The Identities You Didn't Hire
Your security team built a beautiful identity program for the humans. They tuned conditional access. They rolled out passwordless. They run quarterly access reviews. And meanwhile, the machine-identity population in your tenant has quietly grown to outnumber the humans by 10 to 1 or more.
Each OAuth app consent. Each service principal. Each Copilot Studio bot, Power Automate flow, and custom agent. Each API key and workload identity. Each long-forgotten integration from a project that wrapped two reorgs ago. They all authenticate. They all hold permissions. Most of them persist long after the humans who created them have left the company.
Attackers know this. A service principal authenticating with a client secret or certificate never sees an MFA prompt, because the client-credentials flow has no interactive step to attach one to. Machine identities do not trigger sign-in risk policies tuned for human behavior. They do not generate impossible-travel alerts. They typically hold broader API permissions than any individual human. The 2025 to 2026 incident pattern in financial services and healthcare is, increasingly, a non-human identity story.
What We Govern
OAuth grants & app consents
Every third-party app any user has consented to against Microsoft 365, most of which the security team has never seen, many holding Microsoft Graph scopes such as Mail.ReadWrite or Files.ReadWrite.All.
Service principals & app registrations
Every API client and integration in Entra ID — including the ones provisioned by departed employees, retired projects, and dormant pilots.
Copilot Studio & Power Platform agents
Every bot, flow, and agent identity created through low-code tooling — typically the largest single source of unaudited NHIs in mature tenants.
API keys & workload identities
Azure managed identities, Key Vault secrets, certificate credentials on app registrations, GitHub Actions OIDC federated credentials, and the long tail of CI/CD service accounts.
The Methodology — Discover, Classify, Lifecycle, Monitor
Discover
Defender for Cloud Apps OAuth and shadow-IT discovery. Entra ID enterprise application inventory. Power Platform admin center agent inventory. Manual sweeps of CI/CD pipelines and Azure subscriptions. Output: a single registry of every non-human identity in the tenant.
Classify
Each NHI tagged by sensitivity (high, medium, low), business owner, last-used date, and access scope. Risk-tier register produced. Auto-expire candidates flagged.
Lifecycle
Entra ID Governance access reviews configured for every high-sensitivity NHI. Conditional Access for workload identities (a separately licensed Entra feature, Workload ID Premium, that most tenants have never enabled). Auto-expiry policies for unused service principals. Least-privilege scope reductions executed.
Monitor
Sentinel detection rules for anomalous machine-identity behavior. Purview DLP egress monitoring. Defender alerts on new OAuth grants over policy thresholds. Quarterly re-certification cadence locked in.
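The Classify and Monitor steps above, run against a constructed inventory as an added example in Python. This is not EPC Group's tooling or any Microsoft SDK: the records imitate the shape of Microsoft Graph servicePrincipal, oauth2PermissionGrant and directoryAudit "Consent to application" objects but are constructed inline so the script runs offline, and the tier rules, the 90-day stale window and the HIGH_RISK_SCOPES threshold are assumptions a real tenant would tune.

```python
"""Added example (not EPC Group's tooling): risk-tier a constructed NHI inventory
and flag new OAuth consents whose scopes cross a policy threshold."""
from datetime import datetime, timedelta, timezone

# Assumed policy threshold; the first two scopes are the ones the page names.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}
STALE_AFTER = timedelta(days=90)                      # assumed auto-expiry window
NOW = datetime(2026, 1, 15, 12, tzinfo=timezone.utc)  # fixed clock for stable output

# Constructed inventory in Graph servicePrincipal shape (signInActivity on service
# principals is a beta-endpoint property in the real API).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "HR Mail Sync", "owners": ["alice@contoso.example"],
     "signInActivity": {"lastSignInDateTime": "2026-01-10T08:00:00Z"}},
    {"id": "sp-2", "displayName": "Old BI Pilot", "owners": [],
     "signInActivity": {"lastSignInDateTime": "2025-03-02T11:30:00Z"}},
    {"id": "sp-3", "displayName": "Copilot Studio Agent", "owners": ["bob@contoso.example"],
     "signInActivity": {}},                           # never signed in
]
# Constructed oauth2PermissionGrant records; consentType AllPrincipals == tenant-wide.
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "scope": "Mail.ReadWrite User.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "scope": "Files.ReadWrite.All"},
    {"clientId": "sp-3", "consentType": "Principal", "scope": "User.Read"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def classify(sp: dict, grants: list, now: datetime = NOW) -> dict:
    """Tag one NHI with tier, owner, last-used age, scopes and an auto-expire flag."""
    mine = [g for g in grants if g["clientId"] == sp["id"]]
    scopes = {s for g in mine for s in g["scope"].split()}
    tenant_wide = any(g["consentType"] == "AllPrincipals" for g in mine)
    last = sp.get("signInActivity", {}).get("lastSignInDateTime")
    age_days = (now - parse_ts(last)).days if last else None
    stale = age_days is None or age_days > STALE_AFTER.days   # never used counts as stale

    risky = scopes & HIGH_RISK_SCOPES
    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if tenant_wide:
        reasons.append("tenant-wide consent")
    if not sp["owners"]:
        reasons.append("no owner")
    if stale:
        reasons.append("unused > %d days" % STALE_AFTER.days)
    tier = "high" if risky or tenant_wide else ("medium" if stale or not sp["owners"] else "low")
    return {"id": sp["id"], "name": sp["displayName"], "tier": tier,
            "owner": sp["owners"][0] if sp["owners"] else None,
            "last_used_days": age_days, "scopes": sorted(scopes),
            "auto_expire": stale, "reasons": reasons}


def build_register(sps=SERVICE_PRINCIPALS, grants=GRANTS, now=NOW) -> list:
    """Risk-tier register, highest exposure first (stable sort keeps input order within a tier)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((classify(sp, grants, now) for sp in sps), key=lambda r: order[r["tier"]])


# Constructed directoryAudit events. In real logs the granted scopes appear inside the
# ConsentAction.Permissions modified property as a "Scope: ..." field; the string
# layout here is a simplified imitation of that.
AUDIT_EVENTS = [
    {"activityDisplayName": "Consent to application", "initiatedBy": "carol@contoso.example",
     "targetResources": [{"displayName": "PDF Helper", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [[Id: 1, Scope: Mail.ReadWrite Files.ReadWrite.All, ConsentType: Principal]]"}]}]},
    {"activityDisplayName": "Consent to application", "initiatedBy": "dave@contoso.example",
     "targetResources": [{"displayName": "Calendar Widget", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions", "newValue": "[] => [[Id: 2, Scope: User.Read]]"}]}]},
    {"activityDisplayName": "Update application", "initiatedBy": "erin@contoso.example",
     "targetResources": [{"displayName": "Billing API", "modifiedProperties": []}]},
]


def over_threshold_grants(events=AUDIT_EVENTS) -> list:
    """Monitor step: new consents whose granted scopes cross the policy threshold."""
    hits = []
    for ev in events:
        if ev["activityDisplayName"] != "Consent to application":
            continue
        for res in ev["targetResources"]:
            for prop in res["modifiedProperties"]:
                if prop["displayName"] != "ConsentAction.Permissions" or "Scope:" not in prop["newValue"]:
                    continue
                tail = prop["newValue"].split("Scope:", 1)[1]       # text after the Scope field
                tail = tail.split(",", 1)[0].split("]", 1)[0]        # stop at next field or bracket
                risky = set(tail.split()) & HIGH_RISK_SCOPES
                if risky:
                    hits.append({"app": res["displayName"], "by": ev["initiatedBy"],
                                 "scopes": sorted(risky)})
    return hits


if __name__ == "__main__":
    for row in build_register():
        print(row["tier"].upper(), row["name"], row["reasons"])
    for hit in over_threshold_grants():
        print("ALERT", hit)
```

Against a live tenant the same three shapes come from Microsoft Graph (`/servicePrincipals` with `signInActivity`, `/oauth2PermissionGrants`, `/auditLogs/directoryAudits`); the classification logic does not change, only the source. Note that a never-signed-in identity is treated as stale rather than unknown, which is the conservative choice when the goal is an auto-expire candidate list.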
How We Engage — Three Fixed-Fee Tiers
NHI Discovery & Exposure Report
~2 weeks · Fixed-fee
Full machine-identity inventory across Entra ID, Power Platform, Defender for Cloud Apps, Azure, and CI/CD. Risk-tiered NHI register. Top-25 high-exposure findings with remediation priority. Executive readout.
Identity Governance Deployment
30–45 days · Fixed-fee
Entra ID Governance access reviews configured. Conditional access for workload identities. Auto-expiry workflows. Sentinel detection rules. Purview egress DLP for AI data flows. Documented lifecycle owners for every high-sensitivity NHI.
Managed Identity Hygiene
Quarterly · Consulting Block
Quarterly NHI re-certification. New-NHI onboarding through the governance framework. Annual identity-security audit. Regulatory readiness reporting (HIPAA, FINRA, FedRAMP, SOC 2, CMMC).
Compliance Tie-In
NHI governance maps directly to the audit questions that land regulated enterprises in trouble:
- HIPAA: who has access to PHI, including non-human accounts; quarterly review evidence.
- FINRA & SOC 2: privileged access management evidence for machine accounts; least-privilege attestation.
- FedRAMP & CMMC: NIST SP 800-53 AC-2 (Account Management) covers every account type, system and service accounts included, and AC-3 (Access Enforcement) applies to them exactly as it does to human accounts; CMMC Level 2 inherits the equivalent NIST SP 800-171 access-control practices, which expect the same account lifecycle discipline.
- GxP & EU AI Act: audit-ready evidence of what each agent identity accessed, when, and under what authorization.
- U.S. critical infrastructure direction: proposed legislation explicitly raises machine-identity governance as a control requirement for designated critical sectors.
Why EPC Group
Native Microsoft stack expertise
EPC Group runs identity programs across the full Microsoft estate every week. Entra ID Governance, Defender for Cloud Apps, Purview, Sentinel, Conditional Access, Privileged Identity Management — not a security boutique with Microsoft as one of many platforms.
Compliance-native delivery
11,000+ engagements with zero governance audit failures across HIPAA, SOC 2, FedRAMP, FINRA, CMMC, GxP. The controls and the evidence packaging are built into the engagement, not retrofitted.
Senior-architect-led
A named senior architect on every Statement of Work. No junior consultants substituted in. No offshore handoff. Six U.S. office locations — Houston, Dallas, Chicago, San Antonio, Washington D.C., Kansas City.
Fixed-fee transparency
Three published tiers — Discovery, Deployment, Hygiene — never hourly rates. Buyer knows what they are paying for and what they get.
#1 SEMrush AI Brand Performance Index
3.4% AI share of voice and 84% favorable sentiment in U.S. Microsoft consulting — ahead of every named global system integrator.
29 years on the Microsoft stack
All six current Microsoft Solutions Partner Designations. G2 Leader for six consecutive quarters in Business Intelligence Consulting. Founder Errin O'Connor is a four-time Microsoft Press bestselling author.
Frequently Asked Questions
What is a non-human identity (NHI)?
A non-human identity is any account, credential, or principal that authenticates without a human at the keyboard. Examples include OAuth app consents, Microsoft Entra service principals and app registrations, Copilot Studio and Power Platform agent identities, workload identities, managed identities, API keys, certificate credentials, and SCIM provisioning accounts. AI tools spawn NHIs at machine speed; most enterprises now have 10 to 50 NHIs for every human user, with the ratio still climbing.
How many NHIs does a typical tenant have?
Mid-market enterprises typically discover between 5,000 and 25,000 NHIs in their first audit. Fortune 500 tenants regularly exceed 100,000. EPC Group has run discovery engagements that found more than 8 times the count the security team estimated — typically because Power Platform, Copilot Studio, and OAuth app consents from line-of-business adoption were never centrally counted.
Does Microsoft Entra ID cover NHI governance out of the box?
The controls exist; the configuration and lifecycle discipline rarely do. Entra ID Governance handles access reviews and lifecycle workflows. Defender for Cloud Apps discovers OAuth grants and shadow integrations. Microsoft Purview catches data egress. Sentinel detects anomalous machine-identity behavior. Putting all four together with codified lifecycle rules and named owners is the work EPC Group does on engagements.
Why are non-human identities the preferred attacker target now?
Because a service principal authenticates with a secret or certificate rather than an interactive sign-in, there is no MFA prompt to satisfy, no impossible-travel alert to trip, and no sign-in risk policy tuned for human behavior to catch it. Machine identities persist after the humans who created them leave the company, and they typically hold broader API permissions than any individual human. Attackers know this, and the 2025 to 2026 incident pattern across financial services and healthcare confirms it.
How does this connect to agentic AI governance?
Every AI agent is a non-human identity. Without NHI governance, your Agentic AI Governance program is a paper exercise — you cannot enforce least-privilege on agents you have not inventoried, and you cannot suspend an agent identity you cannot see. EPC Group typically deploys NHI Discovery before or in parallel with the Agentic AI Governance framework.
Which industries benefit most?
Compliance-heavy industries: HIPAA-regulated healthcare, FINRA and SOC 2 financial services, FedRAMP and CMMC government and defense, GxP life sciences. But every industry running Microsoft 365 with Copilot or Power Platform adoption benefits — manufacturing, energy, education, retail, technology, and beyond. The audit questions are the same; the regulatory overlay changes.
Start with the NHI Discovery & Exposure Report
Two weeks. Fixed fee. Every machine identity in your tenant, classified by risk. The top-25 high-exposure findings with named remediation owners. Email first.