NEW RESEARCH: Your Sandbox Is Made of Glass

Read

Trinitite

PricingResearchBlogPodcasts

NHI Management

See every AI identity. Govern every one.

AI agents, service accounts, API keys, bots — they're multiplying. Trinitite finds every non-human identity and makes sure each one is governed.

847

NHIs Discovered

84%

Governed

46

Shadow Detected

Live

Monitoring

The Vocabulary

What is NHI governance?

What is NHI governance?

NHI governance is how you discover, federate, and control every non-human identity acting without a human in the loop — AI agents, service accounts, API keys, bots. Legacy IAM has SAML, OIDC, and SCIM for people, but no first-class object for “an autonomous agent acting on behalf of an org under a specific governance policy right now.” Trinitite ships that object — and federates it across organizations.

JIT tokens

Every call mints a short-lived, just-in-time token — signed, scope-locked, and audience-pinned, alive for minutes rather than months. Rotation is no longer theoretical and revocation no longer breaks production. A leaked token expires almost immediately and can't be replayed against an endpoint it wasn't issued for. These tokens are also the native auth for MCP tool governance.

Attestation tiers — Bronze, Silver, Gold

Each NHI carries a tier graded on training rigor, governance posture, and supply-chain assurance. Bronze is existence with basic provenance and default governance. Silver adds signed training-data provenance, an attached guardian, and a passed eval-harness baseline. Gold adds continuous-attestation evidence, a signed model card, an AIBOM, and SLSA-for-AI level 2 or higher. A receiving org can require a minimum tier for an endpoint; below-tier calls are rejected before the actor sees them — and the tier is the primary input to cyber-insurance pricing.

Provenance chains

Every NHI carries a signed provenance chain — references to the guardian, the LoRA, the policy, and the training receipts the agent inherits. The receiving side learns what trained the agent and how it's governed without asking the issuing side to ship extra files, and verifies it all against the issuing org's public JWKS. No security questionnaire required to know what's calling you.

Guardian binding

Every NHI is bound to a guardian, and the guardian's policy hash is signed into the receipt on every call. The receiving side knows precisely which governance policy is evaluating the agent's traffic at the moment it acts — and each action is replayable and citable in an audit workpaper.

NHI governance vs. machine-identity platforms

Workload-IAM and machine-identity platforms — Aembit, Astrix, and the cloud IAMs — are good at workload-to-workload authentication and secretless access, and they federate cleanly into Trinitite's unified registry. They answer “can this workload authenticate?” Trinitite adds the agent-native layer they don't: a continuously re-asserted attestation tier, provenance baked into the token, a guardian binding, and signatures a counterparty can verify in a browser. The difference is “can it authenticate” versus “what trained it, what governs it now, and can you prove it.”

Live Demo

Your NHI Posture at a Glance

This is what your identity dashboard looks like. Every identity, classified and tracked. No spreadsheets. No guesswork.

Non-Human Identity Posture

0

Total NHIs

Governed

Ungoverned

Shadow

Risk Heatmap — Internal vs Federated

Low

0

0

Medium

0

0

High

0

0

Critical

0

0

Internal

Federated

Anomaly Detection

NHI Anomaly Detection

svc-billing-prod

AWS IAM

Normal

agent-claims-03

Azure AD

Normal

api-key-internal-7

GCP

Normal

k8s-sa-ingress

Kubernetes

Normal

lambda-exec-data

AWS IAM

Normal

How It Works

Four steps to full NHI coverage

01

Auto-discover NHIs

Trinitite scans your cloud accounts, clusters, and identity providers. It finds every non-human identity — even the ones nobody remembers creating.

02

Federate with your IdP

Link each identity to your central directory. See which ones are managed, which are linked, and which are shadow identities operating outside your control.

03

Assign governors

Give every NHI a responsible owner. Trinitite tracks which identities have human governors and which ones are running ungoverned.

04

Monitor for anomalies

Watch behavior in real time. If an identity starts doing something unusual — like accessing new data or calling new APIs — you know right away.

Capabilities

Everything you need to govern machine identities

Auto-Discovery

Scans AWS, Azure, GCP, and Kubernetes. Finds every service account, API key, bot, and agent identity across your entire stack.

Federation Tracking

Shows which NHIs are internal, which are linked to your IdP, and which are shadow identities no one controls. Get to 100% coverage.

Governance Mapping

Maps every NHI to a human governor. See the gap between "managed" and "actually governed" at a glance.

Risk Heatmap

Color-coded severity view across all identities. Spot high-risk NHIs instantly — by type, by cloud, by team.

Anomaly Detection

Behavioral baselines for every identity. When an NHI deviates from normal, you get an alert — not a surprise breach.

Lifecycle Tracking

See when each NHI was created, last used, last rotated, and when it expires. No more forgotten credentials sitting in production.

Proxy Identity Governance

Govern identities that act on behalf of other identities. Know the full chain of who-asked-whom for every action.

IMDS Shield Monitoring

Enterprise

Track access to cloud metadata services. Detect IMDS credential theft attempts before attackers move laterally.

Non-Human Identity Posture

0

Total NHIs

Governed

Ungoverned

Shadow

Risk Heatmap — Internal vs Federated

Low

0

0

Medium

0

0

High

0

0

Critical

0

0

Internal

Federated

Unified Identity Registry

Every provider. One view.

Every machine identity from AWS IAM, Azure AD, GCP IAM, Kubernetes, Okta, Astrix, Aembit — federated into a unified registry. One view, every identity, every provider.

No more toggling between consoles. No more blind spots in multi-cloud environments. One federated registry replaces a dozen dashboards.

Identity Federation

0 identities federated

Unified NHI Registry

0

Machine identities across 6 providers

AWS IAM

Cloud IAM

0

2m ago

Azure AD

Cloud IAM

0

5m ago

GCP IAM

Cloud IAM

0

3m ago

Kubernetes

Service Accounts

0

now

Okta

OIDC Provider

0

15m ago

Astrix

NHI Platform

0

8m ago

Identity Lifecycle

svc-prod-api-key

Created

Mar 1, 09:14

svc-prod-api-key provisioned via AWS IAM

Permissions Granted

Mar 1, 09:15

Assigned to PII Shield governor — s3:read, dynamodb:query

Baseline Established

Mar 4, 09:14

Behavioral baseline computed from 72h observation window

Anomaly Detected

Mar 18, 14:32

Unusual access pattern — 3x normal API call volume to new endpoints

Acknowledged

Mar 18, 15:01

Reviewed by sarah.chen — legitimate batch job spike

Rotated

Apr 1, 00:00

Scheduled key rotation completed — new key active

Chain of Custody

The full history of every machine identity.

Track every identity from creation to rotation. Permissions granted, baselines established, anomalies detected and acknowledged, scheduled rotations completed. A full chain of custody for every non-human principal.

When an auditor asks what happened to a service account six months ago, you have the answer — timestamped and immutable.

Credential Theft Prevention

Block IMDS credential theft in real time.

AI workloads on cloud infrastructure can access Instance Metadata Service to steal credentials. The IMDS Shield monitors and blocks unauthorized credential access attempts from AI agents in real time.

A critical defense layer for any organization running AI workloads on EC2, GCE, or Azure VMs. Stop lateral movement before it starts.

Available on: Enterprise

🛡

IMDS Shield

0 blocked

NHI Economics

Total NHI Cost (30d)

$0

Total Tokens

0.0M

Active Identities

0

Identity

Provider

API Calls

Tokens

Cost

svc-prod-api

AWS

0

0k

$0

billing-agent-key

Azure

0

0k

$0

k8s-sa-inference

GCP

0

0k

$0

oauth-slack-bot

Okta

0

0k

$0

research-api-key

AWS

0

0k

$0

Identity Cost Intelligence

Know what your machine identities cost.

API calls, token consumption, and compute spend tracked per identity. Allocate costs across teams and identify runaway spending before it becomes a budget problem.

FinOps for machine identities. Every identity gets a cost profile, every team gets an allocation, every anomaly gets flagged.

Available on: Enterprise

FAQ

NHI governance, answered

What is NHI governance?

NHI governance is how an organization discovers, federates, and controls its non-human identities — the AI agents, service accounts, API keys, and bots acting without a human in the loop. Trinitite treats each NHI as a first-class principal: it mints short-lived just-in-time tokens for every call, attests the identity’s tier and provenance, and binds it to a guardian so policy is applied consistently and can be verified by any counterparty.

What are NHI attestation tiers (Bronze, Silver, Gold)?

Attestation tiers grade an agent’s training rigor, governance posture, and supply-chain assurance. Bronze means the NHI exists with basic provenance and default governance. Silver adds signed training-data provenance, an attached guardian, and a passed eval-harness baseline. Gold adds continuous-attestation evidence, a signed model card, an AIBOM, and SLSA-for-AI level 2 or higher. A receiving org can require a minimum tier for an endpoint; below-tier calls are rejected before the actor sees them.

What are JIT tokens for AI agents?

Just-in-time (JIT) NHI tokens are short-lived — minutes, not months — signed, scope-locked, and audience-pinned credentials minted fresh for each call. They replace long-lived service accounts and shared API keys, so a leaked credential expires almost immediately and cannot be replayed against a different endpoint. Rotation and revocation become routine operations instead of production-breaking fire drills.

How is NHI federation different from a machine-identity platform?

Workload-IAM and machine-identity platforms answer "can this workload authenticate?" Trinitite answers "what trained this agent, what governs it right now, and can a counterparty prove it?" NHI federation carries a signed provenance chain, a continuously re-asserted attestation tier, and a guardian binding inside every token — verifiable against the issuing org’s public JWKS with no shared secret. Existing identity sources like Okta, Azure AD, Astrix, and Aembit federate into the same registry.

Stop guessing how many machine identities you have.

Thirty minutes against your real environment. Leave with every NHI mapped, posture-scored, and ready for your auditor.