Non-Human Identity Crisis: NC Small Business 2026 NHI Playbook

Non-human identities now outnumber human users 25:1 to 500:1. An NC small-business plan to inventory, govern, and rotate service accounts, API keys, and AI agent identities. (336) 886-3282.


TL;DR: Non-human identities (NHIs) - service accounts, API keys, OAuth tokens, SSH keys, machine certificates, AI agent identities - now outnumber human users by 25:1 in the Guardz 2026 SMB monitoring dataset, 45:1 across the modern enterprise per Rubrik Zero Labs research, and as high as 100:1 to 500:1 in cloud-native environments per ManageEngine's 2026 Identity Security Outlook. Two-thirds of enterprises have already suffered a breach through a compromised NHI, and the security industry's consensus for 2026 is that machine identities are now the primary breach vector in cloud environments. For NC small businesses, the structural problem is that NHIs typically have persistent credentials, broad permissions, unclear ownership, and no rotation - and the addition of AI agents (which acquire new permissions at runtime) accelerates the sprawl.

Key takeaway: A typical 75-employee NC manufacturer has roughly 1,875 non-human identities across Microsoft 365, ERP, EDI gateways, backup systems, payment processors, and SaaS integrations. Most have never been inventoried. A 30-day NHI sprint typically reduces the attack surface by 60-80% without breaking integrations.

Need an NHI security baseline for your NC small business? Preferred Data Corporation has provided managed IT and cybersecurity services to North Carolina small businesses since 1987. Call (336) 886-3282 or request an identity governance review. Serving the Piedmont Triad, Charlotte, and Raleigh metros.

What is a non-human identity (NHI)?

A non-human identity is any digital identity that authenticates to a system but is not a human user. Per the Palo Alto Networks definition and Obsidian Security's NHI guide, NHIs include:

| NHI type | Common SMB examples |
|---|---|
| Service accounts | ERP-to-EDI sync, backup software credentials, SQL replication accounts |
| API keys | Stripe, Twilio, SendGrid, QuickBooks, vendor portals |
| OAuth tokens / grants | M365 third-party app permissions, Google Workspace add-ins, Zapier |
| SSH keys | Server-to-server automation, deployment pipelines |
| Machine certificates | mTLS between internal services, VPN device certs |
| RPA bots | UiPath, Power Automate, Zapier flows |
| AI agent identities | Custom GPTs, Microsoft Copilot agents, autonomous workflow agents |
| Cloud workload credentials | AWS IAM roles, Azure managed identities, GCP service accounts |

For an NC manufacturer or construction firm, the typical NHI footprint includes ERP-to-EDI service accounts, backup-software credentials, M365 OAuth grants for productivity add-ins, line-of-business SaaS API keys, and increasingly, AI agent tokens.

Why is the NHI ratio growing so quickly?

Per the CSO Online deep dive on NHI sprawl and the Hacker News expert analysis, four structural forces compound:

  1. SaaS proliferation: Each SaaS app the business adopts creates 1-5 new NHIs (service account, OAuth grants for add-ins, API keys for integrations)
  2. Cloud-native automation: Every Lambda, every Cloud Function, every Kubernetes pod authenticates - usually with a unique machine identity
  3. DevOps and CI/CD: Build pipelines, deployment automations, and infrastructure-as-code each carry credentials
  4. AI agents and autonomous workflows: Microsoft Copilot, custom GPTs, agentic AI workflows (Power Automate AI, n8n with AI nodes) authenticate as themselves, often acquiring new scopes at runtime

The compounding effect: a 25:1 NHI-to-human ratio in 2024 has grown to between 45:1 and 500:1 in 2026, depending on environment, per Entro Labs H1 2025 research cited by GitGuardian.

Why are NHIs the biggest security blind spot for SMBs?

Per the Token Security NHI guide and corroborated by Cybersecurity Dive's coverage of NHI proliferation, six structural gaps make NHIs uniquely dangerous:

  1. Persistent credentials: Most NHIs use long-lived secrets (API keys, service-account passwords) rather than short-lived tokens
  2. Excessive permissions: NHIs are often created with broad permissions for convenience; scope reduction is rarely revisited
  3. No clear owner: A service account created during a 2019 ERP migration may have no human still at the company who knows what it does
  4. Static credentials in code or config files: API keys hardcoded in source control or stored in unencrypted config
  5. No lifecycle management: NHIs persist long after the project, integration, or employee that created them is gone
  6. Limited visibility: Most SMB security tools focus on human user behavior; NHI activity is rarely monitored

Per industry breach data, two-thirds of enterprises have already suffered a breach via a compromised NHI. The recurring pattern: an attacker harvests a leaked API key from a public GitHub repo, replays it, and pivots into the customer's cloud environment.

What is the practical NHI inventory and governance plan for NC small businesses?

A focused 30-day NHI sprint for an NC SMB with 10-200 employees:

| Days | Action | Owner |
|---|---|---|
| 1-5 | Discovery: enumerate NHIs across M365, Google Workspace, Azure/AWS/GCP, line-of-business SaaS, ERP, backup, network gear | Managed security partner + IT |
| 5-10 | Classification: tag each NHI by purpose, scope (read/write), data sensitivity, and owner | IT + ops |
| 10-15 | Ownership assignment: every NHI gets a documented human owner (succession plan if owner leaves) | IT + ops |
| 15-20 | Scope reduction: revoke unused permissions, remove dormant NHIs, decommission orphaned service accounts | IT + managed partner |
| 20-25 | Rotation: rotate credentials older than 12 months; move to short-lived tokens where possible | IT + managed partner |
| 25-30 | Monitoring: enable NHI activity logs in M365, Google, cloud; route to managed security partner SIEM | Managed security partner |

For an NC SMB with 50-100 NHIs (typical for a 75-employee business), the sprint typically reduces the attack surface by 60-80%. The remaining NHIs are documented, scoped, rotated, and monitored.
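As an added example (not part of the original post), the following Python triage routine applies the sprint's classification, ownership, scope-reduction and rotation rules to a constructed inventory. The identity names, scopes and the 90-day dormancy window are assumptions made for the example; the 12-month rotation limit comes from the sprint table and the 90-day high-risk cadence from the FAQ.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set
# Thresholds: 12-month rotation (sprint table), 90 days for high-risk (FAQ); 90-day dormancy is an assumption.
ROTATE_AFTER_DAYS = 365
HIGH_RISK_ROTATE_AFTER_DAYS = 90
DORMANT_AFTER_DAYS = 90

@dataclass
class NHI:
    name: str
    owner: Optional[str]        # documented human owner; None = orphaned
    scopes: Set[str]            # permissions granted
    scopes_used: Set[str]       # permissions actually seen in activity logs
    credential_issued: date     # when the current secret or grant was created
    last_used: Optional[date]   # None = never seen authenticating
    high_risk: bool = False     # payroll, payments, admin-level identities

def triage(nhi: NHI, today: date) -> List[str]:
    """Return the sprint actions this identity needs; an empty list means compliant."""
    actions: List[str] = []
    if nhi.owner is None:
        actions.append("assign owner")
    if nhi.last_used is None or (today - nhi.last_used).days > DORMANT_AFTER_DAYS:
        actions.append("decommission (dormant)")  # no point scoping or rotating it
        return actions
    unused = nhi.scopes - nhi.scopes_used
    if unused:
        actions.append("revoke unused scopes: " + ", ".join(sorted(unused)))
    limit = HIGH_RISK_ROTATE_AFTER_DAYS if nhi.high_risk else ROTATE_AFTER_DAYS
    if (today - nhi.credential_issued).days > limit:
        actions.append("rotate credential")
    return actions

def run_sprint(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    # Days 5-25 of the sprint: classify, assign owners, reduce scope, rotate.
    return {nhi.name: triage(nhi, today) for nhi in inventory}

# Constructed inventory for a small M365/ERP/SaaS environment (not real data).
TODAY = date(2026, 3, 1)
INVENTORY = [
    NHI("svc_erp_edi", "ops-lead", {"edi:read", "edi:write"},
        {"edi:read", "edi:write"}, date(2019, 6, 1), date(2026, 2, 28)),
    NHI("stripe_live_key", "finance", {"charges:write", "customers:read", "payouts:write"},
        {"charges:write"}, date(2025, 1, 10), date(2026, 2, 27), high_risk=True),
    NHI("zapier_oauth_grant", None, {"Mail.ReadWrite", "Files.ReadWrite.All"},
        set(), date(2023, 4, 2), date(2024, 11, 30)),
    NHI("mi_backup_to_storage", "it-admin", {"storage:write"},
        {"storage:write"}, date(2026, 2, 20), date(2026, 3, 1)),
]
```

Dormant identities are sent straight to decommissioning rather than rotated, which matches the sprint's ordering of scope reduction before rotation.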


What does AI agent identity governance look like?

Per GitGuardian's NHI strategy guide and the Hacker News NHI crisis analysis, AI agents introduce a qualitatively new NHI risk:

  • AI agents are autonomous - they take sequences of actions
  • AI agents can call external APIs and acquire new credentials at runtime
  • AI agents can spawn sub-agents with delegated identities
  • AI agents can write and execute code - including code that interacts with other identities

For NC small businesses deploying AI agents (Microsoft Copilot Studio, custom GPTs, n8n AI workflows, Power Automate AI), the governance controls that matter most:

1. Principle of least privilege at agent definition

Agents should be defined with the minimum permissions required for their stated purpose. If an agent only needs to read inventory data, it should not have write access to inventory or any access to financial data.

2. Time-bounded credentials

AI agent identities should use short-lived tokens (minutes to hours) rather than long-lived API keys, refreshed via managed identity or workload identity federation where possible.

3. Agent action audit trail

Every agent action - external API call, file access, email sent, database query - should be logged with the agent identity and the prompt/task context that triggered it.

4. Human approval gates for high-risk actions

Agents should not be allowed to send wire transfers, execute payroll, modify production code, or access HR data without an explicit human approval gate.
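Added example, not from the original post or any vendor SDK: a Python policy gate that a self-hosted agent runtime would call before each action, enforcing the four controls above (scopes fixed at agent definition, a one-hour token lifetime, an audit event carrying the task context for every decision, and a pending-approval state for the post's high-risk actions). Agent names, scopes and task strings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List
# Actions the post names as requiring an explicit human approval gate.
HIGH_RISK_ACTIONS = frozenset({"wire_transfer", "run_payroll", "modify_prod_code", "read_hr_data"})

@dataclass(frozen=True)
class AgentToken:
    agent_id: str
    scopes: FrozenSet[str]     # fixed at agent definition; nothing acquired at runtime
    expires_at: datetime

@dataclass
class AuditEvent:
    ts: datetime
    agent_id: str
    action: str
    task_context: str          # the prompt/task that triggered the action
    decision: str

AUDIT_LOG: List[AuditEvent] = []

def mint_token(agent_id: str, scopes: FrozenSet[str], now: datetime,
               ttl: timedelta = timedelta(hours=1)) -> AgentToken:
    # Short-lived token: the runtime re-mints instead of holding a long-lived key.
    return AgentToken(agent_id, scopes, now + ttl)

def authorize(token: AgentToken, action: str, required_scope: str, task_context: str,
              now: datetime, human_approved: bool = False) -> str:
    """Gate one action: 'allow', 'pending_approval' or 'deny:<reason>'; every decision is audited."""
    if now >= token.expires_at:
        decision = "deny:token expired"
    elif required_scope not in token.scopes:
        decision = "deny:scope not granted"   # least privilege enforced at the gate
    elif action in HIGH_RISK_ACTIONS and not human_approved:
        decision = "pending_approval"         # park the action until a human signs off
    else:
        decision = "allow"
    AUDIT_LOG.append(AuditEvent(now, token.agent_id, action, task_context, decision))
    return decision

def run_demo() -> List[str]:
    # Constructed scenario: a read-only inventory agent and a finance agent.
    t0 = datetime(2026, 3, 1, 9, 0)
    inv = mint_token("inventory-agent", frozenset({"inventory:read"}), t0)
    fin = mint_token("finance-agent", frozenset({"payments:write"}), t0)
    return [
        authorize(inv, "read_inventory", "inventory:read", "task: weekly stock report", t0),
        authorize(inv, "update_inventory", "inventory:write", "task: weekly stock report", t0),
        authorize(fin, "wire_transfer", "payments:write", "task: pay vendor invoice 1042", t0),
        authorize(fin, "wire_transfer", "payments:write", "task: pay vendor invoice 1042", t0, human_approved=True),
        authorize(inv, "read_inventory", "inventory:read", "task: stale job", t0 + timedelta(hours=2)),
    ]
```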

The Microsoft Purview shadow AI detection capability is one tool in the stack, but the governance discipline matters more than any single tool.

How does NHI security connect to compliance frameworks?

NHI governance is increasingly explicit in compliance frameworks NC small businesses face:

  • CMMC 2.0: Practice IA.L2-3.5.5 (identify and authenticate non-organizational users and devices) and AC.L2-3.1.5 (least-privilege access) both apply directly to NHIs
  • NIST 800-171: The Identification and Authentication (IA) and Access Control (AC) families cover service accounts and machine identities
  • CIS Controls v8: Controls 5 (Account Management) and 6 (Access Control Management) require service-account inventory and least privilege
  • SOC 2 Type II: Common Criteria CC6 requires logical and physical access controls including for non-human identities
  • PCI DSS v4.0: Requirement 8 explicitly covers system and service account management

For NC manufacturers pursuing CMMC, Level 2 assessments now actively check NHI inventory and management; a gap here is a finding.

What is the difference between a managed identity, a service account, and an API key?

The three commonly confused types, with OAuth grants and machine certificates included for comparison:

| Type | Where it lives | Lifecycle | Common SMB use |
|---|---|---|---|
| Service account | On-premise AD, M365, line-of-business app | Long-lived; manual rotation | ERP-to-EDI sync, backup software, SQL replication |
| API key | SaaS provider (Stripe, Twilio, SendGrid) | Long-lived; manual rotation | Payment processing, SMS, email delivery |
| Managed identity / workload identity | Cloud provider (Azure, AWS, GCP) | Short-lived; auto-rotated by platform | Cloud function authenticating to storage, container to database |
| OAuth grant | SaaS provider grants permission to a third-party app | Long-lived until revoked; scoped | M365 add-in, Google Workspace integration, Zapier |
| Machine certificate | Internal CA or cloud provider | Defined validity period; auto-renewed if managed | mTLS between internal services, device authentication |

The preferred pattern in 2026 is to migrate from long-lived API keys and static service-account passwords to short-lived managed/workload identities wherever possible, and to rotate the remaining long-lived secrets on a documented cadence.

What is the relationship between NHI sprawl and the recent SMB breach patterns?

Per the Black Kite 2026 Third-Party Breach Report, the Vercel OAuth supply chain breach, and the Guardz 2026 MSP Threat Report, the dominant pattern of recent breaches is:

  1. Attacker harvests a credential or token from an NHI (info-stealer log, public repo, vendor breach)
  2. Replays the token against the legitimate API or SaaS
  3. Pivots into the customer's environment through trusted integration paths
  4. Exfiltrates data or moves laterally before any human user notices

This pattern is invisible to defenders who only monitor human user behavior. The defense is NHI-aware logging and alerting - which is exactly what most SMBs do not have today.

How does Preferred Data Corporation help NC small businesses?

We run NHI inventory and governance baselines specifically for NC SMB environments. We enumerate service accounts in Microsoft 365 and Active Directory, OAuth grants in M365 and Google Workspace, API keys across line-of-business SaaS, and AI agent identities in Copilot and custom workflows. We assign owners, reduce scope, rotate credentials, and route activity logs to our managed security operations. We integrate AI agent governance into AI transformation engagements so new agents are deployed with least-privilege identity from day one. And we coordinate with M&A advisory work so acquirers inherit a documented NHI inventory rather than a surprise. Most NC SMBs do not know how many NHIs they have; the first step is finding out.

Frequently Asked Questions

What is a non-human identity in plain English?

A non-human identity is anything other than a person that logs into a computer system. Service accounts (the username your ERP uses to talk to your EDI gateway), API keys (the token your accounting software uses to pull bank data), OAuth grants (the permissions you gave that Excel add-in to read SharePoint), and AI agent identities all qualify. Most businesses have far more non-human identities than employees.

How many non-human identities does my business have?

Multiply your employee count by roughly 25 to estimate. A 50-employee NC SMB typically has 1,000-2,500 non-human identities across M365, line-of-business SaaS, cloud workloads, and integrations. A 200-employee manufacturer may have 5,000-15,000. Most are invisible until inventory work is done.

Why is non-human identity now a top breach vector?

Because the attacker side has discovered what defenders missed: NHIs typically have persistent credentials, broad permissions, no clear owner, and no monitoring. Stealing one valid API key gives an attacker durable access to a customer's environment, and the activity blends with legitimate integration traffic. Two-thirds of enterprises have already had a breach via a compromised NHI.

What is an AI agent identity?

An AI agent identity is the credential an autonomous AI workflow uses to authenticate to systems and APIs. Examples include the identity Microsoft Copilot uses to read SharePoint, the identity a custom GPT uses to call your CRM API, or the identity an n8n AI workflow uses to send emails. Agent identities are dangerous because they can acquire new permissions at runtime and act without direct human supervision.

How often should service-account credentials be rotated?

For long-lived service accounts and API keys, every 90-180 days is the conservative standard, with annual rotation as a maximum. For high-risk identities (database admins, M365 global admins, payroll system service accounts), 90 days or shorter. The better pattern is to migrate to short-lived managed/workload identities that rotate automatically every 1-24 hours.

Does NHI governance break existing integrations?

Done carelessly, yes. Done with inventory, owner assignment, and a documented rotation plan, no. The correct sequence is: discover NHIs, document what each does, assign ownership, reduce scope without rotating, then rotate on a schedule with owner notification. A 30-day sprint typically completes inventory, scope reduction, and a first rotation cycle without integration breakage.

Is non-human identity covered by cyber insurance requirements?

Increasingly yes. Cyber insurance carriers in 2026 are explicitly asking about service-account inventory, OAuth governance, API key rotation, and AI agent oversight on renewal questionnaires. Gaps in NHI governance can result in coverage reductions, premium increases, or denied claims for incidents that involve compromised machine identities.


About the author: Preferred Data Corporation has provided managed IT, AI transformation, and cybersecurity services to North Carolina small businesses since 1987. Based at 1208 Eastchester Drive, Suite 131, High Point, NC 27265, we serve manufacturers, construction firms, and professional services organizations across the Piedmont Triad, Charlotte, and Raleigh metros. Call (336) 886-3282 or request an identity governance review.
