The broad digital landscape in recent years has seen a massive increase in non-human identities (NHIs), including API and access keys, service accounts, OAuth tokens, and AI agents. These identities now outnumber human users by 100 to 1, introducing outsized risk within enterprise environments. Traditional identity and access management (IAM) architectures were not designed with NHIs in mind, and consequently are unable to discover, govern, or revoke machine credentials at scale. The 2023 Microsoft Exchange Online breach, which compromised 22 organizations and hundreds of individuals globally via exploitation of a machine identity, served as a pre-agentic harbinger of NHI-related threats to come.
Why Agentic AI Turned a Gap Into a Crisis
The IAM gap caused by widespread proliferation of NHIs already existed prior to the rise of AI agents, but agentic AI technology has massively exacerbated the issue. AI agents are granted broad, persistent permissions and privileges within internal systems and third-party services by design, giving them the ability to carry out a wide range of actions and access significant amounts of sensitive data.
Execution at machine speed means that compromised agentic credentials can cause damage much faster than suspicious or harmful activity can be detected by a human. Shadow agents—unsanctioned deployments outside of IT visibility—compound the governance deficit, creating additional areas of sensitive activity that cannot be effectively visualized and monitored.
Astrix’s Bet and the Category it Built
NHI security startup Astrix Security was founded in 2021, before NHI security was a recognized category, and was iterated from software-as-a-service (SaaS) visibility to full-stack lifecycle management. The platform’s scope covers real-time NHI inventory, privilege remediation, secrets management, Model Context Protocol (MCP) server discovery, and agentic threat detection. This enables Astrix to offer thorough visibility and security in NHI-heavy enterprise environments.
The company’s total of $85M in funding, which includes a significant amount contributed by Menlo Ventures’ Anthropic-backed Anthology Fund in a 2024 Series B round, serves as both a market signal and a strategic alignment. Leading investors placing faith in a startup like Astrix demonstrates major trends in where threats lie in modern environments and what the industry sees in the path forward. Cisco’s recent announcement of intent to acquire Astrix for $400M is another indication of where the market’s priorities lie.
What Cisco’s $400M Validates—And What it Reveals
According to Cisco’s own data, as detailed in the Cisco AI Readiness Index, only 24% of organizations worldwide have functional guardrails in place to effectively control and secure agentic AI activity. The governance and visibility that more than three in four companies lack at this time is an absolute imperative for safe deployment of AI agents and management of NHI-heavy environments. The Astrix acquisition is a step toward taking the zero-trust approach and applying it to the growing mass of NHIs.
The planned path for integrating Astrix’s functionality into Cisco Identity Intelligence, Duo, Secure Access, and Splunk is an effort to extend NHI governance into SOC and zero-trust workflows. This is Cisco’s second AI acquisition in a matter of weeks, coming on the tails of the April acquisition of Galileo for multi-agent observability. This signals a deliberate agentic security platform build-out as Cisco attempts to expand capabilities for the AI era.
The Governance Imperative for Security Teams
The growth of Astrix and its acquisition by Cisco demonstrate the ongoing importance of ensuring effective governance of AI agents and other NHIs in modern enterprise environments. It is crucial for security teams to invest in measures for visibility, monitoring, and management of NHIs and their activity. Provisioning controls, such as short-lived credentials, just-in-time access, and least-privilege scoping at agent creation, are essential.
It is also necessary to implement sufficient lifecycle enforcement, as NHI decommissioning practices are the critical failure point that most teams currently lack. There is a widening gap in organizational readiness for the era of agentic AI, spelling trouble for enterprises that are still treating NHI security as a problem for the future.
The Structural Implication: Zero Trust Must Cover Machines
Zero trust, a fundamental pillar of security in many organizations, is a human-centric model that enterprise security must now work to extend to non-human actors. Cisco’s move to acquire Astrix, signaling a shift toward consolidation, is likely an accelerant for competitive responses from IAM incumbents. The NHI security category, built from scratch by Astrix before the world caught up, will be what defines the next phase of enterprise identity strategy.
