The Wise Operator

Non-Human Identity

A credential, token, API key, service account, or OAuth grant issued to a software system, automation, or AI agent rather than to a human user, used to authenticate and authorize machine-to-machine actions inside enterprise environments.


What It Is

A non-human identity is any credential issued to a machine rather than a person. API keys that allow a service to read a database, OAuth tokens that let one SaaS tool write to another, and service accounts that grant an AI agent permission to act inside a corporate system are all non-human identities. Unlike human user accounts, they are rarely subject to the same access reviews, expiration policies, or revocation workflows. They proliferate quietly and accumulate permissions over time.

Why It Matters

Every AI agent you deploy requires non-human identities to function. A customer-service agent needs a token to read order history. A financial crimes agent needs credentials to query transaction records. A coding agent needs an API key to push to a repository. In a small deployment, this is manageable manually. At enterprise scale, with dozens of agents running across dozens of integrated systems, the credential surface grows faster than any team can audit by hand. Unmanaged non-human identities are one of the primary attack vectors for adversaries targeting AI-enabled enterprises, because compromising a machine credential often grants broader and quieter access than compromising a human account.

In Practice

The security discipline emerging around non-human identity treats every machine credential as a first-class object with a defined lifecycle, a minimum-necessary access scope, and a revocation path. Platforms like Astrix Security, acquired by Cisco in May 2026, map the full inventory of non-human identities across an enterprise, flag over-permissioned credentials, and surface anomalous behavior in real time. Any operator deploying agents at scale should audit whether their current identity infrastructure was designed for a world where software acts, not just where software runs.
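A sketch of the audit described above, added here as an illustration and not taken from any vendor's product: it checks each machine credential for an owner, an expiry, a revocation path, and scopes it holds but never uses. The record fields, finding labels, the 90-day staleness threshold and the sample inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class MachineCredential:
    name: str
    owner: Optional[str]            # accountable team; None = orphaned
    granted: frozenset              # scopes the credential holds
    used: frozenset                 # scopes seen in access logs (assumed available)
    expires_at: Optional[datetime]  # None = never expires
    last_used: Optional[datetime]
    revocable: bool                 # a tested revocation path exists

def audit(cred, now, stale_after=timedelta(days=90)):
    """Return lifecycle, scope and revocation findings for one credential."""
    findings = []
    if cred.owner is None:
        findings.append("no-owner")
    if cred.expires_at is None:
        findings.append("no-expiry")
    elif cred.expires_at <= now:
        findings.append("expired-still-present")
    if not cred.revocable:
        findings.append("no-revocation-path")
    unused = cred.granted - cred.used
    if unused:
        findings.append("unused-scopes=" + ",".join(sorted(unused)))
    if cred.last_used is None or now - cred.last_used > stale_after:
        findings.append("stale")
    return findings

def audit_inventory(inventory, now):
    """Map credential name -> findings, omitting clean credentials."""
    return {c.name: f for c in inventory if (f := audit(c, now))}

# Constructed sample inventory (not real credentials or systems).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
INVENTORY = [
    MachineCredential("support-agent-token", "cx-team",
                      frozenset({"orders:read"}), frozenset({"orders:read"}),
                      NOW + timedelta(days=30), NOW - timedelta(days=1), True),
    MachineCredential("coding-agent-key", None,
                      frozenset({"repo:push", "repo:admin"}), frozenset({"repo:push"}),
                      None, NOW - timedelta(days=2), True),
    MachineCredential("legacy-sync-account", "data-team",
                      frozenset({"db:read"}), frozenset(),
                      NOW - timedelta(days=10), NOW - timedelta(days=200), False),
]
```

Calling `audit_inventory(INVENTORY, NOW)` returns findings only for the two credentials that fail a check; the correctly scoped, expiring, owned token is omitted.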