Technological transformation, powered by AI and automation, delivers speed, insight, and competitive advantage. As digital platforms and ecosystems expand, non-human identities (NHIs) now outnumber human users by 82 to 1¹. These entities act autonomously and access critical systems at machine speed, often without human intervention. This evolution has created invisible and rapidly expanding attack surfaces, challenging conventional security models and governance.

      Thus, embedding security and privacy into every stage of the lifecycle, proactively governing machine identities, and leveraging standards and AI guardrails to manage risk and maintain trust have become imperatives for cyber professionals.

      What are NHIs and why do they create new frustrations and threats?

      The evolving enterprise identity landscape, combined with the emergence of agentic AI, is accelerating the proliferation of NHIs at an unprecedented pace. Beyond employees and contractors, organisations now rely on a vast, largely invisible layer of NHIs, such as API keys, service accounts, Open Authorisation (OAuth) tokens, machine credentials, and autonomous AI agents, which enable critical systems and workflows. These identities operate continuously across SaaS, cloud, on-premises, and third-party integrations, often with privileged access and minimal oversight.

The scale of the issue is significant: machine identities now outnumber human identities many times over, creating blind spots and a large, unmanaged attack surface. This proliferation also produces an unmanageable stream of authorisation requests, and reflexive approvals of those requests increase security risk. Unlike human users, NHIs lack intent, context, and lifecycle governance, making them prime targets for credential theft, lateral movement, and large-scale data exfiltration.

      Why act now?

      Compromised NHIs already feature prominently in major breaches, from exposed tokens and bot accounts in Continuous Integration/Continuous Delivery or Deployment (CI/CD) pipelines to over‑privileged OAuth applications exploited for email and data access. These issues are amplified by agentic AI systems, which, unlike traditional automation, act autonomously at machine speed — creating, modifying, and using credentials without human intervention. These systems can spawn new identities, chain tools across trust domains, and execute non-deterministic actions, often requiring broad permissions to achieve business outcomes. 

      Such autonomy introduces novel attack vectors and governance challenges that traditional IAM (Identity and Access Management) frameworks, designed for human users, are ill-equipped to address. It also significantly lowers the barriers to compromise, enabling attackers to orchestrate sophisticated, multi-layered campaigns with speed and precision.

      As AI adoption accelerates, the oversight gap widens, making proactive measures critical. Acting now with continuous discovery, enforcing least-privilege, and maintaining secrets hygiene can transform NHIs from invisible risk into governed assets that enable secure innovation.

      The implications extend beyond technical risk. Failure to act can result in severe business consequences, loss of trust, financial penalties, and reputational damage that may take years to repair. Proactive NHI management has become foundational to regulatory compliance as boards and regulators increasingly demand accountability for machine-to-machine and agentic interactions, mandating effective oversight.


      The proliferation of machine identities is creating new risks and challenges that traditional security models can’t address. At CyberArk, our strategy is to empower security teams to automatically discover every machine identity, analyze their risk in real time, and take swift, automated action to remediate threats. Together with leading global systems integrators such as KPMG, we’re helping our customers transform machine identities from invisible risks into governed assets — enabling secure innovation at scale.

      Peter Beardmore

      CyberArk’s Director of Product Marketing

      Key questions for Cyber leaders:

      To build resilience against this evolving risk, cyber leaders can start by asking the right questions.


      Do we have visibility into all NHIs across our environments?

      How are we governing AI agents and their access to sensitive systems?

      Are our IAM and PAM (Privileged Access Management) frameworks equipped to manage machine identities at scale?

      What controls exist to detect and remediate anomalous NHI behavior?

      Tackling the Problem: Embedding NHI Governance into Enterprise Identity Strategy

To strengthen enterprise identity programs, organisations can embed robust governance for NHIs as a foundational element. Establishing a governance framework that defines clear standards for NHI creation, usage, and retirement helps make NHI security a core pillar of identity, risk, and compliance frameworks.

Discovery of all NHIs across environments, followed by risk assessment and enforcement of least privilege, is crucial for NHI security. NHI management should be aligned with the organisation's other security controls, such as Identity and Access Management (IAM), Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and Identity Threat Detection and Response (ITDR). Centralising visibility into a single source of truth across identities, secrets, and integrations helps eliminate silos across environments. Policies should be tied to measurable outcomes such as reducing the attack surface, accelerating incident response, and ensuring audit readiness.

Looking ahead, governance should anticipate the rise of agentic AI by enforcing policy controls and continuous monitoring so that autonomous agents operate strictly within defined boundaries. Complementary guardrails for AI agents should reinforce NHI governance by enforcing safe operational limits and masking sensitive data during model interactions. By integrating these measures, enterprises can future-proof their identity strategy, balancing innovation with security and compliance.

Cyber leaders can start by implementing these three foundational steps for effective NHI management:

      1. Continuously discover and inventory NHIs:

      • Scan systems and cloud platforms for all agentic and non-human identities
      • Build comprehensive inventories that capture ownership, privilege, credential status, and telemetry data for monitoring and attestation

      2. Assess and prioritise risk:

      • Rank NHIs by access level, scope, and potential impact
      • Correlate identity and secrets intelligence to identify and remediate high-risk, orphaned, or misconfigured identities
      • Apply rigorous least-privilege principles and maintain enriched audit trails for compliance and incident response

      3. Govern and control:

      • Distinguish agent actions via delegated authority and on-behalf-of flows
      • Automate de-provisioning and ensure obsolete or compromised identities are removed
      • Use technical guardrails, such as policy-as-code and credential rotation to enforce usage boundaries and detect anomalies in real time
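The three steps above, worked through in code as an added example that is not part of the original article or of any vendor product it mentions. It builds a small NHI inventory (constructed sample data, not real identities), applies a policy-as-code rule set (orphaned, stale credential, idle, over-privileged, agent acting without delegated authority), and ranks each identity by a risk score. The field names, scope names, thresholds, and weights are assumptions chosen for illustration, so an organisation would substitute its own.

```python
"""Added example: NHI inventory, policy-as-code findings and risk ranking.
Not part of the original article. Field names, thresholds and weights are
assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class NHI:
    name: str
    kind: str                   # "service_account" | "api_key" | "oauth_app" | "ai_agent"
    owner: Optional[str]        # None means nobody is accountable (orphaned)
    scopes: List[str]
    privileged: bool
    last_used: Optional[date]
    credential_age_days: int
    delegated_by: Optional[str] = None   # human principal for on-behalf-of flows


# Fixed reference date so the idle calculation is deterministic.
TODAY = date(2025, 9, 1)

# Constructed sample inventory (assumed data, not real identities).
INVENTORY = [
    NHI("ci-deployer", "service_account", "platform-team", ["deploy:prod"], True, date(2025, 8, 30), 400),
    NHI("legacy-etl-key", "api_key", None, ["db:read", "db:write"], True, date(2025, 1, 10), 900),
    NHI("mail-sync-app", "oauth_app", "it-ops", ["Mail.ReadWrite", "Files.ReadWrite.All"], True, date(2025, 8, 31), 30),
    NHI("support-agent", "ai_agent", "cx-team", ["tickets:read"], False, date(2025, 8, 31), 20, delegated_by="alice"),
    NHI("report-bot", "ai_agent", "finance", ["ledger:read"], False, date(2025, 8, 28), 15),
    NHI("metrics-reader", "api_key", "sre", ["metrics:read"], False, date(2025, 8, 29), 60),
]

# Policy as code: thresholds and the list of broad scopes are assumptions.
MAX_CREDENTIAL_AGE_DAYS = 90
MAX_IDLE_DAYS = 60
BROAD_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "db:write"}


def findings(n: NHI) -> List[str]:
    """Evaluate each governance rule and return the violated ones."""
    out: List[str] = []
    if n.owner is None:
        out.append("orphaned: no accountable owner")
    if n.credential_age_days > MAX_CREDENTIAL_AGE_DAYS:
        out.append(f"stale credential: {n.credential_age_days}d > {MAX_CREDENTIAL_AGE_DAYS}d, rotate")
    if n.last_used is None or (TODAY - n.last_used).days > MAX_IDLE_DAYS:
        out.append("idle: unused beyond idle threshold, candidate for de-provisioning")
    broad = BROAD_SCOPES & set(n.scopes)
    if broad:
        out.append(f"over-privileged: broad scopes {sorted(broad)}")
    if n.kind == "ai_agent" and n.delegated_by is None:
        out.append("agent acts without delegated authority (no on-behalf-of principal)")
    return out


def risk_score(n: NHI) -> int:
    """Rank by access level, scope breadth and policy findings (illustrative weights)."""
    score = 40 if n.privileged else 10
    score += 10 * len(n.scopes)
    for f in findings(n):
        score += 25 if f.startswith(("orphaned", "over-privileged")) else 15
    return score


def ranked(inventory: List[NHI] = INVENTORY) -> List[Tuple[str, int, List[str]]]:
    """Return (name, score, findings) rows, highest risk first."""
    rows = [(n.name, risk_score(n), findings(n)) for n in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, fs in ranked():
        print(f"{score:3d} {name:16s} {'; '.join(fs) or 'ok'}")
```

Running it puts the orphaned, stale, idle, write-capable API key at the top and the scoped, delegated support agent near the bottom; the rules are deliberately independent so that a finding such as "agent acts without delegated authority" can feed a SIEM or ITDR alert on its own, while the combined score drives remediation priority.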

      Securing non-human identities is no longer optional — it is now a core pillar of enterprise cybersecurity. Treating NHIs as first-tier identities in IAM is critical for building trustworthy autonomous systems and resilience as well as maintaining competitive edge in a digital economy.


      ¹ CyberArk, “Machine Identities Outnumber Humans by More Than 80 to 1: New Report Exposes the Exponential Threats of Fragmented Identity Security,” 2025.

      Key Contact

      Atul Gupta

      Partner and Head - Digital Trust and Cyber

      KPMG in India
