NEW RESEARCH: Your Sandbox Is Made of Glass
Read
NHI Management
AI agents, service accounts, API keys, bots — they're multiplying. Trinitite finds every non-human identity and makes sure each one is governed.
847
NHIs Discovered
84%
Governed
46
Shadow Detected
Live
Monitoring
The Vocabulary
NHI governance is how you discover, federate, and control every non-human identity acting without a human in the loop — AI agents, service accounts, API keys, bots. Legacy IAM has SAML, OIDC, and SCIM for people, but no first-class object for “an autonomous agent acting on behalf of an org under a specific governance policy right now.” Trinitite ships that object — and federates it across organizations.
Every call mints a short-lived, just-in-time token — signed, scope-locked, and audience-pinned, alive for minutes rather than months. Rotation is no longer theoretical and revocation no longer breaks production. A leaked token expires almost immediately and can't be replayed against an endpoint it wasn't issued for. These tokens are also the native auth for MCP tool governance.
Each NHI carries a tier graded on training rigor, governance posture, and supply-chain assurance. Bronze is existence with basic provenance and default governance. Silver adds signed training-data provenance, an attached guardian, and a passed eval-harness baseline. Gold adds continuous-attestation evidence, a signed model card, an AIBOM, and SLSA-for-AI level 2 or higher. A receiving org can require a minimum tier for an endpoint; below-tier calls are rejected before the actor sees them — and the tier is the primary input to cyber-insurance pricing.
Every NHI carries a signed provenance chain — references to the guardian, the LoRA, the policy, and the training receipts the agent inherits. The receiving side learns what trained the agent and how it's governed without asking the issuing side to ship extra files, and verifies it all against the issuing org's public JWKS. No security questionnaire required to know what's calling you.
Every NHI is bound to a guardian, and the guardian's policy hash is signed into the receipt on every call. The receiving side knows precisely which governance policy is evaluating the agent's traffic at the moment it acts — and each action is replayable and citable in an audit workpaper.
Workload-IAM and machine-identity platforms — Aembit, Astrix, and the cloud IAMs — are good at workload-to-workload authentication and secretless access, and they federate cleanly into Trinitite's unified registry. They answer “can this workload authenticate?” Trinitite adds the agent-native layer they don't: a continuously re-asserted attestation tier, provenance baked into the token, a guardian binding, and signatures a counterparty can verify in a browser. The difference is “can it authenticate” versus “what trained it, what governs it now, and can you prove it.”
Live Demo
This is what your identity dashboard looks like. Every identity, classified and tracked. No spreadsheets. No guesswork.
Non-Human Identity Posture
0
Total NHIs
Governed
Ungoverned
Shadow
Risk Heatmap — Internal vs Federated
Low
0
0
Medium
0
0
High
0
0
Critical
0
0
Internal
Federated
Anomaly Detection
NHI Anomaly Detection
svc-billing-prod
Normal
agent-claims-03
Normal
api-key-internal-7
Normal
k8s-sa-ingress
Normal
lambda-exec-data
Normal
How It Works
01
Auto-discover NHIs
Trinitite scans your cloud accounts, clusters, and identity providers. It finds every non-human identity — even the ones nobody remembers creating.
02
Federate with your IdP
Link each identity to your central directory. See which ones are managed, which are linked, and which are shadow identities operating outside your control.
03
Assign governors
Give every NHI a responsible owner. Trinitite tracks which identities have human governors and which ones are running ungoverned.
04
Monitor for anomalies
Watch behavior in real time. If an identity starts doing something unusual — like accessing new data or calling new APIs — you know right away.
Capabilities
Auto-Discovery
Scans AWS, Azure, GCP, and Kubernetes. Finds every service account, API key, bot, and agent identity across your entire stack.
Federation Tracking
Shows which NHIs are internal, which are linked to your IdP, and which are shadow identities no one controls. Get to 100% coverage.
Governance Mapping
Maps every NHI to a human governor. See the gap between "managed" and "actually governed" at a glance.
Risk Heatmap
Color-coded severity view across all identities. Spot high-risk NHIs instantly — by type, by cloud, by team.
Anomaly Detection
Behavioral baselines for every identity. When an NHI deviates from normal, you get an alert — not a surprise breach.
Lifecycle Tracking
See when each NHI was created, last used, last rotated, and when it expires. No more forgotten credentials sitting in production.
Proxy Identity Governance
Govern identities that act on behalf of other identities. Know the full chain of who-asked-whom for every action.
IMDS Shield Monitoring
Enterprise
Track access to cloud metadata services. Detect IMDS credential theft attempts before attackers move laterally.
Non-Human Identity Posture
0
Total NHIs
Governed
Ungoverned
Shadow
Risk Heatmap — Internal vs Federated
Low
0
0
Medium
0
0
High
0
0
Critical
0
0
Internal
Federated
Unified Identity Registry
Every machine identity from AWS IAM, Azure AD, GCP IAM, Kubernetes, Okta, Astrix, Aembit — federated into a unified registry. One view, every identity, every provider.
No more toggling between consoles. No more blind spots in multi-cloud environments. One federated registry replaces a dozen dashboards.
Identity Federation
0 identities federated
Unified NHI Registry
0
Machine identities across 6 providers
AWS IAM
Cloud IAM
0
2m ago
Azure AD
Cloud IAM
0
5m ago
GCP IAM
Cloud IAM
0
3m ago
Kubernetes
Service Accounts
0
now
Okta
OIDC Provider
0
15m ago
Astrix
NHI Platform
0
8m ago
Identity Lifecycle
svc-prod-api-key
Created
Mar 1, 09:14
svc-prod-api-key provisioned via AWS IAM
Permissions Granted
Mar 1, 09:15
Assigned to PII Shield governor — s3:read, dynamodb:query
Baseline Established
Mar 4, 09:14
Behavioral baseline computed from 72h observation window
Anomaly Detected
Mar 18, 14:32
Unusual access pattern — 3x normal API call volume to new endpoints
Acknowledged
Mar 18, 15:01
Reviewed by sarah.chen — legitimate batch job spike
Rotated
Apr 1, 00:00
Scheduled key rotation completed — new key active
Chain of Custody
Track every identity from creation to rotation. Permissions granted, baselines established, anomalies detected and acknowledged, scheduled rotations completed. A full chain of custody for every non-human principal.
When an auditor asks what happened to a service account six months ago, you have the answer — timestamped and immutable.
Credential Theft Prevention
AI workloads on cloud infrastructure can access Instance Metadata Service to steal credentials. The IMDS Shield monitors and blocks unauthorized credential access attempts from AI agents in real time.
A critical defense layer for any organization running AI workloads on EC2, GCE, or Azure VMs. Stop lateral movement before it starts.
Available on: Enterprise
IMDS Shield
0 blocked
NHI Economics
Total NHI Cost (30d)
$0
Total Tokens
0.0M
Active Identities
0
Identity
Provider
API Calls
Tokens
Cost
svc-prod-api
AWS
0
0k
$0
▲
billing-agent-key
Azure
0
0k
$0
—
k8s-sa-inference
GCP
0
0k
$0
▲
oauth-slack-bot
Okta
0
0k
$0
▼
research-api-key
AWS
0
0k
$0
—
Identity Cost Intelligence
API calls, token consumption, and compute spend tracked per identity. Allocate costs across teams and identify runaway spending before it becomes a budget problem.
FinOps for machine identities. Every identity gets a cost profile, every team gets an allocation, every anomaly gets flagged.
Available on: Enterprise
FAQ
NHI governance is how an organization discovers, federates, and controls its non-human identities — the AI agents, service accounts, API keys, and bots acting without a human in the loop. Trinitite treats each NHI as a first-class principal: it mints short-lived just-in-time tokens for every call, attests the identity’s tier and provenance, and binds it to a guardian so policy is applied consistently and can be verified by any counterparty.
Attestation tiers grade an agent’s training rigor, governance posture, and supply-chain assurance. Bronze means the NHI exists with basic provenance and default governance. Silver adds signed training-data provenance, an attached guardian, and a passed eval-harness baseline. Gold adds continuous-attestation evidence, a signed model card, an AIBOM, and SLSA-for-AI level 2 or higher. A receiving org can require a minimum tier for an endpoint; below-tier calls are rejected before the actor sees them.
Just-in-time (JIT) NHI tokens are short-lived — minutes, not months — signed, scope-locked, and audience-pinned credentials minted fresh for each call. They replace long-lived service accounts and shared API keys, so a leaked credential expires almost immediately and cannot be replayed against a different endpoint. Rotation and revocation become routine operations instead of production-breaking fire drills.
Workload-IAM and machine-identity platforms answer "can this workload authenticate?" Trinitite answers "what trained this agent, what governs it right now, and can a counterparty prove it?" NHI federation carries a signed provenance chain, a continuously re-asserted attestation tier, and a guardian binding inside every token — verifiable against the issuing org’s public JWKS with no shared secret. Existing identity sources like Okta, Azure AD, Astrix, and Aembit federate into the same registry.
Thirty minutes against your real environment. Leave with every NHI mapped, posture-scored, and ready for your auditor.
Trinitite
AI governance that catches mistakes, proves compliance, and shows the board what it saved—in dollars.
Trinitite is built by Fiscus Flows, Inc.
Products
Products
Solutions
© 2026 Fiscus Flows, Inc. · All rights reserved
Accessibility
The Guardian Standard™