NHIM Part 2: How Anthropic, Mythos and AI Agents Are Rewriting Cybersecurity
By Valerie Aelbrecht, Investment Manager
When I wrote our first piece on Non-Human Identity Management last year, the category felt important but was still finding its vocabulary. A year later, NHIM increasingly looks less like a standalone security category and more like a window into some of cybersecurity’s biggest shifts: autonomous AI agents, machine-speed vulnerability discovery, and the growing concentration of power among a handful of AI platforms.
The foundational thesis – that the explosion of non-human actors in enterprise environments was creating a security and governance challenge the industry wasn’t adequately equipped for – has held up well. What has changed is the speed and scope of that transition. In the time since that post, a new operating discipline has emerged in direct response to AI-class models, the geopolitical map underpinning European technology infrastructure has been redrawn, and the identity of AI agents has gone from a footnote to the defining frontier of the space. The landscape has structurally shifted.
And what ties these shifts together is simple: every new AI capability ultimately creates new identities that must be governed.
That is, in a strange way, one of the most exciting things about following this category. I expect to be writing Part 3 in roughly a year’s time, and I genuinely don’t know which parts of this piece will feel most outdated by then. In a category moving this quickly, today’s map rarely survives for long. What follows is where things stand today.
What has shifted
The ratio keeps accelerating and the character is changing. Last year’s post cited 50 NHIs per human identity. Today it’s up to 150 to 1 in most enterprises, and significantly more in cloud-native environments. But the more important shift isn’t the number, it’s what NHIs are. The 24-25 cohort was mostly service accounts, certificates, and API keys: passive identities that receive credentials and use them in predictable, bounded ways. A growing share are now AI agents that act autonomously, chain tool calls together, request access dynamically, execute privileged operations on behalf of users and behave non-deterministically. Traditional governance frameworks assumed identities behaved predictably, but AI agents did not get the memo.
The over-privileging problem got reproduced at scale. Last year’s post flagged a familiar failure mode: DevOps teams under deadline pressure escalate an NHI’s permissions to fix something fast, then never revert them. This pattern has now been replicated in the AI development layer, with a new class of credential and far higher velocity. GitGuardian’s State of Secrets Sprawl 2026 found 28.65 million hardcoded secrets (i.e. API keys, access tokens, and service credentials that machine identities use to authenticate to each other) committed to public GitHub in 2025, a 34% year-over-year increase and the largest single-year spike on record. AI service credentials specifically surged 81% – developers integrating AI APIs at pace, with none of the credential hygiene habits that apply to human logins. Same root cause as last year, but now with a larger blast radius.
Consolidation has redrawn the map. Last year, I framed CyberArk as a prominent PAM player and Machine Identity Management reference point. By February 2026, Palo Alto Networks had closed its roughly $25 billion acquisition of CyberArk, one of the largest cybersecurity deals on record. The rationale Palo Alto cited explicitly: the rise of machine identities and AI agents as the central security challenge of the era. Veza was another one I highlighted in last year’s piece as an interesting PBAC-driven access governance play. In March 2026, ServiceNow acquired it for approximately $1 billion, as part of CEO Bill McDermott’s stated ambition to build an ‘AI control tower’. Both deals show similar strategic intent: machine identity and AI agent governance is now mission-critical infrastructure and no longer a point solution. They also send a clear signal to the rest of the market, as every platform vendor will need to close the same gaps. For well-differentiated startups, that is a potentially rich exit environment. But it also means we need to ask ourselves the harder question, i.e. is there still room for a standalone platform winner? My view is that the opportunity is probably narrowing and increasingly layer-specific, but more on that below.
What Has Fundamentally Changed? Enter Anthropic
AI agents as a first-class NHI threat. Gartner projects 40% of enterprise applications will embed AI agents by the end of 2026, up from under 5% a year ago. Every agent is a new NHI, one that requests access dynamically, executes privileged operations, and leaves a governance gap most organisations aren’t equipped to close (yet). The Model Context Protocol (MCP), introduced by Anthropic, is now the standard connector between AI systems and enterprise data across Anthropic, OpenAI, Google, and Microsoft. It has simultaneously become the most powerful enterprise AI integration layer and a significant new threat vector.
Meanwhile, Anthropic has also published Zero Trust for AI Agents, a security framework for deploying autonomous agents in the enterprise, applying the classic ‘never trust, always verify’ principle to agents themselves: minimum permissions per task, declared intent before execution, full audit logging, and human checkpoints for high-stakes actions. This poses an interesting question: will Anthropic end up owning the agent governance layer that every NHIM vendor is currently racing to build? Anthropic created MCP, and now it’s publishing the security framework for how those agents should be governed. Combined with direct model distribution and deep enterprise relationships, they are credibly positioned to claim the agent governance layer from the inside, before a standalone NHI vendor gets there. That is a competitive dynamic the NHIM market hasn’t fully priced in. And that’s not even the full picture.
That said, and before we dive into the next piece of the puzzle, there is no need to panic (yet). What Anthropic published is closer to a shared responsibility framework than a land grab, and the orchestration, tools and environment layers are explicitly left open. It’s something we’ve seen before in cloud security: AWS securing the cloud didn’t make it the only vendor, and if anything it created Wiz. But Anthropic is also the one writing the rules of the game, which again, is a dynamic worth watching closely.
Mythos changed the maths, VulnOps is the response. Anthropic’s Mythos demonstrated that frontier AI systems can discover software vulnerabilities at unprecedented scale, shifting the industry’s bottleneck from discovery to remediation. Project Glasswing’s first month alone produced over 10,000 high- and critical-severity vulnerabilities across critical software systems. The direct consequence of this has been the emergence of a new operating discipline: VulnOps. The term predates Mythos, but its operational urgency is entirely a product of it. VulnOps is best understood as what happens when you apply DevOps thinking to vulnerability discovery and remediation: a continuous, automated, machine-speed discipline rather than a periodic scan-and-patch queue.
Why does all of this matter for NHIM specifically? Because the bottleneck Anthropic itself identified is not vulnerability discovery but the human capacity to triage, disclose, and patch at the speed Mythos generates findings. That triage and remediation cycle is an identity and access governance problem at its core: who (or what NHI) has the authority to act on a finding, access the affected system, deploy a patch, verify it, and prove the action in a compliance audit? Every VulnOps workflow will need to be backed by robust NHI governance. Autonomous remediation agents are themselves NHIs, and highly privileged ones. The companies building the identity and access layer underneath VulnOps workflows are building something that will be essential infrastructure, not optional tooling.
That said, there is an interesting symmetry here: Mythos accelerated the discovery problem that VulnOps was born to address, and Anthropic is, as mentioned, now also publishing the governance framework for the autonomous remediation agents that sit at the other end of that same pipeline. Whether that’s a conflict of interest or the clearest view in the room is a question the NHIM market will need to answer.
EuroStack and geopolitics as demand creation. The original post had no geopolitical framing, and if you’ve been reading my colleague Cat’s Venture Geopolitics newsletter, you know that this is no longer viable in today’s backdrop. The Fable 5 incident, i.e. the US government flipping an off-switch on Anthropic’s most advanced models for all foreign nationals, overnight and with no notice, did more to accelerate European AI sovereignty conversations than any policy paper in the last three years. From a national security perspective, the US effectively treated a frontier AI model as munition. The EuroStack initiative no longer needs to make the theoretical case as it just happened in real time. And the urgency is seemingly compounding by the day, as Five Eyes just issued a rare joint warning that AI models capable of devastating cyberattacks on governments and businesses are only months away. This really should keep us up at night, and (hopefully) creates the national-level pressure that makes sovereign solutions a top priority.
The above adds a further layer to the Anthropic dynamic already discussed. The Zero Trust for AI Agents framework asks enterprises to embed Anthropic’s governance principles into their audit trails and CISO risk models. Fable 5 demonstrated that the vendor underpinning that framework can be switched off by its own government overnight. That is creating a valid argument against building your governance stack around any single US vendor, however well-intentioned. Therefore, the companies building cloud-agnostic, model-agnostic NHI governance that doesn’t assume any single vendor’s infrastructure underneath are no longer solving a hypothetical problem.
The NHI implication is direct. If European public-sector and critical-infrastructure organisations are migrating away from US-hyperscaler-dependent architectures (i.e. cloud platforms, productivity suites, identity providers), they need to rebuild identity management from scratch in the new stack: workload identity that doesn’t depend on Azure AD or AWS IAM, machine identity governance that is genuinely cloud-agnostic, and lifecycle management that spans NIS2, DORA, GDPR, and the EU AI Act simultaneously. That is where the structural opportunity for European founders lies.
The ‘so what’ for VCs: know which layer you’re backing
NHI security in 2026 has split into distinct problem layers. To go back to the standalone platform question we raised earlier – the layers I think have the best chance of producing one are where the problem is most nascent and the standards are least settled.
Discovery and inventory: you cannot govern what you cannot see and a single pane of glass for cyber vulnerability is therefore more relevant than ever. Our portfolio company Panaseer does exactly that by giving a company full asset and controls visibility and automating the discovery of hidden control gaps.
Lifecycle governance: creation through rotation to revocation, with least-privilege enforcement throughout. This layer tries to solve for the ever-growing over-privileging problem described before.
Actor authenticity and identity verification: knowing not just what permissions an identity holds, but whether the actor presenting that identity is what it claims to be. Our portco Innerworks is building within that layer.
Runtime enforcement: the new and hardest layer. An AI agent’s permissions need to be evaluated and constrained dynamically, based on what it is actually trying to do right now. Static policies break against non-deterministic agents. We have a stealth investment in this space.
Secrets management and pipeline security: operationally mature but structurally re-energised by the AI development explosion. The CI/CD pipeline is now ground zero for credential exposure.
VulnOps infrastructure: the most nascent layer. As autonomous remediation workflows become real, every action taken by an AI remediation agent (accessing a codebase, deploying a patch, verifying a fix, …) needs to be backed by governed NHI credentials.
MCP and agentic protocol governance: The layers above address how individual agents are governed. A new white space is the security of MCP as the protocol layer itself, the channel through which all agents access enterprise data and tools, and a significant new threat vector as mentioned before. MCP has gone from one company’s idea in late 2024 to a global infrastructure standard in under 18 months. The VC analogy would be HTTP becoming the standard for the web: the protocol itself is not investable, but the tooling, security, and governance built on top of it very much is. However, agent identity standards are still being written: MCP-I was only donated to the Decentralised Identity Foundation in March this year, and Google’s A2A protocol adds agent-to-agent coordination complexity on top. Securing this channel while agent identity standards are still being written means that this category will probably require a Part 3 blog next year. Anthropic can’t own the protocol, but their Zero Trust for AI Agents framework is a move to become the default reference point for how enterprises think about agent governance. That is agenda-setting rather than ownership, but strategically hard to ignore. The HTTP analogy cuts both ways though: if MCP follows the same path as HTTP, the winners could be the foundational infrastructure players building the security stack on top of a neutral standard, rather than the protocol owner itself. A vendor-neutral MCP governance layer could be one of those foundational bets (and Fable 5 gave every European enterprise a political reason to want one that doesn’t come with sovereign risk attached). Our investment in Gravitee is setting the standard in this approach.
Mike Privette’s newsletter, Return on Security, is another gem worth adding to your reading stack. Weekly, he runs a poll or ‘vibe check’ with his readership (CISOs, security practitioners and investors), and two recent ones land directly on this space. His readers voted overwhelmingly that AI governance rules will not keep pace with agent deployment. Mike’s own take: governing agents will go the way Zero Trust went: not one tool or standard but a collection of principles and checks, real and important but definitionally fragmented. That fragmentation thesis is precisely why a vendor-neutral MCP governance layer would be a foundational bet rather than a niche one – if no single platform wins, the infrastructure sitting underneath all of them does. A separate poll found that controlling what agents can do and knowing what they did were voted the biggest unsolved concerns in AI agent security by his readership, and if Mythos’ limited release is anything to go by, even Anthropic hasn’t cracked the control problem yet.
TL;DR – where does that leave us?
The NHIM category has moved from emerging to consequential in under 2 years. The ratio of non-human to human identities keeps climbing, but more importantly, the nature of those identities has fundamentally changed.
The platforms have made their bets. The acquirers have named their rationale. The geopolitical environment has removed the last of the theoretical arguments for sovereign, cloud-agnostic infrastructure. And meanwhile, new operating disciplines such as VulnOps are about to create a wave of highly privileged autonomous agents that will need governing from day 1.
Anthropic serves as a useful case study throughout all of this, because it currently sits at multiple layers of the emerging agent stack simultaneously: model provider, protocol creator, and increasingly governance architect. That concentration is either the most coherent vision in the market or the most interesting conflict of interest in it – probably both (!).
For both investors and founders, this creates both opportunity and complexity. The platforms are consolidating, but the standards layer is fragmenting and that’s where the durable independent opportunities sit: protocol governance, actor authenticity, runtime enforcement and the identity infra underpinning autonomous systems. European founders building cloud- and model-agnostic sovereignty-native tooling may possess a structural advantage created as much by geopolitics as by technology.
The category remains early, but the infrastructure decisions being made now may define the next decade of enterprise AI. The standards are still being written, the acquirers are still hungry, and the whitespace around MCP governance alone could define the next generation of companies in this space. Part 3 will hopefully tell us who got there first.
If you’re building at this intersection, we’d love to hear from you.
Sources:
- 2026 NHI Reality Report: 5 Critical Identity Risks
- Gartner Predicts 40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026, Up from Less Than 5% in 2025
- Palo Alto Networks Completes Acquisition of CyberArk to Secure the AI Era – Palo Alto Networks
- Palo Alto Networks Announces Agreement to Acquire CyberArk, the Identity Security Leader | CyberArk
- ServiceNow Agrees To Buy Veza To Govern AI Agent Permissions At Scale
- ServiceNow to Expand Security Portfolio With Acquisition of Veza’s Leading AI-native Identity Security Platform – ServiceNow Newsroom
- Anthropic Publishes Zero Trust Security Framework for AI Agents | OpenTools
- AI Identity: Standards, Gaps, and Research Directions for AI Agents
- VulnOps: Vulnerability Management in the Age of AI – Lab Space
- The State of Secrets Sprawl 2026: AI-Service Leaks Surge 81% and 29M Secrets Hit Public GitHub
- Governing the Ungovernable: Why AI Governance is the Blueprint for Everything Else
- Why We Brought KYA-OS (formerly MCP-I) to DIF (and Why DIF Said Yes)
- Announcing the Agent2Agent Protocol (A2A) – Google Developers Blog
- Return on Security | Cyber Security Insights and ROI Strategies | Return on Security
- Venture Geopolitics | Substack
- Entro Labs: The NHI & Secrets Risk Report – Entro