It is no secret that the volume of machine identities — aka nonhuman identities (NHIs) — is increasing exponentially and rapidly outpacing the number of human identities. According to the Cloud Security Alliance, the ratio of machine to human identities in 2024 was 20 to 1, with some estimates now placing that ratio as high as 92 to 1. Shorter digital certificate lifespans, ephemeral cloud workloads, and the rise of agentic AI further compound the snowballing complexity of managing and securing machine identities and their associated credentials, at a time when these machine identities are being more frequently targeted by attackers and more heavily depended upon to keep businesses running.

As NHIs grow at breakneck speed, new NHI vendors flood the market, and emerging requirements for contextual access expand, it becomes easy to forget that modern machine identity security strategy success depends on human elements. Obviously, architectural frameworks and technical tools are instrumental and indispensable to addressing the challenges that machine identities bring, but these technical elements need to be aligned with these three human elements:

  1. Strong executive sponsorship. Establishing an executive-level sponsor that can ensure proper visibility, funding, and support is essential. Identity and access management (IAM) and security leaders must develop a compelling business case for machine identity security that speaks in business and financial terms. This case should be one the executive sponsor can confidently endorse and effectively communicate. It must emphasize reduced security and compliance risks, improved business agility and resiliency, and how machine identity security supports strategic priorities such as digital transformation, agentic AI adoption, and Zero Trust.
  2. A well-defined machine identity governance model. For most organizations, machine identity security involves managing a prolonged and complicated transformation full of competing priorities and trade-offs. It necessitates the formation of a machine identity governance committee, ideally unified with an existing IAM governance structure, that can lead through influence, set strategic objectives, define policy, drive ownership and accountability, and monitor progress.
  3. Continuous cross-functional collaboration. Because machine identity security is complicated by a diversity of environments, use cases, and identity types, it becomes even more important for the IAM team to collaborate across the organization, including IT/OT infrastructure, cloud, security, DevOps, developer, and line-of-business teams. Continuous collaboration helps maintain alignment as priorities shift and requirements evolve. These cross-functional relationships also aid with discovery and inventory activities, facilitate machine identity lifecycle processes and integrations, and provide an ongoing internal network of machine identity security champions.

As you evaluate your organization’s current machine identity security posture and formulate your strategy, consider how these three human aspects can align with your existing IAM program and determine where reinforcement is needed to promote, develop, and sustain effective machine identity security.

Want to learn more? I’ll be discussing machine identity security at Forrester’s upcoming Security & Risk Summit in Austin, Texas, on November 5–7. My track session, “The Secret(s) Life Of Machine Identities,” will explore machine identity lifecycle in more detail and provide recommendations for approaching the machine identity security journey. I hope to see you there!

And as always, if you’re a Forrester client and want to know more, please reach out and set up an inquiry or guidance session.