Non-human identities (NHIs) encompass devices, software workloads, and AI agents — any digital identity not tied to a human user. NHIs outnumber human identities by roughly 20:1 in cloud-native organizations, yet only 15% of organizations feel confident securing them. The post distinguishes NHI from machine identity, explains the unique security challenges of workload credentials (OAuth tokens, API keys, JWTs, SSH keys), and highlights why AI agents require a distinct identity model due to their non-deterministic, autonomous behavior. It covers the two primary M2M authentication flows — OAuth client credentials and token exchange — along with emerging patterns like CIBA, Dynamic Client Registration, and Cross-App Access (XAA) relevant to agentic workflows.

9m read time. From descope.com
Table of contents: NHI vs. machine identity; NHI types and risk surface; Where AI agents break the traditional NHI model; Machine-to-machine (M2M) authentication flows; Handling non-human identity in the agentic era; FAQs about non-human identity
