ARKION
NHI Governance · v.2026

Identity governance for AI agents and machines.

Rogue agents are the symptom.
Ungoverned machine identity is the disease.

Govern the Agents. Then the Estate.

The Non-Human Identity Governance platform for AI agents — and every robot, drone, POS terminal, and machine workload in your enterprise.

Built by the team behind Difenda’s exit. Authors of the NHIG Standard.

§ 01 · What Arkion does

Three verbs. One governed estate.

Stage I

Discover.

Every AI agent, bot, certificate, and machine identity in your environment — read-only, no agents installed.

Stage II

Govern.

Each one gets a named human owner, a scope, an expiry, and an audit trail. Inside a verified circle of trust.

Stage III

Revoke.

When an agent is retired or has gone rogue, its access dies with it — across the entire estate, at the click of a button.

↓ Five pillars below — the full lifecycle Arkion governs.

§ 00.9 · The Non-Human Identity Gap

The Non-Human Identity Gap.

For every human in your organization, there are 82 machines, agents, and services with identity credentials.

  • None of them are in Okta.
  • None of them are in Workday.
  • None of them are in your IAM governance program.

This is the blind spot that ate enterprise security in 2025. It is the category we built Arkion to govern.

Ratio · Enterprise avg.
80:1
Non-human identities per human · Source: Cloudflare / CyberArk, 2026
§ 00 · The Blast Radius

It starts with one agent.

  • AI AGENT
  • SERVICE ACCOUNT
  • CERTIFICATE
  • WORKLOAD
  • mTLS TUNNEL

5 non-human identities · no owner · no score · no rotation policy

That is five non-human identities before breakfast — none of them owned, scored, or rotatable.

Day 01 · AI agent deployed
Month 01 · Derived non-human identities
Quarter 01 · Across workloads & certs
Year 01 · Governed or ungoverned — your choice

This is the blast radius of a single agent — compounded by every deploy, every rotation deferred, every team that shipped and moved on. It is not a security gap. It is an identity lifecycle debt that accrues interest.

§ 00.5 · What's in your environment right now

You can't govern what you can't see.

A redacted simulation of an Arkion ledger. Every row below is a non-human identity event — provisioned, scored, rotated, or quietly expiring — across the clouds where your agents already run.

Scored · live: 9,428   Expiring · 7d: 89   Orphaned · total: 2,471

Time      Cloud    Identifier                 Status
14:32:07  AWS      prod-ml-training-7f3a      EXPIRING · 6d
14:32:11  Azure    agent-finetune-runner-a1   ORPHANED
14:32:19  GCP      langchain-prod-x2          ROTATED
14:32:24  AWS      mtls-internal-4b2c         PROVISIONED
14:32:31  on-prem  ops-bot-0091               SILENT EXPIRY
14:32:38  Azure    agentic-eval-pipeline      OWNED · g.s@co
14:32:45  GCP      orchestrator-east-0f       SCORED · 92.4
14:32:52  AWS      api-gateway-north-11       REVOKED

Streaming · redacted simulation · Arkion Ledger · v.2026
§ 01 · The cost of doing nothing

Identity lifecycle debt.

A named liability. Quantifiable. Enterprise-owned. Non-optional.

Every agent you deploy issues credentials that outlive the deployment. Every service principal spawns a certificate that outlives the service. Every rotation you deferred is an orphaned identity with production authority — and no owner.

  • Zero · Enterprise NHIG platforms before Arkion. The category didn’t exist.
  • 0–40% · More NHIs than most enterprises expect to find in a first scan.
  • 0 min · To complete the estimator and see your personalised exposure.

The Cost of Inaction

$4.45M average cost of a credential-related breach. $0 of which is recoverable from cyber insurance if the credential had no owner.

See the cost-of-inaction breakdown

Human IAM governs employees. It does not — and was never designed to — govern the machine estate beneath them. The gap between identity deployment and identity authority is not a security gap; it is a governance one.

§ 02 · The Platform

A central source of identity for every non-human entity acting on your behalf.

Arkion is the central source of identity for every AI agent and non-human entity acting on behalf of your enterprise. We issue, rotate, and revoke those identities at machine speed.

With Arkion deployed, you can separate authorized AI agents from unauthorized ones, operate inside a verified circle of trust, and block any agent that has gone rogue or is no longer needed — at the click of a button.

M-05 · The Reframe

“Rogue agents are the symptom. Ungoverned machine identity is the disease.”

§ · Five faces of a non-human

You probably recognize at least one of these in your environment.

01
The AI Coding Agent

Claude Code, Copilot, or Codex deployed across 600 engineers. Holds an OAuth token with production write access. No expiry. No rotation. Currently un-owned.

02
The RPA Bot

A UiPath bot processing supplier invoices. Built in 2022 by a contractor who has left. Still authenticating to SAP every night.

03
The Service Account

An AWS IAM role with s3:* on every bucket. Created during a migration four years ago. Used by something. Nobody remembers what.

04
The IoT Endpoint

A POS terminal in a retail store. Holds a 2019 certificate. Ships payments to the gateway every minute. Auto-renewed once and never since.

05
The Forgotten Cert

An mTLS certificate on the broker between two payment systems. Expires in 6 days. Nobody on payroll today knew it existed.

§ · How Arkion governs them

Five pillars. One governed estate.

Pillar I

Discover

Continuous, agentless discovery of every non-human identity across cloud, on-prem, and SaaS — the orphaned, the unowned, the silently expiring.

Capabilities
  • Multi-cloud scan
  • Orphan detection
  • Estate-wide visibility
§ · What you see on day one

Every non-human entity gets an identity card.

The same way every employee in your company has a badge — issued, scoped, expired, revoked. Arkion gives every agent, bot, and workload the same structure.

AGT-AI-7821 · NHI · Class A
Claude Code — Engineering Agent
  OWNER            Manoj Arora
  ISSUED           Apr 12, 2026
  EXPIRES          May 12, 2026
  ROTATION         30 days · auto
  SCOPE            repo:read · prod:read-only
  AUTHORITY        Arkion CLM
  POLICY           v2.1 · reviewed quarterly
  CIRCLE OF TRUST  ✓ inside
  HEALTHY · last seen 2m ago

Illustrative · not a customer record

Now multiply that across every non-human in your estate.

Every cert, every API key, every service account, every workload identity — each one with an owner, a scope, a rotation policy, and a revoke button. All inside the same governed estate.

  • AI agents (Claude Code, Copilot, Codex, Vertex)
  • RPA bots (UiPath, Automation Anywhere, Blue Prism)
  • Service accounts & IAM roles
  • API keys & OAuth tokens
  • TLS / mTLS certificates
  • Kubernetes workload identities
  • IoT / POS / industrial endpoints

FOR THE ARCHITECT
§ · Where Arkion sits

Arkion is a Certificate Lifecycle Management platform at its core — the same primitive that has powered cert issuance, rotation, and revocation for the SSL/TLS web. Built for a different workforce: AI agents, RPA bots, service accounts, machine workloads, and IoT.

The CLM you may already own was designed for web servers, load balancers, and mobile devices. Arkion was designed, from the first commit, around the identity an AI agent represents — its owner, its scope, its authorization, and its revoke button.

§ · What it plugs into

Read-only on day one. No agents installed.

Arkion connects with read-only credentials and returns a complete inventory of every non-human identity in the environment. No production change. No procurement cycle. From first call to first finding: 90 minutes.

Live today
  • AWS · IAM, STS, Secrets Manager, ACM
  • GCP · IAM, Service Accounts, Workload Identity

Read-only IAM, STS, service-account, secrets, and certificate telemetry. Discovery, ownership mapping, and risk scoring run against your existing infrastructure — no agents installed, no data leaves your environment.

On the roadmap
Azure · GitHub · GitLab · Kubernetes · HashiCorp Vault · Okta · Microsoft Entra · Vertex AI · Anthropic API · OpenAI API · Venafi · DigiCert

Roadmap items are scheduled, in scoping, or in private preview. Speak to engineering for the current quarter’s priorities.

§ · What your auditors get

A signed, exportable record of everything that happened.

Every Arkion estate produces a cryptographically signed attestation — board-presentable, audit-grade, accepted by cyber insurance carriers. Maps directly to DORA, NIS2, ISO 27001, and SEC Cyber-Disclosure. No screenshots. No spreadsheets.

See a sample attestation + the Compliance Crosswalk
§ · Five questions every CISO should ask

Five questions every CISO and CIO should be able to answer in five seconds.

  1. Can you produce a list — by name — of every AI agent and non-human entity acting on behalf of your enterprise?
  2. Does each one have a named human owner who is accountable for what it does?
  3. Can you tell, in seconds, whether a given agent is authorized to be in production today — or has gone rogue, been retired, or was never approved?
  4. When an agent is retired or compromised, can you revoke its access across the entire estate at the click of a button — and prove it cryptographically?
  5. Do you operate inside a defined circle of trust — where every authorized agent is known, scoped, and accounted for, and everything else is blocked by default?

If any answer is “no,” “we’d need a project for that,” or “ask the team that owns it” — you have an Arkion-shaped gap.

Cyber Insurance

Carriers are asking too.

Cyber insurance carriers increasingly require non-human identity governance for policy renewal — and refuse to cover breaches caused by orphaned credentials. Arkion produces the evidence carriers ask for: ownership for every identity, rotation cadence on every credential, signed event logs for every lifecycle change.

See the Compliance Crosswalk
THE DASHBOARD

Your estate, at a glance.

A single pane of glass across every non-human identity in your organization. Risk, compliance, ownership — continuous, cryptographic, unambiguous.

ARKION · GOVERNANCE DASHBOARD · LIVE

Governed Estate: 14,291 identities
Orphaned: 247 (down 12% this week)
Compliance Score: 97.2% enterprise-wide

Governance by Environment (legend: Governed · Orphaned · Expiring)
  • AWS   82%
  • GCP   91%
  • Azure 74%
  • K8s   68%

Recent Events
  00:14:22  cert rotated · api-gateway-prod · SHA-256 · 90d TTL
  00:11:07  orphan detected · svc-analytics-03 · owner: unassigned
  00:08:33  agent provisioned · ml-pipeline-v2 · scope: read-only
  00:03:19  expiry warning · k8s-ingress-west · 6 days remaining
§ 03 · Capabilities

Everything your IAM missed.

WEDGE · DISCOVERY · 01 / 02

Every certificate, discovered.

Including the ones your team forgot they issued. Passive log analysis and TLS telemetry surface every X.509 across your estate — known, unknown, and orphaned — with cryptographic ownership intact.

  • Read-only enumeration · zero agents
  • CT logs · TLS handshake · IAM API
  • Owner inferred · risk scored · time-bound
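The discovery pillar above and the "What it plugs into" section both describe read-only enumeration of IAM telemetry with orphan detection and rotation checks. The following is an added example, not Arkion's code, of what that check looks like against one such source: it parses a CSV in the column layout of the AWS IAM credential report (`aws iam get-credential-report`; only a subset of its columns is used) and flags users with no owner, stale keys, and dormant keys. The report rows and the owner map (standing in for an `owner` tag on each IAM user) are constructed sample data, and the 90-day and 30-day thresholds are assumptions, not a published policy.

```python
"""Orphan and stale-credential detection over an IAM credential report.

Added example (not Arkion's code). Assumes the CSV shape returned by
`aws iam get-credential-report` (subset of columns) plus a constructed
owner map in place of IAM tags. All rows are constructed, not real accounts.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the credential-report column layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
svc-analytics-03,arn:aws:iam::111122223333:user/svc-analytics-03,2021-03-04T10:00:00+00:00,true,2021-03-04T10:00:00+00:00,2026-04-10T08:15:00+00:00
ml-pipeline-v2,arn:aws:iam::111122223333:user/ml-pipeline-v2,2026-01-15T09:00:00+00:00,true,2026-03-20T09:00:00+00:00,2026-04-11T23:40:00+00:00
migration-tmp,arn:aws:iam::111122223333:user/migration-tmp,2022-06-01T12:00:00+00:00,true,2022-06-01T12:00:00+00:00,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,2025-11-02T12:00:00+00:00,false,N/A,N/A
"""

# Constructed stand-in for an `owner` tag on each IAM user.
OWNER_TAGS = {"ml-pipeline-v2": "g.s@co", "build-bot": "ci-team@co"}

ROTATION_MAX_DAYS = 90  # assumed policy window
UNUSED_MAX_DAYS = 30    # assumed dormancy window


def _parse_ts(value):
    """Credential reports use ISO-8601 timestamps, or N/A / no_information."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def find_findings(report_csv, owner_tags, now):
    """Return a list of (user, finding) tuples for every hygiene gap found."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user not in owner_tags:
            findings.append((user, "ORPHANED: no owner tag"))
        if row["access_key_1_active"] != "true":
            continue  # no live credential, nothing to rotate or revoke
        rotated = _parse_ts(row["access_key_1_last_rotated"])
        if rotated is None or (now - rotated).days > ROTATION_MAX_DAYS:
            findings.append((user, f"STALE: key older than {ROTATION_MAX_DAYS}d"))
        last_used = _parse_ts(row["access_key_1_last_used_date"])
        if last_used is None:
            findings.append((user, "DORMANT: active key never used"))
        elif (now - last_used).days > UNUSED_MAX_DAYS:
            findings.append((user, f"DORMANT: unused for >{UNUSED_MAX_DAYS}d"))
    return findings


def demo_findings():
    """Run the detector over the constructed report at a fixed reference time."""
    return find_findings(SAMPLE_REPORT, OWNER_TAGS,
                         datetime(2026, 4, 12, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, finding in demo_findings():
        print(f"{user:18} {finding}")
```

The check never writes to the account: it consumes a report the account already produces, which is the property the page's "read-only on day one" claim turns on. An inactive key (`build-bot`) is skipped because there is no standing privilege to govern, while a key that has never been used (`migration-tmp`) is surfaced precisely because nothing will notice if it is revoked.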
GROWTH VECTOR · IDENTITY · 02 / 02

Every AI agent, credentialed.

We don't just track AI agents — we mint the cryptographic identities they run on. From deploy-time provisioning through revocation, every agent in your estate carries an owner, a scope, and a cryptographic boundary.

  • Deploy-time issuance · scoped credentials
  • Tracked · revocable · auditable
  • Built for autonomous & multi-agent systems
POLICY ENGINE

Workload trust, enforced.

Governed agents talk on mTLS. Rogue agents don't talk at all. Every identity is owned by a named human — no orphaned authority in production.

LIFECYCLE GOVERNANCE

Lifecycle, never a fire drill.

Automated rotation before expiry. Owner-notified. Zero downtime. Every lifecycle event signed, timestamped, retained — DORA, NIS2, and SEC evidence is the ledger.

REAL-TIME MONITORING

Risk, continuously scored.

Certificate health. Rotation state. Ownership. Behavioral anomaly. Four signals, one score, every identity — updated continuously across the estate.
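To make the "four signals, one score" idea concrete, here is an added example (not Arkion's scoring model) that turns the fields of the identity card shown earlier into the four signals named above and combines them into a single 0-100 health score. The weights, the 30-day expiry horizon, and the two sample identities are assumptions constructed for illustration.

```python
"""Composite NHI health score from four signals.

Added example (not Arkion's model). Weights, horizons and the sample
identities are assumptions; field names mirror the identity card on the page.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed weights; they sum to 1.0 so the score is a percentage.
WEIGHTS = {"cert_health": 0.35, "rotation": 0.25, "ownership": 0.25, "anomaly": 0.15}
EXPIRY_HORIZON_DAYS = 30  # assumed: below this, cert health degrades linearly


@dataclass
class Identity:
    ident: str
    owner: Optional[str]
    expires: datetime
    last_rotated: datetime
    rotation_days: int     # policy window, e.g. "30 days · auto"
    anomaly: bool          # behavioural anomaly flagged by monitoring


def cert_health(identity, now):
    """1.0 when far from expiry, falling to 0.0 at or after expiry."""
    days_left = (identity.expires - now).days
    return max(0.0, min(1.0, days_left / EXPIRY_HORIZON_DAYS))


def rotation_state(identity, now):
    """1.0 inside the policy window, 0.0 once overdue by a full window."""
    overdue = (now - identity.last_rotated).days - identity.rotation_days
    if overdue <= 0:
        return 1.0
    return max(0.0, 1.0 - overdue / identity.rotation_days)


def ownership(identity):
    """Binary: a named human owner or none at all."""
    return 1.0 if identity.owner else 0.0


def anomaly_signal(identity):
    """1.0 when behaviour is normal, 0.0 when an anomaly is flagged."""
    return 0.0 if identity.anomaly else 1.0


def score(identity, now):
    """Return (0-100 health score, contributing signals)."""
    signals = {
        "cert_health": cert_health(identity, now),
        "rotation": rotation_state(identity, now),
        "ownership": ownership(identity),
        "anomaly": anomaly_signal(identity),
    }
    total = sum(WEIGHTS[k] * v for k, v in signals.items())
    return round(total * 100, 1), signals


def demo_scores():
    """Score a healthy governed agent and an orphaned legacy account (constructed)."""
    now = datetime(2026, 4, 14, tzinfo=timezone.utc)
    healthy = Identity("AGT-AI-7821", "Manoj Arora",
                       expires=datetime(2026, 5, 12, tzinfo=timezone.utc),
                       last_rotated=datetime(2026, 4, 12, tzinfo=timezone.utc),
                       rotation_days=30, anomaly=False)
    orphan = Identity("migration-tmp", None,
                      expires=datetime(2026, 4, 20, tzinfo=timezone.utc),
                      last_rotated=datetime(2022, 6, 1, tzinfo=timezone.utc),
                      rotation_days=90, anomaly=True)
    return {i.ident: score(i, now)[0] for i in (healthy, orphan)}


if __name__ == "__main__":
    for ident, value in demo_scores().items():
        print(f"{ident:14} {value}")
```

Keeping the signals separate from the weighting is the useful part: an operator can see which signal dragged a score down (an unowned identity loses a quarter of its score outright) rather than only the blended number.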

§ 04 · Live Walkthrough

See it in action.

A live walkthrough of the Arkion CLI. Watch a real scan, ownership lookup, and certificate rotation play out — no signup required.

Live walkthrough · Looping demo · Numbers are illustrative
§ 05 · The Process

From zero to governed estate.

Four steps. One environment at a time. Every identity named, scored, and governed before the next begins.

Step 01
Read-only

Discovery Scan

We run a read-only scan of one environment — log analysis, TLS telemetry, and IAM APIs. No agents installed. No traffic intercepted. Results delivered to your inbox once the scan completes.

Step 02
Senior engineer

Engineering Findings Call

A senior Arkion engineer walks through every identity found: named, risk-scored, and specific to your infrastructure. You see the full blast radius before committing to anything.

Step 03
Policy · Lifecycle · Audit

Governance Policy Deployment

We deploy lifecycle policies, ownership assignments, and rotation schedules across your estate. Certificate issuance and mTLS enforcement activate within 14 days.

Step 04
Continuous · Real-time

Continuous Governed Estate

Real-time risk scoring, automated rotation, and immutable audit trails run continuously. Your non-human identity estate is permanently governed.

§ 06 · AI Identity Provisioning

Identity at the speed of autonomous systems.

Your AI agents don't wait for provisioning tickets. Arkion doesn't either. Every agent receives a governed identity before it touches your infrastructure — not after an incident surfaces it.

Traditional CLM manages certificates in isolation. Arkion governs the full non-human identity lifecycle — discovery, ownership, rotation, and revocation — making it the first platform to treat NHI as a first-class governance primitive.

01 · Proactive Bootstrap

When a new AI agent is deployed, Arkion provisions its identity before the first API call — certificate-bound, owner-mapped, lifecycle-enrolled. No retroactive discovery required.

02 · Out-of-Band Control Plane

Arkion operates outside your workload runtime. No sidecar. No agent binary on your nodes. Governance is applied from above the estate — read-only telemetry in, policy enforcement out.

03 · Autonomous Lifecycle

AI agents scale faster than any human team can track. Arkion matches that velocity — auto-rotating credentials before expiry, flagging orphaned identities the moment an agent is decommissioned.

THE GOVERNANCE PROMISE

Every AI agent that touches your production infrastructure carries a cryptographic identity provisioned at deploy, scored in real time, rotated before expiry, revoked on command. No shared secrets. No static keys. No governance gaps.
§ 07 · The Difference

Every current platform has a structural ceiling.

Capability                        Human IAM Platforms (Okta · Entra · Ping · ForgeRock)   Arkion NHIG
AI Agent Identity Governance      Architecturally excluded                                 Certificate-based, full lifecycle
Certificate Lifecycle Management  Not supported                                            Issuance · Rotation · Revocation
Orphaned Identity Detection       Manual audit only                                        Passive · log analysis + network
NHI Identity Registry             No NHI model                                             Owner-mapped, lifecycle-tracked
mTLS / TLS Telemetry              Not in scope                                             Passive handshake monitoring
Human SSO / MFA                   Core capability                                          Not our space

Human IAM governs your employees. Arkion governs your agents. This is not a gap they can close with a product update — it is an architectural mismatch.

§ 07.5 · Risk Estimator

Before you scan, estimate.

Two minutes. Seven questions. A directional estimate of how many non-human identities are currently operating outside any governance boundary in your environment. No data leaves your browser until you submit.

Run the Risk Estimator · Anonymous · 2 min · no account required
Signals weighed · 04 / 04
  • 01 · Employees · Set your headcount band
  • 02 · Cloud estate · AWS / Azure / GCP / on-prem
  • 03 · AI agents · None → autonomous multi-agent
  • 04 · Rotation · Automated → rarely / never
§ 08 · Beliefs

What we believe.

01

Machines cannot use passwords.

Every human IAM control — MFA, rotation prompts, session timeouts — assumes a person at a keyboard. Non-human identities require a different substrate.

02

Certificates are the only governable primitive.

Cryptographically bound, time-limited, programmatically rotatable, instantly revocable. No other credential type satisfies all four properties.

03

Discovery must be read-only.

A platform that writes to your infrastructure to discover identities has already failed its first trust test. Arkion never modifies the estate it governs.

04

Every identity needs an accountable owner.

An orphaned agent is a standing privilege with nobody responsible. Ownership mapping is not a nice-to-have — it is the precondition for governance.

05

Compliance is continuous, not quarterly.

ISO 27001:2022, NIST CSF 2.0, DORA, NIS2, SEC cyber-disclosure — each demands evidence of identity governance. Arkion produces immutable, cryptographically attested audit trails in real time, not spreadsheets before a review.

06

Governance must be provable.

An assertion is not evidence. Every lifecycle event in Arkion is signed, timestamped, and retained in an immutable ledger. When the auditor asks, the answer is already waiting.
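The provability belief above, like the "every lifecycle event signed, timestamped, retained" capability earlier and the signed attestation auditors receive, rests on a ledger whose entries cannot be edited or dropped after the fact without detection. The following is an added example, not Arkion's ledger format, of the minimal structure that gives that property: each entry carries the hash of its predecessor and a signature over its own hash, so a retroactive edit or a quietly deleted entry breaks verification at the exact index. It uses HMAC-SHA256 with a constructed key where a deployment would use a signing key held in an HSM or KMS; the events are constructed samples modelled on the dashboard's "Recent Events".

```python
"""Append-only, hash-chained, signed ledger of NHI lifecycle events.

Added example (not Arkion's ledger). HMAC-SHA256 with a constructed key
stands in for a production signing key; all events are constructed samples.
"""
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # constructed
GENESIS = "0" * 64  # prev-hash of the first entry

BODY_FIELDS = ("ts", "identity", "event", "detail", "prev")


def _canonical(body):
    """Deterministic serialisation so the same body always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Ledger:
    def __init__(self, key=SIGNING_KEY):
        self._key = key
        self.entries = []

    def append(self, ts, identity, event, detail):
        """Chain the new entry to the previous hash and sign it."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "identity": identity, "event": event,
                "detail": detail, "prev": prev}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, hash=digest, sig=sig)
        self.entries.append(entry)
        return entry


def verify(entries, key=SIGNING_KEY):
    """Return (True, None) if the chain is intact, else (False, first bad index)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev:
            return False, i  # an entry was removed or reordered before this one
        body = {k: e[k] for k in BODY_FIELDS}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if digest != e["hash"]:
            return False, i  # content edited after the fact
        expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            return False, i  # hash re-computed by someone without the key
        prev = digest
    return True, None


def demo():
    """Build a three-event ledger, then show an edit and a deletion being caught."""
    led = Ledger()
    led.append("2026-04-12T00:03:19Z", "k8s-ingress-west", "expiry_warning", "6 days remaining")
    led.append("2026-04-12T00:08:33Z", "ml-pipeline-v2", "provisioned", "scope: read-only")
    led.append("2026-04-12T00:14:22Z", "api-gateway-prod", "cert_rotated", "SHA-256 · 90d TTL")

    edited = copy.deepcopy(led.entries)
    edited[1]["detail"] = "scope: admin"          # retroactive rewrite of one event
    gap = [led.entries[0], led.entries[2]]        # entry 1 quietly removed

    return {"intact": verify(led.entries), "edited": verify(edited), "gap": verify(gap)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:7} {result}")
```

Attempting to patch the tampered entry's `hash` as well does not help without the key, because the signature is over the hash; patching all three fields would require re-signing every later entry too, which is what makes the ledger an audit artefact rather than a log file.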

Field Note No. 02 · 7 min read
From the Research Desk

The Trust Boundary Problem.

Legal accountability for downstream agents now flows upward. The technical authority to govern them does not.

Every prime contractor, parent bank, and hospital network is legally responsible for agents acting under their authority — and operationally unable to revoke them at machine speed. CMMC, OSFI B-13, and NIS2 are converging on the same requirement: technical authority must match legal accountability. Existing IAM cannot deliver it. We're researching what does.

Read the Field Note
§ 09 · Discovery Scan

See your governed estate.

Read-only. One environment. We come back with every non-human identity found — named, scored, and specific to your infrastructure.

No agents installed · No traffic intercepted · No commitment required

NDA Protected
Read-only Access Only
Results Delivered to Your Inbox
No Sales Call Required
  • 0–40% · NHIs found vs. what teams expect
  • Read-only · No agents installed
  • 0d · To full governed estate
Speak to Engineering