NHI Campaigns: The Access Reviews Your Non-Human Identities Have Been Missing

Adam Cheriki
Co-founder & CTO

You run attestation campaigns for your human identities. It’s time your NHIs got the same treatment.


You Already Know How This Works

If you’ve been in IAM for any amount of time, access review campaigns are part of your routine. Every quarter, every year, you scope a population of human identities, push review tasks to the right managers, track who’s acted and who hasn’t, and certify or revoke access at the end.

Now ask yourself this: when did you last run that same process for your service accounts, API keys, and machine tokens?

For most teams, the honest answer is never. Not in any structured way. NHIs get reviewed reactively, when something breaks, when an audit flags them, or when a departing employee’s offboarding surfaces a token that’s been sitting active for two years. There’s no campaign. There’s no owner workflow. There’s no audit trail.

That’s the gap Entro Campaigns closes.

Campaigns for NHIs: Same Concept, a Harder Problem

Entro Campaigns works on the same principle as an access review campaign, but built for the reality of non-human identities. You scope a population of NHIs based on a specific risk profile, take action on what you can directly, and push accountability to the owners of everything else. Every action is tracked. Nothing falls through the cracks.

The reason this is harder for NHIs than for humans is that NHI ownership is messier. A service account doesn’t have a manager in your org chart. An API key doesn’t appear in your HR system. Finding who’s actually responsible for a given token, and getting them to act on it, has historically required manual investigation and a lot of Slack messages. Campaigns turns that into a structured, trackable workflow.


How It Works

Start With a Risk-Based Scope

Every campaign begins with a clear scope. Choose from seven pre-built templates, each targeting a specific NHI risk pattern, or build your own using custom filters including account type, risk severity, usage patterns, and compliance violations:

  • Orphaned NHIs — active identities with no accountable owner
  • Idle NHIs — tokens that haven’t been used and may no longer be needed
  • High-Risk NHIs — elevated risk based on exposure, permissions, or behavior
  • Non-Expiring NHIs — credentials that never rotate, posing a long-term risk
  • Former Employee NHIs — active tokens still tied to people who’ve left
  • Enabled Exposed NHIs — live credentials that have been exposed and may be compromised
  • Permissions Right-Sizing — NHIs holding sensitive permissions they don’t use

Pick your template or define your own scope, name the campaign, assign an owner, and you have your working list.
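
As an added illustration (not Entro's implementation or API), six of the templates above can be written as predicates over an NHI inventory. The record fields, the 90-day idle threshold, and the sample data are assumptions; High-Risk is left out because the page does not say how risk is scored.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

IDLE_DAYS = 90  # assumed idle threshold; the page does not specify one

@dataclass
class NHI:  # hypothetical inventory record
    name: str
    owner: Optional[str]        # accountable person, None if unknown
    enabled: bool
    last_used: Optional[date]   # None = never used
    expires: Optional[date]     # None = credential never expires
    exposed: bool = False       # flagged by a secret scanner
    granted: frozenset = frozenset()
    used: frozenset = frozenset()

def scope(inventory, today, former_employees, sensitive):
    """Map each template name to the enabled NHIs that match it."""
    rules = {
        "Orphaned": lambda n: n.owner is None,
        "Idle": lambda n: n.last_used is None
                or (today - n.last_used).days > IDLE_DAYS,
        "Non-Expiring": lambda n: n.expires is None,
        "Former Employee": lambda n: n.owner in former_employees,
        "Enabled Exposed": lambda n: n.exposed,
        # sensitive permissions that were granted but never exercised
        "Permissions Right-Sizing": lambda n: bool((n.granted & sensitive) - n.used),
    }
    active = [n for n in inventory if n.enabled]
    return {t: [n.name for n in active if match(n)] for t, match in rules.items()}

# Constructed sample inventory (not real identities)
TODAY = date(2025, 6, 1)
INVENTORY = [
    NHI("ci-deploy-token", "dana", True, date(2025, 5, 30), date(2025, 9, 1),
        granted=frozenset({"s3:PutObject", "iam:PassRole"}),
        used=frozenset({"s3:PutObject"})),
    NHI("legacy-etl-key", None, True, date(2023, 4, 2), None),
    NHI("billing-svc", "lee", True, date(2025, 5, 1), None, exposed=True),
    NHI("old-webhook", "lee", False, None, None, exposed=True),  # disabled
]
RESULT = scope(INVENTORY, TODAY, former_employees={"lee"},
               sensitive=frozenset({"iam:PassRole"}))
```

One identity can land in several scopes at once, and a disabled identity lands in none, which is why the filter on `enabled` runs before any template predicate.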

Admin Takes the First Pass

Before anything goes to NHI owners, the campaign admin has full visibility and control. 

For every identity in scope, you can take direct action: rotate credentials, disable the NHI, approve a change, or reassign ownership. 

Entro gives you provider-specific steps for each action, a direct link to the right place in the provider console, and a checklist to make sure nothing is missed.

Where Entro has the necessary permissions, it guides you through the process. Where it doesn’t, it gives you exactly what you need to do it yourself. No guessing, no searching documentation.

Push to Owners, With Context

For the NHIs you haven’t actioned directly, Campaigns lets you notify the responsible owners. Each owner receives a targeted view of only their NHIs, with a live preview of the campaign, a custom note from the admin explaining what’s needed, and clear instructions on what to do next.

They’re not looking at a full dashboard of 500 identities. They see exactly what’s theirs and exactly what’s expected of them. That specificity is what actually gets things done.

Track It All in One Place

The campaign dashboard gives admins a live view of progress. Every NHI in the campaign has a status — Pending, Awaiting Action, or Remediated — and every action taken is logged. When an auditor asks what happened and when, you have a clean, complete record. Not a spreadsheet. Not a reconstructed timeline from Slack. An actual audit trail.


The Bottom Line

Access review campaigns are one of the most mature, well-understood workflows in IAM. The problem is they’ve only ever applied to humans. Meanwhile, NHIs have multiplied across clouds, SaaS tools, and CI/CD pipelines, and nobody has been running the same disciplined review process on them.

Entro Campaigns changes that. It takes a workflow IAM teams already trust and extends it to the identities that have been outside that governance model until now. Same rigor. Same accountability. Built for the scale and complexity of a non-human identity environment.

Entro Campaigns is available now. Explore the documentation to get started, or book a demo to see it in action with your team.
