


Your NHI Population is About to 100x. Your Vault Was Only Built to Handle 10x.
June 2026 / 7 min. read

The Statistic Everyone Quotes and No One Acts On
One of the most repeated numbers in identity security has gone inert.
“Non-human identities outnumber human ones,” the slide says. Usually by 10 to 1 or the now-familiar 45 to 1. Everyone nods. The number earns a bullet point and a line item in next year's roadmap, and the meeting moves on.
The number itself is not the story. What produces the number is the story, and what produces it is about to change in a way that breaks the tool most organizations bought to manage it.
In the first post in this series, we named agentic AI as the third force pushing vault-centric PAM past its architectural ceiling. This is the force worth sitting with, because over the next 24 months the ratio of non-human to human identities will move past 100:1.
IAM leaders who read that as an extrapolation of the current NHI curve are planning for the wrong problem.
The vault does not scale into the new ratio. Not at any licensing tier, and not just because of a capacity limit you can buy your way past.
Two Waves, Not One Bigger Wave
The NHI growth most organizations have absorbed over the past five years came from a recognizable population: service accounts, CI/CD identities, SaaS integration users.
These identities are persistent. They have application owners. They map to documented workloads. Vault-centric PAM was an awkward fit for them, but it was a fit. You could enumerate them, assign a credential, rotate it, and call it governed.
The second wave of identities does not behave like the first.
Agentic identities are short-lived, measured in seconds to minutes. Their action set is open-ended, because the agent decides at runtime which tool to call. And they are instantiated on demand by a user request rather than provisioned by an identity team.
A single user might stand up dozens or hundreds of agents in a day, each scoped to a different task, each reaching for a different set of resources. The vault's founding assumption, that an identity is durable enough to hold a credential worth managing, does not hold here. By the time you could get such an identity into the vault, there is often nothing left to manage.
This is where the bolt-on responses being marketed today quietly fail. Agent vaulting, agent secrets managers, agent identity providers: each one extends the legacy model to higher volume while preserving the exact property that made the model inadequate.
The credential still exists.
The security problem is still keeping that credential safe between uses. And a credential that exists between uses is a standing credential, which means it is blast radius waiting for a trigger. Multiply that by 100:1 and you haven’t solved the problem. You’ve industrialized it.
The architectural alternative is per-call policy evaluation. The agent's request to invoke a specific tool against specific resources is evaluated against policy, at the moment it happens.
No credential needs to persist between calls because access is granted just in time and expires once the action is complete.
This is Zero Standing Privileges applied to a population that was never going to tolerate standing anything. It is the only model that gets cheaper to defend as the ratio climbs rather than more expensive.
Three Moves Available to You Before the Wave Lands
The good news is that none of these moves requires agents or tools you haven't bought yet. All three are available whenever you want to get started.
Inventory the agents you already run, not the ones you are about to procure. Most environments already carry agentic activity through Claude, ChatGPT, GitHub Copilot, and the copilots embedded in the SaaS platforms your teams adopted without a procurement cycle. The shadow NHI population from these sources is almost always larger than the IAM team estimates. Honest visibility is the first move, and it is usually the most uncomfortable one.
Decide where agent identity sits in your model before your application teams decide for you. Is the agent a derivative of the requesting user, inheriting that user's policy envelope with tighter constraints? A distinct identity bound to the user? A service account with delegated authority? Each answer carries different policy and audit consequences. Left unstated, this question does not go unanswered. It gets answered inconsistently, one project at a time, and you inherit the reconciliation later.
Stand up per-call evaluation for the high-value use cases on a 12-month horizon. Customer service agents touching support cases. Sales agents in the CRM. Security operations agents reaching into SIEM and ticketing. Finance agents in the ERP. Each has a near-term implementation pattern your team can shape if it engages early, and cannot shape once the pattern has shipped.
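As an added illustration (not code from this post or from any vendor product), here is a minimal per-call policy decision point that ties the two earlier points together: it models the agent as a derivative of the requesting user, so the agent's scope is the intersection of the user's policy envelope and the task scope declared when the agent is spawned, and each approved call yields a single-use grant that expires on its own, so nothing persists between calls. The tool and resource names, the 30-second TTL and the class names are assumptions.

```python
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass

# Added example, not the post's or any vendor's code. Tool and resource names
# (crm.read, acct-1 ...) and the 30 s TTL are constructed assumptions.

@dataclass(frozen=True)
class Grant:
    """One approved action: a token bound to exactly one tool/resource pair."""
    token: str
    tool: str
    resource: str
    expires_at: float

class PolicyDecisionPoint:
    def __init__(self, user_envelope: dict[str, set[str]], ttl_s: float = 30.0):
        self.user_envelope = user_envelope  # tool -> resources the user may touch
        self.ttl_s = ttl_s
        self._live: dict[str, Grant] = {}   # grants issued but not yet redeemed

    def spawn_agent(self, task_scope: dict[str, set[str]]) -> dict[str, set[str]]:
        """Derivative identity: the agent gets user envelope INTERSECT task scope."""
        return {t: self.user_envelope.get(t, set()) & r for t, r in task_scope.items()}

    def evaluate(self, agent_scope: dict[str, set[str]], tool: str, resource: str,
                 now: float | None = None) -> Grant | None:
        """Per-call check. Deny -> nothing is issued, so there is nothing to vault."""
        now = time.time() if now is None else now
        if resource not in agent_scope.get(tool, set()):
            return None
        grant = Grant(secrets.token_urlsafe(16), tool, resource, now + self.ttl_s)
        self._live[grant.token] = grant
        return grant

    def redeem(self, token: str, tool: str, resource: str, now: float | None = None) -> bool:
        """Single use: the grant is removed on first presentation, valid or not."""
        now = time.time() if now is None else now
        grant = self._live.pop(token, None)
        if grant is None or now > grant.expires_at:
            return False
        return grant.tool == tool and grant.resource == resource

    def live_grants(self, now: float | None = None) -> int:
        """Standing-credential count: unredeemed, unexpired grants right now."""
        now = time.time() if now is None else now
        self._live = {k: g for k, g in self._live.items() if g.expires_at >= now}
        return len(self._live)
```

Note that a task scope wider than the user's envelope (the `crm.write` or `siem.query` requests in the test) simply collapses to nothing, which is the audit-friendly outcome: the agent cannot acquire rights its principal never had.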
Securing a Different Population, Not Just a Larger One
The IAM leaders who will be cited in 2028 as having gotten agentic identity right are the ones who recognized in 2026 that agentic NHIs are a different population, not a larger one. Different lifecycle. Different control model. And an architectural fit with vault-centric PAM that is not merely awkward but absent.
This is one of the rare moments where the strategic move and the urgent move are the same move. Committing to ephemeral identity and per-call evaluation is the long-horizon architecture, and it is also the fastest answer to the operational problem already in your environment: agentic adoption running well ahead of agentic governance. Frame your NHI strategy around that convergence and organizational buy-in arrives faster than it does for any multi-year governance initiative, because you are solving a problem leadership can already feel.
The Question Worth Asking This Quarter
The conversation most organizations think they need to have is how to manage more non-human identities. The conversation that matters is different. It is how to govern a population that no longer fits the model that produced your current inventory.
The vault was built for the first wave. The second wave is already at the door, instantiated by users who are not waiting for your roadmap. So, when your NHI ratio crosses 100:1 over the next two years, will each of those identities be holding a credential you are responsible for protecting, or will it be holding nothing at all?


