Loading…
Loading…
Written by Max Zeshut
Founder at Agentmelt · Last updated Jul 8, 2026
Machine and service credentials that authenticate non-human actors—AI agents, service accounts, API keys, OAuth tokens, workload identities—to systems and other services. Non-human identities now vastly outnumber human ones in most enterprises (Gartner estimates 45:1 by 2026), and the ratio is accelerating with AI agent deployments where each agent may hold multiple tokens across CRM, email, calendar, storage, and internal APIs. NHI security is a fast-growing category because agent credentials are typically over-privileged, rarely rotated, hard to audit, and inherit blast radius from every tool they touch—making them a prime target for both direct compromise and [[prompt-injection]]-driven abuse.
A support AI agent is deployed with a single Slack bot token, a Salesforce integration user, a Zendesk API key, and an OpenAI/Anthropic key—four non-human identities. In a mature NHI program each is: scoped to only the actions the agent actually takes (least privilege), rotated on a fixed schedule, monitored for anomalous usage (a burst of `users.list` calls at 3am), and revocable in one action if the agent is compromised. In an immature program, one leaked key gives the attacker persistent, unmonitored access to four systems.