Three years ago, five of my VC friends encouraged me to start my own NHI security company with substantial amounts of seed funding. To them, with my experience in #IdentitySecurity, having led #secretsmanagement at CyberArk, workloads and servers IAM at IBM, I had a natural founder-market fit. I declined all five of them.
The Flaw in the General "NHI" Approach
My thesis back then was somewhat simple. The NHI moniker is far too broad and fraught with diverse, fragmented use cases. The problem to solve there begins with solving it well for machines - for workloads, for servers, for endpoints, for serverless systems. And I think our friends at Gartner, CyberArk, SailPoint and many other industry visionaries would agree with me. Most NHI startups back then were largely offering solutions to discover, manage, secure and detect service accounts, tokens, certificates and the like. And now many of them are pivoting to agentic identity security. There are so many problems yet to be solved in the machine identity space and the noise is just resulting in many of them losing focus. And focus is what solves real world problems.
The Importance of Focus: Machines vs. Agents
Agents, to me, are an entirely different constituency of identities in the modern enterprise. Today, we have a wide array of identities in the human space across employees, contractors, customers, etc. The spectrum of identities in the machine space spans across workloads, servers, endpoints, etc. Similarly, we should expect to see a considerable specialization and broad spectrum of identities in the Agents space. Lumping them under a moniker, indiscriminately called NHI is unfortunately not doing Agents justice, nor does it solve the problem for customers in this market.
The Diversity of the Agent Lifecycle
Interestingly, this is the topic du jour - I’ve had this same conversation 1-1 with industry visionaries and experts like Phil Venables, Manoj Apte, Kevin Skapinetz, Kashyap Ivaturi and others in the last two weeks. The first step to solving the identity security problem is to understand how the identities ‘live out’ their existence in the enterprise. There will be ephemeral agents. There will be persistent agents. There will be highly specialized sales agents dealing with specific tasks. There will be multi-agent systems achieving complex outcomes. There will be agents inside the walled gardens of SaaS. There will be agents inside Workflow and Agent builders. There will be agents built by developers and deployed in IaaS. There will be Langraph agents, CrewAI agents. And there will be agents that exist on the endpoint, and in the browser.
Solving for a New Era of Identity Security
The answer to solving the agentic identity security problem is not reducing them to service accounts, secrets and certificates. The answer is to treat them as a new constituency, a constituency that has never before existed in the history of #moderncomputing. And with every new constituency, comes complexity and diversity of use cases.
