Service accounts and agent credentials already outnumber the people in most organisations, and almost none of them are governed. The control point is not the login. It is the authority to act at the moment of execution.
Non-human identities (service accounts, application programming interface keys, and the credentials handed to autonomous agents) now outnumber human staff in most organisations and are barely governed. I argue that the real control point is not who logs in, but what authority exists at the moment an action executes, captured in a signed record that can be verified offline.
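To make the thesis concrete, here is an added example (not code from the article or from mickai.co.uk) of what "authority at the moment of execution, captured in a signed, offline-verifiable record" can look like in practice. The `AuthorityRecord` format, its field names and the `Authorize` check are assumptions constructed for this illustration; the signing uses Go's standard-library Ed25519. The issuer signs a narrow grant (one subject, one action, one resource, a validity window, a nonce), and the executing service verifies that grant with nothing but the issuer's public key and a clock. Tampering with any field, presenting the grant for a different action, or using it after expiry is rejected, without a session store or a call back to an identity provider.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthorityRecord is a hypothetical grant format constructed for this example.
// It states which non-human identity may perform which single action on which
// resource, and for how long. Nothing about a login session appears here.
type AuthorityRecord struct {
	Subject   string `json:"sub"`   // service account or agent identity
	Action    string `json:"act"`   // the one action being authorised
	Resource  string `json:"res"`   // the target the action applies to
	NotBefore int64  `json:"nbf"`   // unix seconds
	ExpiresAt int64  `json:"exp"`   // unix seconds
	Nonce     string `json:"nonce"` // unique per grant; ties the signature to this grant
}

// SignedAuthority carries the record plus a detached Ed25519 signature over its
// canonical encoding.
type SignedAuthority struct {
	Record    AuthorityRecord
	Signature []byte
}

// canonical returns the bytes that get signed. encoding/json writes struct fields in
// declaration order with no whitespace, so this is deterministic for a fixed struct.
func canonical(r AuthorityRecord) ([]byte, error) {
	return json.Marshal(r)
}

// Issue is performed by the authority holding the private key, ahead of execution.
func Issue(priv ed25519.PrivateKey, r AuthorityRecord) (SignedAuthority, error) {
	msg, err := canonical(r)
	if err != nil {
		return SignedAuthority{}, err
	}
	return SignedAuthority{Record: r, Signature: ed25519.Sign(priv, msg)}, nil
}

var (
	ErrBadSignature = errors.New("authority: signature does not verify")
	ErrNotYetValid  = errors.New("authority: grant not yet valid")
	ErrExpired      = errors.New("authority: grant expired")
	ErrMismatch     = errors.New("authority: grant does not cover this subject/action/resource")
)

// Authorize is the check at the moment of execution. It needs only the issuer's public
// key, the presented grant, the attempted action and the current time: no network call,
// no session lookup. Signature is checked first so a tampered record never reaches the
// policy comparison.
func Authorize(pub ed25519.PublicKey, sa SignedAuthority, subject, action, resource string, now time.Time) error {
	msg, err := canonical(sa.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sa.Signature) {
		return ErrBadSignature
	}
	t := now.Unix()
	if t < sa.Record.NotBefore {
		return ErrNotYetValid
	}
	if t >= sa.Record.ExpiresAt {
		return ErrExpired
	}
	r := sa.Record
	if r.Subject != subject || r.Action != action || r.Resource != resource {
		return ErrMismatch
	}
	return nil
}

// newNonce returns a random hex string so two otherwise identical grants never share bytes.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	grant, _ := Issue(priv, AuthorityRecord{
		Subject: "svc-billing-exporter", Action: "s3:GetObject", Resource: "reports/2024-q3.csv",
		NotBefore: now.Unix(), ExpiresAt: now.Add(5 * time.Minute).Unix(), Nonce: newNonce(),
	})
	// Same grant, presented for the action it covers and then for one it does not.
	fmt.Println("covered:", Authorize(pub, grant, "svc-billing-exporter", "s3:GetObject", "reports/2024-q3.csv", now))
	fmt.Println("other action:", Authorize(pub, grant, "svc-billing-exporter", "s3:DeleteObject", "reports/2024-q3.csv", now))
}
```

The design choice worth noting is that the grant names one action on one resource rather than granting a role; the executing service compares the attempted action against the record, so an agent holding a valid grant for a read cannot reuse it for a delete, and the record itself is the audit artefact.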
Originally published on mickai.co.uk. This is a cross-post; the canonical version, with the full body, footnotes and references, lives on the mickai.co.uk article page.