Topic pillar · 4 tracked pieces

Topic · Non-human identity

How enterprise IT manages AI agents as first-class identities — lifecycle, credentials, procurement clauses, audit.

Agents are not service accounts. The identity layer breaks first; this pillar is where it gets named.

Non-human identity (NHI) is the pillar where the existing IAM stack breaks fastest. Agents are not service accounts: they take input that crosses tenancy boundaries, they execute against multiple downstream APIs in a single decision cycle, and they hold credentials that traditional rotation policies were never designed to manage. The first 18 months of enterprise agentic-AI rollouts are surfacing exactly this gap.

This is the thinnest pillar by spoke count today and the most editorially under-served in public. The market is moving, the regulators are watching, and most enterprise CISOs we've talked to have a position on what their NHI architecture should be by Q3 2026 — but very little of that position is written down with named tooling and named tradeoffs.

Coverage threads this pillar opens: credential rotation policies for agent identities — what Vault, Doppler, and 1Password Secrets configurations actually look like in production, what the rotation cadence is, what breaks. Service-account to AI-agent identity migration playbooks — when to split, when to keep, and the SAML / OIDC / SCIM patterns that work in each case.

NHI procurement clauses — what an MSA with a multi-agent vendor needs to declare about agent-level identity tracking, audit log retention, and revocation. NHI inventory and observability — the SIEM and SOC patterns that actually catch agent identity sprawl before it becomes an audit finding. Auth0, Clerk, WorkOS, Stytch, and JumpCloud product-comparator pieces with the methodology declared and the workload pinned.

Expect this pillar to grow fastest of the five over Q2–Q3 2026.

Pillar last refreshed 2026-05-01

What survives review

What has broken

Nothing has moved to Partial or been retired in this topic yet.

Spoke articles

  • Okta vs specialized NHI vendors: the enterprise agent identity decision matrix for 2026

    Okta's 2025 Identity Threat Detection and Privileged Access additions extended the platform into the non-human identity space that specialized NHI vendors (Astrix, Apono, Britive, Aembit, Andesite, P0 Security) have been purpose-building since 2020. The procurement choice is not 'Okta or specialist' as a binary; it is which work the existing Okta deployment covers natively, which work the specialist closes, and where the federated-trust seam is priced. The 2026 buying-committee matrix walks the agent-identity surface in five dimensions and produces the architecture-not-tool decision the audit will ask about.

  • The NHI procurement clause gap: every vendor-provided AI agent is a vendor-issued non-human identity inside your environment

    CyberArk's 2025 State of Machine Identity Security report put the machine-to-human identity ratio at more than 80:1 in surveyed enterprises, with agent-heavy 2026 deployments pushing it higher still. The number that matters more than the ratio is the share of those NHIs that are vendor-issued rather than customer-issued. A 2026 enterprise contracting for a third-party AI agent platform is, in almost every case, accepting a vendor-issued principal into its environment with the authority to read, write, transact, and call further agents. The four procurement clauses that should govern that principal are missing from most standard agentic AI MSAs.

  • Storm-0558 and the structural risk in AI agent credentials

    The Cyber Safety Review Board's April 2024 report on the Storm-0558 intrusion catalogued the credential-management practices that produced the breach: a four-year-old signing key past its rotation policy, an environment boundary that did not enforce its own separation, a crash-dump leak that the existing detection tooling could not see, and a corporate account compromise that completed the chain. Read it forward, not backward: those same four practices describe how most enterprises are storing AI agent credentials in 2026. Storm-0558 was a forward indicator for the structural risk in non-human identity, not a one-off Microsoft incident.

  • Non-human identity for AI agents: the 2026 IAM playbook

    AI agents are not just another flavour of non-human identity. They are dynamic, ephemeral, delegating actors with reasoning capacity that legacy IAM cannot represent. The 92% of enterprises that report low IAM confidence for agentic AI are running an identity model with one structural axis where the deployment requires four. The remediation is a layered extension on top of existing IAM, not a rip-and-replace migration.

What we're watching next

  • Auth0, Okta, Ping, JumpCloud shipping first-class agent-identity primitives. Existing IAM platforms support service accounts and OAuth applications but force agents into one of those two shapes. The first IAM platform to ship agent-as-a-first-class-identity (with reasoning-trace correlation, action-class scoping, ephemeral credential rotation calibrated to agent lifetimes) sets the integration pattern the rest follow.
  • EU AI Act enforcement language touching agent-identity provenance. Article 12 logging requires action attribution. If competent authorities interpret 'attribution' as requiring per-agent identity rather than per-application identity, the IAM extension this pillar argues for becomes a compliance prerequisite, not a security recommendation.
  • First named-company breach where the failure mode was agent-identity sprawl. The pillar argues agent-identity sprawl is the dominant 2026 IAM gap. A canonical case study — comparable to the Mercor / LiteLLM chain in security — would calibrate the remediation cost and force the issue into 2027 risk-register conversations.
  • NIST or CISA publishing agent-identity guidance distinct from existing NHI guidance. Standards-body recognition that agents need IAM treatment beyond the existing service-account framing would accelerate enterprise procurement of the four-axis identity model. Without it, most enterprises will ride the existing NHI playbook into the gap.

Primary sources we trust for this topic

A curated list of primary research, regulator guidance, and vendor documentation for non-human identity. Populated on the quarterly refresh — not a link dump, not competitors.
This pillar page is refreshed quarterly. Last refresh: 19 Apr 2026. Next refresh: 18 Jul 2026.

Vigil · 44 reviewed