Govern the Identities Nobody Owns
Non-human identities - agents, service accounts, OAuth apps, CI bots - now outnumber people and are the least governed. AegisAI gives each one an owner, a roster entry, and boundaries.
Illustrative product view
The non-human identity problem
Every service account, OAuth app, CI bot, and AI agent is an identity that can act - and most were created without an owner, a defined scope, or a review. They outnumber human identities and are where a lot of quiet risk lives. AegisAI (nonhuman_identity.py) governs them as first-class identities: each gets an owner, a roster entry, a scope, and the same decision-point checks a human faces.
What you govern per NHI
| Dimension | What it defines |
|---|---|
| Owner | A human accountable for the identity |
| Roster | The registered set of known NHIs |
| Scope | What the identity is permitted to do |
| Anomalies | Ownerless, unknown, or over-scoped flags |
| Decisions | Every action checked by the PDP |
The non-human actors covered
- AI agents - with owner linkage and a roster
- Service accounts - including legacy and long-lived ones
- OAuth apps - third-party grants acting on your behalf
- CI bots - automation in your build and deploy pipelines
How it connects
- Builds on identity resolution’s agent roster and owner linkage
- OAuth app governance and SaaS posture extend it to granted apps
- The decision point holds NHIs to the same tenant and scope rules
- A non-human actor lowers the Action Trust Score by default
Frequently asked questions
What is non-human identity governance?
Non-human identity governance manages the identities that act without being people - AI agents, service accounts, OAuth apps, and CI bots. AegisAI gives each an owner, a roster entry, and a defined scope, and holds it to the same decision-point checks as a human, so machine identities are governed rather than anonymous.
Why are non-human identities risky?
They now outnumber human identities and are often created without an owner, a scoped set of permissions, or any review. A powerful, ownerless, over-scoped service account or agent is a large, quiet attack surface. Governance surfaces ownerless and over-scoped identities so they can be assigned and tightened.
What counts as a non-human identity?
AI agents, service accounts (including legacy long-lived ones), OAuth apps that act on your behalf, and CI bots in your pipelines. AegisAI treats all of them as first-class identities with owners, rosters, and scopes, rather than as anonymous automation with shared keys.
How does this reduce risk from a compromised agent?
By giving each identity a defined scope and owner and checking its actions at the decision point. If an over-scoped identity is found, its scope can be reduced to shrink the blast radius, and because a non-human actor lowers the Action Trust Score by default, its actions get more scrutiny.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
Give every machine identity an owner
Govern agents, service accounts, OAuth apps, and bots as first-class identities.
Talk to us