Why non-human identity security is the next big challenge in cybersecurity


As organisations grapple with the expanding complexity of machine identities and automated systems, we spoke with Eric Fourrier, CEO and Co-founder of GitGuardian, a leading provider of secrets detection and remediation solutions. 

With GitGuardian’s recent launch of their Non-Human Identity Governance platform, Fourrier shares his insights on one of cybersecurity’s most pressing challenges and explains why traditional security approaches are no longer sufficient in today’s machine-dominated landscape.

Non-human identities have become a major concern for enterprises. Can you explain the scale of this challenge?

The numbers are staggering. In today’s digital landscape, non-human identities – which include service accounts, API keys, automation scripts and machine identities – outnumber human users by a ratio of 100 to 1. This exponential growth is driven by the increasing adoption of cloud services, microservices architectures and DevOps practices.

What makes this particularly challenging is that each of these identities requires access to sensitive resources and carries potential security risks. Unlike human users, who follow predictable patterns and can be managed through traditional IAM solutions, non-human identities operate 24/7, often with elevated privileges, making them attractive targets for attackers.

Eric Fourrier, CEO and Co-founder of GitGuardian

Recent research shows a rise in software supply chain attacks. How does this relate to non-human identity security?

The connection is direct and concerning. According to IDC, nearly 20% of organisations faced a software supply chain attack in 2024. These attacks often exploit weaknesses in non-human identity management – compromised API keys, exposed service account credentials, or vulnerable automation scripts.

What’s particularly worrying is that a single compromised non-human identity can provide attackers with extensive access to an organisation’s infrastructure. These identities often have broad permissions and can operate across multiple systems, making them ideal targets for lateral movement within networks.

The concept of ‘vault sprawl’ seems to be linked to this subject. Could you elaborate on this challenge?

Vault sprawl is a significant problem that has emerged as organisations have adopted multiple secrets management solutions. The average enterprise now uses more than five different secrets managers across their infrastructure. The fragmentation creates significant security and operational challenges.

Each vault solution has its own security policies, access controls and management interfaces. This lack of centralisation makes it extremely difficult to maintain consistent security practices and creates dangerous blind spots. Security teams struggle to track which secrets exist, who has access to them and whether they comply with security policies.

How is the rise of AI and automation affecting the non-human identity landscape?

The emergence of AI, particularly Generative AI and autonomous agents, is accelerating the proliferation of non-human identities at an unprecedented rate. These AI systems require various forms of access to function – API keys, service accounts and other credentials – all of which need to be properly secured.

We’re seeing organisations rapidly adopt AI-powered tools and automation, often without fully considering the security implications. Each new AI integration potentially introduces dozens of new non-human identities that need to be managed and secured. This is creating a perfect storm where the attack surface is expanding faster than security teams can adapt.

This seems to represent a fundamental shift in cybersecurity. How should organisations adapt their security strategies?

We’re witnessing a paradigm shift in how we need to think about identity security. Traditional security models were built around human users – focusing on aspects like authentication, authorisation and access management from a human-centric perspective. But this approach is inadequate for the machine-dominated future we’re entering.

Organisations need to adopt a comprehensive governance framework specifically designed for non-human identities. This means implementing automated discovery and classification of all machine identities and their secrets, establishing centralised visibility and control and enforcing consistent security policies across all platforms and environments.

What immediate steps can organisations take to address these challenges?

First, organisations need to gain visibility into their non-human identity landscape. This means conducting a thorough inventory of all machine identities and their secrets, their access patterns and their risk profiles.

Second, they should work to consolidate and standardise their secrets management practices. While completely eliminating vault sprawl might not be feasible, organisations can implement a centralised governance layer that provides unified visibility and control.

Finally, organisations should adopt automated solutions for continuous monitoring and rotation of machine identities. The scale and complexity of this challenge make manual management impossible – automation is essential for maintaining security at scale.

The future of cybersecurity will increasingly revolve around managing and securing non-human identities. Organisations that recognise this shift and adapt their security strategies accordingly will be better positioned to protect their digital assets in an increasingly automated world.

Intelligent CISO