The non-human identity problem: why the agent, not the human, is now the control plane attackers target
Agents create credentials faster than security teams can track them. With many organizations not inventorying AI identities at all, the machine identity has become the soft target. Here is the 2026 data, how the compromises unfold, and the fix.
For two decades, the security perimeter was built around people, with passwords, badges, phishing training, and the human who clicks the link. That model is quietly breaking. The systems doing real work inside modern companies are increasingly not human at all. They are AI agents, service accounts, and automated workflows, each acting with its own credentials, at machine speed, around the clock. Every one of them is an identity. And attackers have noticed.
The uncomfortable truth is that you cannot secure what you cannot uniquely identify and prove. When a workforce of software agents spins up faster than anyone can track, the machine identity becomes the soft target, over-permissioned, rarely rotated, almost never revoked cleanly. This piece looks at why non-human identities now multiply silently, what the 2026 data actually shows, why so many organizations have no inventory of these identities, how the compromises unfold, and what it takes to give each agent a distinct, least-privilege, revocable identity backed by a verifiable record of what it did.
Why is every AI agent a new identity that multiplies silently?
An AI agent is not a feature bolted onto an app. It is an actor. To read a database, call an API, or send a message, it needs credentials, a token, a key, a service account. That makes each agent a distinct non-human identity, indistinguishable at the wire level from any other principal asking for access. The difference from a human user is scale and speed: agents spawn sub-agents, request fresh tokens, and provision new access paths without a person in the loop.
The result is silent multiplication. One deployed workflow can generate dozens of downstream identities, each with its own reach, and none of them tied to a face or an offboarding date. Human identity growth is bounded by hiring. Machine identity growth is bounded only by how much you automate, which is to say, effectively unbounded. Security teams built for the first curve are now facing the second, and the gap is where attackers operate.
What does the 2026 non-human identity data actually show?
The numbers from 2026 reporting tell a consistent story: incidents are common, breaches are widespread, and the visibility needed to catch them is scarce. Read the runtime-visibility figure against the incident rate, because that gap is the whole problem in one frame.
What does the identity gap look like in one downloadable picture?
It looks like a chasm between what is happening and what defenders can see. The infographic below puts the two sides next to each other: near-universal incidents and widespread breaches on one side, scarce runtime visibility and a real tracking vacuum on the other.
Why do so many organizations fail to track their AI identities?
You cannot protect what you have never counted. The Cloud Security Alliance reports that more than 16% of organizations do not track the creation of AI identities at all, describing a genuine non-human-identity governance vacuum. That figure is easy to skim past, but sit with it: for one in six organizations, agents are being born into production with no registry, no owner, and no lifecycle. They are invisible by default.
This vacuum compounds everything else. Sophos’ State of Identity Security 2026 found that 71% of organizations suffered at least one identity breach in the past year, and secondary 2026 reporting suggests only around 21% have runtime visibility into their agents. An untracked identity cannot be reviewed, rotated, or revoked, because no one knows it exists. When the inventory is missing, every other control is operating blind, and the attacker’s job is simply to find the identity the defender forgot.
The reasons the vacuum forms are ordinary, which is exactly why it is so common. Agents are created by developers and platforms in the flow of building features, not by an identity team following a provisioning process, so there is no natural checkpoint where a new identity gets registered and assigned an owner. Many are spun up by other agents, one layer removed from any human decision at all. And because a working agent looks like productivity rather than risk, no one has an incentive to slow down and catalog it. The result is that the inventory gap is not a single oversight to fix once; it is a structural byproduct of how fast automation ships, which is why closing it requires making identity a property an agent is born with rather than a record someone remembers to create afterward.
How do non-human identity compromises actually happen?
The attack paths are not exotic. They are the same identity failures that have plagued service accounts for years, now multiplied across a workforce of agents that no one is watching in real time. Three patterns account for most of the damage:
- Over-permissioned credentials: an agent is handed far more access than its task requires, so a single compromise becomes a broad one; the blast radius is set at provisioning time, not attack time.
- Unrotated or leaked secrets: long-lived tokens and keys sit in code, config, and logs, and because no one is tracking the identity, the secret is never rotated and its exposure is never noticed.
- No revocation path: when an agent is retired or turns out to be compromised, there is no clean way to kill its identity, so stale credentials keep working long after they should have gone dark.
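The three patterns above, expressed as checks over an identity inventory. This is an added example, not code from the original article; the record fields, the 90-day rotation threshold and the sample agents are constructed assumptions.

```python
from datetime import date

TODAY = date(2026, 6, 1)      # fixed so the output is reproducible
MAX_SECRET_AGE_DAYS = 90      # assumed rotation policy, not from the article

# Constructed inventory; every field name here is hypothetical.
INVENTORY = [
    {"id": "agent-invoice", "owner": "finance-eng", "status": "active",
     "granted": {"db:read", "db:write", "admin:*"}, "used": {"db:read"},
     "secret_issued": date(2025, 1, 10), "credential_live": True},
    {"id": "agent-summarizer", "owner": "ml-platform", "status": "active",
     "granted": {"docs:read"}, "used": {"docs:read"},
     "secret_issued": date(2026, 5, 20), "credential_live": True},
    {"id": "agent-etl-old", "owner": None, "status": "retired",
     "granted": {"s3:read"}, "used": {"s3:read"},
     "secret_issued": date(2026, 4, 15), "credential_live": True},
]

def audit(rec, today=TODAY):
    """Return the failure modes one identity record exhibits."""
    findings = {}
    # Over-permissioned: scopes granted but never exercised, plus any wildcard.
    excess = {s for s in rec["granted"] if s not in rec["used"] or s.endswith("*")}
    if excess:
        findings["over_permissioned"] = sorted(excess)
    # Unrotated secret: older than the rotation policy allows.
    age = (today - rec["secret_issued"]).days
    if age > MAX_SECRET_AGE_DAYS:
        findings["unrotated_secret_days"] = age
    # No revocation path: a retired agent whose credential still authenticates,
    # or a live credential with no owner who could be asked to revoke it.
    if rec["credential_live"] and (rec["status"] == "retired" or rec["owner"] is None):
        findings["no_revocation_path"] = True
    return findings

def audit_all(inventory=INVENTORY):
    """Map each identity with at least one finding to its findings."""
    report = {rec["id"]: audit(rec) for rec in inventory}
    return {agent_id: f for agent_id, f in report.items() if f}

if __name__ == "__main__":
    for agent_id, findings in audit_all().items():
        print(agent_id, findings)
```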
What makes machine identities harder to secure than human ones?
It comes down to four differences, and each one bends a control that was designed for people. The first is scale: machine identities already outnumber humans by a wide margin, with CyberArk’s 2025 research putting the ratio near 82 to 1, so any process that assumes a reviewable number of accounts is immediately swamped. The second is speed: humans are onboarded in days and offboarded on a known date, while agents appear and provision access in seconds and often have no offboarding date at all, so the lifecycle controls that work for employees never get a chance to run. The third is attribution: a person is behind one identity, but an agent can spawn sub-agents and delegate, so a single action at the end of a chain may trace back through several machine identities to an original principal that no one recorded, which is exactly where confused-deputy attacks live.
The fourth, and the one that ties the others together, is proof. When a human does something questionable, there is usually a trail: a login, a device, a session. When an agent does something questionable and its identity was a shared, long-lived secret that many callers hold, there is often no way to say which agent did it or whether it was even authorized. That absence of proof is what turns an untracked machine identity from an inconvenience into a genuine soft target, because the attacker who rides it leaves no more trace than the legitimate agent would have. Securing machine identity is therefore less about adding another gate and more about making each agent uniquely identifiable, tightly scoped, cleanly revocable, and provable after the fact, which is the opposite of the shared-secret status quo. The same shift is covered from the agent-runtime angle on AI agent security.
How do you give each agent a provable, revocable identity?
The fix is not another dashboard bolted onto an untracked fleet. It is a change in what an identity is. A shared, long-lived secret answers only one weak question, whether the caller holds the key. It says nothing about which agent this is, what it is allowed to do, or whether that permission still holds. RankShield’s honest position is that you cannot secure what you cannot uniquely identify and prove, so the starting point is giving every agent a distinct, least-privilege, revocable identity rather than a reused credential.
Attestation goes one step further: a verifiable record of what each agent actually did, where verifiable means independently checkable rather than taken on trust. When identity is distinct, permissions are scoped tight, revocation is real, and actions leave a record anyone can verify, the machine identity stops being the soft target. The tracking vacuum closes because the identity was provable from the moment it was created, not reconstructed after a breach. See how this is delivered on agent passports and the attestation API.
How exposed are your own machine identities?
Run the quick check below. It scores your posture against exactly the failure modes the 2026 data reveals: untracked creation, over-permissioning, missing revocation, and no verifiable record. The point is to find the gaps while they are cheap to close.
Questions, answered.
What is a non-human identity (NHI)?
A non-human identity is any identity that is not a person: an AI agent, a service account, an automated workflow, a bot, or an application that authenticates and takes action on its own. Each holds credentials such as a token, key, or certificate, and to a system it is indistinguishable from any other principal requesting access. The category matters because these identities now vastly outnumber human ones and are governed far more loosely, which is why they have become a primary attack surface.
Why are non-human identities a bigger risk than human accounts now?
Because they are more numerous, provisioned faster, and governed less. Machine identities outnumber humans by a wide margin, with CyberArk’s 2025 research putting the ratio near 82 to 1, and they appear at machine speed without the hiring-and-offboarding rhythm that bounds human accounts. Combined with over-permissioning, unrotated secrets, and no clean revocation, that makes an untracked machine identity a pre-positioned foothold, one that leaves little trace when abused because it looks exactly like the legitimate agent.
What does the 2026 data say about AI identity breaches?
It is consistent and uncomfortable. Sophos’ State of Identity Security 2026 found 71% of organizations suffered at least one identity breach in the past year. The Cloud Security Alliance reports that more than 16% of organizations do not track AI-identity creation at all. Additional 2026 survey reporting indicates around 88% of enterprises experienced an AI-agent security incident while only about 21% have runtime visibility into their agents, figures we flag as directional. The through-line is that incidents are common while the visibility to catch them is rare.
Why can’t you just monitor agents with existing tools?
Because most security tooling was built to watch humans: logins, devices, phishing, endpoints. A machine identity quietly assuming broad access, requesting fresh tokens, and spawning sub-agents does not trip those alarms. And you cannot monitor what you never inventoried, which is the core problem when a share of organizations do not track AI-identity creation at all. Effective coverage requires treating each agent as a first-class, tracked identity with its own scope and lifecycle, not an anonymous process inside a trusted network.
What does "distinct, least-privilege, revocable" identity mean in practice?
Distinct means each agent has its own identity rather than sharing a credential, so actions can be attributed to it. Least-privilege means it is granted only the access its task requires, so a compromise has a small blast radius. Revocable means you can cleanly and immediately kill that identity when the agent retires or is compromised, so stale credentials do not keep working. Together they replace the shared-secret model, where possession of a key equals trust, with a model where identity, scope, and lifecycle are explicit and enforced.
How does verifiable attestation help with non-human identities?
Attestation records what each agent actually did as an independently checkable, tamper-evident receipt, so "which agent did this and was it allowed" has a provable answer rather than a guess. That closes the tracking vacuum from the other end: instead of reconstructing events after a breach from logs you have to trust, you have proof generated at the time the action happened. Paired with distinct, least-privilege, revocable identity, it is what turns the machine identity from a soft target into an accountable one.
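The distinct, least-privilege, revocable identity from the section on provable identity, together with the tamper-evident record described in the answer above, shown as an added example that is not RankShield's implementation or API. The `Registry` class, per-agent HMAC keys and SHA-256 hash chain are stand-ins chosen here. Verification by an independent party would additionally need asymmetric signatures and a chain head anchored outside the log, since a bare chain does not reveal truncation of its tail.

```python
import hashlib, hmac, json, secrets
GENESIS = "0" * 64

def sign(key, action, seq):  # agent side: MAC over action + per-agent sequence number
    return hmac.new(key, f"{seq}:{action}".encode(), hashlib.sha256).hexdigest()

def entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Registry:
    """Hypothetical issuer: one key per agent, explicit scopes, revocation."""
    def __init__(self):
        self.agents, self.log = {}, []
    def register(self, agent_id, scopes):
        self.agents[agent_id] = {"key": secrets.token_bytes(32),  # distinct, never shared
                                 "scopes": set(scopes), "revoked": False, "seq": 0}
        return self.agents[agent_id]["key"]
    def revoke(self, agent_id):
        self.agents[agent_id]["revoked"] = True

    def act(self, agent_id, action, tag):  # decide, and record the decision either way
        a = self.agents.get(agent_id)
        allowed = bool(a and not a["revoked"] and action in a["scopes"]
                       and hmac.compare_digest(sign(a["key"], action, a["seq"]), tag))
        if allowed:
            a["seq"] += 1  # a captured tag cannot be replayed
        body = {"agent": agent_id, "action": action, "allowed": allowed,
                "prev": self.log[-1]["hash"] if self.log else GENESIS}
        self.log.append({**body, "hash": entry_hash(body)})
        return allowed

def verify_chain(log):  # recompute every link; an edited interior entry breaks it
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or entry_hash(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def demo():
    reg = Registry()
    key = reg.register("agent-invoice", {"db:read"})
    ok = reg.act("agent-invoice", "db:read", sign(key, "db:read", 0))        # in scope
    denied = reg.act("agent-invoice", "db:write", sign(key, "db:write", 1))  # out of scope
    reg.revoke("agent-invoice")
    revoked = reg.act("agent-invoice", "db:read", sign(key, "db:read", 1))   # revoked
    return [ok, denied, revoked], reg.log
```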