Non-human identities are the fastest-growing attack surface in your organization. Gain total visibility, discover and enforce ownership, and automate the lifecycle of service accounts, bots, and API keys.

Non-Human Identities are the fastest-growing category of identities today, and 95% of NHIs have no assigned owners. Manual tracking and traditional identity governance methods can no longer scale. Extend Autonomous Identity Governance to NHIs with the right visibility, intelligence, and automation.
Treat machines as first-class citizens. Unify human and non-human identity governance into a single pane of glass for visibility and control.
A service account without an owner is a vulnerability waiting to happen. Automatically map every NHI to a human owner for accountability.
Ask natural-language questions to find dormant accounts, orphaned NHIs, policy drift, and violations. Uncover more risks and remediate faster with less noise.

See every human and non-human identity. Lumos continuously discovers service accounts, agents, and workload identities across your IdP, Cloud Infrastructure, and SaaS apps.
Just like humans, NHIs accumulate access they don't need. Albus and our autonomous Identity Security Agents analyze usage patterns to detect over-privileged service accounts and NHIs. They recommend policy changes and workflows to remove unused and excessive permissions, so that your NHIs only have the access they need to function.

Include non-human identities in your regular certification campaigns. Lumos allows app owners to review both human and machine access side-by-side. If a service account is flagged as risky or dormant, owners can revoke access or rotate credentials directly from the review interface.

NHI Governance is the practice of securing and managing the lifecycle of machine identities — such as service accounts, API keys, and bots — with the same rigor as human employees. It involves discovery, ownership assignment, access reviews, and automated decommissioning.
Unlike human identities that live centrally in an HRIS or IdP (like Okta), NHIs are often created ad-hoc by developers directly within applications (e.g., a local AWS IAM user or a GitHub Personal Access Token), creating shadow machine identities that central IT cannot see.
Lumos allows you to ask natural-language questions to instantly identify dormant accounts, orphaned NHIs, and Toxic Combinations (SoD).
Instead of digging through logs, you can simply ask Albus, "show me all identities with admin access that haven't acted in 30 days," and then apply a remediation policy to revoke them automatically. This allows you to uncover risks and remediate them faster with less noise.
Coming in 2026.
Lumos unifies bots and humans in a single view but applies context-aware logic.
For example, a "last login" date might mean something different for a batch-job bot than for a human. Albus helps reviewers understand machine usage context so they don't accidentally break production workflows.
Coming in 2026.
A non-human identity is a digital identity used by machines, applications, services, bots, API keys, agents, or automated workflows instead of a person. These identities often need access to systems and data so they can perform background tasks or connect applications. Because they can hold powerful permissions, they need to be discovered, governed, and reviewed just like human users. Lumos describes non-human identities as including service accounts, bots, API keys, agents, and workload identities.
Common examples of non-human identities include service accounts, API keys, bots, agents, workload identities, tokens, and machine users. These identities are often created to automate tasks, connect SaaS tools, run cloud workloads, or support integrations between systems. Unlike employee accounts, they may not have a clear owner or lifecycle process. Lumos highlights service accounts, agents, workload identities, bots, and API keys as key NHI types.
Non-human identity governance is important because machine identities can accumulate sensitive access over time. If they are unmanaged, organizations may not know who owns them, what they can access, or whether they are still needed. Governance helps teams assign ownership, enforce least privilege, include NHIs in access reviews, and decommission risky or unused identities. Lumos positions NHI governance around visibility, ownership, access reviews, and automated lifecycle management.
A human identity belongs to a person, such as an employee, contractor, or vendor, while a non-human identity belongs to a machine, application, bot, or automated process. Human identities are often tied to HR and identity provider systems, but NHIs may be created directly inside cloud tools, SaaS apps, or development environments. This makes them harder to track and govern through traditional identity programs. Lumos notes that NHIs are often created ad hoc by developers, which can create shadow machine identities that IT cannot easily see.
Non-human identities are considered a growing attack surface because they can outnumber human users and often have persistent access to critical systems. If an API key, bot, or service account is overprivileged or ownerless, attackers may be able to abuse it without triggering the same controls used for employee accounts. This risk increases when organizations do not have centralized visibility into all machine identities. Lumos calls non-human identities the fastest-growing attack surface in organizations.
Organizations can discover non-human identities by continuously scanning identity providers, cloud infrastructure, and SaaS applications for machine accounts, service accounts, agents, and tokens. This helps security and IT teams build a complete inventory of identities that may otherwise be hidden across different systems. Discovery should not be a one-time project because NHIs are frequently created as teams add new tools, workflows, and integrations. Lumos says it continuously discovers service accounts, agents, and workload identities across IdP, cloud infrastructure, and SaaS apps.
Unmanaged non-human identities can create security, compliance, and operational risks. They may retain excessive permissions, lack a clear owner, continue running after a project ends, or expose credentials that attackers can exploit. Without governance, teams may struggle to know which NHIs are active, dormant, orphaned, or violating policy. Lumos specifically calls out risks like dormant accounts, orphaned NHIs, policy drift, and violations.
Every non-human identity should have a human owner because machines cannot make accountability decisions on their own. A human owner can confirm whether the identity is still needed, whether its access is appropriate, and whether it should be rotated, revoked, or decommissioned. Ownership also makes access reviews more reliable because reviewers know who is responsible for each service account or bot. Lumos emphasizes automatically mapping every NHI to a human owner for accountability.
Companies can map a non-human identity to the right owner by analyzing where it was created, what systems it accesses, which team uses it, and how it behaves over time. Ownership mapping should connect each machine identity to a responsible person or team that understands its purpose. This helps reduce orphaned accounts and makes remediation decisions faster. Lumos frames human owner assignment as a key part of preventing unmanaged service accounts from becoming vulnerabilities.
The best way to manage a non-human identity lifecycle is to treat it as a governed identity from creation through retirement. That means discovering it, assigning an owner, defining appropriate access, reviewing it regularly, rotating or revoking credentials when needed, and decommissioning it when it is no longer used. Automation is especially important because manual tracking does not scale as machine identities grow. Lumos states that traditional identity governance methods and manual tracking can no longer scale for NHIs.
Service accounts, bots, API keys, and workload identities are all types of non-human identities that need access to applications, infrastructure, or data. They are often essential for automation, integrations, deployments, and background processes. However, they can become risky when they are unmanaged, overprivileged, dormant, or missing an accountable owner. Lumos explicitly includes service accounts, bots, API keys, agents, and workload identities in its NHI governance approach.
Non-human identity access can be reviewed by including machine accounts in the same certification campaigns used for human users. App owners and reviewers should be able to see human and machine access side by side so they can compare permissions and identify risk. If an NHI is dormant, risky, or no longer needed, reviewers should be able to revoke access or trigger credential rotation from the review process. Lumos says app owners can review human and machine access side by side and take action on risky or dormant service accounts.
Least privilege for a non-human identity means the identity should only have the access required to perform its intended function. It should not keep broad, admin-level, or unused permissions simply because they were granted in the past. Enforcing least privilege reduces the potential impact if a bot, service account, or API key is compromised. Lumos describes continuous least-privilege enforcement by analyzing usage patterns and removing unused or excessive permissions.
Organizations can detect overprivileged non-human identities by comparing assigned permissions against actual usage patterns. If a service account has access it does not use, or has broader privileges than its function requires, it may be a candidate for remediation. Identity analytics and automated policy recommendations can help teams find these issues without manually reviewing every machine account. Lumos says its autonomous identity security agents analyze usage patterns to detect overprivileged service accounts and NHIs.
An orphaned non-human identity is a machine identity that has no clear human owner or business purpose. These accounts are risky because no one is actively responsible for reviewing their access, rotating credentials, or removing them when they are no longer needed. Orphaned NHIs can become hidden entry points for attackers or sources of compliance gaps. Lumos identifies orphaned NHIs as a category of risk that organizations should be able to find and remediate.
Dormant or unused non-human identities can be identified by reviewing activity data, login behavior, API usage, and access patterns. If an identity has not acted within an expected period, teams should investigate whether it is still needed. Remediation may include revoking permissions, rotating credentials, disabling the account, or decommissioning it completely. Lumos describes using natural-language questions to identify dormant accounts and apply remediation policies.
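The detection logic the answers above describe (the "admin access, inactive 30 days" question, orphaned identities with no owner, over-privileged identities whose granted permissions exceed what usage data shows, and a dormancy window that differs for a batch job and an interactive key) can be expressed as a few checks over a discovery inventory. The following is an added example written for this page, not Lumos's code or a reproduction of how Albus works. The identity names, permission strings, the `ADMIN_PERMISSIONS` set, the 1.5x cadence multiplier, and the reference time are all constructed assumptions; a real inventory would be fed from IdP, cloud, and SaaS connectors.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed reference time for the sample data below (not from any real system).
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)

# Permission names treated as "admin access" in this example; a real inventory
# would map provider-specific roles and policies here (assumption).
ADMIN_PERMISSIONS = {"admin", "iam:*"}


@dataclass
class NHI:
    """One non-human identity as it would appear in a discovery inventory."""
    name: str
    kind: str                          # service_account, bot, api_key, workload
    owner: Optional[str]               # None means nobody is accountable for it
    granted: Set[str]                  # permissions currently assigned
    used: Set[str]                     # permissions exercised in the usage window
    last_activity: Optional[datetime]  # None means no activity ever recorded
    expected_cadence_days: int = 1     # how often the identity is expected to act


def dormancy_threshold(nhi: NHI, default_days: int = 30) -> timedelta:
    """Context-aware idle window: a quarterly batch job is not dormant after 30 days.
    Uses the flat default or 1.5x the expected cadence, whichever is longer
    (the 1.5x grace factor is an assumption of this example)."""
    return timedelta(days=max(default_days, int(nhi.expected_cadence_days * 1.5)))


def is_dormant(nhi: NHI, now: datetime) -> bool:
    if nhi.last_activity is None:
        return True
    return now - nhi.last_activity > dormancy_threshold(nhi)


def is_orphaned(nhi: NHI) -> bool:
    return not nhi.owner


def unused_permissions(nhi: NHI) -> Set[str]:
    """Granted-but-unused permissions are the least-privilege remediation candidates."""
    return nhi.granted - nhi.used


def has_admin_access(nhi: NHI) -> bool:
    return bool(nhi.granted & ADMIN_PERMISSIONS)


def admin_inactive(inventory: List[NHI], now: datetime, days: int = 30) -> List[str]:
    """The page's natural-language question as an inventory query:
    identities with admin access that have not acted in `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(
        n.name for n in inventory
        if has_admin_access(n) and (n.last_activity is None or n.last_activity < cutoff)
    )


def assess(inventory: List[NHI], now: datetime) -> Dict[str, List[str]]:
    """Per identity, the findings a reviewer would act on; clean identities are omitted."""
    findings: Dict[str, List[str]] = {}
    for nhi in inventory:
        issues = []
        if is_orphaned(nhi):
            issues.append("orphaned")
        if is_dormant(nhi, now):
            issues.append("dormant")
        unused = unused_permissions(nhi)
        if unused:
            issues.append("over-privileged:" + ",".join(sorted(unused)))
        if issues:
            findings[nhi.name] = issues
    return findings


def recommend(nhi: NHI, now: datetime) -> List[str]:
    """Map findings to the remediation steps the page describes."""
    actions = []
    if is_orphaned(nhi):
        actions.append("assign a human owner")
    unused = unused_permissions(nhi)
    if unused:
        actions.append("revoke unused permissions: " + ", ".join(sorted(unused)))
    if is_dormant(nhi, now):
        actions.append("rotate credentials and disable pending owner confirmation")
    return actions


# Constructed sample inventory (hypothetical identities, not real accounts).
SAMPLE_INVENTORY = [
    NHI("ci-deploy-sa", "service_account", "platform-team",
        {"s3:PutObject", "ec2:DescribeInstances", "iam:*"}, {"s3:PutObject"},
        NOW - timedelta(days=2), expected_cadence_days=1),
    NHI("legacy-report-bot", "bot", None,
        {"db:read"}, {"db:read"}, NOW - timedelta(days=120), expected_cadence_days=30),
    NHI("quarterly-billing-job", "workload", "finance-eng",
        {"billing:read"}, {"billing:read"}, NOW - timedelta(days=80), expected_cadence_days=90),
    NHI("old-admin-key", "api_key", "alice",
        {"admin"}, set(), NOW - timedelta(days=60), expected_cadence_days=30),
]

if __name__ == "__main__":
    for name, issues in assess(SAMPLE_INVENTORY, NOW).items():
        print(f"{name}: {issues} -> {recommend(next(n for n in SAMPLE_INVENTORY if n.name == name), NOW)}")
    print("admin access, inactive 30d:", admin_inactive(SAMPLE_INVENTORY, NOW))
```

The point of `dormancy_threshold` is the context-aware logic the page mentions: `quarterly-billing-job` has been idle for 80 days, which a flat 30-day rule would flag, but because its expected cadence is 90 days it is not reported as dormant, while `old-admin-key` (expected to act monthly, idle for 60 days, admin permission never exercised) is reported as both dormant and over-privileged and is the only hit for the "admin access, inactive 30 days" query.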
Non-human identity governance helps prevent breaches by reducing hidden, ownerless, and overprivileged machine access. When organizations know every NHI, who owns it, what it can access, and whether it is still active, they can close risky gaps before attackers exploit them. Governance also supports faster remediation when policy drift or anomalous behavior appears. Lumos connects NHI ownership and remediation to eliminating breaches before they happen.
Securing non-human identities at scale typically requires integrations with identity providers, SaaS applications, cloud infrastructure, and access review systems. These integrations help teams discover machine identities, monitor permissions, analyze usage, and automate remediation workflows. Without broad coverage, NHIs can remain hidden in disconnected systems. Lumos highlights more than 300 integrations and emphasizes visibility across IdP, cloud infrastructure, and SaaS apps.
Automation improves non-human identity lifecycle management by reducing manual tracking, review, and cleanup work. It can help discover new NHIs, assign owners, detect excessive permissions, flag dormant accounts, and trigger remediation workflows. This is especially valuable because machine identities can grow faster than security teams can manually manage them. Lumos positions automation as necessary because manual tracking and traditional governance methods do not scale for NHIs.
Enterprises should look for a non-human identity governance solution that provides continuous discovery, ownership assignment, least-privilege enforcement, access reviews, anomaly detection, and automated remediation. The solution should cover SaaS, cloud, and identity systems so security teams can manage NHIs from a unified view. It should also help reviewers understand machine context so they can reduce risk without disrupting production workflows. Lumos describes this as bringing human and non-human identity governance into a single pane of glass with visibility, intelligence, and automation.
Book a 1:1 demo with us and enable your IT and Security teams to achieve more.