Manav.id

What is a non-human identity (NHI)?

Short answer. A non-human identity (NHI) is any digital identity that is not bound to a person — service accounts, machine credentials, API keys, secrets, and AI agent identities. Today the typical large enterprise has 100–250 NHIs per human employee, and most of them have no audit trail naming the human who authorized them.

The four common kinds

Service accounts. Long-lived accounts representing a system or process; often shared across teams.

Machine credentials. Workload identities issued to compute resources (containers, VMs, lambdas) for service-to-service authentication.

API keys and secrets. Tokens issued to integrations; sometimes with rotation, often without.

AI agent identities. The newest class. An agent that signs into systems on behalf of a human or organization, increasingly with its own DID rather than borrowed credentials.

Why NHIs are suddenly a category

NHIs have existed for thirty years; they became a named category because three things happened simultaneously. The agent boom multiplied them. Cloud-first architectures put them on the hot path of customer data. Compliance regulators (notably the EU AI Act and SEC cyber-disclosure rules) started asking who was accountable for their actions. The combination made the category visible — and venture-backed.

Where NHI security stops

NHI security tools (Astrix, Entro, Oasis, GitGuardian) are excellent at inventory: finding the NHIs you have, finding ones you forgot, flagging risky permissions. They are not designed to answer the next question — "which human authorized the action this NHI just took." That question is the identity layer above NHI inventory; it is the layer Manav operates on.

How NHI relates to HATI

HATI (Human-Agent Trust Infrastructure) is the layer that binds an NHI to the human who delegated authority to it. NHI-management vendors give you the inventory. HATI gives you the chain: human → delegation → agent → action. Both layers are necessary; neither is sufficient alone.

Quick reference

For the broader category map, see how HATI differs from IAM, NHI, and PoP. For the inventory side, see the major NHI vendors. For the delegation side, you are reading the right blog.

Common objections

The two objections we hear most: (1) this is just OAuth re-skinned, and (2) we'll wait for the standard. On the first: OAuth scoped delegations between services; this layer scopes delegations from a verified human to an agent — different actor, different audit-trail shape. On the second: the standard is being shaped by the relying parties who integrate first. Waiting is a position.

Frequently asked questions

Is the answer the same for an enterprise and an individual?
The shape is the same — a signed delegation, a verifier, an audit log — but the magnitude caps and approval flows differ. Enterprises layer multi-signature for high-stakes actions; individuals usually run with a single device-bound key. Both end up with the same regulator-grade chain.

What if the agent acts before I notice?
That is what magnitude caps and time-to-live exist for. A correctly scoped delegation will refuse the action at the relying party before the human's attention is required. Revocation under 200 ms catches the residual cases.

How does this compose with what we already run?
It sits next to existing IAM (Okta, Auth0, Entra), not over it. Login is still the IdP's job. Manav signs the human's delegation to the agent, which the relying party verifies in addition to the IdP session. Two layers, one audit trail, no rip-and-replace.
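
The relying-party checks described in the answers above (signature, revocation, time-to-live, scope, magnitude cap, audit record) are sketched below as an added example; this is not Manav's code or wire format. All field and function names and the demo key are assumptions, and HMAC-SHA256 stands in for the human's device-bound signature, which in practice would be an asymmetric scheme.

```python
import hashlib, hmac, json, time

# Constructed demo key: HMAC is a stand-in for the human's device-bound signature.
HUMAN_KEY = b"constructed-demo-key"
REVOKED = set()   # delegation ids the human has revoked
AUDIT_LOG = []    # one record per decision: human -> delegation -> agent -> action

def _mac(body: dict) -> str:
    # Canonical JSON so issuer and verifier hash identical bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(HUMAN_KEY, msg, hashlib.sha256).hexdigest()

def issue_delegation(deleg_id, human, agent, actions, max_amount, ttl_s, now=None):
    """Human side: sign a scoped, capped, expiring grant to one agent."""
    now = time.time() if now is None else now
    body = {"id": deleg_id, "human": human, "agent": agent,
            "actions": sorted(actions), "max_amount": max_amount,
            "expires_at": now + ttl_s}
    return {"body": body, "sig": _mac(body)}

def verify_action(deleg, agent, action, amount, now=None):
    """Relying-party side: decide, then log the chain whether allowed or refused."""
    now = time.time() if now is None else now
    body = deleg["body"]
    if not hmac.compare_digest(_mac(body), deleg.get("sig", "")):
        reason = "bad_signature"      # grant was altered or not signed by the human
    elif body["id"] in REVOKED:
        reason = "revoked"
    elif now >= body["expires_at"]:
        reason = "expired"            # time-to-live elapsed
    elif agent != body["agent"]:
        reason = "wrong_agent"        # grant was issued to a different agent
    elif action not in body["actions"]:
        reason = "out_of_scope"
    elif amount > body["max_amount"]:
        reason = "over_cap"           # magnitude cap exceeded
    else:
        reason = "ok"
    AUDIT_LOG.append({"human": body.get("human"), "delegation": body.get("id"),
                      "agent": agent, "action": action, "amount": amount,
                      "decision": reason, "at": now})
    return reason == "ok", reason
```

Refusals are logged as well as approvals, so the audit trail names the delegating human even for actions that never executed. The IdP session check the page mentions would run alongside this and is not shown.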

Where to start

Start with the 100 to 1 ratio for the broader category map. Then read HATI vs IAM, NHI, and PoP for the implementation pattern. The two together compress a week of reading into thirty minutes; everything else on the site is depth on a specific layer.

Why NHI vendors and Manav are building toward each other

The non-human identity vendors started with workloads — service accounts, certificates, machine-to-machine authentication — and are slowly adding the human upstream. Manav started with the human and is slowly adding the agent downstream. The two roads meet in the middle, at the delegation. Whichever side ships the meeting point first wins the next decade of identity. NHI vendors have the enterprise distribution, the SOC 2 templates, the secrets-manager hooks. Manav has the human binding, the wallet, the regulator-grade audit trail. The likeliest outcome is not displacement but composition: the NHI vendor manages the agent registry, Manav certifies the human upstream of every agent on it, and the two products together produce the artifact the auditor wants to read. Customers will buy from whichever side gets to that handshake first.

What buyers should ask in the next RFP

Buyers writing identity-related RFPs should ask three questions that surface the NHI/HATI gap quickly. Does the proposal name the human upstream of every workload? Is the audit trail portable across vendors? Are delegation and authentication separated in the data model? Vendors that answer cleanly are operating in the substrate-grade tier. Vendors that conflate the questions are answering the procurement need from one side only, and the audit will eventually surface the gap.

NHIs are the noun. HATI is the verb.