BeyondTrust has introduced NHI Governance, a new capability within the BeyondTrust Pathfinder platform designed to manage and secure non-human identities across cloud, SaaS, endpoint, and on-premises environments. As service accounts, API keys, OAuth clients, workload identities, and AI agents continue to expand throughout organizations, NHI Governance applies BeyondTrust’s long-standing privileged access expertise to help enterprises control these growing identity risks. The solution brings governance to non-human identities that increasingly outnumber human users but often remain unmanaged and insufficiently protected.
The Problem: The Privileged Surface Changed. Controls Didn’t Keep Up.
Service accounts, API keys, OAuth clients, workload identities, and AI agents now hold most of the standing privilege in the enterprise, and they outnumber the people. BeyondTrust Phantom Labs™ research found that non-human identities already vastly outnumber human ones, with enterprise AI agents growing more than 460% year over year. Almost none are ever assigned an owner; their privileges are rarely reviewed, attested, or rightsized; and their credentials are seldom rotated or retired. They are granted access on the day they are created and often retain that access indefinitely.
The industry’s response has been to inventory them. But a longer list is not a control. The risk was never just that an identity exists; it is also, and especially, the privilege that identity holds and everything that privilege can reach.
The recent wave of SaaS-to-SaaS software supply chain attacks made that abundantly clear. Attackers increasingly compromise the OAuth tokens trusted between applications, allowing legitimate access to data at scale. No malware, no escalation, no human in the loop. Every action reads as authorized because it was. Discovery and visibility alone do not stop an attack. Stopping the exfiltration requires controls to be executed ahead of the incident: access already scoped down, the token already rotated, or the unused identity already retired before the attacker arrived.
“Seeing non-human identities was only half the equation,” said Marc Maiffret, Chief Technology Officer, BeyondTrust. “The other half is doing something about the privilege they carry at scale: deciding who owns each one, pulling back the privilege they aren’t using, and retiring the ones that should not exist. And doing so without requiring teams to address them one by one with the limited time they have. That’s not paperwork you bolt onto a tool built for employee onboarding. That’s managing non-human identities at machine scale.”
Helping Customers Move from an Inventory List to Real Control
NHI Governance is built to execute the non-human equivalent of joiner, mover, leaver actions that actually reduce risk, in the right order:
- Establish ownership. Every non-human identity is assigned to a person or a team who is accountable for it, so nothing runs unowned.
- Enforce least privilege. Lock down the identities that hold real privilege, and constrain what each one can reach, closing the paths to privilege it was never meant to have.
- Decommission NHIs. Retire the stale, orphaned, and abandoned identities that make up most of the ungoverned population, so the attack surface shrinks instead of growing unchecked.
- Secure AI Agents. Bring them under the same controls, with their own credentials and their own access.
Built on Two Decades of Privilege Enforcement
For more than two decades, BeyondTrust has helped organizations reduce identity-based risk by governing privileged access across their most critical systems. Non-human identities are no exception. Identity Security Insights® already provides industry-leading visibility and intelligence across non-human identities and the privileges they hold, while BeyondTrust Password Safe® secures, manages, and rotates the credentials behind them. NHI Governance builds on that foundation by turning visibility and credential management into lifecycle governance that establishes ownership, enforces least privilege, and reduces identity-based risk.
Part of the BeyondTrust Pathfinder platform, NHI Governance builds on the recent introduction of AI Agent Security, further unifying discovery, governance, and enforcement within a single platform to secure privilege consistently across every identity capable of privileged action.
Availability
NHI Governance is planned for US general availability in Fall 2026, with other global regions to follow.
Related News:
BeyondTrust Unveils PathfinderAI and MCP Server
BeyondTrust Report Shows Rise in Critical Microsoft Vulnerabilities