There was a time—as recently as a decade ago—when human users far outnumbered non-human identities (NHIs). By 2020, though, cloud-native architectures, DevOps pipelines and widespread automation had gone mainstream, and the average company had 10x more NHIs than human identities. Now, service accounts, bots, API keys, OAuth tokens, digital certificates, secrets and other machine identities may outnumber humans by 50 to 1 in a large organization, and their numbers continue to explode.
Rapid adoption of agentic AI is upping the ante. Gartner predicts that by 2028, at least 15% of daily workplace decision-making will be done by AI agents, and these agents rely on NHIs to access systems and software across the organization—including those housing confidential, sensitive and regulated data. By definition, agents act autonomously, chaining tools together, spawning subprocesses and interacting with other agents, with limited human oversight. While human identities are typically managed through a centralized identity governance and administration (IGA) platform, NHIs are linked to diverse assets across the enterprise technology ecosystem, creating a highly fragmented architecture and making it challenging for security teams to maintain visibility and control.
“Ephemeral identities and those associated with AI agents are directly contributing to the expansion of the attack surface and introducing new risks,” says Brad Bowers, Field Chief Information Security Officer (Global) at SHI. “We expect organizations will move to acquire tools to give them visibility into how these identities are being leveraged, what access they have, and whether or not they’ve been tampered with.”
Today’s most commonly deployed identity security solutions weren’t designed to discover and manage NHIs at enterprise scale. Although comprehensive lifecycle management is needed to mitigate the growing risks that NHIs pose, no vendor yet offers a single, holistic solution that can enforce best practice-based governance across an organization’s entire NHI ecosystem.
This means that full-lifecycle NHI governance will require integrating multiple existing identity-related solutions, and organizations may need to augment these capabilities with specialized NHI discovery and management tools, too.
NHIs represent a significant—and growing—attack vector
With their recent and rapid proliferation, frequent use of shared or unencrypted credentials and lack of robust governance, NHIs are a highly attractive target for threat actors. Compromising a service account, for instance, can readily enable lateral movement because these accounts often have far-reaching access, elevated privileges and little monitoring by security teams.
NHIs have already been widely exploited by real-world attackers. One recent survey of security leaders found that 40% of organizations had experienced an NHI-related incident within the past year, and—even more worryingly—32% said they could not tell whether they had or not. Large-scale, high-profile breaches involving NHIs include successful attacks on Cloudflare, AWS, Snowflake and the AI development platform HuggingFace.
With agentic AI adoption expected to further accelerate, it’s likely that we’ll see many more of these kinds of incidents in the not-too-distant future.
A mounting wave of investment
Existing cybersecurity vendors and NHI security-focused startups see this challenge as a significant market opportunity. Investors are pouring money into emerging innovators working to develop full NHI-lifecycle management solutions. Secrets management platform GitGuardian was recently awarded $50 million in Series C funding, while the NHI discovery and risk analysis engine Oasis received $120 million in March to expand its product’s capabilities further across the NHI lifecycle.
Major acquisitions also signal that NHI and agentic AI security are now top-tier cybersecurity priorities. The flagship deal in which Palo Alto Networks bought CyberArk for $25 billion in cash and stock options indicates that the industry’s biggest players no longer think of machine identity and agentic AI security as niche concerns.
Analysts predict that 2026 will see more high-profile acquisitions as traditional identity and access management (IAM), privileged access management (PAM) and IGA vendors compete to add more NHI-management capabilities to their platforms.
Boosting NHI security demands a strategic approach
With the NHI vendor landscape increasingly crowded and fast-changing—and no one-size-fits-all solution to be had—there’s strong demand for expertise in integrating NHI governance capabilities across clouds, SaaS ecosystems and cybersecurity tool stacks.
“We already know what identity security best practices are for people,” says Bowers. “Things like multi-factor and passwordless authentication, just-in-time access, and adhering to the least-privilege principle are key. The challenge now is extending these protections to AI agents and other kinds of software, which don’t always behave in the same way humans do.”
In general, security teams should:
- Take an architectural approach to NHI security. This means embedding security controls and mechanisms to enforce policies directly into the foundational fabric of your IT and security infrastructure. You’ll need the right tooling to discover, manage and govern NHIs across your entire technology ecosystem.
- Take advantage of automation as much as you can. Automating NHI provisioning, credentialing and decommissioning can help eliminate “orphan” machine identities, while ensuring that permissions are always revoked when they’re no longer needed.
- Focus on full-lifecycle NHI governance, which will likely require integrations. To gain the capabilities needed to protect NHIs at scale, you’ll almost certainly need to integrate existing secrets management, IGA, PAM, IAM and cloud identity and entitlements management (CIEM) solutions with specialized NHI discovery and management tools.
The sheer volume of NHIs, along with the fact that effective governance requires an integrated, end-to-end approach—not just tooling—means that having the right partner, one who can design and operate an identity fabric across your entire environment, is critical for mitigating NHI-related security risk. In particular, someone with expertise across clouds, SaaS, identity security platforms and AI implementation will be able to help you transform the complexities of machine identity security into a set of repeatable processes that can deliver the results you need to satisfy your board, regulators, investors and customers—and set your own mind at ease.
Interested in learning more about today’s biggest cybersecurity challenges and how industry leaders are approaching them? Download SHI and Stratascale’s 2026 Cyber Trends Report today.