Research shows that 75% of non-human identities (NHIs) in an average enterprise have no named owner. At the same time, NHIs grow at a ratio of 50:1 vs. human identities — service accounts, AI agents, IoT devices, application-to-application credentials. The 2024 IBM Cost of a Data Breach Report identifies "stolen credentials" as the #1 attack vector, and NHI credentials (long-lived, static, nobody's responsibility) are the most exploitable.
This whitepaper describes how RapidValue IGA's 4-tier classification model + blast-radius computation + ownership claim-flow takes you from zero to full NHI ownership coverage in 90 days.
NHIs have historically been an afterthought in identity governance. They were created by application teams without central registration. They have standing credentials that never rotate. They often hold more rights than strictly necessary. Nobody knows who the owner is when the script breaks. After a breach, nobody can say "this NHI is authorised to perform this action."
| Pain point | Industry average |
|---|---|
| NHIs without an owner | 75% |
| Static credentials older than 1 year | 43% |
| NHIs with admin-level access | 18% |
| NHIs without any access review | 89% |
| Mean time to attribute an NHI incident | 3–5 days |
Inspired by Omada's NHI governance maturity model, RapidValue classifies every NHI into 4 tiers based on risk profile and operational pattern:
- Tier 1 governance: Reuse existing IGA flow + manual approval on creation.
- Tier 2 governance: Scoped permissions, annual review, 90-day credential rotation.
- Tier 3 governance: JIT-only access, policy-as-code, behavioural monitoring, max 24h credentials.
- Tier 4 governance: Agent identity federation, delegation tokens, full audit chain per call.
For every NHI, RapidValue computes a 4-level transitive reachability graph. This is graph traversal, not ML — deterministic and explainable to auditors.
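The bounded reachability traversal described above, as an added illustration (this is not RapidValue's code; the access graph, node names and the set of admin-level nodes are constructed for the example). It shows why a fixed 4-hop bound matters: a chain that ends in a Global Administrator role at hop 5 is outside the computed blast radius, so the depth limit is itself a risk decision that should be documented for auditors.

```python
from collections import deque

# Constructed sample access graph (not customer data). An edge A -> B means
# that A can reach B: group membership, a role grant, a stored credential,
# share permissions, and so on. Cycles are allowed (srv-file01's machine
# account is itself a member of the backup operators group).
ACCESS_GRAPH = {
    "svc-backup":              ["grp-backup-operators", "share-finance"],
    "grp-backup-operators":    ["srv-file01", "srv-file02"],
    "srv-file01":              ["share-hr", "share-finance", "grp-backup-operators"],
    "srv-file02":              ["db-payroll"],
    "db-payroll":              ["svc-payroll-admin"],   # connection string holds this account's secret
    "svc-payroll-admin":       ["entra-role-global-admin"],
    "share-hr":                [],
    "share-finance":           [],
    "entra-role-global-admin": [],
}

# Assumed set of admin-level nodes used only to summarise a result.
ADMIN_NODES = {"entra-role-global-admin"}
MAX_DEPTH = 4  # the 4-level bound from the text


def blast_radius(graph, start, max_depth=MAX_DEPTH):
    """Breadth-first traversal bounded to max_depth hops.

    Returns {node: depth} for every node reachable from start within the
    bound. Deterministic: the same graph always yields the same result, and
    each depth is the length of the shortest path, which is what an auditor
    can verify by hand. The visited set makes cycles harmless.
    """
    depths = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if depths[node] == max_depth:
            continue
        for nxt in graph.get(node, []):
            if nxt not in depths:
                depths[nxt] = depths[node] + 1
                queue.append(nxt)
    depths.pop(start)
    return depths


def explain_path(graph, start, target, max_depth=MAX_DEPTH):
    """Shortest hop chain start -> ... -> target within the bound, or None.

    This is the evidence attached to a finding: not "svc-backup is risky" but
    the concrete chain of grants that gets it to the target.
    """
    parents = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parents[node]
            return chain[::-1]
        if depth == max_depth:
            continue
        for nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = node
                queue.append((nxt, depth + 1))
    return None


def summarise(graph, start, admin_nodes=ADMIN_NODES, max_depth=MAX_DEPTH):
    """Per-NHI summary: how many nodes are reachable, at which hop, and
    whether any admin-level node is inside the blast radius."""
    reach = blast_radius(graph, start, max_depth)
    return {
        "nhi": start,
        "reachable": len(reach),
        "by_depth": {d: sorted(n for n, dd in reach.items() if dd == d)
                     for d in range(1, max_depth + 1)},
        "admin_reachable": sorted(n for n in reach if n in admin_nodes),
    }


if __name__ == "__main__":
    print(summarise(ACCESS_GRAPH, "svc-backup"))
    print(explain_path(ACCESS_GRAPH, "svc-backup", "svc-payroll-admin"))
    # Same NHI, one extra hop allowed: the admin role now appears.
    print(summarise(ACCESS_GRAPH, "svc-backup", max_depth=5)["admin_reachable"])
```

Running the block on the sample graph shows 7 nodes within 4 hops of `svc-backup` and no admin-level node; raising the bound to 5 hops brings `entra-role-global-admin` into scope. In practice the graph is fed from the discovery step (AD group membership, Entra role assignments, share ACLs) and the traversal is re-run on every change rather than once per campaign.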
When an NHI is discovered without an owner, the following automated flow triggers:
Time-bounded replacements (vacation / leave): owners can delegate to a substitute for a defined period.
| Week | Activity |
|---|---|
| 1–2 | Quick Scan on AD + Entra → discovery of all NHIs |
| 3–4 | Classification into 4-tier (default Tier 1, manual escalation for higher tiers) |
| 5–6 | Bulk-assign to management groups (per application team) |
| 7–8 | Per-team campaign: claim your NHIs or flag for decommission |
| 9–10 | Tier 2/3/4 review with security team — advanced governance setup |
| 11–12 | Credential rotation policy enforcement for Tier 2+ NHIs |
| 13 | Baseline ownership coverage > 95% |
After baseline: continuous discovery + automatic ownership revocation when an owner becomes a leaver.
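The two ownership rules stated on this page, time-bounded delegation to a substitute and automatic revocation when the owner becomes a leaver, as an added example of how a continuous reconciliation could evaluate them. This is illustrative code, not RapidValue's; the record layout, the sample NHIs and the leaver list are constructed, and one policy point is an assumption: a delegation is treated as derived from the owner, so when the owner leaves the substitute loses the role too and the NHI re-enters the claim flow.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Set

# Constructed sample data (not customer data).

@dataclass
class Delegation:
    substitute: str   # identity of the stand-in owner
    start: date       # first day the delegation is valid
    end: date         # last day the delegation is valid (inclusive)

@dataclass
class OwnershipRecord:
    nhi_id: str
    owner: Optional[str]                 # None = never claimed
    delegation: Optional[Delegation] = None


def effective_owner(rec: OwnershipRecord, today: date, leavers: Set[str]) -> Optional[str]:
    """Who is accountable for this NHI on `today`?

    - an owner who is a leaver is revoked outright; the delegation is assumed
      to lapse with them (assumption: delegated authority derives from the owner)
    - an active delegation (start <= today <= end) wins over the owner,
      unless the substitute has left as well, in which case we fall back
    - None means the NHI is unowned and must re-enter the claim flow
    """
    if rec.owner is None or rec.owner in leavers:
        return None
    d = rec.delegation
    if d and d.start <= today <= d.end and d.substitute not in leavers:
        return d.substitute
    return rec.owner


def needs_claim_flow(records: List[OwnershipRecord], today: date, leavers: Set[str]) -> List[str]:
    """IDs of NHIs whose effective owner is None today (continuous control)."""
    return [r.nhi_id for r in records if effective_owner(r, today, leavers) is None]


def ownership_coverage(records: List[OwnershipRecord], today: date, leavers: Set[str]) -> float:
    """Fraction of NHIs with an accountable owner today (the baseline metric)."""
    if not records:
        return 0.0
    owned = sum(1 for r in records if effective_owner(r, today, leavers) is not None)
    return owned / len(records)


# Constructed sample records.
RECORDS = [
    OwnershipRecord("nhi-01", "alice"),
    OwnershipRecord("nhi-02", "bob",
                    Delegation("carol", date(2026, 3, 1), date(2026, 3, 14))),
    OwnershipRecord("nhi-03", "dave"),           # dave is on the leaver list
    OwnershipRecord("nhi-04", None),             # discovered, never claimed
    OwnershipRecord("nhi-05", "erin",
                    Delegation("dave", date(2026, 3, 1), date(2026, 3, 14))),  # substitute left
]
LEAVERS = {"dave"}  # constructed: fed from the joiner/mover/leaver process in practice

if __name__ == "__main__":
    today = date(2026, 3, 10)
    for r in RECORDS:
        print(r.nhi_id, "->", effective_owner(r, today, LEAVERS))
    print("re-trigger claim flow for:", needs_claim_flow(RECORDS, today, LEAVERS))
    print("coverage:", ownership_coverage(RECORDS, today, LEAVERS))
```

On the sample data for 10 March 2026 the substitute `carol` is accountable for `nhi-02`, `nhi-05` falls back to `erin` because its substitute has left, and `nhi-03` and `nhi-04` are flagged for the claim flow; after the delegation window closes `nhi-02` reverts to `bob` without any manual step.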
Based on 3 customer pilots (Q1 2026, average 8,000 NHIs per tenant):
| Metric | Before RapidValue | After 90 days |
|---|---|---|
| NHI ownership coverage | 23% | 97% |
| Static credentials > 1 year | 51% | 8% |
| Mean time to attribute NHI incident | 3.5 days | < 1 hour |
| Tier 3/4 NHIs under JIT access | 0% | 88% |
| NHI-related audit findings | 47 per audit | 3 per audit |
| Framework | NHI governance addresses |
|---|---|
| DORA Art. 9 | Maintain mapping between ICT assets (including NHIs) and access rights; continuous monitoring |
| NIS2 Art. 21 | Identification and treatment of access anomalies; NHI credentials in scope for access policy |
| GDPR Art. 32 | Demonstrable measures for confidentiality — NHI credentials as a confidentiality risk |
| ISO 27001 A.9 | Periodic access reviews extended to non-human accounts; ownership required for compliance |
| EU AI Act | AI agent identities (Tier 3/4) require governance, oversight mechanisms, and audit trails |
NHI governance is no longer an optional feature. In 2026, NIS2 and DORA expect NHI credentials to receive the same governance as human accounts. RapidValue IGA's 4-tier model is built in from day 1, not sold as an add-on.
The combination of automatic discovery + blast-radius computation + ownership claim-flow takes you from "we have no idea how many there are" to "continuous attestation per NHI" in 90 days.