It is no secret that the volume of machine identities – aka non-human identities (NHIs) – is increasing exponentially and rapidly outpacing the number of human identities. According to the Cloud Security Alliance, the ratio of machine-to-human identities in 2024 was 20:1, with some estimates now placing that ratio as high as 92:1. Shorter digital certificate lifespans, ephemeral cloud workloads, and the rise of agentic AI further compound the snowballing complexity of managing and securing machine identities and their associated credentials, at a time when these machine identities are being more frequently targeted by attackers and more heavily depended upon to keep businesses running.
As NHIs grow at breakneck speed, new NHI vendors flood the market, and emerging requirements for contextual access, it becomes easy to lose sight that modern machine identity security strategy success is keyed by human elements. Obviously, architectural frameworks and technical tools are instrumental and indispensable to addressing the challenges that machine identities bring, but these technical elements need to be aligned with these 3 human elements:
- Strong executive sponsorship. Establishing an executive-level sponsor that can ensure proper visibility, funding, and support is essential. IAM and security leaders must develop a compelling business case for machine identity security that speaks in business and financial terms. This case should be one the executive sponsor can confidently endorse and effectively communicate. It must emphasize reduced security and compliance risks, improved business agility and resiliency, and highlight how machine identity security supports strategic priorities such as digital transformation, agentic AI adoption, and Zero Trust.
- Well-defined machine identity governance model. For most organizations, machine identity security involve managing a prolonged and complicated transformation full of competing priorities and trade-offs. It necessitates the formation of a machine identity governance committee, ideally unified with an existing IAM governance structure, that can lead through influence, set strategic objectives, define policy, drive ownership and accountability, and monitor progress.
- Continuous cross-functional collaboration. Because machine identity security is complicated by a diversity of environments, use cases, and identity types, it becomes even more important for the IAM team to collaborate across the organization, including IT/OT infrastructure, cloud, security, DevOps, developer, and Line-of-Business teams. Continuous collaboration helps maintain alignment as priorities shift and requirements evolve. These cross-functional relationships also aid with discovery and inventory activities, facilitate machine identity lifecycle processes and integrations, and provide an ongoing internal network of machine identity security champions.
As you evaluate your organization’s current machine identity security posture and formulate your strategy, consider how these three human aspects can align with your existing IAM program and determine where reinforcement is needed to promote, develop, and sustain effective machine identity security.
I’ll be discussing machine identity security at Forrester’s upcoming Security & Risk Summit in Austin, TX, November 5–7. My track session, “The Secret(s) Life of Machine Identities,” will explore machine identity lifecycle in more detail and provide recommendations for approaching the machine identity security journey. I hope to see you there!
In the meantime, if you’re a Forrester client and want to know more, please reach out and set up an inquiry or guidance session.