine this time:

Telling an AI agent “you can do this” is easy. The hard part is remembering to say “not anymore.”

Principle 4: You Can’t Govern What You Haven’t Inventoried

You can’t protect what you can’t count.

Most organizations’ biggest question is: “How many NHIs do we actually have?” And the honest answer is usually: we don’t know.

The first step of NHI governance isn’t exciting — it’s inventory. But it’s non-negotiable:

An identity with no owner is a weapon with no one responsible for it. Nobody looks at it until something goes wrong.

Principle 5: Lifecycle Management Birth, Review, Retirement

NHIs deserve a retirement plan too.

Human users have a natural lifecycle: you’re onboarded, your role changes, you leave. NHIs usually never get this they’re created once and live forever.

A healthy NHI lifecycle should look like this:

  1. Creation: When an NHI is provisioned, its purpose, owner, and minimum required permissions should be clearly defined.
  2. Periodic review: At regular intervals (quarterly, say), check whether each NHI is still actually being used.
  3. Automatic expiration: Unused identities should be disabled automatically don’t rely on human memory.

Without these three, your environment fills up with ghost roles over time. And every ghost role is an open door that makes an attacker’s job easier.

Finally: Make the Invisible Visible

NHI governance isn’t a complex technology. What’s complex is breaking the habit of ignoring it.

Remember: the invisible isn’t dangerous because it’s weak it’s dangerous because nobody’s looking at it.

References:

Original: https://medium.com/@0gulcandogan/old-friend-showed-up-with-a-key-non-human-identity-governance-c9eebb89560f?source=rss-746132cb79a8------2