As automation grows and higher education institutions invest in artificial intelligence for workflow operations, the number of nonhuman identities within an institution’s digital infrastructure rapidly increases. Global security professionals estimate that NHIs currently outnumber human users 82 to 1, according to CyberArk’s “2025 Identity Security Landscape Report.”
Also known as machine identities, NHIs include any application, software component, automated process, machine or network resource that has permission to access data and execute tasks without human intervention.
In higher education environments, an NHI might be used by a system that updates student information across different platforms or a script that automates faculty account provisioning.
Click the banner below to learn more about securing identities on your school network.
Another example: shadow AI that students and faculty use on school infrastructure. These tools may use AI agents and “introduce new machine identities that IT is not aware of,” says Sitaram Iyer, CyberArk’s area vice president of emerging technologies and global architects.
AI agents are a more technologically advanced category of NHIs. These “increasingly autonomous systems” operate more independently, a CyberArk blog explains.
The Security Risks of Nonhuman Identities
NHIs have deep access to critical systems and sensitive data, which can leave universities vulnerable to cyberattacks. Additionally, as essential pieces of an institution’s digital system, NHIs may be taken for granted or overlooked. This, and the sheer number of NHIs that are constantly shifting in the wake of staff turnover and student matriculation, make them a common security risk, Iyer explains.
“Once compromised, these identities can be used to move laterally across an environment without raising the typical security alerts associated with human activity,” he says. “This creates a perfect storm of risk, as they are a high-value target that is often underprioritized in post-breach investments.”
WATCH: Four security trends to pay attention to in 2026.
While securing NHIs is a core part of identity and access management, institutions should be aware that traditional IAM best practices tend to be “insufficient for securing machine identities,” says Iyer.
While human users rely on passwords, biometrics and multifactor authentication, NHIs use different automated methods, such as cryptographic keys and digital certificates, which can require specialized security solutions.
Ways To Reduce NHI Security Risks in Colleges and Universities
Small steps — such as tracking accounts, limiting access and changing passwords regularly — can go a long way in keeping colleges and universities secure, says Ryan Gifford, a senior research analyst at Cloud Security Alliance.
“The risks associated with nonhuman identities are exactly the same as those with human ones; the key difference is familiarity,” says Quint Van Deman, senior principal in the Office of the CISO at Amazon Web Services. To manage this risk, IT leaders need to devote time and training to ensure staff know how to securely work with NHIs.
READ MORE: A comprehensive approach to security can ensure cyber resilience.
Most users today are aware that they shouldn’t give out their login credentials, but it might not be as obvious that an application programming interface (API) key or an access key — which can be used by nonhuman identities — are also types of login credentials. This unfamiliarity can lead to poor cybersecurity practices and exploited vulnerabilities.
The same holds true for permissions. As a security best practice, human users should be granted only the permissions necessary to get their jobs done. “The same approach needs to be taken with nonhuman identities, iterating toward least privilege through regular reviews and access analysis automation,” Van Deman says.
The tools and processes used to assess human identity risks in schools should also apply to nonhuman identities. Ideally, institutions should also provide blueprints and training for staff who deal with nonhuman identities to minimize risk.
82:1
Ratio of machine identities to humans1
Source: 1CyberArk, “2025 Identity Security Landscape,” May 2025
Conduct an NHI Risk Assessment and Manage User Permissions
Higher ed institutions can start assessing risk by taking inventory of every nonhuman account, says Gifford. This includes service accounts, device logins and application integrations, as well as what systems they access.
UP NEXT: Get the latest research on cybersecurity from CDW.
Then, IT professionals should review who owns these accounts, what privileges they have and whether they follow least privilege access guidelines. The biggest red flags are unused, shared or never-rotated nonhuman accounts. Every audit should ensure the identities on the network are appropriate and up to date.
Iyer recommends these best practices for institutions that want to secure NHIs:
- Implement the principle of least privilege. Grant each machine and human identity only the permissions necessary to perform its specific task. Access should be role-based and tied to a specific function.
- Automate credential management. Use a secrets management system to protect sensitive credentials such as API keys and certificates. Automate the rotation of these credentials to prevent them from becoming stale and exploitable. Avoid hard-coding credentials directly into applications.
- Manage the full lifecycle. Establish policies for the entire lifecycle of a machine identity, from automated provisioning to secure decommissioning. This is essential to prevent orphaned accounts, which are an easy target for attackers. Without the processes to expire, rotate and audit these identities, schools can run into the challenge of identity sprawl.
- Monitor continuously. Monitor the behavior of machine identities to detect unusual activity or potential threats.
- Ensure data privacy and compliance. AI agents interact with personally identifiable information, educational records and other sensitive data. Machine identities need governance that ensures agents don’t send data to external large language models.
For critical systems, implementing just-in-time access can also be an effective way to grant permissions for a specific task and limited period. This ensures access is automatically revoked afterward.
