Beyond Human: The Next Frontier of Identity Security
In January 2024, attackers exposed 230 million cloud environments through a single compromised AWS access key—one of the largest cloud breaches in history. Three months later, a major satellite network went dark when machine certificates silently expired. These weren’t human errors—they were failures to secure the digital workforce that now powers our world.
It was clear cybersecurity had a blind spot—one that’s continuing to be exploited. While organizations fortify human accounts with multi-factor authentication and security training, a far larger army of digital workers operates in the shadows. These non-human identities (NHIs)—the service accounts, API keys, and machine credentials that enable modern infrastructure—now outnumber human users 50 to one. At Menlo Ventures, this increasing security gap caught our eye early on and eventually led to our investment in Astrix Security*—a pioneer in protecting these critical machine-to-machine connections.
Consider your own enterprise. Every automated deployment, cloud scaling event, security alert—these critical operations are executed by machine identities, not humans. In a typical enterprise, these digital workers perform millions of privileged actions daily, often with minimal oversight or controls.
The stakes are rising. Months before that January 2024 breach, SpaceX’s Starlink network faced widespread disruption when expired machine certificates took down critical systems. These aren’t isolated incidents—they’re harbingers of a new era in which machine identities have become the preferred target for sophisticated attackers.
This shift presents both an unprecedented challenge and a compelling opportunity. As we navigate this new landscape, one thing is clear: The future of cybersecurity depends on how we secure these digital gatekeepers.
The Perfect Storm: Why NHIs Are Exploding Now
The rapid proliferation of machine identities is being driven by three fundamental shifts in enterprise technology:
The Move to Microservices. The shift from monolithic applications to distributed microservices has created an explosion in service-to-service authentication needs. Each new microservice brings its own identity requirements, multiplied across development, staging, and production environments. Multi-cloud deployments further complicate this picture, as organizations must manage identities across platforms with different authentication models.
The DevOps Imperative. Modern development practices prioritize speed and automation, leading to what security teams call “secrets sprawl.” Developers, working under tight deadlines, often create service accounts and API keys with broader permissions than necessary. These credentials frequently end up stored in code repositories, configuration files, or ad-hoc secrets management tools, creating a governance nightmare.
The Dawn of AI Agents. The emergence of AI agents represents a step-change in machine identity complexity. Unlike traditional service accounts, AI agents require dynamic access patterns and often operate with considerable autonomy. Their need to access vast amounts of sensitive data, combined with their unique behavioral patterns, creates novel security challenges that existing tools struggle to address.
The Emergence of a New Category
The current $20 billion-plus identity security market has largely focused on protecting human identities, creating a significant opportunity in the rapidly growing non-human identity segment. Early market signals paint an encouraging picture for both startups and investors. In our conversations with enterprise CISOs, machine identity security consistently emerges as a mounting concern, particularly as recent high-profile breaches underscore the urgency of the problem. The $1.54 billion acquisition of Venafi by CyberArk demonstrates the market’s appetite for meaningful exits, while early adopters of NHI security platforms are showing promising expansion patterns.
The growing recognition of machine identity risks has sparked a wave of innovation in the security vendor landscape. A new category of purpose-built NHI security platforms has emerged, raising large amounts of capital and gaining early enterprise traction.
Companies like Astrix are building comprehensive platforms that handle the entire lifecycle of machine identities. Their solutions typically include:
- Automated discovery and classification of NHIs across cloud and on-premises environments
- Continuous posture monitoring and policy enforcement
- Automated credential rotation and privilege management
- Integration with existing secrets management systems
- Compliance reporting and audit trails
Yet the path to widespread adoption isn’t without its challenges. The category still requires substantial customer education—many organizations understand the risks conceptually but struggle to quantify their exposure or implement comprehensive solutions. Budget allocation presents another hurdle, as NHI security often spans both security and DevOps teams, requiring alignment across multiple stakeholders. Furthermore, any new solution must integrate seamlessly with existing tools and workflows, a nontrivial technical challenge given the complex landscape of enterprise identity management.
Despite these obstacles, the fundamental market dynamics remain compelling. As organizations accelerate their digital transformation initiatives and the number of machine identities continues to grow exponentially, the need for purpose-built security solutions becomes increasingly urgent. The question isn’t whether the market will materialize, but rather which approaches and vendors will emerge as the dominant players in this nascent category.
One of the most intriguing aspects of the NHI security market is its potential intersection with traditional identity and access management (IAM). We’re seeing movement from both directions: Traditional IAM vendors like Veza and ConductorOne are expanding into machine identity protection, leveraging their existing relationships with security teams and understanding of identity governance. Meanwhile, pure-play NHI security vendors are broadening their platforms to include human identity management capabilities, betting that a unified approach will ultimately win. However, the ultimate prize may be larger: creating the next-generation identity platform that seamlessly handles both human and machine identities.
Looking Ahead
As we look to the future, several trends are likely to shape the evolution of the NHI security market. As machine identity breaches continue to make headlines, expect increased regulatory attention. This could accelerate enterprise adoption of NHI security solutions. AI will become essential for managing the scale and complexity of machine identities, particularly in detecting anomalous behavior and automating policy decisions. Lastly, the current fragmented landscape of point solutions will likely consolidate into more comprehensive platforms, either through M&A or organic expansion.
For builders, the NHI security market represents a rare opportunity: a greenfield space with clear technical differentiation, strong market pull, and the potential for multiple billion-dollar outcomes. The category is still in its early stages, but the foundation for significant value creation is clearly visible.
The winners in this space will likely be those who can:
- Navigate the increasing complexity AI agents introduce (e.g., anomaly detection for agent vs. human behavior, dynamic permissions scoping, and cross-system identity context)
- Create seamless user experiences that work within existing DevOps workflows
- Execute go-to-market strategies that effectively educate and engage both security and development teams
As enterprises continue their digital transformation journeys and the number of machine identities grows exponentially, securing these digital workers will become increasingly critical. The next decade of cybersecurity may well be defined by how effectively we solve this challenge.
*Backed by Menlo Ventures