Non-Human Identity, By the Numbers
Machine identities passed human identities years ago and the gap keeps widening. A few figures that explain why non-human identity has become the leading edge of the IVIP category, sourced from Gartner's research and Hydden's own operating data.
The Numbers Behind the NHI Problem
Non-human identity isn't a niche concern inside identity security — by volume, it's the majority of the identity estate most enterprises are trying to govern.
The 50:1 and 20-40% figures reflect Hydden's own analysis of enterprise identity estates across its customer base and are not independently audited third-party statistics. The capability count and 2028 projection are Gartner's, as published in the Hype Cycle for Identity and Access Management Technologies (2025).
Why Machine Identities Are Harder to Govern Than Human Ones
A human identity is created through a known process — HR onboarding, an access request, a provisioning ticket — and that process usually leaves a record. A service account, API key, or AI agent credential is frequently created by an engineer solving an immediate problem, with no equivalent record and no obvious owner once that engineer moves teams or leaves.
That asymmetry is why machine identity sprawl compounds instead of self-correcting. Nobody is assigned to notice when a non-human identity should have been decommissioned, because in most organizations, no single system of record was ever built to track it in the first place.
Human identities get decommissioned because someone leaves. Machine identities keep running because nobody is watching for the equivalent signal.