From Cave Guards to Cloud Workloads: Rethinking Non-Human Identity

By: Aiyan Ma
(Author, Identity Security for Software Development)

— A Journey Through Non-Human Identity, From First Principles

If you love someone, send them to do security.
If you hate someone, send them to do security.

That’s how I began a presentation more than twenty years ago. At the time, I was a software security architect at a world-class company. I was younger then, but even at that point, I had learned something that would shape how I approach every system I work on:

To understand a system, you must understand its origin.

Security isn’t just a modern discipline born from cloud platforms and cryptography. It predates software. Wherever humans gather, they protect resources, build trust, and control access. From cave guards to API endpoints, the problems stayed the same. Only the mechanisms changed.

This is why I approach security from first principles—not from products, frameworks, or trendy terms. First principles make us ask uncomfortable but necessary questions: What problem are we solving? What assumptions do we make? What breaks when those assumptions fail?

With this lens, a crucial shift appears. Humans are no longer the main actors in software. Services authenticate to services, pipelines deploy infrastructure, and workloads emerge and vanish in seconds. Yet many security models still center on humans.

It is at this intersection that Non-Human Identity (NHI) enters the picture—not as a new concept invented by cloud providers, but as the inevitable result of scale, automation, and the gradual removal of humans from the execution path.

Why Security Is So Hard to Talk About

In that talk, I highlighted two constant challenges in security:

1. Snake Oil
Products that promise to solve security. Completely. Automatically. Magically.
If it sounds too good to be true, it usually is.

Security has no silver bullets—only tradeoffs, context, and discipline. Yet every generation rediscovers this the hard way.

2. Jargon
Endless acronyms. New terms for old ideas. Language that intimidates rather than explains. Some jargon is necessary; much of it is not. Too often, it becomes a wall between security specialists and the engineers who actually build systems.

These two forces—snake oil and jargon—are not new. They’ve been with us since the earliest days of computing. And they are very much alive today.

Enter Non-Human Identity

Fast-forward to the present.

Cloud-native systems and LLMs have exploded in scale and complexity. Humans are no longer the primary actors in our systems. Software talks to software. Services call services. Pipelines deploy pipelines.

With this shift in mind, Non-Human Identity (NHI) has quietly become one of the most critical—and most misunderstood—foundations of modern software design.

NHI is not a product category.
It is not a vendor feature. Nor is it a checklist. Instead, NHI compels us to reconsider how trust and identity function when humans are removed from the center.

It is the answer to a simple question:

How does software prove who—or what—it is?

How This Book Approaches NHI and Why It’s Different

When I wrote this book, I made a deliberate choice: No snake oil. No mystique. No excess jargon.

Instead, the book follows a consistent pattern:

  • Start from first principles.
  • Trace the evolution.
  • Understand the problems each stage introduces.
  • Examine the solutions—and their tradeoffs.
  • Show runnable code and observable results.

Not diagrams alone. Not marketing slides. But real behavior you can see, test, and reason about.

Chapter 1, A Journey Through Time, sets the tone by exploring identity across four eras: the early computing era, the middle era, the modern era, and the near future. As the chapter progresses, identity grows dynamic, automation becomes essential, and old mental models break.

No Abstraction Without Evidence

In the chapters that follow, every concept is paired with:

  • Runnable examples
  • Clear outcomes
  • Observable security properties

No “trust me.”
No “best practice” without context.
No buzzwords without behavior.

If something works, you can see why it works.
If it fails, you can see how it fails.

That transparency is intentional.

Why This Matters Now

Security today is not about building taller walls. It is about correct identity, correctly applied, at machine speed.

Non-Human Identity is not a niche topic. It is the backbone of zero trust, cloud security, and resilient system design. Too often, it’s buried under tools and not taught as a system.

This book exists to change that.

A Final Thought

Security has always been hard. It isn’t mysterious—it’s fundamentally human. We bring our habits, shortcuts, and assumptions into every system we build.

Return to first principles. Learn from history rather than reinventing jargon. Ground ideas in working systems. This way, engineers can understand security instead of fearing it.

And maybe—just maybe—if you love someone…

You’ll still send them to do security.

But at least you’ll give them better tools, clearer ideas, and fewer illusions.
