The four packed days at the KuppingerCole EIC Summit 2025 brought together security leaders and innovators to confront the fast-evolving world of identity and access management. As someone deeply involved in the work we do at GitGuardian, where we focus on non-human identity (NHI) and secrets security, I was encouraged by how quickly the conversation is shifting from traditional user controls to the complex realities of AI agents, machine identities, and the persistent risk of secrets sprawl. The emphasis on future-proofing identity strategies, planning for a lifespan well into the next decade, resonated deeply with our mission to secure the identities of tomorrow.

The Evolving Identity Fabric

Founder and Principal Analyst Martin Kuppinger described the Identity Fabric as a "production mesh of identity services", underscoring IAM's fundamental role in providing secure, well-governed access for everyone and everything. His keynote highlighted the limitations of current IAM landscapes: loosely coupled tools that struggle with API-driven service delivery and with supporting every identity type, which leads to complex integrations. The future, as he envisioned it, points towards combined, integrated, and orchestrated solutions that decouple data, functionality, and UX, a crucial step towards the 2040 vision.

NHIs: From Edge Case to Infrastructure

The NHI Pavilion was opened by Lalit Choda, Founder of the Non-Human Identity Management Group. A quick audience poll showed that awareness of NHI risk is growing, but remediation lags far behind. Lalit's war stories, including one from a global bank flooded with hardcoded credentials, were a sobering reminder that NHIs are everywhere, often invisible, and dangerously over-permissioned.

Today, every organization manages NHIs, yet few have structured onboarding, ownership, or lifecycle controls in place. This risk is only growing as AI agents and machine identities proliferate.

Attackers Are Logging In, Not Breaking In

Vincenzo Iozzo from SlashID highlighted a harsh truth: 82% of breaches are now malware-free, relying instead on stolen credentials and poor identity hygiene.

Key stats:

  • 6x rise in Kerberoasting attacks targeting Active Directory
  • 66% of AWS breaches stem from leaked IAM access keys
  • OAuth token abuse is increasing via over-permissioned apps
  • Persistent access via rogue IdPs, forged tokens, or attacker-added MFA devices
  • Over 50% of breaches are detected by external parties

The call to action: adopt identity threat detection, use device-bound tokens, automate permission right-sizing, and eliminate excess trust.
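The call to action starts with identity threat detection, so here is what one such detection looks like for the Kerberoasting item above. This is an added example, not material from the talk and not GitGuardian code: it runs over constructed Windows Security event 4769 (Kerberos service ticket requested) records. The field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are the ones that event really carries; the events, the five-minute window and the three-SPN threshold are assumptions for the example.

```python
"""Identity threat detection over Windows Security event 4769 records,
looking for the Kerberoasting pattern.

Signals:
  * a service ticket for a named service account issued with RC4-HMAC (0x17)
    in a domain that otherwise issues AES (0x12): the RC4 key is the account's
    NT hash, so the ticket can be cracked offline against the password;
  * one account requesting tickets for many distinct service principals in a
    short window: tooling enumerates SPNs and requests them all at once.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)   # assumed detection window
SPN_THRESHOLD = 3               # distinct service principals per account inside WINDOW

# Constructed sample: one normal user, one legacy app still on RC4, and one
# account harvesting tickets for several services within seconds.
SAMPLE_EVENTS = [
    {"ts": "2025-05-06T09:00:01", "id": 4769, "user": "alice@CORP", "service": "DC01$",          "etype": "0x12", "ip": "10.0.1.20"},
    {"ts": "2025-05-06T09:00:05", "id": 4769, "user": "alice@CORP", "service": "svc_web",        "etype": "0x12", "ip": "10.0.1.20"},
    {"ts": "2025-05-06T09:12:00", "id": 4769, "user": "carol@CORP", "service": "legacy_app",     "etype": "0x17", "ip": "10.0.1.31"},
    {"ts": "2025-05-06T09:30:00", "id": 4769, "user": "bob@CORP",   "service": "svc_sql",        "etype": "0x17", "ip": "10.0.5.77"},
    {"ts": "2025-05-06T09:30:02", "id": 4769, "user": "bob@CORP",   "service": "svc_backup",     "etype": "0x17", "ip": "10.0.5.77"},
    {"ts": "2025-05-06T09:30:03", "id": 4769, "user": "bob@CORP",   "service": "svc_web",        "etype": "0x17", "ip": "10.0.5.77"},
    {"ts": "2025-05-06T09:30:04", "id": 4769, "user": "bob@CORP",   "service": "svc_sharepoint", "etype": "0x17", "ip": "10.0.5.77"},
    {"ts": "2025-05-06T09:45:00", "id": 4768, "user": "dave@CORP",  "service": "krbtgt",         "etype": "0x12", "ip": "10.0.1.40"},
]


def is_service_account(name: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the KDC itself; neither has a
    user-chosen password to crack, so only named service accounts count."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events: list[dict]) -> list[dict]:
    findings = []
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != 4769 or not is_service_account(ev["service"]):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if ev["etype"] == RC4_HMAC:
            findings.append({"type": "rc4_service_ticket", "user": ev["user"],
                             "service": ev["service"], "ip": ev["ip"], "ts": ev["ts"]})
        per_user[ev["user"]].append((ts, ev["service"]))

    # Sliding window per account. Every encryption type counts here: AES
    # tickets can be cracked too, just more slowly.
    for user, requests in per_user.items():
        window = deque()
        for ts, service in requests:
            window.append((ts, service))
            while ts - window[0][0] > WINDOW:
                window.popleft()
            distinct = {s for _, s in window}
            if len(distinct) >= SPN_THRESHOLD:
                findings.append({"type": "bulk_spn_requests", "user": user,
                                 "services": sorted(distinct), "ts": ts.isoformat()})
                break   # one finding per account is enough to open a case
    return findings


def summarize(findings: list[dict]) -> dict:
    counts = defaultdict(int)
    for f in findings:
        counts[f["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_EVENTS):
        print(finding)
```

An RC4 ticket on its own is not proof: legacy applications still request them, as carol's request shows, so baseline RC4 usage per service first and escalate on the combination of RC4 and a burst of distinct SPNs from one principal, taking the source address into the investigation.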

Secrets Sprawl: A Crisis in Plain Sight

In GitGuardian's own session, your author presented the 2025 edition of the State of Secrets Sprawl, which revealed:

  • 23.8 million secrets leaked on public GitHub in 2024, a 25% YoY increase.
  • Private repos are 8x more likely to contain secrets due to a false sense of safety.
  • Collaboration tools (Slack, Jira, Confluence) have become significant leak vectors.
  • Repositories using AI coding assistants like Copilot are 40% more likely to leak secrets.
  • 100,000+ valid credentials were found in public DockerHub images.
  • Most alarming: 70% of secrets leaked in 2022 were still valid in 2024.

Detection is only the beginning. Remediation remains the hard part, often hindered by missing context (who owns the secret, what depends on it) and by fear of breaking production. Real security requires visibility, rotation, and a shift toward secretless authentication, meaning short-lived, workload-bound credentials instead of static keys. The developer culture around secrets must change, urgently.
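Visibility starts with catching the secret before it is committed or pasted. The following is an added example, not part of the original write-up and not GitGuardian's detection engine: it shows the two-tier logic secrets scanners use, high-confidence patterns for formats with a fixed structure plus a generic "credential-looking name with a high-entropy value" rule, with placeholders suppressed. The sample config is constructed; the AWS values are the placeholders Amazon publishes in its documentation and the GitHub token is made up. The entropy threshold and the keyword list are assumptions to tune against your own corpus.

```python
"""Detect hardcoded secrets in text (source, config, chat exports).

Rule types:
  * specific detectors: fixed prefixes or structure (AWS access key IDs,
    GitHub personal access tokens, PEM private-key headers);
  * a generic detector: an assignment whose name looks like a credential and
    whose value has high Shannon entropy, for secrets with no known format.
"""
import math
import re
from collections import Counter

SPECIFIC_RULES = [
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # GitHub personal access tokens, classic format
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # PEM private key header (RSA, EC, DSA, OpenSSH or unlabelled)
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]

# name = "value" / name: 'value' where the name suggests a credential
GENERIC_RULE = re.compile(
    r"(?i)(?:secret|token|password|passwd|api_key|access_key)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune on real data

# Values that look like credentials but are not: template/env references and
# well-known dummy values.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{.*\}|\$\(.*\)|<.*>|\{\{.*\}\}|changeme|password|example|x+|todo)$")

# Constructed sample input for the example.
SAMPLE_CONFIG = """\
# service settings (constructed sample, not a real deployment)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
api_key = "${API_KEY}"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-leaking it."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_values = []
        for kind, pattern in SPECIFIC_RULES:
            for m in pattern.finditer(line):
                matched_values.append(m.group(0))
                findings.append({"line": lineno, "kind": kind, "value": redact(m.group(0))})
        for m in GENERIC_RULE.finditer(line):
            value = m.group(1)
            if any(v in value for v in matched_values):
                continue  # a specific rule already reported this value
            if PLACEHOLDER.match(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"line": lineno, "kind": "high_entropy_secret", "value": redact(value)})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG):
        print(finding)
```

Detection tells you where a secret sits; it does not tell you whether it still works. Checking validity means calling the provider, which this offline example does not do, and a finding that is still valid is the one to rotate first.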

Standing Privileges: A Root Problem

KuppingerCole analyst Matthias Reinwarth's keynote cut through the noise: standing privileges are not just a risk; they are fundamentally incompatible with modern, compliant access models.

Why Standing Privileges Fail:

  • Static and context-less
  • Forgotten or orphaned
  • Easily exploited for lateral movement
  • Non-compliant with least privilege principles

The Alternative: Zero Standing Privileges

Matthias laid out a vision centered on Just-In-Time (JIT) access and Policy-Based Access Control (PBAC): access that expires by default and is granted only when needed.

Key tactics:

  • Task-based access tied to CI/CD or ITSM workflows
  • Event-driven entitlements
  • Dynamic roles based on job function, location, or risk
  • Continuous, automated access reviews
  • Behavioral analytics to spot anomalies

Organizations should start by targeting high-risk NHI accounts and gradually reduce standing access; even a 30% reduction significantly shrinks the attack surface.
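The tactics above read as a list, so here is what they look like together in code. This is an added example, not from the keynote and not GitGuardian's product: a small JIT broker that turns policy-as-code rules into time-boxed grants. Every request needs a task reference (CI job or change ticket), is evaluated against the rule's runtime conditions (source pipeline, location, risk score), and the enforcement point only honours a grant that is active at that moment, so there is no standing access to review away later. Policy, directory, TTLs and risk thresholds are all constructed.

```python
"""Zero standing privileges, expressed in code: policy-as-code rules,
just-in-time grants with a mandatory expiry, and evaluation at time of use.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    subject: str          # human or non-human identity
    action: str
    resource: str
    ticket: str           # CI/CD job or change ticket that justified the grant
    not_before: datetime
    not_after: datetime   # always set: access expires by default

    def active_at(self, now: datetime) -> bool:
        return self.not_before <= now < self.not_after


# Policy-as-code (constructed): what a role may request, under which
# conditions, and for how long. No matching rule means no access.
POLICY = [
    {"role": "deploy-bot", "action": "deploy", "resource": "prod/api",
     "require_source": "ci", "max_risk": 30, "ttl_minutes": 15},
    {"role": "dba", "action": "read", "resource": "prod/db",
     "countries": {"DE", "FR"}, "max_risk": 50, "ttl_minutes": 60},
]

# Identity directory (constructed): humans and NHIs handled alike.
DIRECTORY = {
    "ci-runner-42": {"role": "deploy-bot"},
    "alice": {"role": "dba"},
}


class JitBroker:
    def __init__(self, policy: list[dict], directory: dict):
        self.policy = policy
        self.directory = directory
        self.grants: list[Grant] = []

    def _rule_for(self, role: str, action: str, resource: str) -> Optional[dict]:
        for rule in self.policy:
            if (rule["role"], rule["action"], rule["resource"]) == (role, action, resource):
                return rule
        return None

    def request(self, subject, action, resource, ticket, context, now) -> tuple[Optional[Grant], str]:
        """Evaluate one access request. Returns (grant or None, reason)."""
        identity = self.directory.get(subject)
        if identity is None:
            return None, "unknown identity"
        if not ticket:
            return None, "no task reference (CI job or change ticket) supplied"
        rule = self._rule_for(identity["role"], action, resource)
        if rule is None:
            return None, f"no policy allows role {identity['role']} to {action} {resource}"
        if "require_source" in rule and context.get("source") != rule["require_source"]:
            return None, "request did not originate from the required pipeline"
        if "countries" in rule and context.get("country") not in rule["countries"]:
            return None, "request from a location outside the allowed set"
        risk = context.get("risk", 100)   # a missing risk signal is treated as worst case
        if risk > rule["max_risk"]:
            return None, f"risk score {risk} above {rule['max_risk']}"
        grant = Grant(subject, action, resource, ticket, now,
                      now + timedelta(minutes=rule["ttl_minutes"]))
        self.grants.append(grant)
        return grant, "granted"

    def authorized(self, subject, action, resource, now) -> bool:
        """Enforcement point: only a currently active grant counts."""
        return any(g.subject == subject and g.action == action
                   and g.resource == resource and g.active_at(now) for g in self.grants)

    def active_grants(self, now) -> list[Grant]:
        """Input for continuous access review: what is live at this moment."""
        return [g for g in self.grants if g.active_at(now)]


def run_scenario() -> dict:
    """Walk through the common cases; returns a dict of outcomes."""
    t0 = datetime(2025, 5, 6, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(POLICY, DIRECTORY)
    out = {}
    _, out["ci_deploy"] = broker.request("ci-runner-42", "deploy", "prod/api", "pipeline#812",
                                         {"source": "ci", "risk": 10}, t0)
    out["ci_deploy_after_5m"] = broker.authorized("ci-runner-42", "deploy", "prod/api", t0 + timedelta(minutes=5))
    out["ci_deploy_after_20m"] = broker.authorized("ci-runner-42", "deploy", "prod/api", t0 + timedelta(minutes=20))
    _, out["alice_deploy"] = broker.request("alice", "deploy", "prod/api", "CHG-1001", {"country": "DE", "risk": 10}, t0)
    _, out["alice_read_high_risk"] = broker.request("alice", "read", "prod/db", "CHG-1001", {"country": "DE", "risk": 80}, t0)
    _, out["alice_read_abroad"] = broker.request("alice", "read", "prod/db", "CHG-1001", {"country": "US", "risk": 10}, t0)
    _, out["alice_read_no_ticket"] = broker.request("alice", "read", "prod/db", "", {"country": "DE", "risk": 10}, t0)
    _, out["alice_read_ok"] = broker.request("alice", "read", "prod/db", "CHG-1001", {"country": "DE", "risk": 10}, t0)
    out["live_after_30m"] = [g.subject for g in broker.active_grants(t0 + timedelta(minutes=30))]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points matter in practice: the grant object has no "never expires" state, so a standing privilege cannot be represented at all, and the enforcement point re-checks the clock on every call rather than caching a decision, which is what makes the access review list trustworthy.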

Why IGA and PAM Are Failing NHIs

In another key panel session, experts tackled a pressing question: can IGA and PAM scale to secure non-human identities? The answer was clear: not yet.

The Core Problem:

  • IGA is ticket-driven and slow; NHIs are ephemeral and automated
  • PAM assumes human sessions and interactive logins; NHIs use APIs and scripts

Case Study: 15-Year-Old SaaS Provider

John Lettman's case study revealed that, despite modern IAM features, the organization lacked the basics: application inventories, role ownership, and structured governance. As a result, NHI governance became a crisis.

What Must Change:

  • Automate lifecycle management
  • Move to policy-as-code
  • Build tools that understand machine behavior
  • Create shared accountability between IAM, Security, and DevOps
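"Automate lifecycle management" and "move to policy-as-code" are easier to picture with the rules written down. The following is an added example, not the panel's material and not GitGuardian's product code: an NHI inventory, of the kind the case study found missing, is checked against lifecycle rules expressed in code, and each identity comes back with the actions its owner must take. The inventory, thresholds and field names are constructed assumptions.

```python
"""Automated lifecycle decisions for a non-human identity inventory."""
from datetime import datetime, timedelta, timezone

MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed: rotate anything older
MAX_IDLE = timedelta(days=60)             # assumed: unused this long means decommission

# Constructed inventory: a well-run NHI, an orphaned hardcoded legacy key,
# and an OAuth app carrying an admin wildcard it does not need.
INVENTORY = [
    {"name": "ci-deployer", "kind": "service-account", "owner": "platform-team",
     "credential_rotated": "2025-04-20", "last_used": "2025-05-05",
     "permissions": ["deploy:prod/api"], "managed_by": "vault"},
    {"name": "legacy-etl", "kind": "api-key", "owner": None,
     "credential_rotated": "2021-03-01", "last_used": "2023-11-02",
     "permissions": ["*"], "managed_by": "hardcoded"},
    {"name": "report-bot", "kind": "oauth-app", "owner": "finance-it",
     "credential_rotated": "2025-03-01", "last_used": "2025-05-04",
     "permissions": ["read:reports", "admin:*"], "managed_by": "vault"},
]


def _day(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def lifecycle_actions(identity: dict, now: datetime) -> list[str]:
    """Lifecycle rules as code. Order matters: an idle identity is retired
    rather than rotated, and an ownerless one gets an owner first, because
    nobody else can approve the retirement."""
    actions = []
    if identity["owner"] is None:
        actions.append("assign_owner")
    if now - _day(identity["last_used"]) > MAX_IDLE:
        actions.append("decommission")     # no point rotating a credential about to be removed
        return actions
    if identity["managed_by"] == "hardcoded":
        actions.append("move_to_vault")
    if now - _day(identity["credential_rotated"]) > MAX_CREDENTIAL_AGE:
        actions.append("rotate_credential")
    if any(p == "*" or p.endswith(":*") for p in identity["permissions"]):
        actions.append("scope_down_permissions")
    return actions


def audit(inventory: list[dict], now: datetime) -> dict:
    """Map every identity to its pending actions; an empty list means compliant."""
    return {i["name"]: lifecycle_actions(i, now) for i in inventory}


def coverage(report: dict) -> dict:
    """Programme-level numbers for the periodic review."""
    total = len(report)
    clean = sum(1 for actions in report.values() if not actions)
    return {"total": total, "clean": clean, "needs_action": total - clean}


if __name__ == "__main__":
    now = datetime(2025, 5, 6, tzinfo=timezone.utc)
    report = audit(INVENTORY, now)
    for name, actions in report.items():
        print(name, actions or "ok")
    print(coverage(report))
```

The shared-accountability point from the list is visible in the output: the "assign_owner" action is the one IAM cannot close alone, since it needs DevOps to name the team that actually runs the workload.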

Agents Are the New Identity Class

From Enrique Teixeira and Jonathan Neal of Saviynt:

  • Many orgs manage 20,000+ NHIs per 1,000 employees
  • NHIs lack structured onboarding and MFA, and often have no owner
  • Risks include hardcoded credentials, shared secrets, no rotation, and invisible over-permissioning

With AI agents poised to power a $74B market, this exposure will only grow. AI agents are rapidly becoming autonomous actors in enterprise systems, and our controls aren’t ready.

In his session, Meir Wahnon from Descope also emphasized building agent-aware APIs, implementing JIT access for agents, and setting consent boundaries for what an agent may do on a user's behalf. Emerging standards such as OAuth 2.1, MCP, and A2A help, but complexity remains.

Zero Trust: A Culture Shift, Not Just a Framework

The session by Dr. Silvia Knittl from PwC on the evolution of Zero Trust was another highlight. Her point: Zero Trust means continuously verifying every entity, human or machine, rather than trusting anything because of where it sits on the network.

Core tenets:

  • Identity is the new perimeter
  • Least privilege by default
  • Real-time context and risk-based access decisions
  • Unified visibility across cloud, endpoint, and app layers

With regulations such as DORA and NIS2 raising expectations, runtime access control and dynamic policy enforcement are quickly becoming regulatory requirements, not just best practices.

Despite this, many organizations admit they are not prepared for cloud threats, third-party breaches, or attacks on connected products. The financial impact is real: €276 billion in cybercrime losses in Germany alone last year, with organized crime accounting for the lion's share.

Final Takeaways

  1. AI and agents are redefining identity. Treat them as first-class identities.
  2. Secrets are leaking at scale. Visibility, vaulting, and secretless auth are key.
  3. Static IAM is obsolete. Move to dynamic, just-in-time, policy-based controls.
  4. Legacy tools are lagging. PAM and IGA must evolve for NHIs.
  5. Zero Trust is foundational. It’s about building secure digital trust, not eliminating human trust.

The Bottom Line

Non-human identities are no longer edge cases. They are your infrastructure. Securing NHIs and their secrets is now a core part of defending the modern enterprise.

At GitGuardian, we have built an NHI Security platform to help organizations discover, secure, and govern every machine identity in their environment. You can schedule a quick walkthrough whenever you like!

Because in today’s world, identity is the perimeter, and machines are the majority.