The Story Behind Snowflake’s Push to Rein in Non-Human Identities

Inside Snowflake's NHI Security Playbook.

Snowflake has built its reputation as one of the world’s most recognizable cloud data platforms – designed to help organizations centralize and analyze vast amounts of information across regions, clouds, and teams. But as the company grew, so have the scale and complexity of its IT infrastructure.

Cameron Tekiyeh, who leads Snowflake’s global security analytics team, saw a familiar issue emerge inside that growth. The number of non-human and workload identities – applications, AI agents, and services – had quietly overtaken the number of employees.

It was not unique to Snowflake. Most large enterprises face the same trend. But left unaddressed, it introduced risk: hardcoded credentials, mismanaged service accounts, manual provisioning, and inconsistent controls across the environment.

“We first saw the number of non-human identities far outnumbered the number of human identities,” Cameron explained in a recent webinar. “And so really what this meant was the problem we had to solve for non-human identities and the opportunity there was going to be a lot larger.”

Snowflake had dealt with identity sprawl before – on the workforce side. Several years earlier, the company prioritized tightening human identity controls, rolling out MFA, eliminating static passwords, and expanding its Okta deployment across the organization.

That effort paid off: Support tickets decreased, credential resets became rare, and employees spent less time troubleshooting access. The experience of interacting with everyday applications and systems went from frustrating to “delightful.”

“We made our employees’ lives easier, but also more secure as a result,” Cameron said.

The security team knew the same approach wouldn’t apply directly to non-human identities. The scale, the architecture, and the operational realities were different. But the goal – reducing risk while improving the day-to-day experience for users (in this case, developers and engineers) – remained the same.

Recognizing the Risk Beyond Users

Snowflake runs 300 to 400 SaaS, cloud, and custom-built applications, with more added continuously. As AI integrations and automated processes expanded, so did the footprint of non-human identities.

Cameron’s team saw credential reuse, service accounts handled inconsistently, and manual provisioning processes creating both exposure and operational drag. “They kind of get the short end of the stick… having to manage and rotate all these credentials,” Cameron said, describing how DevOps teams were left with a thankless job and constant churn.

The workforce identity project had proven that strong controls could reduce friction, not add to it. But unlike the workforce tooling, the existing tools for non-human identity didn’t scale the way Snowflake needed.

Replacing Static Credentials with Real-Time, Policy-Based Access

The team adopted workload IAM from Aembit to automate authentication for non-human identities without long-lived credentials. Cameron describes it as “MFA for machines” – a model where credentials are issued dynamically during authentication, based on policy and environmental signals from Snowflake’s broader security stack.

Before landing on that approach, however, the team methodically evaluated the options already on the table. None proved fruitful.

  • Governance tools provided visibility into the problem but did not automate credential issuance or reduce manual overhead for DevOps teams.
  • Cloud provider tools worked for isolated platforms but couldn’t scale across Snowflake’s diverse application environment.
  • Secrets managers introduced an anti-pattern by keeping long-lived credentials in circulation, with potential for hardcoding, leaks, or human error.

The team wanted to move beyond visibility and short-term fixes – and avoid adding manual tasks to teams already stretched managing infrastructure.
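To make the “MFA for machines” model concrete, here is an added illustration (not Snowflake’s or Aembit’s code) of a policy-based broker that mints a short-lived workload credential only when the access policy and an environmental posture signal both agree, and records every decision in a central audit log; the workload and target names, the posture signal, and the HMAC-signed token format are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed policy: which workload may reach which target, under what
# environmental condition, and for how long. Names are hypothetical.
POLICY = {
    ("ci-runner", "security-data-lake"): {"require_posture": "healthy", "ttl_seconds": 300},
    ("jira-sync", "security-data-lake"): {"require_posture": "healthy", "ttl_seconds": 120},
}

SIGNING_KEY = secrets.token_bytes(32)  # broker-side key; never handed to a workload
AUDIT_LOG = []                          # centralized decision log, one entry per request


def issue_credential(workload, target, signals, now=None):
    """Evaluate policy plus environmental signals; mint a short-lived credential or refuse.

    Contrast with a secrets-manager pattern: there the workload fetches a
    long-lived secret that stays valid until someone remembers to rotate it.
    """
    now = time.time() if now is None else now
    rule = POLICY.get((workload, target))
    entry = {"ts": now, "workload": workload, "target": target, "signals": dict(signals)}
    if rule is None:
        entry["result"] = "deny:no-policy"
        AUDIT_LOG.append(entry)
        return None
    if signals.get("posture") != rule["require_posture"]:
        entry["result"] = "deny:posture"
        AUDIT_LOG.append(entry)
        return None
    claims = {"sub": workload, "aud": target, "iat": int(now), "exp": int(now) + rule["ttl_seconds"]}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    entry["result"] = "allow"
    AUDIT_LOG.append(entry)
    return body + "." + tag  # the credential expires on its own; nothing to rotate


def verify_credential(token, target, now=None):
    """Target-side check: signature intact, audience matches, not yet expired."""
    now = time.time() if now is None else now
    body, _, tag = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["aud"] == target and claims["exp"] > now
```

The audit log is what turns each issuance into a reviewable record: every request, allowed or denied, lands in one place with the signals that drove the decision.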

The first deployment targeted internal security-owned applications connecting to Snowflake’s security data lake. It eliminated static credentials, reduced manual overhead, and simplified audit processes by providing clear, centralized logs.

From there, Snowflake extended the approach to CI/CD pipelines and other core workflows, securing access across GitLab, Jira, Confluence, AWS, Azure, and beyond.

Scaling Security Without Slowing Teams Down

Technical validation was one part of the process. Driving adoption across teams required trust, especially in an environment where the security team owns little directly but remains accountable for the broader posture.

“When we went to our partners and other organizations, other teams, that was feedback we could give and say, ‘We’ve lived this solution. We’re not asking you to do something we haven’t done before,’” Cameron said.

The project followed a pattern Snowflake had seen before: identity challenges surface quietly, but left unsolved, they grow in complexity and operational cost. By removing static credentials, automating access, and applying consistent controls to both human and non-human identities, the security team reduced risk without adding unnecessary steps for the groups building and running Snowflake’s infrastructure.

Snowflake’s experience reflects a measured, data-driven approach to managing non-human identities at scale. By applying identity principles they had already proven with the workforce – and combining that foundation with real-time automation – the team lowered risk, reduced operational overhead, and improved audit readiness.

For organizations facing similar challenges, the takeaway is this: Solving non-human identity is not just about visibility or credential management. It requires removing static secrets, automating authentication, and building alignment between security and the teams that keep infrastructure and product development moving.

Snowflake approached the problem with that balance in mind and left itself better positioned to scale, without introducing new complexity along the way.

Watch Cameron’s full conversation in this exclusive webinar.
