Service accounts, API keys, RPA bots, and AI agents now outnumber human users in the average enterprise by 109 to 1. Most IGA programs barely see them. Here is what that gap looks like, why it matters for your 2026 security posture, and how midPoint treats non-human identities (NHIs) as first-class identities you can actually govern.
The numbers most IGA programs would rather not look at
Palo Alto Networks publishes the 2026 Identity Security Landscape Report, which puts the average ratio of machine identities to human identities at 109 to 1. Rubrik Zero Labs measures the ratio at 45 to 1 in traditional enterprises, rising to 82 to 1 in their most recent Identity Crisis study. Some hyper-automated, cloud-native organizations report ratios closer to 500 to 1.
In absolute terms, the average enterprise now manages over 250,000 non-human identities across its cloud and on-premise estate. That includes:
- Service accounts on Active Directory, Linux, databases, and middleware
- API keys, OAuth tokens, and personal access tokens
- Workload identities (containers, serverless functions, virtual machines)
- CI/CD pipeline credentials
- RPA bots
- Machine-to-machine (M2M) certificates
- AI agents and copilots, the fastest-growing category, projected to grow 85% over the next 12 months
The governance posture, when measured, is uncomfortable:
- 97% of NHIs carry privileges beyond what their function requires
- 71% have not been rotated within the recommended timeframe
- 68% of identity-related security incidents now involve a machine identity
- Only 15% of organizations report high confidence in their ability to prevent NHI-based attacks
This is the gap, and it is not a future problem.
What recent breaches tell us
The 2024 and 2025 breach record reads like an NHI governance manual written backwards.
- BeyondTrust (December 2024). A compromised API key was paired with a command-injection bug to gain unauthenticated remote code execution on customer instances of its Remote Support SaaS.
- Snowflake customers (May 2024). Stolen credentials for non-MFA-protected service accounts gave attackers data from Ticketmaster, Santander, and dozens more.
- Dropbox Sign (May 2024). A compromised backend service account opened the customer database, exposing emails, API keys, and OAuth tokens.
- Schneider Electric (November 2024). Exposed Jira credentials let attackers exfiltrate 40 GB of internal project data.
- AWS “Codefinger” campaign (January 2025). Ransomware operators used compromised AWS keys plus customer-provided-key encryption to lock S3 buckets.
- DeepSeek (January 2025). Over one million log lines and sensitive secret keys exposed via an unsecured database.
The pattern is consistent. The attacker rarely needed a zero-day. They needed a credential that nobody owned, nobody reviewed, and nobody had rotated. NHIs.
Why traditional IGA misses non-human identities
Most IGA programs were built around employees: hire date, manager, department, role, leaver event. The data model and the workflows assume a human owner and a human lifecycle. That assumption breaks for NHIs in four ways:
1. No HR feed. A service account does not appear in Workday. There is no source of truth and no “joiner” event.
2. No clear owner. A bot created three years ago by a contractor who has since left has no human attached to it. Ownership rots.
3. No leaver. When the application that created the account is decommissioned, the NHI is rarely cleaned up. Orphan accounts accumulate.
4. No certification. Even where access reviews exist, certifiers either skip service accounts (“don’t touch, it’ll break production”) or rubber-stamp them.
The result is a population larger than your workforce, growing faster than your workforce, with weaker governance than your workforce. Gartner’s 2026 IAM track captured the same observation. Many organizations are still in a basic discovery phase for NHIs, inventorying what exists, assigning ownership, and understanding exposure before any meaningful policy work can begin.
How midPoint governs non-human identities
midPoint was designed around a generic identity object model rather than a fixed “user” type. That distinction matters more for NHIs than for any other category. In midPoint, a service account, an RPA bot, and an AI agent are governed using the same primitives as a human identity (roles, archetypes, policies, approvals, certifications, audit, outlier detection), but with object types, lifecycle rules, and ownership models tuned to non-human reality.
Here is what that looks like in practice.
First-class object model with archetypes
midPoint’s archetype mechanism lets you define distinct identity types such as service-account, rpa-bot, ci-cd-credential, and ai-agent. Each archetype carries its own:
- Required attributes (purpose, system, owner, expiry, risk tier)
- Lifecycle states and transitions
- Approval policies for creation and privilege change
- Certification cadence
- Default role assignments via inducement
This is what makes governance possible. An ai-agent archetype can require an explicit human owner, a 90-day certification cycle, and an attestation that the agent’s tool list has been reviewed, automatically on every change.
Joiner-Mover-Leaver, adapted for machines
midPoint extends its JML processes to NHIs with a critical addition: human-dependency triggers. When the responsible person for a service account leaves the organization, midPoint can:
- Re-route ownership to the leaver’s manager
- Suspend the account if no owner is reassigned within an SLA
- Trigger an immediate access review
- Decommission the account when the underlying application is retired
This closes the orphan-account loop that most NHI breaches exploit.
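To make the human-dependency trigger concrete, here is an added Python model of the four actions listed above. It is an illustration written for this article, not midPoint configuration or Evolveum code; the 14-day SLA, the people, and the account names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption for this illustration: how long an NHI may sit without an owner
# before it is suspended. Not a midPoint default.
OWNER_REASSIGNMENT_SLA = timedelta(days=14)


@dataclass
class Person:
    uid: str
    manager: Optional[str]
    active: bool = True


@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]
    status: str = "active"                 # active | suspended | decommissioned
    owner_lost_on: Optional[date] = None   # first day the account had no owner
    review_requested: bool = False
    application_retired: bool = False


def handle_owner_departure(acct, people, today):
    """Leaver event on the owner: re-route to the manager, else mark ownerless."""
    owner = people.get(acct.owner)
    if owner is None or owner.active:
        return acct                        # nothing to do: no owner change
    acct.review_requested = True           # immediate access review in every case
    manager = people.get(owner.manager)
    if manager is not None and manager.active:
        acct.owner = manager.uid
        acct.owner_lost_on = None
    else:
        acct.owner = None
        acct.owner_lost_on = acct.owner_lost_on or today
    return acct


def enforce_sla(acct, today):
    """Suspend an account that has been ownerless longer than the SLA."""
    if (acct.owner is None and acct.owner_lost_on is not None
            and today - acct.owner_lost_on > OWNER_REASSIGNMENT_SLA
            and acct.status == "active"):
        acct.status = "suspended"
    return acct


def handle_application_retirement(acct):
    """Decommission the NHI when the application it belonged to is retired."""
    if acct.application_retired:
        acct.status = "decommissioned"
    return acct


def reconcile(accounts, people, today):
    """One governance pass over the NHI population."""
    for acct in accounts:
        handle_owner_departure(acct, people, today)
        enforce_sla(acct, today)
        handle_application_retirement(acct)
    return accounts


def demo():
    """Constructed directory: alice and carol have left; dave (carol's manager) has too."""
    people = {
        "alice": Person("alice", "bob", active=False),
        "bob": Person("bob", None),
        "carol": Person("carol", "dave", active=False),
        "dave": Person("dave", None, active=False),
        "erin": Person("erin", "bob"),
    }
    accounts = [
        ServiceAccount("svc-billing", owner="alice"),
        ServiceAccount("svc-etl", owner="carol"),
        ServiceAccount("svc-legacy", owner="erin", application_retired=True),
        ServiceAccount("svc-web", owner="erin"),
    ]
    snapshot = lambda: {a.name: (a.owner, a.status, a.review_requested) for a in accounts}
    day0 = date(2026, 1, 5)
    reconcile(accounts, people, day0)
    first = snapshot()
    reconcile(accounts, people, day0 + timedelta(days=15))   # SLA has now lapsed
    return first, snapshot()


if __name__ == "__main__":
    for day, state in zip(("day 0", "day 15"), demo()):
        print(day, state)
```

The run shows the three outcomes side by side: svc-billing is re-routed to the manager and queued for review, svc-etl has no reachable manager and is suspended once the SLA lapses, and svc-legacy is decommissioned with its application regardless of who owns it.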
Role-based and policy-based access for machines
Service accounts get the same RBAC discipline as users. Roles can be:
- Birthright for a given archetype. An ai-agent may always get logging and observability access.
- Conditional on attributes. Only agents deployed in production get database read access.
- Approval-gated for anything sensitive. Write access to a financial system requires the data owner’s sign-off.
Segregation-of-duties checks apply equally. A bot cannot simultaneously hold “create payment” and “approve payment” entitlements without raising a policy violation.
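The following is an added Python illustration of the three role types and the SoD check described above; it is not midPoint policy syntax or Evolveum code. The role names, archetype names, approver, and the two sample identities are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy tables (assumptions for this illustration).
BIRTHRIGHT = {                       # roles every identity of an archetype gets
    "ai-agent": {"logging-read", "observability-read"},
    "service-account": {"logging-read"},
}
CONDITIONAL = [                      # (archetype, attribute, value, role)
    ("ai-agent", "environment", "production", "db-read"),
]
APPROVAL_GATED = {                   # role -> approver whose sign-off is required
    "finance-write": "data-owner-finance",
}
SOD_PAIRS = {                        # entitlement pairs that must never co-exist
    frozenset({"payment-create", "payment-approve"}),
}


@dataclass
class Identity:
    name: str
    archetype: str
    attributes: dict
    requested_roles: set = field(default_factory=set)
    approvals: set = field(default_factory=set)   # gated roles already approved


def evaluate(identity):
    """Compute effective roles, roles still awaiting approval, and SoD violations."""
    effective = set(BIRTHRIGHT.get(identity.archetype, set()))
    for archetype, attr, value, role in CONDITIONAL:
        if identity.archetype == archetype and identity.attributes.get(attr) == value:
            effective.add(role)
    pending = {}
    for role in identity.requested_roles:
        if role in APPROVAL_GATED and role not in identity.approvals:
            pending[role] = APPROVAL_GATED[role]   # held back until signed off
        else:
            effective.add(role)
    violations = sorted(tuple(sorted(pair)) for pair in SOD_PAIRS if pair <= effective)
    return {"effective": effective, "pending_approval": pending, "sod_violations": violations}


def sample_identities():
    """Constructed examples: a production agent and a payments bot."""
    return [
        Identity("agent-prod-1", "ai-agent", {"environment": "production"},
                 requested_roles={"finance-write"}),
        Identity("bot-ap-1", "rpa-bot", {"environment": "production"},
                 requested_roles={"payment-create", "payment-approve"}),
    ]


if __name__ == "__main__":
    for ident in sample_identities():
        print(ident.name, evaluate(ident))
```

The production agent ends up with its birthright and conditional roles but the financial write stays pending until the data owner approves it; the payments bot is granted both requested roles and immediately raises a policy violation, which is the signal a certifier or approval workflow acts on.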
Certifications that cover the whole identity population
midPoint’s access certification campaigns can target NHIs as their own scope. The certifier sees the account, the owner, the assigned roles, the last-used timestamp (when fed from the target system), and the risk tier. Decisions such as keep, revoke, or reassign owner flow back as automated provisioning actions, not Jira tickets.
This is where the “97% over-privileged” statistic finally gets addressable.
Outlier detection for the population you cannot eyeball
When you are governing 250,000 identities, the human eye cannot find the bad one. midPoint’s outlier detection flags accounts whose role assignments deviate from peers in the same archetype, owner group, or organizational unit. That surfaces the rogue bot which has accumulated production write access nobody approved.
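Here is an added Python sketch of the peer-comparison idea: within each archetype, a role held by only a small fraction of peers is flagged. This is an illustration for the article, not midPoint's outlier algorithm; the population, the 20% rarity threshold, and the minimum peer-group size are constructed assumptions.

```python
from collections import Counter

# Assumptions for this illustration: a role held by fewer than 20% of an
# identity's peers is "rare", and groups smaller than 3 are too small to judge.
RARITY_THRESHOLD = 0.2
MIN_PEERS = 3


def find_outliers(population, group_key="archetype", rarity=RARITY_THRESHOLD,
                  min_peers=MIN_PEERS):
    """Return {identity name: [rare roles]} for identities deviating from peers."""
    groups = {}
    for acct in population:
        groups.setdefault(acct[group_key], []).append(acct)

    flagged = {}
    for members in groups.values():
        if len(members) < min_peers:
            continue                          # not enough peers to compare against
        counts = Counter(role for m in members for role in m["roles"])
        size = len(members)
        for m in members:
            rare = sorted(r for r in m["roles"] if counts[r] / size < rarity)
            if rare:
                flagged[m["name"]] = rare
    return flagged


def sample_population():
    """Constructed NHI inventory: six RPA bots, one with unapproved production write."""
    bots = [{"name": f"rpa-bot-0{i}", "archetype": "rpa-bot",
             "roles": {"logging-read", "queue-consume"}} for i in range(1, 7)]
    bots[3]["roles"] = bots[3]["roles"] | {"prod-db-write"}   # the rogue bot
    service_accounts = [
        {"name": "svc-a", "archetype": "service-account", "roles": {"logging-read", "db-read"}},
        {"name": "svc-b", "archetype": "service-account", "roles": {"logging-read", "db-read"}},
        {"name": "svc-c", "archetype": "service-account", "roles": {"logging-read"}},
    ]
    agents = [  # only two peers: skipped by the minimum group size
        {"name": "agent-1", "archetype": "ai-agent", "roles": {"logging-read"}},
        {"name": "agent-2", "archetype": "ai-agent", "roles": {"logging-read", "db-read"}},
    ]
    return bots + service_accounts + agents


if __name__ == "__main__":
    print(find_outliers(sample_population()))
```

Only rpa-bot-04 is flagged, for prod-db-write: db-read on two of three service accounts is common enough to pass, and the two AI agents are not compared because the peer group is too small to say what normal looks like. The same comparison can be run with `group_key="owner"` or an organizational-unit field to get the other peer views the text mentions.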
Integration with secrets vaults and PAM
midPoint is the governance layer, not the secret store. The pattern that works in production is:
- midPoint owns the lifecycle, ownership, role assignments, certifications, and audit.
- A vault (HashiCorp Vault, CyberArk Conjur, AWS Secrets Manager, Azure Key Vault) owns the credential material, rotation, and short-lived issuance.
- ConnId connectors wire midPoint to the vault, so that creating a service account in midPoint provisions both the identity record and the vault entry, and decommissioning cleans both sides.
This separation means rotation, ephemerality, and policy enforcement live where they belong, while governance, ownership, and audit live in midPoint.
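The two-sided lifecycle described above can be modelled in a few lines; the following added Python example is an illustration for this article, not a ConnId connector or any vendor's vault client. The vault stand-in, the secret path layout, and the account names are constructed assumptions.

```python
class FakeVault:
    """Constructed stand-in for a secrets vault; not any real vendor's API."""

    def __init__(self, fail_on=None):
        self.entries = {}          # secret path -> metadata
        self.fail_on = fail_on     # simulate an outage on "create" or "delete"

    def create(self, path):
        if self.fail_on == "create":
            raise RuntimeError("vault unavailable")
        self.entries[path] = {"version": 1}

    def delete(self, path):
        if self.fail_on == "delete":
            raise RuntimeError("vault unavailable")
        self.entries.pop(path, None)


class Governance:
    """Governance side: owns the identity record; the vault owns the secret."""

    def __init__(self, vault):
        self.vault = vault
        self.identities = {}

    def create_service_account(self, name, owner):
        path = f"secret/service-accounts/{name}"      # assumed path layout
        self.identities[name] = {"owner": owner, "vault_path": path, "status": "active"}
        try:
            self.vault.create(path)
        except RuntimeError:
            del self.identities[name]                  # never leave a half-created NHI
            raise
        return self.identities[name]

    def decommission(self, name):
        ident = self.identities[name]
        self.vault.delete(ident["vault_path"])         # credential removed first
        ident["status"] = "decommissioned"
        return ident

    def drift(self):
        """Find identities and secrets that exist on one side only."""
        active = {i["vault_path"] for i in self.identities.values() if i["status"] == "active"}
        in_vault = set(self.vault.entries)
        return {"vault_orphans": sorted(in_vault - active),
                "missing_secrets": sorted(active - in_vault)}


def demo():
    """Constructed run: normal create/decommission, then a create during a vault outage."""
    gov = Governance(FakeVault())
    gov.create_service_account("svc-report", owner="erin")
    created = "secret/service-accounts/svc-report" in gov.vault.entries
    gov.decommission("svc-report")
    clean = gov.drift()

    failing = Governance(FakeVault(fail_on="create"))
    try:
        failing.create_service_account("svc-broken", owner="erin")
        rolled_back = False
    except RuntimeError:
        rolled_back = failing.identities == {}
    return {"created": created, "drift_after_decommission": clean, "rolled_back": rolled_back}


if __name__ == "__main__":
    print(demo())
```

The `drift` check is the part worth keeping in a real deployment: run on a schedule, it catches exactly the orphaned secrets and secret-less identities that accumulate when the two sides are managed by hand.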
AI agents as a governed identity class
The fastest-growing NHI category is also the least governed. midPoint’s archetype model makes AI agents tractable:
- Each agent gets a human owner and a documented purpose
- The agent’s tool list and target systems are modeled as role assignments
- Privilege escalation requires the same approval flow as a human role request
- Periodic certifications attest that the agent still needs every entitlement it holds
- Decommissioning the agent’s owning application triggers automatic clean-up
Gartner predicts that by 2028, at least 15% of daily workplace decisions will be made by AI agents. Each of those decisions traces back to an NHI with access to data. Governing that population the same way you govern people is not optional. It is the only model that survives audit.
A reference blueprint: NHIs in midPoint
For a typical enterprise starting from a midPoint baseline, the working blueprint is:
1. Discovery and inventory. Use midPoint’s resource shadows to pull every service account from Active Directory, Linux, databases, cloud IAM, and SaaS admin consoles. Tag each with its source system.
2. Archetype design. Define service-account, rpa-bot, ci-cd-credential, workload-identity, and ai-agent. Set required attributes and risk tiers.
3. Ownership assignment. Bulk-assign owners from application catalogues, CMDB, or where nothing exists, to the department head responsible for the target system. Make ownership mandatory.
4. Role modeling. Define birthright roles per archetype. Move ad-hoc entitlements into named roles. Apply SoD policies.
5. Vault integration. Connect the credential store. Wire creation, rotation, and revocation events both ways.
6. Certifications and outlier detection. Schedule NHI-specific campaigns. Turn on outlier detection. Make remediation automated, not a ticket queue.
7. Decommissioning rules. Build the JML triggers for application retirement and owner departure. Rehearse them.
Most organizations can stand up steps 1 to 4 within a single quarter on top of an existing midPoint instance. Vault integration and certifications follow in the next cycle.
Common mistakes to avoid
- Treating NHIs as a discovery problem only. Inventory without governance is a spreadsheet that rots.
- Building a separate “NHI platform.” A parallel system means parallel ownership, parallel audit, and parallel cost. midPoint already has the primitives.
- Excluding service accounts from certification campaigns. This is the single most common audit finding.
- Letting application teams self-manage their bots’ privileges without policy. That is how the 97-percent-over-privileged number was earned.
- Treating AI agents as “just an integration” instead of an identity. They are identities. They have entitlements. They need owners.
The bottom line
Non-human identities are not a niche category any more. They are the majority of your identity population, they are the majority of identity-related incidents, and they are growing faster than your headcount ever will. The NHI access management market itself is forecast to grow from USD 9.45 billion in 2024 to USD 18.71 billion in 2030, at an 11.9% CAGR. That is the market following a problem that already exists, not creating one.
The good news is that midPoint does not require a new product, a new vendor, or a new program to govern this population. It requires the same IGA discipline you already apply to your workforce, extended to the identities that now outnumber them by 109 to 1.
Start your NHI governance journey
WeKnowIdentity helps organizations extend midPoint’s governance model to the full non-human identity population. That includes archetypes, lifecycle automation, certifications, vault integration, and AI-agent onboarding. If your midPoint deployment governs your workforce but not your service accounts, bots, and AI agents, that is the gap where your next incident will land.
Book a free NHI governance assessment
Related Resources
- NIS2 Directive: How midPoint Helps You Meet Identity Security Requirements
- GDPR Compliance with midPoint: Automated Access Certification and Audit Reporting
- Building Custom midPoint Connectors for REST APIs
- midPoint on Kubernetes: A Production Deployment Guide
Sources
- Palo Alto Networks, 2026 Identity Security Landscape Report. Machine-to-human ratio 109:1, AI agent growth 85% over 12 months.
- Rubrik Zero Labs, The Identity Crisis. 45:1 and 82:1 NHI ratios.
- The Hacker News, The Non-Human Identity Crisis (May 2026).
- CSO Online, Why non-human identities are your biggest security blind spot in 2026.
- Gartner, Market Guide for Identity Governance and Administration.
- Gartner Peer Insights, Workload Identity Management market.
- Evolveum, Non-Human Identities.
- Evolveum Docs, Role-based access control.
- NHI Mgmt Group, 52 Non-Human Identity Breaches case library.
- Aembit, Real-Life Examples of Workload Identity Breaches.
- MarketsAndMarkets, NHI Access Management Market 2025 to 2030.
Planning an IAM modernization or migration?
Our midPoint specialists help enterprises implement, migrate, and operate identity governance platforms. Whether you are replacing MIM, SAP IDM, or another legacy system — we can help you plan a structured, low-risk transition.
Ján Minárčiný
Founder & Lead midPoint Consultant | 4x Evolveum Certified
Ján is the founder of WeKnowIdentity, a boutique IAM consulting firm specializing in Evolveum midPoint. He holds four midPoint certifications (Professional, Advanced, Deployment Specialist, Group Synchronization), plus IDPro BoK and GitOps (CGOA) certifications. With 10+ enterprise midPoint deployments across Europe, he writes about IAM strategy, midPoint best practices, and identity governance.