Explainer · non-human identity

Why non-human identity is the security problem of the next decade.

Every AI feature you switch on in Microsoft 365 creates something new and invisible: an identity. Understanding those identities, and who can see them, is fast becoming the difference between adopting AI safely and stalling at the pilot. Here's what "non-human identity" means, why it's exploding, and what the analysts are saying.

What is an non-human identity?

When people think "identity" they picture a person with a username. But most identities in a modern cloud tenant aren't people at all, they're non-human identities (NHIs): service accounts, service principals, OAuth-connected apps, app registrations, automation, and now AI agents and Copilots. Each can authenticate, hold permissions, and reach data without a human in the loop at the moment it acts.

An "non-human identity" is simply a non-human identity created by, or acting on behalf of, an AI system. A Copilot connected to SharePoint, a custom agent with mailbox access, a third-party AI tool granted OAuth scopes: each is an identity with standing reach into company data.

Why AI creates new identities, fast

The whole point of an AI agent is to act for you, which means it needs access. Turn on more AI and you mint more identities, each with permissions that rarely get reviewed. The result is a quiet explosion of non-human identities inside every Microsoft 365 tenant:

45:1
Machine identities outnumber humans ~45 to 1 on Gartner’s estimate, and some vendor telemetry runs as high as 144:1, up from 92:1 a year earlier1
+44%
Growth in non-human identities in a single year1
~half
Of machine identities hold sensitive or privileged access2
$27B
Forecast non-human identity security market by 2033, ~2× 2025 (11.9% CAGR)3

1 Gartner (analyst estimate, ~45:1); vendor telemetry: Entro Labs, NHI & Secrets Risk Report (H1 2025), 144:1. 2 CyberArk, 2025 State of Machine Identity Security (which independently puts the ratio at >80:1 and finds 79% of leaders expect up to 150% growth in a year). 3 Grand View Research. Cited as third-party industry research.

Why it matters now

This isn't a future problem, the industry's most-watched voices are already flagging it:

You can't adopt, or secure, what you can't see. non-human identity is the new perimeter.

What good governance looks like

Governing non-human identities comes down to four capabilities: discover every non-human identity in the tenant; understand what each can reach and who owns it; score the risk and blast radius; and govern continuously, with the evidence mapped to the frameworks auditors and insurers ask about. Done well, governance isn't a brake on AI, it's what lets you say "yes" with confidence.

Who delivers it: your MSP

For most organisations, the partner best placed to do this is the MSP who already runs their Microsoft 365 tenant. That's what Sabiki AIRM is built for: an agentless, read-only layer that gives MSPs the observability and governance to make AI safe for every client, and turn it into a recurring managed service.

See the non-human identities in a real tenant, free.

Register free and run one full NHI Risk assessment on any Microsoft 365 tenant. Agentless, read-only, results the same day.

Free NHI Risk Score →

Go deeper: The non-human identity explosion in Microsoft 365 → · How MSPs turn this into a service →

Sources

  • 1 Entro Labs, NHI & Secrets Risk Report (H1 2025), reporting
  • 2 CyberArk, 2025 State of Machine Identity Security, report (PDF)
  • 3 Grand View Research, Non-Human Identity Access Management Market, market report
  • 4 Gartner, “Applying Uniform Governance Across AI Agents Will Lead to Enterprise AI Agent Failure” (May 2026), source
  • 5 Canalys (now part of Omdia), “MSP Trends & Predictions 2025”, source
  • 6 Cloud Security Alliance, non-human identity security research, CSA

Sabiki Security is not affiliated with, sponsored by, or endorsed by these organisations; their research is cited as third-party industry context. Analyst/vendor names and quotations are subject to each provider's usage terms, confirm permitted use before public launch.

← Back to resources
For security leaders

The questions every CISO is being asked right now.

AI adoption is accelerating faster than security teams can govern it, and security leaders are increasingly concerned about AI agents and their impact on security. AIRM was built to answer these questions, and to act on the answers.

“Are we ready for AI?”

Your board and CEO are pushing AI adoption, and you've been asked to sign off on it. But many organisations already have AI agents running in production, most deployed without security review, with permissions nobody explicitly granted.

How AIRM helps

A full inventory of every non-human identity, AI agents included in the Microsoft 365 environment, so you can answer “what AI do we have, and what can it access?” before anyone signs off.

“What is Shadow AI doing in our environment?”

Unsanctioned AI tools are already running in most tenants. Many were granted OAuth tokens and elevated permissions plugged straight into business systems, outside any standard provisioning workflow.

How AIRM helps

AIRM detects every service principal and AI agent in the tenant, sanctioned or not. Unreviewed identities are flagged, with their permissions, blast radius and compliance implications shown together.

“If an approved AI agent is compromised, how bad could it get?”

An AI agent you legitimately approved can still be compromised: its logic updated, its permissions silently widened. Traditional tools watch for human behaviour anomalies, they weren't built to catch this.

How AIRM helps

Blast Radius Analysis maps exactly what an attacker would reach if any identity were compromised, built from real granted permissions, not assumed activity. You see the worst case before it happens.

“Are we compliant with the EU AI Act, DORA and ISO 42001?”

Regulators are now asking specific questions about AI governance. The EU AI Act's high-risk obligations phase in through 2026, and DORA has been in force since January 2025. Most organisations can't yet produce evidence of AI agent oversight.

How AIRM helps

Every finding maps automatically to 11 frameworks, including the EU AI Act, ISO 42001 and DORA, generating per-framework reports you can hand to auditors and regulators.

“How do we enable AI without losing control?”

Security teams are under pressure to enable AI, and saying yes without visibility is the fastest way to lose control. The organisations that build agent inventories and privilege policies now are the ones in control when something goes wrong.

How AIRM helps

AIRM is the visibility layer that makes “yes” safe: monitor every AI agent continuously, detect permission drift, get alerted when behaviour changes, and demonstrate governance to the board.

AIRM is your Non-Human Identity Control Plane.

You don't have to choose between enabling AI and securing it. AIRM gives security teams the visibility, intelligence and evidence they need to say yes to AI with confidence.

Get your free Sabiki NHI Risk Score →
No credit card · agentless · connect in minutes