Quarterly access reviews work because you can ask a manager whether someone still needs a permission. Non-human identity has no manager to ask. When access reviews reach the service accounts, CI runners, and agents, the reviewer stares at a row named svc-etl and clicks approve, because nobody can say what would break if they did not.
That is the whole problem with access reviews for non-human identity. The control assumes a human in the loop who understands the grant. Machines routinely outlive the humans who created their access, and the grant outlives both.
Why machine access defeats the usual review
Three patterns make a standing review useless for non-human identities:
- Orphaned grants. The engineer who created the token left. The grant stayed. No one will revoke it because no one knows what depends on it.
- Over-broad scope. A pipeline was given db_owner to ship faster on a deadline. It still has it. The review sees a checkbox, not the blast radius.
- No usage signal. The reviewer cannot see whether the account used its access yesterday or never. Without that, every review is a guess.
Make access reviews evidence-driven
A review is only as good as the evidence under it. For non-human identity, the evidence you want is simple: who is this principal, what can it reach, and what did it actually do. The third item is the one most teams cannot answer, and it is the one that turns a review from theater into a decision.
If you can see that svc-etl connected to exactly one database and ran three read queries last month, you can scope it down with confidence. If you cannot see anything, you rubber-stamp it.
There is a second-order benefit. Once access reviews run on real usage, they stop being a calendar ritual and start catching drift early. An account that suddenly reached a new system, or whose query volume jumped, shows up in the record between reviews, not a quarter later. Evidence-driven reviews shorten the window in which a stale or compromised non-human identity can operate unnoticed.
Govern the access path so the review has data
The architectural move is to put machine access through a control point that records it, rather than handing out standing credentials and hoping the review catches drift. That control point is the connection itself.
hoop.dev is an open-source gateway between identities and infrastructure. Service accounts and agents reach databases, clusters, and internal services through it, with access granted just in time and recorded at the command level. Every non-human identity becomes a named principal with a real usage history. When your access reviews come around, you are reading from a record of actual behavior, not a stale grant table.
Just-in-time access changes the review entirely. If a runner gets access only for the window it needs and the grant expires on its own, there is far less standing access left to review. The review shifts from "should this still exist" to "was this use appropriate," which is a question the record can answer. See how grants and approvals are modeled in the getting-started guide.
A practical sequence
- Route machine access to sensitive systems through the gateway so each connection is attributed and recorded.
- Replace standing credentials with just-in-time grants where the workload allows it.
- At review time, pull the per-principal record: what each non-human identity reached and ran, not just what it was permitted.
- Revoke anything with no usage and tighten scope on anything over-broad. The record tells you which is which.
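The evidence-driven review described above and the four-step sequence that ends here, as an added example that is not hoop.dev's code: a review routine that takes a grant table (what each principal is permitted) and a usage record (what each principal actually reached and ran), both constructed inline, and emits the revoke, tighten and drift findings the text describes. The Grant and Use types, the finding wording, the "first access" and "use after expiry" checks, and the three-times volume threshold are assumptions of this example, not anything the gateway defines.

```python
"""Evidence-driven access review for non-human identities.

Added example, not hoop.dev code. Assumes two inputs: a grant table and a
per-connection usage record. Both are constructed below.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Grant:
    principal: str
    target: str
    scope: frozenset                    # permitted actions on the target
    expires: Optional[datetime] = None  # None = standing credential, else a JIT grant


@dataclass(frozen=True)
class Use:
    principal: str
    target: str
    action: str
    at: datetime


def review(grants, record, period_start, period_end, volume_factor=3):
    """Return {principal: [finding, ...]} for one review period.

    Grants are judged against actual usage in the period; usage is judged
    against the principal's own earlier history (everything in `record`
    before period_start) so drift between reviews surfaces as well.
    """
    findings = defaultdict(list)
    in_period = [u for u in record if period_start <= u.at < period_end]
    history = [u for u in record if u.at < period_start]

    # 1. Each grant against what the principal actually did with it.
    for g in grants:
        used = [u for u in in_period
                if u.principal == g.principal and u.target == g.target]
        if not used:
            findings[g.principal].append(
                f"revoke {g.target}: no usage in review period")
            continue
        actions = {u.action for u in used}
        if g.scope - actions:  # permitted more than it exercised
            findings[g.principal].append(
                f"tighten {g.target}: used {sorted(actions)} of {sorted(g.scope)}")
        if g.expires is not None:
            late = [u for u in used if u.at >= g.expires]
            if late:  # record and grant table disagree: worth a look
                findings[g.principal].append(
                    f"investigate {g.target}: {len(late)} use(s) after grant "
                    f"expired {g.expires.isoformat()}")

    # 2. Usage that neither the grant table nor the principal's history explains.
    granted = {(g.principal, g.target) for g in grants}
    seen_before = {(u.principal, u.target) for u in history}
    had_history = {u.principal for u in history}
    prev_start = period_start - (period_end - period_start)  # equal-length window before
    prev_counts = Counter((u.principal, u.target) for u in history if u.at >= prev_start)
    cur_counts = Counter((u.principal, u.target) for u in in_period)
    for key in sorted(cur_counts):
        principal, target = key
        if key not in granted:
            findings[principal].append(
                f"investigate {target}: reached with no matching grant")
        elif key not in seen_before and principal in had_history:
            findings[principal].append(
                f"drift {target}: first access by this principal")
        prev = prev_counts[key]
        if prev and cur_counts[key] > volume_factor * prev:
            findings[principal].append(
                f"drift {target}: {cur_counts[key]} uses vs {prev} in the previous window")
    return dict(findings)


# Constructed sample data for the example (not real records).
T = datetime
GRANTS = [
    Grant("svc-etl", "orders-db", frozenset({"select", "insert", "update", "delete"})),
    Grant("svc-etl", "billing-db", frozenset({"select"})),
    Grant("svc-report", "analytics-db", frozenset({"select"})),
    Grant("ci-runner", "staging-k8s", frozenset({"deploy"}), expires=T(2024, 3, 10, 12)),
]
RECORD = [
    Use("svc-etl", "orders-db", "select", T(2024, 2, 12, 9)),        # history, before the period
    *(Use("svc-etl", "orders-db", "select", T(2024, 3, d, 9)) for d in (3, 4, 5, 6)),
    Use("svc-etl", "billing-db", "select", T(2024, 3, 20, 14)),      # target never reached before
    Use("ci-runner", "staging-k8s", "deploy", T(2024, 3, 10, 11)),   # inside the JIT window
    Use("ci-runner", "staging-k8s", "deploy", T(2024, 3, 15, 9)),    # after the grant expired
    Use("agent-support", "crm", "read", T(2024, 3, 22, 16)),         # no grant at all
]


def march_review():
    return review(GRANTS, RECORD, T(2024, 3, 1), T(2024, 4, 1))


if __name__ == "__main__":
    for principal, items in march_review().items():
        print(principal)
        for item in items:
            print("  -", item)
```

Running it prints one finding list per principal. Every decision comes from the record rather than the grant table: the never-used analytics-db grant is a revoke, orders-db is trimmed to the single action it exercised, and a target the principal had never reached before, a query volume that jumped, and a use after a just-in-time grant expired are all flagged without waiting for the next quarter. Replace the constructed lists with an export of whatever your gateway records and the same routine applies.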
This is the difference between an access review that shrinks risk and one that documents it. More on the identity-aware model is on the hoop.dev site.
FAQ
How often should we review non-human identity access?
As often as you review humans, at least. Machines change faster and leave no one to notice. Continuous usage data lets you review continuously instead of quarterly.
What is the most common finding?
Over-scoped service accounts that never used most of their permissions. Usage records make these obvious and safe to trim.
If your access reviews for machines are guesswork, give them real evidence. hoop.dev is open source. Read the gateway and the recording model on GitHub.