
Non-Human Identity (NHI)

The security-industry umbrella term for identities that belong to machines, services, workloads, and AI agents — everything that authenticates but isn't a person. Agent identities are a specialization of NHI.

Also called: NHI, machine identity, workload identity

What non-human identity covers

Non-human identity (NHI) is the category that security teams use for everything that authenticates without a human behind the keyboard — service accounts, CI runners, workload identities (AWS IAM roles, GCP service accounts), API keys, SSH keys, and increasingly AI agents. All of these are identities in the sense that they can take actions against systems, but none of them have a person to remember a password, pass a captcha, or respond to an MFA prompt.

The security industry began treating NHI as a first-class concern around 2023 because the number of non-human identities in a typical enterprise had grown to outnumber human identities by 20-to-1 or more. Most breaches at this point involve a compromised non-human identity somewhere in the chain. Gartner, CISA, and OWASP all publish NHI-specific guidance now.

Where AI agents fit in the NHI taxonomy

AI agents are a recent NHI subtype with distinctive characteristics. Unlike a traditional service account, an agent can reason, improvise, and take open-ended actions; it's not bound to a fixed set of operations. Unlike a workload identity, an agent spawns and retires on the timescale of minutes to hours, not weeks to months. And unlike either, an agent is typically scoped to act on behalf of one specific human or one specific task — the attribution chain matters more than for most other NHIs.

This makes the NHI tooling inherited from the pre-agent era — secrets managers, identity providers, service account controllers — an awkward fit. An agent has needs the tooling didn't anticipate: it needs to receive email, pass MFA challenges, and propagate delegation to sub-agents, none of which fit cleanly into IAM's model.

Why agents need NHI tooling designed for them

Traditional NHI governance assumes the identity is a dumb principal: a key, a cert, maybe a short-lived token. Governance is about who can mint and rotate those credentials and how to detect anomalies in their use. Agents violate the dumb-principal assumption — the agent itself decides, in real time, what actions to take, and those decisions include whether to ask for credentials, send email, or spawn sub-agents.

The implications: you can't just give an agent an IAM role and walk away. The agent needs a scoped credential vault it reads on demand, an email address it receives on, a TOTP store for login flows, and a delegation chain that cascades revocation. This is where agent identity (a specialization of NHI) diverges from service-account-style NHI.
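As an added illustration of the delegation chain and cascading revocation described above (a constructed model, not Loomal's code or API; the `Principal` and `DelegationChain` names and the scope strings are assumptions), the sketch below keeps a human principal at the root, lets agents mint sub-agents only with a subset of their own scopes and a short lifetime, and re-walks the chain on every authorization so that revoking or expiring any link cuts off everything beneath it:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Principal:
    name: str
    parent: Optional[str]           # None only for the human root
    scopes: frozenset
    expires_at: Optional[datetime]  # None for the human root; agents are short-lived
    revoked: bool = False


class DelegationChain:
    """Toy registry: one human root, agents and sub-agents delegated below it."""

    def __init__(self) -> None:
        self._principals: Dict[str, Principal] = {}

    def register_human(self, name: str, scopes) -> None:
        self._principals[name] = Principal(name, None, frozenset(scopes), None)

    def delegate(self, parent: str, child: str, scopes, ttl: timedelta, now: datetime) -> None:
        """Mint a child identity. Scopes may only narrow, never widen."""
        p = self._principals[parent]
        scopes = frozenset(scopes)
        if not scopes <= p.scopes:
            raise PermissionError(f"{child} requests scopes outside {parent}'s grant")
        self._principals[child] = Principal(child, parent, scopes, now + ttl)

    def revoke(self, name: str) -> None:
        # Flagging one link is enough: authorize() re-walks the chain on every
        # call, so everything delegated beneath this identity is cut off too.
        self._principals[name].revoked = True

    def authorize(self, name: str, scope: str, now: datetime) -> Optional[List[str]]:
        """Return the attribution chain root -> caller if allowed, else None."""
        cur = self._principals.get(name)
        if cur is None or scope not in cur.scopes:
            return None
        chain: List[str] = []
        while cur is not None:
            if cur.revoked or (cur.expires_at is not None and now >= cur.expires_at):
                return None  # a dead link anywhere in the chain denies the action
            chain.append(cur.name)
            cur = self._principals[cur.parent] if cur.parent else None
        return list(reversed(chain))
```

Every allowed action comes back with its full chain (for example `["alice", "agent-1", "sub-1"]`), which is the attribution record a reviewer would want in the audit log.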

How Loomal positions in the NHI landscape

Loomal provides the agent-specific NHI primitives that general NHI tools don't. It's not a replacement for your secrets manager or IAM system — it's the layer above them that an AI agent actually interacts with. The agent reads credentials from its vault, sends and receives mail under its identity, completes 2FA via its TOTP store, and operates within a delegation chain that ties every action back to a human principal.

You still use AWS IAM for your workloads, HashiCorp Vault for your infrastructure secrets, and Okta for your humans. Loomal sits alongside them for the one NHI subtype those systems weren't designed for: the autonomous agent.

Loomal primitives

identity.whoami, vault.get, identity.sign


Last updated: 2026-04-14