The Security Problem You Have But Don't Know the Name For

Written by Alex Mercer | May 2, 2026 1:30:41 AM

Picture this: you're an IT admin at a 75-person company. Six months ago, your sales team asked you to connect Salesforce to Microsoft 365. You opened a permissions dialog, read something about "Read all directory data" and "Access your organization's data," clicked Accept, and moved on. The integration worked. Everyone was happy.

That click created something.

It didn't create a user account. It didn't create a password. It created a persistent identity in your tenant: a service principal for the Salesforce app, with a standing permission grant against your directory. That access remains in place indefinitely, silently, until someone specifically revokes it.

That identity has a name. You've probably never heard it.

It's called a Non-Human Identity.

The term nobody outside enterprise security knows

"Non-human identity" — or NHI — is a term that exists almost exclusively in the vocabulary of enterprise cybersecurity professionals. If you work in security at a Fortune 500 company, you know what it means. You probably have a dedicated team managing it. You might have a six-figure software platform to track it.

If you're the IT administrator at a mid-size company, you've almost certainly never heard the phrase. But you have hundreds of them.

Every time you connected an app to your Microsoft Entra ID tenant (formerly Azure Active Directory), you created a non-human identity. Every service principal, every app registration, every managed identity in your Azure environment, every OAuth permission grant attached to one of them: these are all non-human identities. They are identities with their own credentials and permissions, and they live entirely outside the human user lifecycle. They don't show up in your standard user reports. Nothing flags them when an employee leaves the company. And in most organizations, they are never reviewed once created.

What they actually look like

In practical terms, non-human identities in a typical Microsoft 365 environment include things like:

  • The Salesforce integration you set up that can read your entire directory

  • The GitHub connector your development team asked for, which was granted admin consent, so it can read user data for everyone in the tenant and not just for the person who set it up

  • The automation tool your marketing manager connected that can send email as anyone in the org (the application-level Mail.Send permission, which needs no signed-in user)

  • The Zoom integration from 2021 that nobody uses anymore but still has active permissions

  • The custom script your previous IT person wrote that authenticates with a client secret that expires in 2027

None of these are users. None of them show up in your "Active Users" list. All of them represent real access to real systems. And in most SMBs, no one has ever looked at the full list.
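Looking at the full list is less work than it sounds. The script below is an added example for this post, not a Hakona tool or Microsoft sample: it uses the Microsoft Graph PowerShell SDK to pull every service principal in the tenant, every delegated OAuth grant (flagging tenant-wide admin consent), every application permission, and every client secret or certificate on your own app registrations. It assumes you can sign in with an account that can consent to the two read-only scopes (Global Reader is enough), and the $riskyPermissions list is an illustrative starting point rather than any standard; adjust it to your own policy.

```powershell
# Added example, not from the original post: inventory the non-human identities in a
# Microsoft 365 tenant with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: you can consent to the two read-only scopes below, and the $riskyPermissions
# list is an illustrative starting point, not a standard; tune it to your own policy.

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$riskyPermissions = @(
    'Directory.Read.All', 'Directory.ReadWrite.All', 'User.ReadWrite.All',
    'Mail.Send', 'Mail.ReadWrite', 'Files.ReadWrite.All', 'Sites.ReadWrite.All',
    'Application.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'full_access_as_app'
)

# Every service principal is a non-human identity: SaaS integrations, your own app
# registrations, managed identities, legacy apps. Index them by object id for lookups.
$sps    = Get-MgServicePrincipal -All
$spById = @{}
foreach ($sp in $sps) { $spById[$sp.Id] = $sp }
"$($sps.Count) service principals in this tenant, by type:"
$sps | Group-Object ServicePrincipalType | Select-Object Name, Count | Format-Table -AutoSize

# 1. Delegated permissions (OAuth2 permission grants). ConsentType 'AllPrincipals' is
#    tenant-wide admin consent: the app can use these scopes on behalf of any user.
#    'Principal' means a single user consented for themselves only.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $scopes = @($g.Scope -split ' ' | Where-Object { $_ })
    [PSCustomObject]@{
        App      = $spById[$g.ClientId].DisplayName
        Resource = $spById[$g.ResourceId].DisplayName
        Consent  = $g.ConsentType
        Scopes   = $scopes -join ' '
        Risky    = @($scopes | Where-Object { $riskyPermissions -contains $_ }) -join ' '
    }
}
"Delegated grants that are tenant-wide or include a risky scope:"
$delegated | Where-Object { $_.Consent -eq 'AllPrincipals' -or $_.Risky } |
    Sort-Object App | Format-Table -AutoSize -Wrap

# 2. Application permissions (app role assignments). These work with no signed-in user at
#    all; Mail.Send here means "send mail as anyone in the tenant". Each resource that
#    exposes app roles (Microsoft Graph, Exchange Online, ...) is queried once.
$appPerms = foreach ($resource in ($sps | Where-Object { $_.AppRoles.Count -gt 0 })) {
    $roleName = @{}
    foreach ($r in $resource.AppRoles) { $roleName[$r.Id] = $r.Value }
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resource.Id -All |
        Where-Object { $_.PrincipalType -eq 'ServicePrincipal' } |
        ForEach-Object {
            [PSCustomObject]@{
                App        = $_.PrincipalDisplayName
                Resource   = $resource.DisplayName
                Permission = $roleName[$_.AppRoleId]
                Risky      = $riskyPermissions -contains $roleName[$_.AppRoleId]
            }
        }
}
"Application permissions on the risky list:"
$appPerms | Where-Object Risky | Sort-Object App | Format-Table -AutoSize

# 3. Credentials on your own app registrations: what can authenticate as these identities,
#    and until when. Expired-but-never-removed and very long-lived secrets both deserve a look.
$now   = Get-Date
$creds = foreach ($app in Get-MgApplication -All) {
    $items = @($app.PasswordCredentials | Where-Object { $_ } | ForEach-Object { @{ Kind = 'Secret';      Cred = $_ } }) +
             @($app.KeyCredentials      | Where-Object { $_ } | ForEach-Object { @{ Kind = 'Certificate'; Cred = $_ } })
    foreach ($i in $items) {
        [PSCustomObject]@{
            App      = $app.DisplayName
            Kind     = $i.Kind
            Name     = $i.Cred.DisplayName
            Expires  = $i.Cred.EndDateTime
            DaysLeft = [int]($i.Cred.EndDateTime - $now).TotalDays
        }
    }
}
"Credentials that are expired or valid for more than a year from today:"
$creds | Where-Object { $_.DaysLeft -lt 0 -or $_.DaysLeft -gt 365 } |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it from PowerShell 7 after installing the Microsoft.Graph module; the first call opens a browser sign-in. The three tables are the review that never happens: anything in the first table with Consent = AllPrincipals was approved for the whole tenant by an admin, anything in the second table runs without a human in the loop, and a secret in the third table that expires years out is exactly the "previous IT person's script" case from the list above. Pipe any of the three to Export-Csv if you want a record to compare against next quarter.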

Why this matters right now

Non-human identities are one of the fastest-growing attack surfaces in enterprise security. Incident research across the industry keeps finding leaked, stale, or over-permissioned machine credentials behind a large share of cloud security incidents. An attacker doesn't need to compromise a user account if they can find and abuse an over-permissioned service principal or a forgotten OAuth token, and, unlike a user, a service principal authenticating with a client secret has no MFA prompt to trip.

The major enterprise security vendors — Microsoft, CrowdStrike, Okta — have been sounding the alarm about this for several years. There are entire product categories, multi-million-dollar platforms, and dedicated security teams in large organizations specifically focused on NHI governance.

But here's the problem: those tools are built for those organizations. They require security engineers to operate, assume you have a dedicated identity governance team, and come with price tags that make sense when you have a hundred-person security organization. They're not designed for the IT administrator managing everything from laptops to printers to Microsoft 365 at a company with 50, 100, or 500 employees.

That IT administrator has the same problem — just without the vocabulary for it, the tooling to address it, or the budget to buy the tools that exist.

A new vocabulary for a real problem

If you take one thing from this post, let it be this: "non-human identity" is just the enterprise security term for something you already deal with every day. The apps you've connected to your Microsoft 365 tenant, the integrations your team has asked for, the automations that run in the background — these all have persistent identities with persistent access. They accumulate. They drift. They get forgotten.

The enterprise security world has been working on this problem for years. It's time the rest of us had the tools to address it too.

If you manage Microsoft 365 and you're curious what's actually in your tenant, Hakona Govern is free to start. No credit card, no security team required.