ARKION
Ledger · Why Now · v.2026
The 2024–2026 inflection

Why now — and not five years ago.

Non-human identity has been growing for two decades. The governance gap is not new. What is new is the convergence: AI agents going mainstream, regulators naming the category in law, and breach disclosures attributing incidents to orphaned machine credentials. The window where a CISO could defer this has closed.

§ · The Timeline

Six events. Two years. One inflection.

Event 01 · 2024

AI agents go mainstream

ChatGPT, Claude, and Gemini agentic workflows enter enterprise pilots. Frontier-model APIs gain tool-calling at scale. Internal AI agents begin acting on production systems with borrowed credentials.

The non-human identity population begins growing exponentially. No identity layer exists for it.

Event 02 · 2025

DORA enforcement begins

The EU Digital Operational Resilience Act enters force on 17 January 2025. Financial entities and their ICT third parties become accountable for continuous identity oversight — explicitly including machine-to-machine identities.

First framework with teeth that names non-human identity governance as a control area.

Event 03 · 2025

First public NHI breach attribution

Public disclosures begin attributing breaches to orphaned API keys, expired service-account certificates, and unrotated CI/CD credentials — not phishing, not zero-days. The category gets a name.

Insurance carriers begin asking about NHI controls in renewal questionnaires.

Event 04 · 2026

NIS2 enforcement active in EU member states

All 27 EU member states have transposed NIS2 into national law. Operators of essential and important entities now face direct exposure for missing access controls on non-human entities.

European compliance officers begin requesting NHI control mappings as standard.

Event 05 · 2026

SEC tightens disclosure expectations

The SEC's 4-day material incident reporting rule (Item 106) is in active enforcement. Public companies are answering investor and regulator questions about identity provenance for AI systems.

Audit committees add machine identity governance to the board-level risk register.

Event 06 · 2026 →

EU AI Act phased enforcement

The EU AI Act enters phased enforcement through 2027. Article 14 explicitly requires human oversight of high-risk AI systems — including identity-level attribution of agent actions.

Identity becomes the substrate of AI governance, not an adjacent topic.

The window for “not yet” has closed.

Every quarter the gap compounds. Every new AI agent enters production with the same credential pattern as the last one. Discovery is the first step.