The NHI procurement clause gap: every vendor-provided AI agent is a vendor-issued non-human identity inside your environment
CyberArk's 2025 State of Machine Identity Security report put the machine-to-human identity ratio at more than 80:1 in surveyed enterprises, with agent-heavy 2026 deployments pushing it higher still. The number that matters more than the ratio is the share of those NHIs that are vendor-issued rather than customer-issued. A 2026 enterprise contracting for a third-party AI agent platform is, in almost every case, accepting a vendor-issued principal into its environment with the authority to read, write, transact, and call further agents. The four procurement clauses that should govern that principal are missing from most standard agentic AI MSAs.
Reviewed 24 May 2026

CyberArk’s 2025 State of Machine Identity Security report put the machine-to-human identity ratio in surveyed enterprises at more than 80:1. The same report found 50% of respondents had experienced a breach linked to compromised machine identities in the prior 12 months. Both numbers were measured at the leading edge of the 2025-2026 wave of agentic AI deployments at scale. The ratio that matters in 2026 is rising further still, and so is the share of NHIs that are vendor-issued rather than customer-issued, because that is the share an enterprise is accepting into its environment without an identity primitive it controls.
A 2026 enterprise contracting for a third-party AI agent platform is, in almost every case, accepting a vendor-issued principal into its environment with the authority to read, write, transact, and call further agents. The standard 2026 agentic AI master service agreement governs the data the agent processes, the SLA for availability, the price for tokens or compute, and the exit terms. It generally does not govern the identity primitive the vendor uses to issue the agent’s credentials, the rotation cadence of those credentials, the customer’s right to inventory and audit them, or the vendor’s disclosure obligations if a credential class is compromised on the vendor side. This piece is about the procurement-side instrument for closing that gap.
What the ratio is doing in 2026
The earlier-cycle CyberArk ratio (roughly 45:1 in 2022) was anchored to a pre-agentic deployment baseline. The components of the ratio in that baseline were CI/CD service accounts, RPA bots, SaaS integration tokens, IoT credentials, and traditional Kubernetes workload identities. The agent component was a rounding error. By the 2025 report the ratio had risen to more than 80:1, driven by cloud-native and AI adoption.
In a 2026 enterprise deploying agentic AI at moderate scale (say three platforms: a coding assistant for engineering, a customer service agent for support, and a copilot for knowledge work), the agent contribution to the NHI count is a step change rather than an increment. Each platform issues credentials per agent, often per session, sometimes per tool invocation. A 1,000-employee enterprise running these three platforms has plausibly already moved past the 80:1 ratio CyberArk’s 2025 report measured, and agentic deployments are pushing the count higher still.
The number that matters operationally is not the ratio. It is the share of NHIs the customer issued versus the share the vendor issued. A customer-issued NHI sits in the customer’s identity provider, rotates on the customer’s policy, is revocable through the customer’s tooling, and is in scope for the customer’s existing identity-governance audit. A vendor-issued NHI sits in the vendor’s identity primitive, rotates on the vendor’s policy (or none), is revocable only through the contract, and is in scope for an audit conversation the customer is largely unprepared for in 2026.
The four clauses that should be in a 2026 agentic AI MSA
A procurement-template review across roughly 30 agentic AI MSAs surfaced in early 2026 found that none of the standard templates covered all four. The templates included Anthropic, OpenAI, Microsoft, Google, AWS Bedrock partners, SAP Joule, Salesforce Agentforce, and several open-source-derived platforms. Coverage of clause one (identity disclosure) was common at the documentation level. Coverage of clauses two through four was rare and concentrated in customer-redlined versions from Fortune 100 financial services, healthcare, and federal contractors. The procurement maturity of the buying enterprise was the primary determinant of whether the clauses appeared.
Clause one, identity primitive disclosure. The vendor names the identity primitive(s) the agent uses to authenticate to customer systems. The options in 2026 are API key, signed JWT, OAuth 2.0 client credential, mTLS certificate, or a runtime-attestation primitive (SPIFFE/SPIRE-style, AWS IAM Roles Anywhere, GCP Workload Identity Federation, Microsoft Entra Workload Identity). The vendor names which primitive is used for which authentication path, the issuance method (vendor-side automated, vendor-side manual, customer-bring-your-own), the storage location for the long-lived credential (vendor secrets manager, customer secrets manager, ephemeral memory), and the maximum credential lifetime. The customer’s identity governance team needs this on day one to scope the audit response.
Clause two, rotation cadence and audit right. The customer has the right to require a maximum rotation interval for each credential class. Reasonable defaults are 90 days for long-lived primitives (API key, OAuth client credential) and 1 hour or less for short-lived tokens (JWT, mTLS-bound runtime token). The customer has the right to audit the rotation logs on request, with a defined SLA for the vendor’s response (typically 10 business days). The audit right is the operational test of the rotation policy; without it, the policy is a contract paragraph that nobody verifies.
Clause three, vendor-side breach disclosure for the identity class. A compromise of the credential class on the vendor side (not just the specific customer instance) triggers a defined disclosure obligation. The window is typically 72 hours, matching GDPR’s general breach-notification baseline. The disclosure includes the credential class affected, the customer instances within the class, the vendor’s understanding of the action surface a compromised credential could have exercised, and the vendor’s mitigation status. The clause is the customer’s only mechanism for learning about a vendor-side identity breach in time to revoke the affected credentials before the threat actor uses them.
Clause four, customer-side revocation control. The customer can revoke the vendor-issued NHI unilaterally. The vendor is contractually obligated to honour the revocation within a defined window (typically 1 hour for production credentials, 15 minutes for credentials with transaction authority), regardless of contract status, billing dispute, or transitional service obligations. The clause is the customer’s instrument for ending the relationship in the case of breach, vendor insolvency, or regulatory action against the vendor. Without it, the customer is unable to exit the identity relationship even after exiting the commercial one.
What “good” looks like, the procurement-mature pattern
The Fortune 100 financial services and federal-contractor pattern that appears in customer-redlined MSAs follows a consistent shape. The customer’s identity governance team is involved in the procurement before the legal redline. The vendor’s identity primitive is one of three pre-approved options (vendor-issued OAuth client credential with 90-day rotation, customer-issued mTLS certificate via the customer’s PKI, or SPIFFE-style runtime attestation against a customer-controlled trust domain). The audit right is exercised on a defined cadence (quarterly for high-risk vendors, annually for moderate-risk). The breach-disclosure clause is mirrored against the customer’s own disclosure obligations under GDPR, NYDFS Part 500, HIPAA, or sector-specific regimes. The revocation clause includes a tested runbook with named contacts on both sides.
The pattern is operationally expensive. The procurement cycle for a Fortune-100-grade agentic AI MSA is materially longer than for a SaaS MSA in the same category, typically 60-120 days versus 30-60 days. The cost is recovered at the audit and incident-response layer rather than at the procurement layer, which is why the pattern is concentrated in enterprises whose audit and incident discipline already prices in the up-front procurement work.
The SOC 2 / ISO 27001 / SOX audit consequence
The clause gap is a paper-procurement problem until an auditor asks the operational version of the question. Three audit pathways are exposed.
SOC 2 Trust Services Criteria CC6.1 (logical access controls) requires the customer organisation to identify, classify, and govern access to its information assets. A vendor-issued NHI acting on customer assets is in scope. The auditor’s questions are: what is the inventory of vendor-issued NHIs operating in your environment, what is the rotation evidence for each, what is the documented revocation procedure, and what is the evidence the revocation has been tested. A 2026 enterprise without identity-disclosure language in the vendor MSA cannot answer the inventory question without the vendor’s cooperation, which is the wrong dependency to surface in an audit.
ISO 27001:2022 Annex A 5.16 (identity management) extends the requirement specifically to lifecycle management of all identities, including non-human and supplier-issued. Annex A 5.19 (information security in supplier relationships) couples the supplier-issued identity question to the broader supplier-risk evaluation. An ISO 27001:2022 audit in 2026 will surface the gap; the structural fix is procurement-side because the operational fix (a separate identity-inventory tool covering vendor-issued NHIs) is still maturing on the tooling side.
SOX section 404 implicates the integrity of financial reporting controls. An AI agent issuing or approving financial transactions on the customer’s behalf, with a credential the customer cannot inventory or revoke, is a material weakness candidate. The SOX auditor’s question is not whether the AI agent is well-behaved; it is whether the customer has the controls to detect and respond to a credential compromise that affects financial reporting in time to prevent material misstatement. The four-clause set is the procurement-side evidence that the operational answer is yes.
What this means for the IT leadership agenda in Q3 2026
Three actions are operationally tractable in the Q3 2026 procurement and audit cycles for an enterprise that is reading this for the first time.
The first is the inventory pass. Identify every agentic AI platform under contract or in active procurement. For each, document the identity primitive in use, the rotation cadence (or absence), the revocation mechanism, and the most recent vendor security disclosure. The artefact is a spreadsheet, not a tool purchase; the cost is procurement-team time, not budget. The output is the gap inventory that the next procurement cycle will redline against.
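To make the inventory pass checkable, here is an added example (not from the article or any vendor template) that scores each row of a constructed inventory CSV against the default thresholds of the four clauses; the column names, platform names and the grouping of runtime-attestation primitives with short-lived tokens are assumptions.

```python
"""Gap check of a vendor-issued agent NHI inventory against the four MSA clauses (thresholds are the article's defaults)."""
import csv, io

LONG_LIVED = {"api_key", "oauth_client_credential"}        # clause two: 90-day maximum
SHORT_LIVED = {"jwt", "mtls_runtime_token", "spiffe_svid"}  # clause two: 1-hour maximum (assumed: SVIDs are short-lived)
MAX_ROTATION_H = {"long": 90 * 24, "short": 1}
MAX_DISCLOSURE_H = 72                                       # clause three: vendor-side disclosure window
MAX_REVOKE_MIN = {"transaction": 15, "production": 60}      # clause four: revocation honoured within

def check_agent(row):
    """Return the list of clause gaps for one inventory row (a dict of CSV strings)."""
    gaps = []
    primitive = row["primitive"].strip().lower()
    limit = None
    if primitive in LONG_LIVED:
        limit = MAX_ROTATION_H["long"]
    elif primitive in SHORT_LIVED:
        limit = MAX_ROTATION_H["short"]
    else:
        gaps.append("clause1: identity primitive not disclosed or unrecognised")
    rot = row["rotation_hours"].strip()
    if limit is not None and not rot:
        gaps.append("clause2: no rotation cadence on record")
    elif limit is not None and float(rot) > limit:
        gaps.append(f"clause2: rotation {rot}h exceeds {limit}h")
    if row["audit_right"].strip().lower() != "yes":
        gaps.append("clause2: no audit right over rotation logs")
    disc = row["disclosure_hours"].strip()
    if not disc or float(disc) > MAX_DISCLOSURE_H:
        gaps.append(f"clause3: vendor-side disclosure window missing or over {MAX_DISCLOSURE_H}h")
    tier = "transaction" if row["transaction_authority"].strip().lower() == "yes" else "production"
    rev = row["revocation_minutes"].strip()
    if row["customer_revocable"].strip().lower() != "yes":
        gaps.append("clause4: customer cannot revoke unilaterally")
    elif not rev or float(rev) > MAX_REVOKE_MIN[tier]:
        gaps.append(f"clause4: revocation window exceeds {MAX_REVOKE_MIN[tier]}min")
    return gaps

def gap_report(csv_text):
    """Map platform name -> list of gaps for every row of the inventory CSV."""
    return {r["platform"]: check_agent(r) for r in csv.DictReader(io.StringIO(csv_text))}

# Constructed sample inventory; platform names and contract terms are hypothetical.
SAMPLE_INVENTORY = """platform,primitive,rotation_hours,audit_right,disclosure_hours,transaction_authority,customer_revocable,revocation_minutes
coding-assistant,api_key,4320,no,,no,no,
support-agent,oauth_client_credential,2160,yes,72,yes,yes,60
finance-copilot,spiffe_svid,1,yes,48,yes,yes,10
"""

print(gap_report(SAMPLE_INVENTORY))  # one gap list per platform; an empty list means all four clauses are met
```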
The second is the MSA template work. The four clauses above are the minimum viable text. Procurement counsel should sit with the identity governance team and produce a customer-redline addendum that can be attached to every agentic AI MSA going forward. The template is then evaluated against the renewal calendar; the highest-risk renewals (financial-transaction agents, customer-data-processing agents, agents with broad tool-use scope) lead the queue.
The third is the audit conversation. The SOC 2, ISO 27001, and SOX audits scheduled for Q4 2026 and Q1 2027 will surface the gap with or without the procurement work; the procurement work determines whether the audit response is a documented control or a documented deficiency. The IT leader who has the inventory and the MSA-template work in motion has a defensible audit story. The one who does not is preparing the post-audit remediation plan with the contract already in place.
The Storm-0558 piece (AM-155) covers the structural reading of credential failures that already happened. The pillar piece on IAM-axis mismatch (the 2026 NHI playbook) covers the customer-side identity architecture that closes the gap from the inside. This piece covers the procurement-side instrument for closing the gap from the contract layer outwards. The three together describe the customer’s identity stance toward an agentic-AI portfolio that is not yet, in most enterprises, governed end-to-end.
The procurement question to leave with the IT leadership team is short. For every AI agent your organisation has under contract or in evaluation, who issued the identity it is acting under, who can revoke it, and within what window. If the answer to any of the three is “the vendor”, the four-clause set is the cheapest available instrument for changing that answer before the next audit.