Identiverse 2025: Trust, Delegation, and the Era of Continuous Identity

When people think of Las Vegas, images of neon lights, 24/7 blackjack tables, and Elvis impersonators tend to come to mind. But inside the climate-controlled oasis of Mandalay Bay, something far more consequential than roulette odds was being discussed, namely the invisible identities that drive nearly every modern system. Non-human identities, or NHIs, took center stage at Identiverse 2025, and the theme running throughout all the sessions was that our security blind spots aren’t just technical; they’re philosophical, operational, and already being exploited.

The Machine Identities Among Us

Identiverse 2025 drew together over 3000 identity professionals for four days of hallway conversations, breakout sessions, and emerging standards around what might be the most pressing identity crisis yet. Nowhere was this urgency more palpable than in the dedicated NHI Workshop, coordinated by Lalit (Mr NHI) Choda. Across panels and deep dives, the same themes kept resurfacing: most companies don’t know how many NHIs they have, governance often doesn’t begin until after a breach, and attackers are evolving faster than enterprises can adapt.

In the opening workshop, Lalit set the tone with stark numbers. When asked how many attendees were concerned about NHIs, 60% raised their hands. But when asked how many knew how to solve it, only two raised their hands, and they were vendors.

We’ve created digital entities that act without oversight, and most security teams still treat them as side quests.

Lalit Choda

Credentials vs. Identity: The Fundamental Misunderstanding

In “What Are NHIs: Criticality and the Key Risks and Challenges,” Lalit Choda led a panel with Kirby Fitch, Sr. Product Manager of Platform at SailPoint, and Shashwat Sehgal, CEO of P0 Security, that drilled into the core confusion plaguing most enterprises.

“An identity is different from a credential,” Shashwat explained. “You can’t protect one without the other.”

Kirby pointed out the misalignment in most IAM programs, which assume that the lifecycle of a service account is tied to a project, not to a person or process. In reality, NHIs often persist long after the engineers who created them are gone. Lalit emphasized the danger of NHIs that “move without human intervention,” citing internal threats from staff who abuse poorly governed accounts to bypass controls.

The result is a sprawling mess of over-permissioned accounts, orphaned credentials, and environments too brittle for privileged access management (PAM) to be implemented cleanly.

Hosted by Lalit Choda (#MrNHI) with Kirby Fitch and Shashwat Sehgal

Logging In, Not Breaking In

“How Attackers Compromise NHIs,” with Michael Silva and Vincenzo Iozzo, CEO of SlashID, captured the high stakes of ignoring NHI governance. The central message was chillingly simple: “Attackers aren’t breaking in, they’re logging in.”

31% of breaches, according to the Verizon DBIR, involve stolen credentials. The panel walked through live demos, showing how leaked tokens or hardcoded secrets can be harvested from Git repositories and other sources in the software development process, and leveraged to pivot laterally inside networks. Because NHIs don’t have a lifecycle the way humans do, these credential-based breaches tend to persist unnoticed.

The complexity of authorization protocols and broken permission models, such as ad-hoc RBAC schemes, only exacerbate the issue. MFA fatigue, esoteric OAuth2 misconfigurations, and static bearer tokens create an identity attack surface that is easier to exploit than endpoints hardened by EDR and MDM tools.

Best practices remain elusive, and the message was clear: “Governance is mandatory.”

Vincenzo Iozzo and Michael Silva

NHI Maturity Isn’t About Tooling; It’s About Ownership

In the workshop panel “The NHI Maturity Model,” Jesse Minor, Identity Security at KPMG US, hosted a practical but sobering discussion with Sriram S, Identity Sr. Director of Information Security Engineering at GAP Inc., Rich Dandliker, CSO at Veza, and Anthony Viggiano, Identity Governance Director at Cigna. The group peeled back the layers of what actually blocks NHI progress. According to them, it’s not just the technology.

Anthony described being brought into a new organization and given 90 days to clean up NHI chaos. “We did the assessments, found thousands of stale accounts. But you can’t just shut things off. The business will break, and then you get fired.”

Sriram emphasized that you can’t protect what you don’t understand. Provisioning without lifecycle tracking becomes a liability. Rich noted that “access reviews for machines are theater unless we trim over-privileges and assign ownership.”

Visibility is only the first step. Without strong metadata, human-backed ownership, and enforced lifecycle policies, organizations are just playing whack-a-mole with credentials.

Jesse Minor, Sriram S., Rich Dandliker, and Anthony Viggiano

Agentic AI: The Next Class of NHI

As AI systems evolve from narrow automation to agentic behavior, the overlap between NHIs and machine learning models has become impossible to ignore. Henrique Bernardes B Teixeira, SVP of Strategy at Saviynt, led a panel exploring this intersection in the workshop "Agentic AI and the Intersection with NHIs."

Idan Gour of Astrix noted that AI agents “are still NHIs, but they behave differently.” Unlike service accounts, agentic AI exhibits goal-driven behavior, operates across multiple trust domains, and can be harder to predict than a static API key.

Paresh Bhaya, Co-founder of Natoma, warned that in five years, domain-specific AI agents will be deployed without humans in the loop. If we don't get ahead of privilege boundaries now, post-incident discovery will be futile. “Walled-off RAG models aren’t enough. The era of Model Context Protocols (MCP) is already here,” he said.

The identity community is no longer asking if AI agents are NHIs; it’s asking how fast we can build governance frameworks around them.

Henrique Bernardes B Teixeira, with Idan Gour, Ido Shlomo, and Paresh Bhaya

A Case of Too Many Cooks

In his case study "How and Why IGA Programs Fail," Jon Lehtinen, Vice President - Identity Products at IDPro/UberEther, focused on a fast-scaling SaaS company with a hybrid technology stack, some commercial SaaS, and some homegrown platforms. Like many companies, this one had a C-suite with competing agendas, a well-meaning but resource-constrained security team, and a compliance function waiting in the wings.

On the surface, the pieces were there: a need for governance, a security team aware of the risks, and even a few champions pushing for bottom-up change. But culturally, the company was built on heroics, not Kaizen. There was always another urgent fire to put out, and governance took a backseat to shipping features or adopting new security tools with flashier short-term returns.

One of the session's most painful insights was about ownership. Multiple people were accountable, which meant no one really was. When an IGA rollout was finally greenlit, under the pressure of regulatory audits and executive fear, it was framed like an incident response: move fast, break things, and sort it out later.

He concluded the talk by explaining that purchasing a tool is not the same as implementing it. Without a structured onboarding strategy, clear accountability matrices (RACI), and iterative pilot programs using simpler apps, even the best tools become shelfware.

Jon Lehtinen

The Grammarly Contrast: NHI Done Right

Thijn Bukkems, Threat Hunting Lead at Grammarly, shared what a mature identity program looks like and how governance can be rescued by clarity, not just controls, in his session "A Deep Dive into Grammarly’s NHI Security Strategy."

Grammarly supports over 40 million daily users and is integrated into over 500,000 apps and sites. Their human identity program already had phishing-resistant multi-factor authentication (MFA) and just-in-time access models. But it was NHIs, machine identities, that surfaced as the next major threat.

Thijn walked through a familiar list of issues: overprivileged service accounts, static credentials, inconsistent rotation, and zero visibility into downstream dependencies. These weren’t just governance gaps; they were operational landmines.

Grammarly approached the problem with a clear strategy:

  • Inventory all NHIs
  • Map context to every identity
  • Establish remediation flows
  • Prioritize short-lived credentials, OAuth tokens, and scoped roles
  • Partner with vendors to productionize custom-built solutions

Most importantly, they took ownership seriously. The program didn’t stop at secrets scanning or IAM reviews. It aimed to educate developers, enforce lifecycle rules, and build baselines for anomaly detection.

Thijn Bukkems

NHIs Are a Mirror

A recurring theme at Identiverse 2025 was the recognition that NHIs are a mirror reflecting the weakest parts of our security culture. Unlike humans, machines don’t file helpdesk tickets. They don’t complain when their access breaks. They don’t attend compliance training. But they obey; sometimes too well.

Governance Deferred Is Governance Denied

Throughout the sessions and workshops, one phrase came up again and again: “We catch it after the fact.” Whether it’s legacy accounts never rotated, hardcoded secrets committed to Git, or tokens with no known owner, governance consistently trails behind functionality.

Participants repeatedly stressed that security is often traded for speed. Developers push ahead with service accounts, long-lived secrets, and hardcoded keys to meet release deadlines. Security teams often attempt to retrofit controls without sufficient context or cooperation. This is not negligence; it's the absence of operational clarity.

AI Exacerbates the Accountability Gap

As enterprises begin to embed LLMs and autonomous agents into their production pipelines, NHIs are no longer just infrastructure noise; they're potential actors with decision-making capabilities. That turns the traditional IAM model on its head.

These AI entities blur lines. They inherit permissions from their developers, but operate 24/7, interact across domains, and often don’t have a human watching their every move. 

The concept of “composite identities,” a blend of human and machine, came up in multiple side conversations. Security leaders now face a new challenge: how do you enforce least privilege when identities themselves are probabilistic, adaptive, and partially autonomous?

Tooling Without Ownership Solves Nothing

One panelist said most companies are lying to themselves about their NHI posture. It’s not just that the tools aren’t good enough; it’s that no one owns the problem.

You can buy secret scanners, vaults, and PAM platforms. But if no one is assigned to handle lifecycle, enforce rotation, and validate ownership, you're just moving tokens between silos. NHI maturity requires political capital, not just technical controls.

CI/CD Pipelines: The Forgotten Perimeter

Nearly every panel agreed that CI/CD pipelines remain one of the most neglected identity surfaces. These are where secrets leak, where tokens persist, and where automation often trumps security. Rotation remains the unsolved piece.

If the goal is zero standing privilege, then machine-first environments must be redesigned for ephemeral access. That means OAuth2 short-lived tokens, deterministic policy engines, and integrated anomaly detection that flags when a bot starts behaving out of character.
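The "bot behaving out of character" detection the paragraph above calls for can be built from a per-identity baseline. The following is an added illustration, not code from the page, from any speaker, or from GitGuardian: the audit-log format, the principal name, the action names, the source networks and every log line are constructed for the example. It learns what a pipeline token normally does (which actions, at which hours, from which networks) and flags later events that deviate.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed audit log (not from any real system). Assumed line format:
# "<ISO timestamp> principal=<nhi> action=<verb> src=<ip>"
BASELINE_LOG = """\
2025-06-01T02:05:11Z principal=ci-deploy-token action=deploy:write src=10.20.0.15
2025-06-02T02:07:40Z principal=ci-deploy-token action=deploy:write src=10.20.0.16
2025-06-03T02:04:58Z principal=ci-deploy-token action=repo:read src=10.20.0.15
2025-06-04T02:06:02Z principal=ci-deploy-token action=deploy:write src=10.20.0.17
"""

# Constructed events to evaluate against that baseline.
NEW_EVENTS = """\
2025-06-05T02:05:30Z principal=ci-deploy-token action=deploy:write src=10.20.0.15
2025-06-05T14:41:09Z principal=ci-deploy-token action=admin:org src=203.0.113.77
2025-06-05T02:06:12Z principal=ci-deploy-token action=repo:read src=10.20.0.200
"""

# Networks the pipeline is expected to run from (assumed value).
KNOWN_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_line(line):
    """Turn one constructed log line into a dict with typed fields."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": fields["principal"],
            "action": fields["action"],
            "src": ipaddress.ip_address(fields["src"])}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def in_known_net(ip):
    return any(ip in net for net in KNOWN_NETS)


def build_baseline(events):
    """Per-principal profile: actions seen, hours of day seen, and whether the
    identity has ever been observed from outside the known networks."""
    profile = defaultdict(lambda: {"actions": set(), "hours": set(), "off_net": False})
    for e in events:
        p = profile[e["principal"]]
        p["actions"].add(e["action"])
        p["hours"].add(e["ts"].hour)
        if not in_known_net(e["src"]):
            p["off_net"] = True
    return profile


def detect(events, baseline):
    """Return (event, reasons) pairs for events that deviate from the baseline."""
    flagged = []
    for e in events:
        p = baseline.get(e["principal"])
        reasons = []
        if p is None:
            reasons.append("unknown principal")
        else:
            if e["action"] not in p["actions"]:
                reasons.append(f"new action {e['action']}")
            if e["ts"].hour not in p["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}")
            if not p["off_net"] and not in_known_net(e["src"]):
                reasons.append(f"source {e['src']} outside known networks")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def detect_from_text(baseline_text, new_text):
    """Convenience wrapper: build the baseline from one log, score another."""
    baseline = build_baseline(parse_log(baseline_text))
    return [(e["principal"], e["ts"].isoformat(), reasons)
            for e, reasons in detect(parse_log(new_text), baseline)]


if __name__ == "__main__":
    for principal, when, reasons in detect_from_text(BASELINE_LOG, NEW_EVENTS):
        print(f"{when} {principal}: {'; '.join(reasons)}")
```

Of the three new events, only the mid-afternoon call with a never-before-seen action from an address outside the pipeline's network is flagged; the off-hours deploy and the read from a new host inside the known range match the baseline. In practice the baseline would be rebuilt on a rolling window and the "new action" check would be paired with the scope ceiling of the token itself, so that an action the identity should never be able to perform is an alert regardless of history.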

Maturity Is a Mindset, Not a Milestone

Across the board, every expert reiterated: there is no checkbox that makes your NHI program “done.” These are living systems. The infrastructure keeps changing. Identities multiply exponentially. New teams create new workflows.

The only path forward is continuous governance tied to actual business risk. That means inventory, lifecycle, ownership, and detection must be part of the same feedback loop. Secrets security can’t be a static audit exercise. It must become a living control system.
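The feedback loop described here, and the inventory, context, remediation and short-lived-credential strategy in the Grammarly section above, can be expressed as a small set of checks run over an NHI inventory on every cycle. The example below is added for illustration; it is not Grammarly's program, GitGuardian's product, or code from any speaker. The inventory records, the field names, the rotation and idle thresholds and the scope ceilings are all assumed values constructed for the example.

```python
from datetime import datetime, timezone

# Fixed clock so the checks are reproducible (assumed date).
NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)

# Constructed sample inventory, one record per non-human identity. The fields
# are an assumption about what an inventory carries: who owns it (context),
# when its credential was last rotated and used (lifecycle), and what it can do.
INVENTORY = [
    {"id": "svc-billing-db", "kind": "service_account", "owner": "team-payments",
     "last_rotated": "2025-05-01", "last_used": "2025-06-14",
     "scopes": {"db:read", "db:write"}},
    {"id": "ci-deploy-token", "kind": "api_token", "owner": None,
     "last_rotated": "2022-03-02", "last_used": "2025-06-10",
     "scopes": {"repo:read", "deploy:write", "admin:org"}},
    {"id": "bot-report-gen", "kind": "oauth_client", "owner": "alice@example.com",
     "last_rotated": "2025-06-01", "last_used": "2024-12-01",
     "scopes": {"reports:read"}},
]

# Policy knobs (assumed values): how old a credential may get before rotation is
# overdue, how long an identity may sit idle before it is treated as orphaned,
# and the maximum scopes each kind of identity is allowed to hold.
ROTATION_MAX_DAYS = 90
IDLE_MAX_DAYS = 120
SCOPE_CEILING = {
    "service_account": {"db:read", "db:write"},
    "api_token": {"repo:read", "deploy:write"},
    "oauth_client": {"reports:read"},
}


def _age_days(date_str):
    when = datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)
    return (NOW - when).days


def find_unowned(inventory):
    """Ownership gap: no accountable human or team recorded."""
    return [n["id"] for n in inventory if not n["owner"]]


def find_rotation_overdue(inventory, max_days=ROTATION_MAX_DAYS):
    """Lifecycle gap: credential older than the rotation window."""
    return [n["id"] for n in inventory if _age_days(n["last_rotated"]) > max_days]


def find_idle(inventory, max_days=IDLE_MAX_DAYS):
    """Orphan candidate: still valid, but nothing has used it recently."""
    return [n["id"] for n in inventory if _age_days(n["last_used"]) > max_days]


def find_overprivileged(inventory, ceiling=SCOPE_CEILING):
    """Least-privilege gap: scopes beyond the ceiling for that identity kind."""
    result = {}
    for n in inventory:
        excess = n["scopes"] - ceiling[n["kind"]]
        if excess:
            result[n["id"]] = sorted(excess)
    return result


def governance_report(inventory):
    """One pass that feeds ownership, lifecycle and privilege findings into a
    single prioritised list, so the same loop can run on every cycle."""
    findings = {
        "unowned": find_unowned(inventory),
        "rotation_overdue": find_rotation_overdue(inventory),
        "idle": find_idle(inventory),
        "overprivileged": find_overprivileged(inventory),
    }
    # An identity failing several checks at once is the one to remediate first.
    score = {}
    for hits in findings.values():
        for nhi in hits:
            score[nhi] = score.get(nhi, 0) + 1
    findings["priority"] = sorted(score, key=lambda k: (-score[k], k))
    return findings


if __name__ == "__main__":
    for check, result in governance_report(INVENTORY).items():
        print(f"{check}: {result}")
```

On the constructed inventory the pipeline token comes out on top: it has no owner, has not been rotated in years, and carries an admin scope its kind should never hold, which is exactly the orphaned, over-permissioned credential the sessions kept describing. The report-generation client is flagged only as idle, a candidate for decommissioning rather than an emergency. Running this on a schedule, with the thresholds tied to the risk of each identity kind, is what turns a one-off audit into the living control system the paragraph above asks for.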

The Future Requires Governing Humans and Non-Humans

From the packed sessions to the hallway debates, the discussions at Identiverse 2025 kept returning to one reality: our machines are talking. They’re logging in, deploying code, making API calls, and sometimes leaking secrets while doing it.

Security teams can’t afford to treat NHIs as edge cases anymore. These identities are the infrastructure. And when ownership is unclear, risk is guaranteed.

GitGuardian’s work in NHI Governance and Secrets Security felt more relevant than ever. But as nearly every speaker emphasized, tooling only works when it’s paired with clarity, ownership, and a bias toward action.

You can’t govern what you can’t see. You can’t rotate what you don’t own. And you can’t wait for a breach to build your NHI strategy.

It’s time we start treating machine identity with the seriousness we once reserved for humans. Because the future isn’t coming, it’s already executing shell scripts in production.