The rise of non-human identities and the future of PAM

I just had a great conversation with Mr. NHI (Lalit Choda) about non-human identities (NHIs) and how they are reshaping the way security teams think about identity management. Lalit asked me a great question: are IAM, IGA and PAM solutions adapting fast enough to cover this massive growth in NHIs, or will we see an entirely new pillar of identity emerge?

That same theme echoed loudly at Black Hat this year. CISOs repeatedly told me that identity has become overwhelming.They’ve invested heavily in IAM, IGA and PAM platforms, yet they still see glaring gaps — especially around NHIs, multi-cloud and hybrid environments.Executives are asking two urgent questions: Should we renew the vendors we already use or add point solutions to fill the gaps? And just as important, where do we even begin?

Why non-human identity is the biggest unsolved problem

NHIs may be the single most unsolved challenge in cybersecurity. They already dwarf human identities in number, and with AI agents entering the stack, the complexity is compounding. The fundamental issue isn’t how many NHIs exist, but the explosion of access pathways they create to sensitive systems.

A CISO doesn’t lose sleep over raw counts of service accounts; they worry about whether a stray token, role or API key could provide a path into customer data or production applications. That is the metric that matters: access pathways to crown-jewel assets.

Dispelling myths and moving beyond fear

Lalit and I also touched on how the industry talks about NHIs. Too often, security marketing leans on fear,uncertainty, and doubt. Statistics like “NHIs outnumber humans 85:1” may grab headlines, but they obscure the real problem. What matters is not volume but risk: Can this identity access something sensitive?

The industry must pivot from fear-based metrics to risk-based frameworks that measure and reduce exposure paths.

Why three pillars still matter

My view is that the future of identity security will still revolve around the three established pillars:

●     IAM will authenticate both humans and NHIs (and very soon, agentic identities).

●     IGA will govern access and run access reviews for all identities across enterprise apps

●     PAM will enforce least-privileged access to privileged production resources.

Rather than inventing entirely new categories, these platforms must evolve to account for all identities, human and non-human alike. For P0, the mandate is clear: to secure privileged access across hybrid, multi-cloud, and cloud-native stacks in a way that reflects how identities really work today.

Closing thought

If there’s one takeaway from my discussion with Lalit, it’s that we can’t afford to lag behind. We’ve got to stay ahead of the demands in the NHI space, because if we wait for the threats to expose themselves, it will already be too late.

Watch the whole interview here.

‍