RSAC 2025: How Workday Implemented NHI Security

Danielle Guetta May 26, 2025

AI might be dominating the headlines, but at this year’s RSA Conference, one theme rose to the top – non-human identities. In a joint session, Astrix CEO Alon Jackson and Workday’s Director of Identity Security, Albert Attias, explored how the rise of autonomous systems is transforming the identity landscape – and how Workday built their NHI security program for the AI era.

Welcome to the era of Artificial Identities

Alon kicked off the session by reframing the current identity security conversation. While AI takes center stage, there’s a quieter revolution happening under the hood – AI agents and automations acting on our behalf. These “virtual employees,” as Alon calls them, now carry out tasks from writing code and sending emails to managing production workflows.

And these AI-driven automations aren’t just scripts – they’re learning, evolving, and choosing their own tools. “That’s what makes this moment so exciting, and so risky,” said Alon. “We’ve entered a world where you can’t treat these agents like static processes. You have to treat them like identities.”

The problem? Unlike human employees, these identities can’t be held accountable. They don’t log in with a face or fingerprint. And when something goes wrong – an API key exposed, a token misused – there’s no one to blame. “We’ve seen breaches where a single key, a single overlooked NHI, led to billions of records leaking,” said Alon.

Real-world lessons from Workday

Albert then took the stage to share how Workday has been tackling this problem for over three years, well before most organizations started using the term “NHI.”

“We had mature controls around human identities,” he explained, “but there were blind spots: OAuth tokens, personal access tokens, random service accounts no one remembered creating.” The team quickly realized that visibility was the foundation. “You can’t manage what you don’t know exists.”

Workday’s journey started with discovery: mapping out every service account, token, and credential across SaaS apps, cloud environments, and code repos. The goal wasn’t just to see them – it was to bring them back under human ownership and apply lifecycle management.

That included onboarding processes, expiration rules, and deprovisioning – everything we expect for human users, now extended to their digital counterparts.

The human behind the non-human

Alon pointed out an important nuance: every NHI is tied to a human – someone created it, approved it, or benefits from it. “But when that human leaves or forgets about it, the NHI keeps living, and that’s where the risk creeps in.”

Albert echoed this with a common scenario: an engineer leaves, but the service account they owned – called something like svc-10.23 – remains active. “No one knows what it does. And no one wants to delete it in case it breaks something.”

That operational fear, combined with lack of ownership, leads to what Albert calls “zombie credentials” – undead NHIs with dangerous permissions and no oversight.

Third-party risks and the AI multiplier

As AI accelerates, NHIs are becoming more autonomous, more connected – and harder to track. “Generative AI agents are really just clusters of NHIs,” Alon explained. “They connect to Salesforce, GitHub, cloud environments, often with powerful permissions.”

And many of these identities belong to third-party vendors. “It’s not just about who you trust – it’s about how they behave,” said Alon. Workday, for instance, avoided a potential supply chain attack by proactively removing an unapproved integration before the vendor was breached.

“Security teams are used to thinking in response mode,” said Albert. “But with NHIs, prevention becomes possible – and necessary.”

Astrix as the NHI control plane

So how do you actually manage this complexity? Alon described Astrix as “an Active Directory for non-human identities” – a central place to see, understand, and govern all NHIs across the enterprise.

It’s not just visibility. It’s behavior analysis, anomaly detection, ownership mapping, and secure access enforcement. Think MFA and VPNs, but for agents and tokens, not just humans.

Albert highlighted Astrix’s impact on Workday’s security posture: “We use it to track every NHI’s lifecycle, tie it to a human owner, and ensure permissions stay in check.”

Looking ahead: governance, automation, and KPIs

Governance is still catching up to this new reality. As Albert put it, “No one’s reporting to the board that they’ve got a billion NHIs – it’s about showing how you control them.” That means setting success metrics, like reduction of unknown tokens, increase in owned NHIs, or faster deprovisioning cycles.

He also hinted at the next frontier: access certifications for NHIs. “Yes, I said it,” he laughed. “But we need to start validating if these identities are still in use, who owns them, and what business need they serve.”
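
An added example (not from the session, Workday, or Astrix): a minimal access-certification pass over an NHI inventory that asks the three questions above (is it still in use, who owns it, what business need does it serve), flags the "zombie credentials" described earlier, and reports an ownership KPI. The inventory, field names, HR roster and 90-day staleness threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data for illustration; not real Workday or Astrix records.
TODAY = date(2025, 5, 26)
ACTIVE_EMPLOYEES = {"dana", "lee"}  # assumed export from an HR roster
INVENTORY = [
    {"id": "svc-10.23", "type": "service_account", "owner": "sam",
     "last_used": date(2025, 5, 20), "purpose": ""},
    {"id": "gh-pat-ci", "type": "personal_access_token", "owner": "dana",
     "last_used": date(2025, 5, 25), "purpose": "CI builds"},
    {"id": "oauth-crm-sync", "type": "oauth_token", "owner": None,
     "last_used": date(2024, 11, 2), "purpose": ""},
    {"id": "svc-reporting", "type": "service_account", "owner": "lee",
     "last_used": date(2025, 1, 3), "purpose": "nightly reports"},
]

def certify(nhi, active, today, stale_days=90):
    """Return the certification findings for one NHI record."""
    findings = []
    if nhi["owner"] is None:
        findings.append("unowned")
    elif nhi["owner"] not in active:
        findings.append("orphaned")  # owner left, credential lives on
    if (today - nhi["last_used"]).days > stale_days:
        findings.append("stale")     # assumed threshold: 90 days unused
    if not nhi["purpose"]:
        findings.append("no_business_need")
    return findings

def review(inventory, active, today):
    """Certify every NHI and compute ownership / review-backlog KPIs."""
    report = {n["id"]: certify(n, active, today) for n in inventory}
    owned = sum(1 for n in inventory if n["owner"] in active)
    kpis = {"owned_pct": round(100 * owned / len(inventory)),
            "needs_review": sum(1 for f in report.values() if f)}
    return report, kpis

if __name__ == "__main__":
    report, kpis = review(INVENTORY, ACTIVE_EMPLOYEES, TODAY)
    for nhi_id, findings in report.items():
        print(f"{nhi_id:16} {', '.join(findings) or 'certified'}")
    print(kpis)
```

In this sample, svc-10.23 is flagged as orphaned even though it was used six days earlier: recent activity alone does not certify an identity whose owner has left.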

Final Takeaways

  • Visibility first
    You can’t reduce risk if you don’t know what exists.
  • Treat NHIs like employees
    Onboarding, ownership, offboarding, and monitoring all matter.
  • Automation ≠ predictability
    AI agents act independently, so security needs to be dynamic.
  • Vaults are helpful – but not enough
    Secrets may live in a vault, but copies can still roam free.
  • Prevention is power
    Securing NHIs proactively reduces both incident volume and impact.

Alon wrapped it up best: “The AI wave is here, and NHIs are the glue holding those processes together. If you’re not managing them, you’re not securing your enterprise.”
