Key Takeaways

  • The new integration introduces a shared control plane for non-human and AI identities across cloud and SaaS environments.
  • Rising machine-to-machine traffic and unmanaged AI agents are driving identity risks that traditional security tools have struggled to cover.
  • Industry research and security frameworks highlight why lifecycle governance combined with inline enforcement is becoming a strict priority for enterprise security teams.

The announcement from Oasis Security and Zscaler arrives at a moment when many enterprises are trying to understand how machine and AI-driven identities fit into their Zero Trust strategies. Most teams built those strategies around people, not workloads or agents. That gap has been widening as service accounts, API keys, OAuth tokens, secrets, and AI agents multiply across environments. It raises an obvious question: who actually governs these identities once they start interacting with sensitive systems?

In the integration released on June 10, 2026, Oasis Security connects its Non-Human Identity Management and Agentic Access Management capabilities directly into the Zscaler Zero Trust Exchange platform. This forms a shared identity and enforcement layer that covers traffic from Active Directory accounts, workloads, applications, AI agents, and MCP servers. Zscaler provides inspection and inline policy enforcement across traffic paths, while the identity management layer supplies context like ownership, creation source, access rights, and lifecycle status. It creates a loop of ownership that has historically been missing in enterprise architecture.

Most enterprise identity inventories were never designed to handle hundreds of thousands of non-human objects. As a result, they accumulate stale credentials and abandoned service accounts. Industry data shows why this matters. The Verizon DBIR 2024 report notes that more than 77% of basic web application attacks involve credentials. Many come from automated traffic and API misuse. Similarly, the IBM Cost of a Data Breach 2023 study places stolen or compromised credentials as the most common breach entry point, tying directly back to weak identity governance.

A different angle comes from Gartner, which has forecast that machine identities will outnumber human identities by at least three to one by 2027. This trend alone helps explain why more security teams are prioritizing identity-centric controls. When most connections occur without a human behind them, policies that rely solely on user authentication or endpoint trust start to lose effectiveness. That gap is further complicated by AI agents that frequently appear on endpoints with broad access and hardcoded secrets.

The integration lets joint customers discover non-human identities across cloud, SaaS, and on-premises systems, including AI agents and MCP servers identified through the inspection layer. The identity platform then applies ownership mapping and risk scoring. This is followed by lifecycle actions like rotating secrets, narrowing scopes, or decommissioning unused identities. Finally, Zscaler enforces those decisions inline on every connection, establishing a feedback loop where identity informs policy and policy governs identity decisions.

While vendors like CyberArk, Delinea, and BeyondTrust handle privileged access and machine identity elements, those tools primarily focus on vaulting or privilege elevation workflows. The new integration instead targets full lifecycle governance for non-human and AI identities. Linking lifecycle insights directly to an enforcement path strengthens an organization's ability to govern these connections continuously rather than relying on point-in-time audits.

Research bodies and standards groups have also been expanding guidance. The NIST Zero Trust Architecture document SP 800-207 and the NIST Digital Identity Guidelines SP 800-63 both highlight identity-centric controls and continuous verification. While those documents originally focused on human users, the industry increasingly interprets them as relevant for machine and application identities as well. Integrating these frameworks directly into operational tooling reduces the burden on security teams to interpret and enforce them manually.

Not every organization feels the urgency at the same pace. Smaller teams sometimes assume that a handful of service accounts does not justify added governance. However, this assumption often changes once they discover how many keys and tokens their automation pipelines generate over time. Many enterprises, particularly those using multi-cloud and SaaS platforms, find that identity sprawl accelerates rapidly as developers increasingly rely on agents and API-driven automation for daily tasks.

Another ongoing challenge is tool fragmentation. Security teams frequently switch between IAM consoles, cloud provider dashboards, API gateways, and privileged access tools. Each system generates identities, but few provide a unified view. The joint solution presents a break from that pattern, reflecting a consolidation trend that analysts have predicted for several years. While identity unification is an established concept, the explosive growth of machine and AI identities forces the transition to happen faster.

Operational questions remain for organizations adopting these architectures. Security leaders must evaluate how quickly they can map ownership for thousands of existing service accounts, how AI agent identities will evolve alongside increasingly autonomous workflows, and whether teams will treat non-human lifecycle events with the same rigor applied to employee onboarding and offboarding. These challenges require systemic solutions, driving demand for unified governance and enforcement platforms.

The integration is available immediately, giving joint customers an option to link enforcement and governance in a way that addresses current machine identity risks. It demonstrates how Zero Trust architectures must adapt as automation and AI become deeply embedded in enterprise workflows. The combination of inspection, identity context, and lifecycle actions establishes a necessary baseline for enterprises looking for practical ways to manage the rapid growth of machine-to-machine traffic.

In a fast-moving environment where AI-driven systems continually appear in unexpected network segments, establishing clear oversight is critical for mitigating hidden operational risks. Non-human identity governance has decisively shifted from a specialized niche to a mainstream enterprise requirement, and security stacks must adapt to a fundamentally new identity landscape.