Topic pillar · 1 tracked piece

Topic · Non-human identity

How enterprise IT manages AI agents as first-class identities — lifecycle, credentials, procurement clauses, audit.

Agents are not service accounts. The identity layer breaks first; this pillar is where it gets named.

Non-human identity (NHI) is the pillar where the existing IAM stack breaks fastest. Agents are not service accounts: they take input that crosses tenancy boundaries, they execute against multiple downstream APIs in a single decision cycle, and they hold credentials that traditional rotation policies were never designed to manage. The first 18 months of enterprise agentic-AI rollouts are surfacing exactly this gap.

This is the thinnest pillar by spoke count today and the most editorially under-served in public. The market is moving, the regulators are watching, and most enterprise CISOs we've talked to have a position on what their NHI architecture should be by Q3 2026 — but very little of that position is written down with named tooling and named tradeoffs.

Coverage threads this pillar opens: credential rotation policies for agent identities — what Vault, Doppler, and 1Password Secrets configurations actually look like in production, what the rotation cadence is, what breaks. Service-account to AI-agent identity migration playbooks — when to split, when to keep, and the SAML / OIDC / SCIM patterns that work in each case.

NHI procurement clauses — what an MSA with a multi-agent vendor needs to declare about agent-level identity tracking, audit log retention, and revocation. NHI inventory and observability — the SIEM and SOC patterns that actually catch agent identity sprawl before it becomes an audit finding. Auth0, Clerk, WorkOS, Stytch, and JumpCloud product-comparator pieces with the methodology declared and the workload pinned.

Expect this pillar to grow fastest of the five over Q2–Q3 2026.

Pillar last refreshed 2026-05-01

What survives review

What has broken

Nothing has moved to Partial or been retired in this topic yet.

Spoke articles

  • Non-human identity for AI agents: the 2026 IAM playbook

    AI agents are not just another flavour of non-human identity. They are dynamic, ephemeral, delegating actors with reasoning capacity that legacy IAM cannot represent. The 92% of enterprises that report low IAM confidence for agentic AI are running an identity model with one structural axis where the deployment requires four. The remediation is a layered extension on top of existing IAM, not a rip-and-replace migration.

What we're watching next

  • Auth0, Okta, Ping, JumpCloud shipping first-class agent-identity primitives. Existing IAM platforms support service accounts and OAuth applications but treat agents as either. The first IAM platform to ship agent-as-a-first-class-identity (with reasoning-trace correlation, action-class scoping, ephemeral credential rotation calibrated to agent lifetimes) sets the integration pattern the rest follow.
  • EU AI Act enforcement language touching agent-identity provenance. Article 12 logging requires action attribution. If competent authorities interpret 'attribution' as requiring per-agent identity rather than per-application identity, the IAM extension this pillar argues for becomes a compliance prerequisite, not a security recommendation.
  • First named-company breach where the failure mode was agent-identity sprawl. The pillar argues agent-identity sprawl is the dominant 2026 IAM gap. A canonical case study — comparable to the Mercor / LiteLLM chain in security — would calibrate the remediation cost and force the issue into 2027 risk-register conversations.
  • NIST or CISA publishing agent-identity guidance distinct from existing NHI guidance. Standards-body recognition that agents need IAM treatment beyond the existing service-account framing would accelerate enterprise procurement of the four-axis identity model. Without it, most enterprises will ride the existing NHI playbook into the gap.

Primary sources we trust for this topic

A curated list of primary research, regulator guidance, and vendor documentation for non-human identity. Populated on the quarterly refresh — not a link dump, not competitors.


This pillar page is refreshed quarterly. Last refresh: 19 Apr 2026. Next refresh: 18 Jul 2026.
