Industry Analysis

The NHI Problem: 100 Non-Human Identities for Every Developer

March 27, 2026

For every human developer in a modern enterprise, there are approximately 100 non-human identities: service accounts, API keys, bot credentials, machine tokens, certificates, and managed identities that power the infrastructure. A 200-person engineering organization typically operates with 20,000 or more NHIs. Most security teams cannot tell you how many they have, who owns them, or when they were last rotated. This is the NHI problem, and it has moved from a niche concern to a board-level priority.

Why NHIs Matter Now

Three trends have converged to make NHI governance urgent. First, the scale of NHI proliferation has accelerated dramatically. Cloud-native architectures, microservices, and CI/CD pipelines each generate dozens of machine credentials. A single Kubernetes deployment may involve service account tokens for the pod, API keys for external services, database connection strings, message queue credentials, and certificate-based mutual TLS identities. Multiply that across hundreds of microservices and the numbers become staggering.

Second, NHI compromise is now a primary attack vector. IBM's 2024 Cost of a Data Breach report put the average cost of a breach that began with stolen or compromised credentials at $4.81 million, and those breaches had the longest lifecycle of any initial vector: an average of 292 days to identify and contain. Attackers are not breaking through firewalls. They are finding abandoned API keys and using them to walk through the front door, and because the key is valid, the sign-in looks like ordinary service traffic until someone asks why it is touching what it is touching.

Third, regulatory pressure is intensifying. SOC 2 Type II audits now routinely ask for evidence of credential rotation policies and periodic access reviews that cover service accounts, not only people. The HIPAA Security Rule requires audit controls on systems that handle electronic PHI, so automated processes that read or write that data need an identity that can be traced in those audit trails. PCI DSS v4.0 Requirement 8 extends its authentication and credential-management controls explicitly to application and system accounts. Organizations that cannot demonstrate NHI governance are failing audits and facing remediation findings.

The Inventory Problem

The most fundamental challenge of NHI governance is that most organizations do not know what NHIs they have. A manual inventory effort typically takes 2 to 6 months, involves interviewing dozens of engineering teams, and produces a spreadsheet that is outdated by the time it is completed. New NHIs are created daily as developers provision services, configure integrations, and deploy infrastructure. The spreadsheet approach simply cannot keep up.

Existing secret scanning tools attempt to solve the inventory problem by scanning code repositories. This approach finds NHIs that were committed to code, which is valuable but incomplete. Many NHIs are provisioned through cloud consoles, CLI tools, or infrastructure-as-code pipelines that do not commit credentials to repositories. A developer who creates an API key through the AWS Console and pastes it into a configuration management system has created an NHI that no repository scanner will ever find.

Log-Based Discovery: A Better Approach

Netallion AI Assurance takes a fundamentally different approach to NHI discovery. Instead of scanning where credentials are stored, we scan where they are used. Azure Monitor logs, application telemetry, and infrastructure diagnostics record authentication events, API calls, and service-to-service interactions as they happen, provided the diagnostic settings that route them to a Log Analytics workspace are enabled. By analyzing this telemetry, Netallion AI Assurance discovers NHIs that are actively in use in production, regardless of how they were provisioned.

Log-based discovery provides several advantages over repository scanning. First, it finds NHIs that never appeared in code. Service accounts created through cloud consoles, managed identities provisioned by infrastructure automation, and credentials shared through configuration management systems are all visible in log telemetry even if they were never committed to a repository.

Second, log-based discovery reveals usage patterns. Rather than simply knowing that a credential exists, organizations can see which services use it, what resources it accesses, how frequently it authenticates, and when it was last active. This context is essential for risk prioritization. A credential that accesses production databases hourly is more critical than one that accesses a development sandbox weekly.

Third, log-based discovery is continuous and automatic. New NHIs are detected as soon as they appear in log telemetry, without requiring repository scans, manual registration, or team interviews. The inventory stays current because it is derived from live production data rather than static configuration. The corresponding limit is that telemetry only shows credentials that actually authenticate during the observation window against systems whose logs are collected; a dormant key that never signs in leaves no trace, so the provider's own credential listings (an IAM credential report, an app registration's secrets and certificates) remain a useful cross-check for what exists but is never used.
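To make the discovery and usage-profiling described above concrete, here is an added example that folds sign-in telemetry into a per-principal inventory and scores each identity on the context the post lists (production access, last activity, frequency, source networks). It is not Netallion's code. The records are constructed and only imitate the column names of Azure Monitor's AADServicePrincipalSignInLogs table, which is an assumption about the schema; the risk weights and the set of "production" resources are likewise illustrative.

```python
"""Derive an NHI inventory and usage profile from sign-in telemetry.

Added example for this post; it is not Netallion's code. The records below are
constructed and only imitate the column names of Azure Monitor's
AADServicePrincipalSignInLogs table (an assumption about the schema; check your
workspace before relying on it). Risk weights are illustrative.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample telemetry: three service principals over a few weeks.
# ResultType "0" is a successful sign-in; any other code is a failure.
SAMPLE_LOGS = [
    {"TimeGenerated": "2026-03-26T08:00:00Z", "ServicePrincipalId": "sp-billing-01",
     "ServicePrincipalName": "billing-worker", "ResourceDisplayName": "Azure SQL Database",
     "ResultType": "0", "IPAddress": "10.0.1.15"},
    {"TimeGenerated": "2026-03-26T09:00:00Z", "ServicePrincipalId": "sp-billing-01",
     "ServicePrincipalName": "billing-worker", "ResourceDisplayName": "Azure SQL Database",
     "ResultType": "0", "IPAddress": "10.0.1.15"},
    {"TimeGenerated": "2026-03-26T10:00:00Z", "ServicePrincipalId": "sp-billing-01",
     "ServicePrincipalName": "billing-worker", "ResourceDisplayName": "Azure SQL Database",
     "ResultType": "0", "IPAddress": "10.0.1.15"},
    {"TimeGenerated": "2026-03-15T12:00:00Z", "ServicePrincipalId": "sp-ci-02",
     "ServicePrincipalName": "ci-deployer", "ResourceDisplayName": "Dev Storage Account",
     "ResultType": "0", "IPAddress": "10.0.2.7"},
    {"TimeGenerated": "2026-03-22T12:00:00Z", "ServicePrincipalId": "sp-ci-02",
     "ServicePrincipalName": "ci-deployer", "ResourceDisplayName": "Dev Storage Account",
     "ResultType": "0", "IPAddress": "10.0.2.7"},
    {"TimeGenerated": "2026-02-05T03:00:00Z", "ServicePrincipalId": "sp-legacy-03",
     "ServicePrincipalName": "legacy-export", "ResourceDisplayName": "Azure SQL Database",
     "ResultType": "0", "IPAddress": "203.0.113.9"},
    {"TimeGenerated": "2026-02-06T03:00:00Z", "ServicePrincipalId": "sp-legacy-03",
     "ServicePrincipalName": "legacy-export", "ResourceDisplayName": "Azure SQL Database",
     "ResultType": "7000215", "IPAddress": "198.51.100.4"},
]
NOW = datetime(2026, 3, 27, tzinfo=timezone.utc)
PRODUCTION_RESOURCES = {"Azure SQL Database"}  # assumption: what counts as production here


@dataclass
class NhiRecord:
    principal_id: str
    name: str
    first_seen: datetime
    last_seen: datetime
    auth_count: int = 0
    failures: int = 0
    resources: set = field(default_factory=set)
    source_ips: set = field(default_factory=set)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_inventory(records):
    """Fold sign-in events into one record per principal: who, when, from where, to what."""
    inventory = {}
    for r in records:
        ts = parse_ts(r["TimeGenerated"])
        rec = inventory.setdefault(
            r["ServicePrincipalId"],
            NhiRecord(r["ServicePrincipalId"], r["ServicePrincipalName"], ts, ts))
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)
        rec.auth_count += 1
        if r["ResultType"] != "0":
            rec.failures += 1
        rec.resources.add(r["ResourceDisplayName"])
        rec.source_ips.add(r["IPAddress"])
    return inventory


def risk_score(rec, now=NOW, production=PRODUCTION_RESOURCES, stale_after_days=30):
    """Score a principal from its usage context; weights are illustrative."""
    score, reasons = 0, []
    if rec.resources & production:
        score += 50
        reasons.append("authenticates to production resources")
    idle_days = (now - rec.last_seen).days
    if idle_days > stale_after_days:
        score += 20
        reasons.append(f"idle for {idle_days} days")
    if len(rec.source_ips) > 1:
        score += 15
        reasons.append("used from multiple source networks (shared or leaked?)")
    if rec.auth_count and rec.failures / rec.auth_count >= 0.5:
        score += 15
        reasons.append("high authentication failure rate")
    return score, reasons


def prioritize(inventory, now=NOW, production=PRODUCTION_RESOURCES):
    """Return (record, score, reasons) tuples, highest risk first."""
    scored = [(rec, *risk_score(rec, now, production)) for rec in inventory.values()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for rec, score, reasons in prioritize(build_inventory(SAMPLE_LOGS)):
        print(f"{score:3d} {rec.name:15s} last_seen={rec.last_seen:%Y-%m-%d} "
              f"auths={rec.auth_count} resources={sorted(rec.resources)} {reasons}")
```

On the constructed data the stale, multi-network `legacy-export` principal with a failed sign-in ranks above the busy `billing-worker`, even though both reach the same production database; that is the point of scoring on usage rather than existence. Note that `ci-deployer`, which only touches a dev resource, scores zero, and that a principal absent from the logs entirely would never appear in the inventory at all.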

From Inventory to Lifecycle Management

Discovery is only the first step. Effective NHI governance requires lifecycle management: assigning owners, enforcing rotation policies, tracking usage, and remediating compromised credentials. Netallion AI Assurance provides the complete lifecycle.

Ownership mapping assigns a human owner to every non-human identity. When a credential needs to be rotated or investigated, there is a clear escalation path. Orphaned identities without owners are flagged for immediate review, as they often represent the highest-risk credentials in an organization.

Rotation policies enforce credential hygiene based on configurable schedules. Different credential types may have different rotation requirements. Production database credentials might rotate every 30 days. CI/CD pipeline tokens might rotate every 90 days. The policy engine tracks compliance, sends alerts before deadlines, and escalates overdue rotations.

Blast radius analysis maps what each credential can access. When a credential is compromised, the first question is always "What is at risk?" Netallion AI Assurance maps the blast radius across AWS, Azure, and GitHub, showing exactly which resources, databases, and repositories the credential can reach. This enables targeted remediation rather than broad emergency rotations that disrupt production systems.
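The three lifecycle controls above (ownership mapping, rotation policy, blast radius) can be evaluated with one pass over an inventory. The following added example does that; it is not Netallion's code. The inventory records, the role-to-resource grants, and the escalation mailbox are constructed. The 30-day and 90-day intervals are the ones the post quotes for production database credentials and CI/CD tokens; the 180-day API-key interval and the 7-day warning window are assumptions.

```python
"""Lifecycle policy check over an NHI inventory: owners, rotation, blast radius.

Added example for this post, not Netallion's code. Inventory, role grants and
the escalation mailbox are constructed. The 30-day (prod DB) and 90-day (CI/CD)
rotation intervals come from the post; the 180-day api-key interval and the
7-day warning window are assumptions.
"""
from datetime import date, timedelta

ROTATION_POLICY_DAYS = {"prod-db-credential": 30, "cicd-token": 90, "api-key": 180}
WARN_BEFORE_DAYS = 7
ESCALATION_OWNER = "security-oncall@example.com"  # assumed fallback for orphaned NHIs
TODAY = date(2026, 3, 27)

# Constructed: role -> resources reachable through it (the shape an assignment
# export from AWS IAM, Azure RBAC or GitHub would be flattened into).
ROLE_GRANTS = {
    "db-reader-prod": {"sql:prod-orders", "sql:prod-customers"},
    "repo-write": {"github:org/payments-api"},
    "storage-contributor-dev": {"blob:dev-artifacts"},
}

# Constructed inventory records: discovery output plus ownership mapping.
INVENTORY = [
    {"id": "sp-billing-01", "type": "prod-db-credential", "owner": "payments-team@example.com",
     "last_rotated": date(2026, 3, 10), "roles": ["db-reader-prod"]},
    {"id": "sp-ci-02", "type": "cicd-token", "owner": "platform-team@example.com",
     "last_rotated": date(2026, 1, 1), "roles": ["repo-write", "storage-contributor-dev"]},
    {"id": "key-export-04", "type": "api-key", "owner": "data-team@example.com",
     "last_rotated": date(2025, 9, 1), "roles": ["storage-contributor-dev"]},
    {"id": "sp-legacy-03", "type": "api-key", "owner": None,
     "last_rotated": date(2024, 6, 15), "roles": ["db-reader-prod", "repo-write"]},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "ok": 3}


def rotation_status(cred, today=TODAY):
    """Compare the last rotation against the policy interval for this credential type."""
    due = cred["last_rotated"] + timedelta(days=ROTATION_POLICY_DAYS[cred["type"]])
    days_left = (due - today).days
    if days_left < 0:
        return "overdue", due
    if days_left <= WARN_BEFORE_DAYS:
        return "due-soon", due
    return "compliant", due


def blast_radius(cred, role_grants=ROLE_GRANTS):
    """Every resource reachable through any role assigned to the credential."""
    reachable = set()
    for role in cred["roles"]:
        reachable |= role_grants.get(role, set())
    return sorted(reachable)


def evaluate(inventory, today=TODAY, role_grants=ROLE_GRANTS):
    """Produce one finding per credential, most urgent first."""
    findings = []
    for cred in inventory:
        status, due = rotation_status(cred, today)
        orphaned = cred["owner"] is None
        issues = []
        if orphaned:
            issues.append("no owner on record")
        if status == "overdue":
            issues.append(f"rotation overdue since {due}")
        elif status == "due-soon":
            issues.append(f"rotation due {due}")
        if orphaned and status == "overdue":
            severity = "critical"
        elif status == "overdue":
            severity = "high"
        elif status == "due-soon" or orphaned:
            severity = "medium"
        else:
            severity = "ok"
        findings.append({
            "id": cred["id"], "severity": severity, "rotation": status,
            "escalate_to": ESCALATION_OWNER if orphaned else cred["owner"],
            "blast_radius": blast_radius(cred, role_grants), "issues": issues,
        })
    # Most severe first; within a severity, the credential that reaches the most resources.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -len(f["blast_radius"])))
    return findings


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f['severity']:8s}] {f['id']:14s} -> {f['escalate_to']} "
              f"reach={f['blast_radius']} {f['issues']}")
```

The ordering is the useful part: the orphaned, long-unrotated `sp-legacy-03` surfaces first with its full reach (two production tables and a repository) listed, so the responder knows which resources to check for misuse and which to rotate, instead of rotating everything that shares a subscription with it.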

The Market Response

The NHI security market is growing rapidly. GitGuardian raised a $50 million Series C and expanded its NHI management capabilities. TruffleHog raised $25 million to build enterprise features around its open-source scanner. The total NHI security market is projected to grow from $12.2 billion in 2026 to $38.8 billion by 2036, a 12.3% compound annual growth rate.

Netallion AI Assurance differentiates in this market through log-based discovery. While competitors discover NHIs by scanning code repositories, Netallion AI Assurance discovers them from log telemetry, producing an inventory of what is actually authenticating in production rather than of what happens to be checked into a repository. For Azure-centric organizations, this approach reveals NHIs that no repository scanner can find.

Getting Started

If your organization does not have a complete NHI inventory, you are not alone. Most enterprises are in the same position. The good news is that log-based discovery can provide a comprehensive inventory faster than any manual effort. Netallion AI Assurance populates the NHI inventory automatically from your existing Azure Monitor telemetry, with no agent installation or repository access required.

Start with a 14-day free trial to see what NHIs are active in your environment. Most organizations are surprised by what they find. The credential that no one remembers creating, the service account that has not been rotated in years, the API key with access to production data that belongs to a former employee. These are the risks that NHI lifecycle management is designed to address.
