What Comes After Humans? A New Era of Secure Identity Management
By Valerie Aelbrecht, Investment Manager
The digital world is no longer just about human interactions. As we embrace automation, cloud computing, and the Internet of Things (IoT), the number of non-human identities (NHIs: machines, applications, APIs, and devices) is exploding. In fact, it is estimated that NHIs will outnumber human identities by a ratio of 50 to 1. These NHIs, just like human users, require secure identities and access control to operate safely and efficiently within our systems. It is that crucial practice of assigning, securing and overseeing these identities and controls that is called Non-Human Identity Management (NHIM).
Why is NHIM Critical (and growing)?
The importance of NHIM stems from several factors (non-exhaustive!):
- A growing reliance on automation: businesses are increasingly reliant on interconnected systems and autonomous applications, making NHIs central to operations as they interact within digital ecosystems, access resources and execute tasks autonomously. This increased automation means that more information is being accessed by NHIs, much more than by human identities. The threat surface therefore becomes larger, which brings us to the next two points.
- The evolving threat landscape: cybercriminals are progressively targeting NHIs due to their often-weak authentication mechanisms and inadequate monitoring.
- An expanding attack surface: driven by several factors, including the growing number of connected devices, the widespread adoption of cloud computing and microservices architectures, the increasing complexity of modern IT infrastructure, and the surge in IoT devices and edge computing.
- Overprivileging of NHIs: the growing trend of NHIs being granted excessive privileges. This often occurs when Devs, DevOps, and QA teams, under tight deadlines and significant pressure, focus primarily on ensuring basic functionality (testing whether “it works”) rather than verifying “if it works securely.” When issues arise, Dev(Ops) teams may temporarily escalate an NHI’s permissions to admin level for debugging or resolution purposes but fail to follow up and revert the NHI to its least privileged state, leaving it overprivileged indefinitely.
- The rise of AI: Imagine a VC blog post without the mention of AI! No surprises here but AI is having a massive impact on access management. Just one example would be platforms like FraudGPT that can create bots in just seconds.
- Evolving regulations and security & privacy concerns: As automation and AI systems proliferate, ensuring that only authorized devices and algorithms have access to sensitive data or critical operations becomes essential. NHIM provides a framework to secure these non-human entities, ensuring they are authenticated and properly managed to prevent breaches. Good old GDPR is just one example.
Unveiling the Complexity of NHIM
NHIM goes beyond simply managing passwords and keys. It involves a complex interplay of concepts and technologies designed to ensure secure authentication, authorisation, and monitoring of NHIs throughout their lifecycle. Let’s explore some of the key areas:
- Identity and Access Management (IAM): IAM systems provide the foundational framework for NHIM, securing identity provisioning, authentication, and authorisation for NHIs across enterprise environments. Astrix Security and Oasis Security go beyond that even, combining IAM with Identity Threat Detection and Response (ITDR), whilst Okta aims to cover both human and non-human identities. Yoti is a growth-stage UK company serving financial institutions and government bodies.
- Device and IoT Identity and Access Management: Companies like Periphery specialise in that area by providing threat management for IoT manufacturers, covering the extended IoT device attack surface. Italy-based Exein, in a similar vein, focuses on protecting connected devices across various industries, including automotive, manufacturing, healthcare, and consumer electronics, by automatically detecting and securing vulnerabilities within device firmware.
- Machine Identity Management (MIM): This broader concept encompasses all machines and systems, focusing on secure communication and interactions between them. CyberArk, with its focus on managing privileged credentials for machines and applications, plays a significant role in this domain.
- API Identity and Access Management: APIs, acting as non-human entities, require specific identity management to prevent unauthorised access to data or services. Our portfolio company Gravitee.io offers IAM and federated API access management as part of their end-to-end full lifecycle API support platform.
- Digital Twin Identity Management: Helps keep the digital twin and its physical counterpart synchronized and secure, enabling more efficient monitoring and predictive maintenance. UK-based Iotics and France’s Cosmo Tech are some European examples here.
- Device-to-Device (D2D) Authentication: A practical application of NHIM within IoT networks, supporting autonomous communication between devices in scenarios like smart homes and industrial IoT. Incumbents like Sectigo and Thales operate in this field, but more recent players such as Crypto Quantique, which offers device security for both developers/manufacturers and IC designers, are also worth noting.
- Autonomous Systems and Bot Identity Management: Covers identity management for autonomous decision-making systems. Innerworks for example has built a cascading model of techniques to deliver “proof of humanity” and “proof of identity”. To the AI point made before, new generations of bots are becoming increasingly hard to detect, with GenAI being capable of mimicking (human) behaviour, and Innerworks is tackling exactly that. The Estonia-based BotGuard would be another European player to watch here.
- Robotic Process Automation (RPA) Bot Identity: RPA bots automate business processes and require identity management to ensure their actions are secure, auditable, and compliant with organizational policies. BluePrism and UiPath spring to mind here.
- Workload identity management: Last but not least, and tying in nicely with the CSPM/ASPM topic below, Cofide is securing workloads (i.e. applications and services across cloud environments) dynamically and efficiently, whilst ensuring alignment with modern cloud-native practices. By focusing on intelligent workload identity management, the company is not only complementing CSPM/ASPM tools but also aiming to make Zero Trust Architectures practical and achievable for organizations.
Enabling Technologies and Solutions for NHIM
Various better-known technologies and solutions support and enable these core concepts in NHIM, so deep integration with the rest of the organisation’s tech stack is crucial (some more acronyms to add to the cyber alphabet soup!):
- Cloud Security Posture Management (CSPM) and Application Security Posture Management (ASPM): These platforms manage and monitor the identities of cloud and application resources respectively, ensuring only authorised entities interact within the cloud/application environment. Not directly an ASPM tool, but Tracebit is an adjacent UK company to keep an eye on. They are using cloud canaries to uncover suspicious activity, such as unauthorized data access, across an organisation (from cloud infrastructure to identity and endpoints).
- Continuous Controls Monitoring (CCM): Monitoring of security controls helps assure coverage and effectiveness of controls for (N)HIs (e.g. all NHIs must be managed by PAM). Our portfolio company, Panaseer, recognised as a leader by Gartner in the CCM category, provides solutions to ensure continuous compliance and validation of NHIM policies.
- Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and Security Information and Event Management (SIEM): All of these tools support NHIM by identifying, investigating and responding to security threats.
- Privileged Access Management (PAM): PAM solutions focus on securing high-privilege NHIs, like admin-level bots and root devices, ensuring only trusted entities execute sensitive operations. CyberArk and BeyondTrust are prominent PAM providers, often integrating their solutions with RPA platforms like Blue Prism and UiPath.
- Policy-Based Access Control (PBAC): PBAC enables granular access control policies tailored to NHIs, facilitating secure interactions in complex ecosystems. Veza, offering data security and access governance, utilises PBAC to manage access across cloud and hybrid environments.
- Zero Trust Architecture (ZTA): Applying zero trust principles to NHIs means continuous verification for all network transactions, ensuring that no device or machine has inherent trust. Innerworks deserves a mention here as well.
And so what?
Non-Human Identity Management is essential in today’s world, where devices, machines, algorithms, and automated systems are central to nearly every industry. We see NHIM’s impact especially in fields like healthcare (with IoT-enabled medical devices and AI diagnostics), manufacturing and industrial IoT, energy and utilities (including operational technology and smart grids), finance and banking, telecommunications, transportation and autonomous vehicles, smart cities, and other critical infrastructure sectors, all underpinned by AI advancements. As Industry 4.0 practices continue to advance, NHIM will play an even more pivotal role in securely managing the growing ecosystem of non-human actors. It is fast becoming a foundational element for ensuring secure, compliant, and efficient operations across our increasingly interconnected industries.
We’re inspired by companies like Cofide, Periphery, Tracebit, Innerworks, and several other innovative European players in the space. If you’re working on something exciting in this area, we’d love to hear from you!
Special thanks to Marc Moesse from Panaseer for his insights.
Sources: Oasis Security, Cloud Security Alliance, Cybersecurity Tribe, Security Magazine, LinkedIn, TechTarget, Mitnick Security, Veza, Cycode, Astrix Security, Darkreading