Yesterday was Identity Management Day — an annual event focused on how businesses manage digital access — and the term getting the most attention this year was “non-human identity” (NHI). If you haven’t come across it before, you’re not alone. But there’s a good chance these invisible accounts already exist across your business systems, as highlighted by Cyber Daily.
A non-human identity is any account or credential that isn’t tied to a real person logging in manually. Think of the service account your accounting software uses to connect to your cloud storage. Or the automated script that runs your weekly backup. Or the AI assistant your team recently started using that needs access to your calendar and email. Every one of those is an identity — with permissions, access rights, and often a password that never rotates. According to research cited on Identity Management Day, 75% of machine identities in business environments have no designated owner. Nobody’s responsible for them, nobody’s auditing them, and in many cases, nobody even knows they’re there.
That’s the problem. Attackers know they exist. Compromising a forgotten service account with excessive permissions is often far easier than breaking through multi-factor authentication on a real user account. The practical step here is straightforward: ask your IT provider to audit your service accounts and application integrations. Find out what has access to what, who authorised it, and when it was last reviewed. If the answer is “we’re not sure,” that’s exactly where to start.
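The audit described above can be run over a simple inventory export. The following Python example is added here for illustration and is not from the original article; the column names, the sample rows and the 365-day and 180-day thresholds are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; in practice export this from your directory,
# cloud console and SaaS integration pages. Column names are assumptions.
INVENTORY_CSV = """name,type,access,owner,authorised_by,last_reviewed,credential_rotated
svc-accounting-sync,service account,cloud storage: read/write,j.lee,finance manager,2025-01-15,2025-01-10
weekly-backup-script,script,file server: full control,,,,2021-06-02
ai-assistant,app integration,calendar + email: read/write,m.tan,,2024-02-01,
"""

MAX_REVIEW_AGE_DAYS = 365      # assumed policy: review at least yearly
MAX_CREDENTIAL_AGE_DAYS = 180  # assumed policy: rotate at least twice a year


def _age_days(value, today):
    """Days since an ISO date, or None if the field is blank."""
    return (today - date.fromisoformat(value)).days if value.strip() else None


def audit(csv_text, today):
    """Return {identity name: [findings]} for every identity with a gap."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        if not row["owner"].strip():
            findings.append("no designated owner")
        if not row["authorised_by"].strip():
            findings.append("no record of who authorised it")
        reviewed = _age_days(row["last_reviewed"], today)
        if reviewed is None:
            findings.append("never reviewed")
        elif reviewed > MAX_REVIEW_AGE_DAYS:
            findings.append(f"last reviewed {reviewed} days ago")
        rotated = _age_days(row["credential_rotated"], today)
        if rotated is None:
            findings.append("no credential rotation recorded")
        elif rotated > MAX_CREDENTIAL_AGE_DAYS:
            findings.append(f"credential unchanged for {rotated} days")
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    # Constructed "today" so the sample output is reproducible.
    for name, findings in audit(INVENTORY_CSV, date(2025, 4, 9)).items():
        print(f"{name}: " + "; ".join(findings))
```

Identities with no findings are left out of the report, so an empty result means every listed account has an owner, an authoriser, a recent review and a recent credential change.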
This is what’s called identity hygiene, and it’s becoming a core part of good security practice — especially as AI tools and automation become more common in everyday business operations. If you’d like help understanding what non-human identities are running in your environment, get in touch with the All IT Services team, or explore our cybersecurity services.
