The number of Non-Human Identities (NHIs) in many organizations has exploded. Key trends, drivers, and market landscape in this fast-developing area are explored.
The growth in systems communicating over the internet without human involvement has been dramatic in recent years. The Internet of Things (IoT) is driving more machine-to-machine (M2M) communications without human intervention. There is also an explosion in application development underpinning the need for digital transformation, which is turbocharged by remote working and the ever-increasing adoption of e-commerce. This means that pieces of software code are interacting autonomously across networks as never before.
There is a need to manage system identities in the sense of what they are and what they can and cannot do when they are online. For example, can they both send and receive data? Where can they send it? In what volumes and formats? Can they access data that resides elsewhere, make copies, and forward it on, even to recipients outside the organization? Just as importantly, has their identity changed since the last time they were online, e.g., with extra access rights or new software on board that was not there before? Non-human identities (NHI) are already estimated to outnumber human identities by a ratio of 50 to one (50:1). With more and more business processes being automated by artificial intelligence (AI)/generative AI (GenAI) and accessed by AI-enabled services, NHI growth is likely to accelerate even further, bringing yet more expansion in the threat landscape.
Related:Identity Orchestration Is Gaining Traction
NHIs can be defined as digital identities tied to entities like applications, services, and machines within an enterprise technology stack. These include bots, API keys, service accounts, OAuth tokens, cloud services, and other credentials that allow machines or software to authenticate, access resources, and communicate within a system.
The need for effective NHI management (NHIM) arises from several key factors:
Related:How CISOs Can Communicate With Their Boards Effectively
The NHI market is still developing, as demonstrated by the fact that most players are startups. This includes companies like:
Some of these vendors are focused more specifically on NHI security while others provide broader NHIM capabilities, often described as NHI governance. We plan to deliver a report comparing and contrasting the leading players in this space in 2025.
Omdia believes that since most of the players in the NHI market are startups, they are ripe for acquisition by the larger identity security platform vendors. Indeed, one or two startups have already been acquired, such as Authomize, which privileged access management (PAM) vendor Delinea purchased in January this year. Whilst in May 2024, CyberArk (the market leader in PAM) acquired Venafi for $1.5bn. Venafi was an exception amongst the NHI specialists, because it had been around much longer, thanks to its certificate lifecycle management (CLM) and key management background.
Related:Managing Threats When Most of the Security Team Is Out of the Office