Non-Human Identities Now Dwarf Humans

Forty-five machine identities run for every single human employee. API keys, service accounts, and now autonomous agents have pushed non-human identities (NHI) to dozens of times the human headcount inside an organization. Because agents call other agents and invoke tools on their own, an identity is minted when a task begins, not when a person logs in. The core shift is that what you govern has moved from static accounts to dynamic identities that spin up and disappear moment to moment.

Legacy IAM Cannot Keep Up

78% of organizations have no policy for creating or deleting AI identities, and 92% say legacy IAM makes this risk hard to manage. Human-centric IAM was designed around long-lived credentials, manual provisioning, and quarterly access reviews. That cadence does not fit agent identities that appear and vanish within seconds. Un-revoked tokens and over-privileged service accounts simply linger as attack surface.

Ephemeral Tokens Bound to a Task

NIST launched its AI Agent Standards Initiative in February 2026, and its direction is context-aware ephemeral tokens. A token is issued bound to a specific task, scope, and lifetime, and it expires the instant the task completes. Privileges are scoped narrowly by the calling context (which user, which data, which tools). Remove standing credentials, and a leaked token loses its window for reuse.

An In-Depth Guide: From Planning to Operations

In planning, fix your target metrics as numbers. Set a baseline of a 15-minute maximum token lifetime, a p95 latency under 5 seconds from task completion to token revocation, zero orphaned tokens that fail to expire, and zero least-privilege violations. Measure the ratio of privileges actually used against privileges granted, so over-provisioning becomes a quantitative signal rather than a hunch.

Three failure patterns are common. First, a token outlives its task and revocation is missed. Second, a token renewal fails mid-run and a long task breaks. Third, privileges are issued beyond the calling scope. Make the recovery branches explicit. Near expiry, evaluate remaining work and retry renewal once; if the retry fails, escalate to a human check. When a call is detected outside its granted scope, revoke the token immediately without retry and safely truncate and halt the task.

For the operational checklist, start with standardized logs. Record token issue and revocation timestamps, the linked task ID, the granted scope, and the calling agent in a one-line format so incidents are traceable after the fact. Apply PII masking rules to logs and audit data, and run regular scans to confirm no standing credentials remain. Always keep an alert and a forced-revocation path ready for revocation failures.

Run the continuous-improvement loop weekly. Analyze the gap between granted and actually-used privileges to tighten scopes, and trace which task types produce orphaned tokens to reinforce revocation triggers. For tasks that renew often, extend the initial lifetime to cut needless interruptions, and promote anything drifting from the zero-violation target to the top of the next cycle's fixes.

Executive Summary

In short, NHI already outnumbers human identities 45 to 1, and legacy IAM cannot cope when 78% of organizations lack even a policy. Anchored to NIST's context-aware ephemeral tokens, bind tokens to tasks and revoke on completion, escalate renewal failures to a human check, and revoke immediately on scope violations. Drive the improvement loop against zero orphaned tokens and sub-5s p95 revocation, and you sustain an identity system that resists reuse even after a leak.

References

Identity is the Agentic AI Problem (Resilient Cyber)