⚡ Key Takeaways

CyberArk’s 2025 Identity Security Landscape report found 82 machine identities (API keys, service accounts, AI agent credentials) for every human in the average enterprise — with 42% of those machine identities holding privileged or sensitive access. Despite this, 88% of organizations still define ‘privileged user’ exclusively as human, leaving machine credentials as the largest unmonitored attack surface in enterprise security. The IBM X-Force 2026 index confirms credential harvesting accounts for 26% of observed attack impacts.

Bottom Line: Enterprise security leaders must immediately inventory all machine credentials, enforce automated rotation and least-privilege policies, and instrument AI agent credentials with behavioral monitoring — or accept that their zero-trust program has a structural hole attackers have already found.


🧭 Decision Radar

Relevance for Algeria: High

Algeria’s rapidly expanding cloud adoption across banking, telecom, and public digitalization programs means machine identity sprawl is already occurring — but without the governance frameworks mature Western enterprises are now racing to implement. The 70+ million cyberattacks Algeria faced in 2024 include credential-harvesting campaigns that exploit exactly this gap.

Infrastructure Ready? Partial

Major Algerian enterprises (Djezzy, Sonatrach, Algerie Telecom) have cloud infrastructure where NHI governance applies immediately. SMEs and public institutions are earlier-stage and may rely on on-premise systems with fewer machine identities — but the problem will scale with Algeria’s digital transformation program.

Skills Available? Limited

Algerian cybersecurity talent is growing through ESFC and the new National School of Cybersecurity in Sidi Abdellah, but NHI governance is a specialized sub-discipline. Most available talent is trained in perimeter and network security, not identity lifecycle management. External expertise will be required in the near term.

Action Timeline: 6-12 months

Organizations deploying cloud workloads or AI agents now should begin machine identity inventory immediately — the credential sprawl problem compounds with each new deployment.

Key Stakeholders: CTOs, CISOs, Cloud Architects, DevSecOps teams

Decision Type: Strategic

This article requires enterprise security leaders to rethink their identity security architecture, not just add a tool — a strategic-level decision with long-term program implications.

Quick Take: Algerian enterprises undergoing cloud migration or AI pilot programs should treat machine identity inventory as a foundational security task — not a future enhancement. Start by auditing all API keys and service accounts in use today, enforce rotation schedules, and ensure that any AI agent deployed in production operates under a least-privilege credential with behavioral monitoring. The organizations that act now will avoid the credential sprawl that is costing global enterprises millions in breach response and remediation.

The Credential Explosion No One Planned For

Enterprise security programs were built around a simple premise: a user logs in, authenticates, and gets access. For decades, that model worked. But somewhere between the shift to microservices, the explosion of cloud-native workloads, and the proliferation of AI agents and automation bots, the assumption that “user” means “human” quietly broke down.

Today, the typical enterprise runs 82 machine identities for every single human employee. That figure comes from CyberArk’s 2025 Identity Security Landscape report, based on a survey of 2,600 cybersecurity decision-makers across 15 countries. The machine identities in question include service accounts, API keys, OAuth tokens, certificates, SSH keys, robotic process automation (RPA) bots, and — increasingly — AI agent credentials that must authenticate to dozens of downstream services to complete a single task.

The sheer scale of this proliferation is staggering. An enterprise with 10,000 employees may be managing 820,000 machine credentials. A mid-size company with 500 staff could have 41,000. Most were provisioned with minimal oversight, granted broad permissions “for convenience,” and never rotated. Many are completely undocumented. Entro Security’s 2025 measurement of the ratio came in even higher — at 144 machine identities per human — suggesting that CyberArk’s figure may be conservative for mature cloud-native environments.

Why Machine Credentials Are the Fastest-Growing Attack Vector

Attackers have noticed. When 42% of machine identities hold privileged or sensitive access — and 61% of organizations lack identity security controls for cloud infrastructure — machine credentials represent a category of target that is simultaneously high-value and low-detection-risk.

Three structural factors make machine credentials uniquely dangerous:

1. No MFA, no behavioral baseline. Human accounts can be protected with multi-factor authentication and anomaly detection (unusual login time, atypical location). Machine identities typically cannot be enrolled in MFA workflows and rarely have behavioral baselines established. An API key stolen from a CI/CD pipeline can be used from any IP address without triggering an alert.

2. Credential sprawl and shadow access. According to the CyberArk survey, 70% of organizations identify identity silos — fragmented credential stores across cloud providers, on-premise directories, and SaaS platforms — as a root cause of cybersecurity risk. This fragmentation makes it nearly impossible to maintain a complete inventory of active machine credentials, let alone enforce least-privilege consistently.

3. AI agents multiply the problem. Every AI agent deployed in an enterprise requires credentials — typically multiple API keys, database connection strings, and service account tokens. CyberArk’s research found that more than two-thirds of organizations remain unprepared for threats targeting AI agents specifically. A CyberArk Labs case study illustrated how an AI agent built for a narrow task (listing orders) was provisioned with unnecessary invoice access. A single prompt injection attack enabled an attacker to extract sensitive vendor data by exploiting that over-provisioned credential — without any traditional intrusion indicator.


The Breach Reality: 87% Already Hit Twice

The consequences of this credential gap are not theoretical. The CyberArk survey found that 87% of organizations experienced at least two successful identity-centric breaches in the past 12 months. Half of respondents reported security incidents or breaches stemming specifically from compromised machine identities. And 72% of organizations experienced at least one certificate-related outage over the same period — a common indicator of machine identity sprawl, where expired or misconfigured certificates cause unexpected service failures.

The IBM X-Force 2026 Threat Intelligence Index reinforces this picture from the attacker’s side: credential harvesting now accounts for 26% of observed attack impacts, and 32% of all incidents involved stolen or misused credentials as the initial access vector. The index also tracked nearly 40,000 vulnerabilities in 2025, 56% of which required no authentication to exploit — a reminder that machine identities running on unpatched software are doubly exposed.

Across the threat intelligence landscape, one pattern is consistent: attackers are not trying to break authentication. They are stealing the keys. Infostealer malware was responsible for exposing over 300,000 ChatGPT credentials on dark web marketplaces in 2025 alone — credentials that include API keys and service tokens embedded in developer tools, not just user passwords.

What Enterprise Security Teams Should Do About It

1. Build a Complete Machine Identity Inventory Before Anything Else

You cannot govern what you cannot see. The first step is a comprehensive discovery exercise that enumerates every service account, API key, certificate, SSH key, and OAuth token across all environments — cloud, on-premise, SaaS, and developer toolchains. Security teams should expect to find credentials they did not know existed: old automation scripts, decommissioned pipeline tokens still active in the identity provider, certificates managed outside IT. CyberArk’s Privilege Cloud and similar NHI platforms can automate discovery using API integrations with cloud providers, but the process must also include manual review of CI/CD configurations, infrastructure-as-code repositories, and developer secret managers (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) to capture credentials that live outside central directories.
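The manual-review part of that discovery step can be partly automated. The following is an added example written for this article (it is not CyberArk's tooling or any vendor's product code): a small scanner that runs regex detectors for common credential formats over CI/CD, infrastructure-as-code and shell files, and records a SHA-256 fingerprint of each match rather than the secret itself, so the resulting inventory does not become a new credential store. The file contents, the credential values in them and the detector set are all constructed for the example; a production pass would use a maintained detector library and route findings through review before they are recorded.

```python
"""Discover embedded machine credentials in CI/CD, IaC and script files.

Added example for the inventory step; not part of the original article and not
any vendor's tooling. All sample files and credential values below are constructed.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Detectors for widely documented credential formats. The generic assignment
# pattern is deliberately broad and will produce some noise, which is acceptable
# for an inventory pass where every finding is reviewed before being recorded.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?<![a-z0-9])(?:api[_-]?key|secret|token|password)(?![a-z0-9])"
        r"\s*[:=]\s*['\"]?([a-z0-9_\-/+=]{12,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    fingerprint: str  # first 12 hex chars of SHA-256(secret); the secret is never stored


def fingerprint(secret: str) -> str:
    """Stable identifier for a secret that lets duplicates be correlated without keeping the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, detector) match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in DETECTORS.items():
            m = pattern.search(line)
            if m is None:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(path, line_no, kind, fingerprint(secret)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory mapping of path -> content (stands in for a repository checkout)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample files. Every credential value is fake and chosen only to match a detector.
SAMPLE_FILES = {
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAEXAMPLE000000001\n"
        "  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n"  # reference, not a value
    ),
    "terraform/main.tf": (
        'provider "example" {\n'
        '  api_key = "exampleapikey0123456789"\n'
        "}\n"
    ),
    "scripts/legacy_backup.sh": (
        "#!/bin/sh\n"
        "# left behind by a decommissioned pipeline\n"
        "GITHUB_TOKEN=ghp_" + "0" * 36 + "\n"
    ),
    "ansible/files/deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} fp={f.fingerprint}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

The fingerprint is what goes into the inventory record: it is enough to tell that the same key appears in three repositories, and to re-identify the credential when it is later rotated, without copying the value into yet another system.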

2. Apply Least Privilege to Machine Identities the Same Way You Do to Humans

Once inventory exists, apply to machine credentials the same least-privilege discipline that mature security programs apply to human privileged accounts. The CyberArk case study is instructive: the AI agent needed to list orders. It should only have had the permission to list orders. The principle sounds obvious, but 75% of organizations in the CyberArk survey admit they prioritize business efficiency over robust security — meaning permissions are routinely over-provisioned because restricting them requires coordination with developers and slows delivery. Security teams must build privilege review into sprint processes, not treat it as an annual audit item.

3. Rotate Credentials Automatically — Treat Static Secrets as Technical Debt

Static API keys and long-lived service account passwords are the credential equivalent of default passwords. They never change, which means a credential stolen from a breach two years ago may still work today. Automated rotation — where credentials are cycled on a defined schedule and injected into applications dynamically via a secrets manager — eliminates this exposure class entirely. The target rotation frequency depends on the credential’s sensitivity and exposure surface: privileged service accounts should rotate every 24-72 hours; less-sensitive application tokens every 30-90 days. Organizations with immature secrets management should start with the highest-privilege, highest-exposure credentials and expand coverage iteratively.

4. Instrument AI Agent Credentials With Behavioral Monitoring

As AI agents move from pilots to production, they must be treated as privileged identities with full behavioral visibility — not as background processes operating outside the security perimeter. This means logging every API call made by an agent credential, establishing what a normal call pattern looks like, and alerting on deviations. It also means scoping AI agent permissions to the minimum required for each task and re-evaluating those scopes as the agent’s function evolves. The 68% of organizations that currently lack identity security controls for AI have a narrow window to build this capability before AI-targeted attacks become routine.
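The two controls described in sections 2 and 4, a scope review before deployment and a behavioral baseline at run time, can be shown together on the case the article cites: an agent built to list orders that also held invoice access. The code below is an added example written for this article, not the CyberArk Labs case study code and not any product's detection logic. The scope names, the log line format (`minute credential METHOD /path`), the baseline model (set of endpoints plus peak calls per minute) and the burst threshold are all assumptions; the log lines are constructed.

```python
"""Least-privilege scope check and behavioural baseline for an AI agent credential.

Added example; not from the original article or from CyberArk Labs. The agent,
its scopes, the log format and all log lines are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

AGENT = "svc-orders-agent"                        # constructed credential name
REQUIRED_SCOPES = {"orders:list"}                 # what the order-listing task needs
GRANTED_SCOPES = {"orders:list", "invoices:read"}  # what was actually provisioned


# --- Control 1 (section 2): compare granted scopes with required scopes before deployment ---
def excess_scopes(required: set[str], granted: set[str]) -> set[str]:
    """Scopes granted beyond what the task requires; non-empty means over-provisioned."""
    return set(granted) - set(required)


# --- Control 2 (section 4): baseline the credential's API calls and alert on deviations ---
@dataclass(frozen=True)
class Call:
    minute: int        # minutes since the start of the observation window
    credential: str
    method: str
    path: str          # normalised, e.g. /orders/42 -> /orders/{id}


def normalize_path(path: str) -> str:
    return re.sub(r"/\d+", "/{id}", path)


def parse_log(lines: list[str]) -> list[Call]:
    """Parse constructed log lines of the form 'minute credential METHOD /path'."""
    calls = []
    for line in lines:
        minute, credential, method, path = line.split()
        calls.append(Call(int(minute), credential, method, normalize_path(path)))
    return calls


@dataclass
class Baseline:
    endpoints: set[tuple[str, str]]   # (method, path) pairs seen during normal operation
    max_calls_per_minute: int


def build_baseline(calls: list[Call], credential: str) -> Baseline:
    own = [c for c in calls if c.credential == credential]
    per_minute = Counter(c.minute for c in own)
    return Baseline({(c.method, c.path) for c in own}, max(per_minute.values()))


def detect(calls: list[Call], credential: str, baseline: Baseline, burst_factor: int = 3) -> list[str]:
    """Alert on any endpoint outside the baseline and on call volume above burst_factor x the baseline peak."""
    alerts = []
    own = [c for c in calls if c.credential == credential]
    for c in own:
        if (c.method, c.path) not in baseline.endpoints:
            alerts.append(f"minute {c.minute}: {credential} called {c.method} {c.path}, not in baseline")
    for minute, n in sorted(Counter(c.minute for c in own).items()):
        if n > burst_factor * baseline.max_calls_per_minute:
            alerts.append(f"minute {minute}: {credential} made {n} calls, baseline max is "
                          f"{baseline.max_calls_per_minute}/min")
    return alerts


# Constructed logs. Training window: the agent lists orders once or twice a minute.
TRAINING_LOG = [f"{m} {AGENT} GET /orders" for m in range(10)] + [f"3 {AGENT} GET /orders/42"]

# Incident window: the over-provisioned credential is used to read invoices, then bursts.
INCIDENT_LOG = [
    f"20 {AGENT} GET /orders",
    "20 svc-billing-batch GET /invoices",   # a different credential; ignored for this agent
    f"21 {AGENT} GET /invoices/17",
    f"22 {AGENT} GET /invoices",
] + [f"23 {AGENT} GET /orders" for _ in range(8)]


def run_example() -> tuple[set[str], list[str]]:
    excess = excess_scopes(REQUIRED_SCOPES, GRANTED_SCOPES)
    baseline = build_baseline(parse_log(TRAINING_LOG), AGENT)
    return excess, detect(parse_log(INCIDENT_LOG), AGENT, baseline)


if __name__ == "__main__":
    excess, alerts = run_example()
    print("excess scopes:", excess)
    for a in alerts:
        print("ALERT", a)
```

The scope check would have flagged `invoices:read` before the agent ever ran; the baseline check is the backstop for the case the article describes, where the excess permission was never removed and a prompt injection turned it into data access. Note that the run-time alert fires on the credential's behaviour alone, with no traditional intrusion indicator required.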

5. Enforce Certificate Lifecycle Management to Eliminate Outages and Blind Spots

Certificate-related outages — reported by 72% of organizations — are not just operational nuisances. They signal that the organization does not have comprehensive visibility into its machine identity landscape. Every expired certificate represents a machine identity that was provisioned, used, and then forgotten. Certificate lifecycle management tools (CLM) track issuance, expiry, and renewal automatically, providing both reliability (no surprise outages) and security (no zombie certificates that could be exploited). Organizations running PKI at scale should consider integrating CLM with their secrets management platform to create a unified machine identity governance layer.

The Bigger Picture: Identity as the New Perimeter

The 82-to-1 ratio is not just a staffing problem — it represents a fundamental architectural shift in what the enterprise security perimeter looks like. Traditional perimeter security assumed that the boundary between “inside” and “outside” could be enforced at the network edge. Zero-trust architectures extended that logic to humans: verify every user, every time, regardless of network location.

Machine identities require the same extension, but the tooling maturity is five to seven years behind. The security industry is aware of the gap: Palo Alto Networks completed its acquisition of CyberArk in 2026 explicitly to consolidate machine identity security within its AI-driven security platform — a signal that the market considers NHI protection a foundational security layer, not a niche product. Organizations that treat machine credential governance as a 2027 problem are building their zero-trust programs on a foundation with a structural hole. The attacker community has already identified it.


Frequently Asked Questions

What exactly is a non-human identity (NHI)?

A non-human identity is any credential or authentication token used by software rather than a person — including API keys, service accounts, OAuth tokens, SSH keys, TLS certificates, and AI agent credentials. Unlike human identities, NHIs typically cannot enroll in multi-factor authentication, do not have behavioral baselines, and are often provisioned and forgotten. According to CyberArk’s 2025 research, NHIs outnumber human identities in the typical enterprise at a ratio of 82 to 1.

Why are machine credentials more dangerous than human credentials to leave unmanaged?

Machine credentials are dangerous because they are invisible by default. Human accounts show up in HR systems, require regular password resets, and trigger alerts when used from unusual locations. Machine credentials can sit in a CI/CD pipeline, a developer’s local environment, or a cloud configuration file — unrotated for years — and will work silently from any location without triggering standard security controls. The IBM X-Force 2026 index found that 32% of breach initial access vectors involved stolen or misused credentials, and infostealer malware specifically targets machine credentials embedded in developer tools.

How should a mid-size enterprise with limited security staff prioritize NHI governance?

Start with discovery, not tooling. Before purchasing a purpose-built NHI platform, conduct a manual inventory of your highest-risk credential categories: administrative service accounts, API keys with write access to production systems, and certificates expiring within 90 days. Address these three categories first with automated rotation and least-privilege enforcement. Then expand coverage to lower-risk credentials. This phased approach delivers risk reduction immediately without requiring a full platform procurement cycle.
