BeyondTrust launches NHI governance for machine identities
Fri, 10th Jul 2026 (Today)
BeyondTrust has launched NHI Governance on its Pathfinder platform to govern non-human identities across cloud, software-as-a-service, endpoint and on-premises environments.
The launch expands the company's identity security portfolio into managing service accounts, API keys, OAuth clients, workload identities and AI agents, which many organisations now use at a scale that exceeds their human workforce.
It comes as security teams face growing concern over how machine identities are created, granted access and left in place. Many are never assigned an owner, their privileges are rarely reviewed, and they often retain access indefinitely once deployed.
That creates a growing area of exposure in enterprise systems, particularly as attackers target trusted links between applications instead of relying on malware or direct account compromise. OAuth tokens and other machine credentials have become a focal point in software supply chain attacks because they can provide legitimate access to data and systems without triggering conventional warning signs.
Changing risk
The issue is no longer limited to discovering where non-human identities exist. BeyondTrust argues that governance must also assign accountability, reduce unnecessary access and retire identities that are no longer needed.
The new module is intended to apply those controls across the non-human identity lifecycle. Organisations will be able to assign each identity to a person or team, enforce least-privilege rules, decommission stale or orphaned accounts and bring AI agents under the same framework.
The product sits within the Pathfinder platform and builds on other BeyondTrust tools that already address visibility and credential management. These include Identity Security Insights, which maps non-human identities and their access, and Password Safe, which secures and rotates the credentials behind them.
By adding governance to discovery and credential control, BeyondTrust is seeking to address a gap that has become more visible as automated systems spread across enterprise technology estates. Non-human identities can include integrations between software services, background processes, containers, bots and AI systems that operate independently in production environments.
Research cited from BeyondTrust's Phantom Labs unit found that non-human identities already vastly outnumber human ones in enterprises. It also found that enterprise AI agents are growing by more than 460% year on year, adding to the volume of identities that require access to systems, applications and data.
Control focus
Marc Maiffret, Chief Technology Officer at BeyondTrust, said security teams need to move beyond visibility and act on the privileges these identities hold.
"Seeing non-human identities was only half the equation," said Marc Maiffret, Chief Technology Officer at BeyondTrust. "The other half is doing something about the privilege they carry at scale: deciding who owns each one, pulling back the privilege they aren't using, and retiring the ones that should not exist. And doing so without requiring teams to address them one by one with the limited time they have. That's not paperwork you bolt onto a tool built for employee onboarding. That's managing non-human identities at machine scale."
The launch reflects a broader shift in cybersecurity spending towards identity-based controls. As organisations adopt more cloud services, automation tools and AI systems, machine identities have become embedded in routine operations but often remain outside the governance structures built for employees and contractors.
Conventional identity and access management tools have largely centred on workforce users, with joiner, mover and leaver processes tied to HR systems and manual reviews. BeyondTrust is attempting to extend those principles to software-driven identities that can be created rapidly and in large numbers, often by development teams or automated deployment pipelines.
That approach is likely to resonate with companies under pressure to show tighter oversight of privileged access. In practice, service accounts and tokens can hold broad permissions across applications and cloud environments, while unused or forgotten identities can persist long after their original purpose has ended.
NHI Governance is intended to reduce that exposure by establishing ownership and limiting the reach of machine identities before an incident occurs. BeyondTrust also argues that AI agents should be treated as a distinct category within governance programmes, with dedicated credentials and defined access boundaries rather than inheriting broad trust by default.
The launch extends BeyondTrust's effort to position its platform around privilege control across human, machine and AI identities. The company says it serves more than 20,000 customers, including 75 of the Fortune 100.
BeyondTrust said the recent rise in SaaS-to-SaaS attacks has shown that "a longer list is not a control".