What Comes After Humans? A New Era of Secure Identity Management

By Valerie Aelbrecht, Investment Manager

AI / Data

The digital world is no longer just about human interactions. As we embrace automation, cloud computing, and the Internet of Things (IoT), the number of non-human identities (NHIs) – machines, applications, APIs, and devices – is exploding. In fact, it is estimated that NHIs will outnumber human identities by a ratio of 50 to 1. These NHIs, just like human users, require secure identities and access control to operate safely and efficiently within our systems. The crucial practice of assigning, securing and overseeing these identities and controls is called Non-Human Identity Management (NHIM).

Why is NHIM Critical (and growing)?

The importance of NHIM stems from several factors (non-exhaustive!):

  • A growing reliance on automation: businesses are increasingly reliant on interconnected systems and autonomous applications, making NHIs central to operations as they interact within digital ecosystems, access resources and execute tasks autonomously. This increased automation means that far more information is being accessed by NHIs than by human identities. The attack surface therefore grows, which brings us to the next two points.
  • The evolving threat landscape: cybercriminals are progressively targeting NHIs due to their often-weak authentication mechanisms and inadequate monitoring.
  • An expanding attack surface: driven by several factors, including the growing number of connected devices, the widespread adoption of cloud computing and microservices architectures, the increasing complexity of modern IT infrastructure, and the surge in IoT devices and edge computing.
  • ๐Ž๐ฏ๐ž๐ซ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ข๐ง๐  ๐จ๐Ÿ ๐๐‡๐ˆ๐ฌ: the growing trend of NHIs being granted excessive privileges. This often occurs when Devs, DevOps, and QA teams, under tight deadlines and significant pressure, focus primarily on ensuring basic functionalityโ€”testing whether “it works”โ€”rather than verifying “if it works securely.” When issues arise, Dev(Ops) teams may temporarily escalate an NHI’s permissions to admin level for debugging or resolution purposes but fail to follow up and revert the NHI to its least privileged state, leaving it overprivileged indefinitely.
  • ๐“๐ก๐ž ๐ซ๐ข๐ฌ๐ž ๐จ๐Ÿ ๐€๐ˆ: Imagine a VC blog post without the mention of AI! No surprises here but AI is having a massive impact on access management. Just one example would be platforms like FraudGPT that can create bots in just seconds.
  • ๐„๐ฏ๐จ๐ฅ๐ฏ๐ข๐ง๐  ๐ซ๐ž๐ ๐ฎ๐ฅ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐š๐ง๐ ๐ฌ๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ & ๐ฉ๐ซ๐ข๐ฏ๐š๐œ๐ฒ ๐œ๐จ๐ง๐œ๐ž๐ซ๐ง๐ฌ: As automation and AI systems proliferate, ensuring that only authorized devices and algorithms have access to sensitive data or critical operations becomes essential. NHIM provides a framework to secure these non-human entities, ensuring they are authenticated and properly managed to prevent breaches. Good old GDPR is just one example.

Unveiling the Complexity of NHIM

NHIM goes beyond simply managing passwords and keys. It involves a complex interplay of concepts and technologies designed to ensure secure authentication, authorisation, and monitoring of NHIs throughout their lifecycle. Let’s explore some of the key areas:

  • ๐ˆ๐๐ž๐ง๐ญ๐ข๐ญ๐ฒ ๐š๐ง๐ ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐Œ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ (๐ˆ๐€๐Œ): IAM systems provide the foundational framework for NHIM, securing identity provisioning, authentication, and authorisation for NHIs across enterprise environments. Astrix Security and Oasis Security go beyond that even, combining IAM with Identity Threat Detection and Response (ITDR), whilst Okta aims to cover both human and non-human identities. Yoti is a growth-stage UK company serving financial institutions and government bodies.
  • ๐ƒ๐ž๐ฏ๐ข๐œ๐ž ๐š๐ง๐ ๐ˆ๐จ๐“ ๐ˆ๐๐ž๐ง๐ญ๐ข๐ญ๐ฒ ๐š๐ง๐ ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐Œ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ: Companies like Periphery, specialise in that area by providing threat management for IoT manufacturers, covering the extended IoT device attack surface. Italy-based Exein, in a similar vein, focuses on protecting connected devices across various industries, including automotive, manufacturing, healthcare, and consumer electronics, by automatically detecting and securing vulnerabilities within device firmware.
  • ๐Œ๐š๐œ๐ก๐ข๐ง๐ž ๐ˆ๐๐ž๐ง๐ญ๐ข๐ญ๐ฒ ๐Œ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ (๐Œ๐ˆ๐Œ): This broader concept encompasses all machines and systems, focusing on secure communication and interactions between them. CyberArk, with its focus on managing privileged credentials for machines and applications, plays a significant role in this domain.
  • API Identity and Access Management: APIs, acting as non-human entities, require specific identity management to prevent unauthorised access to data or services. Our portfolio company Gravitee.io offers IAM and federated API access management as part of its end-to-end, full-lifecycle API platform.
  • Digital Twin Identity Management: helps keep the digital twin and its physical counterpart synchronised and secure, enabling more efficient monitoring and predictive maintenance. UK-based Iotics and France’s Cosmo Tech are two European examples here.
  • Device-to-Device (D2D) Authentication: A practical application of NHIM within IoT networks, supporting autonomous communication between devices in scenarios like smart homes and industrial IoT. Incumbents like Sectigo and Thales operate in this field, but more recent players such as Crypto Quantique, offering device security for both developers/manufacturers and IC designers, are also worth noting.
  • Autonomous Systems and Bot Identity Management: Covers identity management for autonomous decision-making systems. Innerworks, for example, has built a cascading model of techniques to deliver ‘proof of humanity’ and ‘proof of identity’. To the AI point made before, new generations of bots are becoming ever harder to detect as GenAI becomes capable of mimicking (human) behaviour, and Innerworks is tackling exactly that. Estonia-based BotGuard would be another European player to watch here.
  • Robotic Process Automation (RPA) Bot Identity: RPA bots automate business processes and require identity management to ensure their actions are secure, auditable, and compliant with organisational policies. Blue Prism and UiPath spring to mind here.
    ๐–๐จ๐ซ๐ค๐ฅ๐จ๐š๐ ๐ข๐๐ž๐ง๐ญ๐ข๐ญ๐ฒ ๐ฆ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ: Last but not least, and tying in nicely with the CSPM/ASPM topic below, Cofide is securing workloads (i.e. applications and services across cloud environments) dynamically and efficiently, whilst ensuring alignment with modern cloud-native practices. By focusing on intelligent workload identity management, the company is not only complementing CSPM/ASPM tools but also aiming to make Zero Trust Architectures practical and achievable for organizations.” 
Enabling Technologies and Solutions for NHIM

Various better-known technologies and solutions support and enable these core concepts in NHIM, so deep integration with the rest of the organisation’s tech stack is crucial (some more acronyms to add to the cyber alphabet soup!):

  • ๐‚๐ฅ๐จ๐ฎ๐ ๐’๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐๐จ๐ฌ๐ญ๐ฎ๐ซ๐ž ๐Œ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ (๐‚๐’๐๐Œ) ๐š๐ง๐ ๐€๐ฉ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง ๐’๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐๐จ๐ฌ๐ญ๐ฎ๐ซ๐ž ๐Œ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ (๐€๐’๐๐Œ): These platforms manage and monitor the identities of respectively cloud and application resources, ensuring only authorised entities interact within the cloud/application environment. Not directly an ASPM tool, but Tracebit is an adjacent UK-company to keep an eye on. They are using cloud canaries to uncover suspicious activity, such as unauthorized data access, across an organisation (from cloud infrastructure to identity and endpoints).
  • ๐‚๐จ๐ง๐ญ๐ข๐ง๐ฎ๐จ๐ฎ๐ฌ ๐‚๐จ๐ง๐ญ๐ซ๐จ๐ฅ๐ฌ ๐Œ๐จ๐ง๐ข๐ญ๐จ๐ซ๐ข๐ง๐  (๐‚๐‚๐Œ): monitoring of security controls helps assure coverage and effectiveness of controls for (N)HIs (e.g. all NHIs must be managed by PAM). Our portfolio company, Panaseer, recognised as a leader by Gartner in the CCM category, provides solutions to ensure continuous compliance and validation of NHIM policies.
  • ๐„๐ง๐๐ฉ๐จ๐ข๐ง๐ญ ๐ƒ๐ž๐ญ๐ž๐œ๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐‘๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž (๐„๐ƒ๐‘), ๐„๐ฑ๐ญ๐ž๐ง๐๐ž๐ ๐ƒ๐ž๐ญ๐ž๐œ๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐‘๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž (๐—๐ƒ๐‘), ๐š๐ง๐ ๐’๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐ˆ๐ง๐Ÿ๐จ๐ซ๐ฆ๐š๐ญ๐ข๐จ๐ง ๐š๐ง๐ ๐„๐ฏ๐ž๐ง๐ญ ๐Œ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ (๐’๐ˆ๐„๐Œ): All of these tools support NHIM by identifying, investigating and responding to security threats.
  • ๐๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐Œ๐š๐ง๐š๐ ๐ž๐ฆ๐ž๐ง๐ญ (๐๐€๐Œ): PAM solutions focus on securing high-privilege NHIs, like admin-level bots and root devices, ensuring only trusted entities execute sensitive operations. CyberArk and BeyondTrust are prominent PAM providers, often integrating their solutions with RPA platforms like Blue Prism and UiPath.
  • ๐๐จ๐ฅ๐ข๐œ๐ฒ-๐๐š๐ฌ๐ž๐ ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐‚๐จ๐ง๐ญ๐ซ๐จ๐ฅ (๐๐๐€๐‚): PBAC enables granular access control policies tailored to NHIs, facilitating secure interactions in complex ecosystems. Veza, offering data security and access governance, utilises PBAC to manage access across cloud and hybrid environments.
  • ๐™๐ž๐ซ๐จ ๐“๐ซ๐ฎ๐ฌ๐ญ ๐€๐ซ๐œ๐ก๐ข๐ญ๐ž๐œ๐ญ๐ฎ๐ซ๐ž (๐™๐“๐€): Applying zero trust principles to NHIs means continuous verification for all network transactions, ensuring that no device or machine has inherent trust. Innerworks deserves a mention here as well.

And so what?

Non-Human Identity Management is essential in today’s world, where devices, machines, algorithms, and automated systems are central to nearly every industry. We see NHIM’s impact especially in fields like healthcare (with IoT-enabled medical devices and AI diagnostics), manufacturing and industrial IoT, energy and utilities (including operational technology and smart grids), finance and banking, telecommunications, transportation and autonomous vehicles, smart cities, and other critical infrastructure sectors, all underpinned by AI advancements. As Industry 4.0 practices continue to advance, NHIM will play an even more pivotal role in securely managing the growing ecosystem of non-human actors. It is fast becoming a foundational element for ensuring secure, compliant, and efficient operations across our increasingly interconnected industries.

We’re inspired by companies like Cofide, Periphery, Tracebit, Innerworks, and several other innovative European players in the space. If you’re working on something exciting in this area, we’d love to hear from you!

Special thanks to Marc Moesse from Panaseer for his insights.

Sources: Oasis Security, Cloud Security Alliance, Cybersecurity Tribe, Security Magazine, LinkedIn, TechTarget, Mitnick Security, Veza, Cycode, Astrix Security, Darkreading
