
Do your machines have an identity? Why NIS2, DORA and ISO 27001 lead to workload identity

4 min read

[Figure: a software agent presents its verifiable identity to a governance check]

Every company has a process to give people an identity: badges, accounts, MFA, offboarding. Almost none has the same process for machines: microservices, containers, scripts that talk to APIs and, increasingly, AI agents acting autonomously. Yet it is a control that ISO 27001, NIS2 and DORA, read consistently, already presuppose.

The problem nobody counts

In modern infrastructures, non-human identities outnumber human ones by orders of magnitude, and they are among the main exposure surfaces: API keys committed to source code, long-lived tokens, credentials in configuration files. A stolen credential of this kind lets an attacker operate as a legitimate workload, moving laterally from inside without tripping the controls built around human logins.

The first question of a serious audit is not which technology you use. It is: how many non-human identities do you have, and who governs them? In most cases the answer is "we don't know". And that is already a finding.

The answer: give machines a verifiable identity

The principle is simple: every machine, service or agent receives a cryptographically verifiable identity, issued and renewed automatically, in place of static secrets that never expire. The reference standard is SPIFFE (a CNCF project), with SPIRE as its reference implementation: a workload is named by a SPIFFE ID such as spiffe://trust-domain/ns/prod/sa/payments, carried in the URI SAN of a short-lived X.509 certificate (an X509-SVID) or in a JWT, and SPIRE issues it only after attesting the node and the workload that asks for it. It builds on the PKI you probably already have rather than replacing it, and extends it to machines. For anyone dealing with governance, the point is not the technology but the model: short-lived, automatically rotated identities remove the static secret from code and configuration, and revocation becomes far less critical because a leaked certificate stops working at expiry, typically within an hour. The caveat a practitioner will want: inside that window a stolen certificate and key are still valid, so the lifetime is the upper bound on misuse, not a guarantee against it.
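To make the model concrete, here is an added example (not code from the article or from the SPIFFE/SPIRE projects) that uses only the Go standard library. A toy issuer stands in for a SPIRE server: it signs a certificate whose sole identity is a SPIFFE ID in a URI SAN, with a one-hour lifetime. A verifier then checks the certificate against the trust bundle at a given time and extracts the identity. The trust domain `example.org`, the workload path `/ns/prod/sa/payments`, the one-hour TTL and the 30-second clock-skew allowance are assumptions chosen for the example; real issuance also depends on attestation, which this toy omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Issuer is a constructed stand-in for a SPIRE-style server signing X509-SVIDs
// for one trust domain. Whoever holds `key` can mint any identity in the domain.
type Issuer struct {
	TrustDomain string
	Cert        *x509.Certificate // distributed to verifiers as the trust bundle
	key         ed25519.PrivateKey
	nextSerial  int64
}

// NewIssuer builds a self-signed CA valid for one year from `now` (assumed).
func NewIssuer(trustDomain string, now time.Time) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "toy-ca." + trustDomain},
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{TrustDomain: trustDomain, Cert: cert, key: priv, nextSerial: 2}, nil
}

// IssueSVID signs a certificate whose only identity is a SPIFFE ID in a URI SAN
// (spiffe://<trust-domain><path>). No DNS name, no human subject: the workload
// path is the identity, and NotAfter bounds how long the certificate is usable.
func (i *Issuer) IssueSVID(path string, ttl time.Duration, now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	id, err := url.Parse("spiffe://" + i.TrustDomain + path)
	if err != nil {
		return nil, nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(i.nextSerial),
		URIs:         []*url.URL{id},
		NotBefore:    now.Add(-30 * time.Second), // clock-skew allowance (assumed)
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	i.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.Cert, pub, i.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, priv, nil
}

// VerifySVID is what a peer does when a workload presents its certificate:
// chain it to the trust bundle as of time `at`, then require exactly one
// spiffe:// URI SAN in the expected trust domain. Returns the SPIFFE ID.
func VerifySVID(bundle *x509.CertPool, leaf *x509.Certificate, trustDomain string, at time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: bundle, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(leaf.URIs))
	}
	id := leaf.URIs[0]
	if id.Scheme != "spiffe" || id.Host != trustDomain {
		return "", errors.New("URI SAN is not a SPIFFE ID in trust domain " + trustDomain)
	}
	return id.String(), nil
}

// IsExpired reports whether verification failed because the certificate had
// passed NotAfter: the outcome a leaked short-lived SVID should produce.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	iss, err := NewIssuer("example.org", now)
	if err != nil {
		panic(err)
	}
	bundle := x509.NewCertPool()
	bundle.AddCert(iss.Cert)
	svid, _, err := iss.IssueSVID("/ns/prod/sa/payments", time.Hour, now)
	if err != nil {
		panic(err)
	}
	id, err := VerifySVID(bundle, svid, "example.org", now)
	fmt.Println("fresh SVID:", id, err)
	// The same certificate, stolen and replayed two hours later, is rejected
	// with no revocation list involved: its lifetime has simply run out.
	_, err = VerifySVID(bundle, svid, "example.org", now.Add(2*time.Hour))
	fmt.Println("replayed after TTL, expired:", IsExpired(err))
}
```

Two design points worth noticing: the verifier never consults a secret, only the trust bundle and the clock, so the check works across services that share nothing but the CA; and the trust-domain test on the URI SAN is what stops a certificate from a neighbouring environment being accepted even when it chains correctly.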

Why it is a compliance matter, not just architecture

Here is the point for anyone who has to answer an auditor or a regulator. Workload identity is not a new, separate technical obligation: it is a concrete way to apply to non-human identities the controls the frameworks already require around identity, authentication, access control and traceability.

ISO/IEC 27001:2022. It maps onto controls the organisation must already oversee — identity lifecycle management (A.5.16), authentication information (A.5.17), access control and rights (A.5.15 / A.5.18) — extended to machines, not just people.

NIS2 (Art. 21(2)). The minimum risk-management measures include access control, cryptography and strong authentication. Workload identity is a technical way to apply them to system-to-system communication as well, not only to human access.

DORA. In the financial sector, the RTS on the ICT risk-management framework (Commission Delegated Regulation (EU) 2024/1774) requires identity management with unique identification and authentication of natural persons and systems, least privilege and accountability: machine identity is the part that often remains uncovered.

The frontier: the identity of AI agents

There is a reason this topic is exploding now. Autonomous AI agents are, in effect, non-human identities that act: they call tools, APIs and other agents. Without a verifiable identity it is impossible to build accountability and an audit trail of "who did what", which is exactly what ISO/IEC 42001 and, for high-risk systems, the AI Act's record-keeping obligations (Art. 12) expect. Before you can say what an agent is authorised to do, you must be able to prove who it is.

This is ground where we have direct experience: in the agentic architectures we design, every software actor receives a verifiable, short-lived identity. Agent governance starts there.

Not a silver bullet

It must be said honestly: giving machines an identity also introduces new risks. The system that issues the identities becomes critical. If it is unavailable, renewals stall and workloads start failing as their short-lived certificates expire, so lifetimes and renewal windows have to be sized against realistic outage times. If it is compromised, it can issue fraudulent identities for any workload in the trust domain, so its signing keys deserve HSM-grade protection, its issuance log belongs in the SIEM, and the attestation policies that decide which workload gets which identity need the same change control as an IdP. In risk-management language: you mitigate a relevant set of risks (static secrets, lateral movement, lack of audit trail) and you govern the residual risk, documenting and consciously accepting it. There is no security without residual risk: there is governed risk.

In summary

Machine identity is not a technical choice to delegate to the infrastructure team: it is the application, to non-human identities, of controls that NIS2, DORA and ISO 27001 already require, and with AI agents it becomes the foundation of AI governance itself. The question to bring to your next risk assessment is simple: do our machines, and our agents, have a verifiable identity, or are we still authenticating them with secrets that never expire?

Identity for machines and AI agents: we map it to your obligations

Tomato helps SMEs translate ISO 27001, NIS2 and DORA requirements into concrete controls over non-human identities and AI agent governance — with an eye on residual risk.
