Machine Identity Bankruptcy: The Identity Crisis No One Is Talking About

In the digital landscape of 2026, a quiet revolution has reached its breaking point. For decades, cybersecurity was a human-centric discipline. We obsessed over Multi-Factor Authentication (MFA), password complexity, and user behaviour. But while we were watching the front door, a silent army of bots, service accounts, and AI agents moved in through the vents.
Today, the statistics are staggering. According to Entro Security’s NHI & Secrets Risk Report, non-human identities now outnumber human employees at a ratio of 144 to 1 — a 56% jump from the 92:1 ratio recorded in H1 2024. ManageEngine’s Identity Security Outlook 2026 found that nearly half of surveyed organisations report machine-to-human ratios above 100:1, with some sectors reaching 500:1.
This explosion has led to a state of Identity Bankruptcy — a critical threshold where an organisation’s identity sprawl has become so complex that it is mathematically and operationally impossible to audit, manage, or secure. In this article, we explore the mechanics of the crisis, the danger of “Lenient IAM,” and why your machine accounts are now the primary targets for lateral movement.
The Great Inversion: Why Machines Won the Numbers Game
To understand Identity Bankruptcy, we must first understand how we got here. In 2020, the average machine-to-human ratio was roughly 5:1. By H1 2024, it had climbed to 92:1. Entro Security’s mid-2025 data places it at 144:1, with no signs of slowing. That 44% year-over-year growth in NHIs is driven by three primary catalysts.
The Microservices Explosion. A single monolithic application once had one identity. Today, that same application is broken into dozens of microservices, each requiring its own workload identity to communicate with databases, caches, and other services. A single deployment pipeline can create more machine identities in 20 minutes than an entire company has human users.
The Rise of Agentic AI. We no longer just use AI — we deploy AI agents. These agents perform tasks autonomously: booking travel, managing cloud infrastructure, triaging code, pulling customer records from Salesforce, committing to repositories. Microsoft Copilot has access to your SharePoint. GitHub Copilot can commit to your repos. Each agent requires a set of permissions — tokens, API keys — that act as its digital ID. CyberArk’s 2025 Identity Security Landscape report found that 68% of organisations lack identity security controls specifically for AI, and AI is expected to drive the creation of the greatest number of new identities with privileged and sensitive access in 2025.
Ephemeral Infrastructure. In a cloud-native world, servers live for minutes, not months. Every time a Kubernetes pod spins up during auto-scaling, a new identity is born. Every GitHub Actions workflow generates tokens. Every Terraform run provisions service principals.
The Anatomy of a Machine Identity
Unlike a human user, a machine identity — often called a Non-Human Identity (NHI) — doesn’t have a face, a physical location, or a predictable 9-to-5 schedule. It consists of:
- Secrets: API keys, OAuth tokens, and SSH keys.
- Certificates: TLS/SSL certificates used for encrypted communication.
- Service Principals: Cloud-native identities used by applications to access resources like AWS S3 or Azure Key Vault.
These identities persist indefinitely unless explicitly revoked. Unlike employees, they lack natural lifecycle triggers — no resignation, no retirement, no HR offboarding process. Entro’s research found that nearly half of all NHIs are over a year old, and 7.5% are between five and ten years old. One in every thousand NHIs is over a decade old, often outliving the developers who created them.
Defining “Identity Bankruptcy”
Identity Bankruptcy is the point of no return for a security team. It occurs when the volume of identities and the complexity of their permissions exceed the organisation’s capacity to verify them.
When an organisation reaches this threshold:
Auditability is lost. Ask “Who has access to our customer database?” and the answer is a list of hundreds of human users and tens of thousands of service accounts. You can audit the humans. You cannot manually audit the bots.
Visibility is fragmented. Identities exist in silos — AWS, Azure, GitHub, Salesforce, internal Kubernetes clusters — with no single source of truth. ManageEngine’s 2026 report found that 70% of respondents say identity silos are a root cause of organisational cybersecurity risk.
Governance is bypassed. Developers, under pressure to ship code, create “temporary” service accounts with Admin rights that are never deleted. Veza’s research measured over 230 billion permissions across enterprise datasets, a volume that creates persistent blind spots. Permissions classified as safe and compliant dropped from 70% in 2024 to just 55% in 2025, with ungoverned permissions rising from 5% to 28% of the total in the same period.
Privilege is catastrophically concentrated. Entro’s data reveals that just 0.01% of machine identities — approximately 2,188 accounts in their dataset — control 80% of cloud resources. Compromise one of those accounts and an attacker effectively owns the entire environment.
“When non-human identities outnumber humans by orders of magnitude, traditional governance approaches collapse. Organisations must fundamentally rethink how they manage and secure these identities before the scale becomes completely unmanageable.” — Ramanathan Kannabiran, Director of Product Management, ManageEngine
The “Lenient IAM” Trap: The Attacker’s Playground
The most dangerous byproduct of this crisis is Lenient IAM — Identity and Access Management practices that sacrifice security for uptime.
Machines don’t complain when they can’t access a file; they break the entire deployment pipeline. To avoid “permission denied” errors that stall production, many organisations default to over-permissioning. Entro Security’s 2025 State of Non-Human Identities report found that 97% of NHIs have excessive privileges — an almost universally broken baseline.
The contrast between how organisations treat human versus machine identities is stark:
| Feature | Human Identity | Machine Identity (NHI) |
|---|---|---|
| Typical Permissions | Restricted (Least Privilege) | Broad (Often ‘Owner’ or ‘Admin’) |
| Authentication | MFA / Biometrics | Static Secrets / Tokens |
| Lifecycle | Onboarded/Offboarded by HR | Created by Script / Often Orphaned |
| Monitoring | High (UEBA / Behaviour tracking) | Low (Often ignored in logs) |
| Rotation | Regular password resets | 71% not rotated within recommended timeframes |
Attackers have realised that breaching a human user protected by MFA is hard. But a service account is a goldmine — always-on, often over-privileged, and rarely scrutinised.
The Scale of Secrets Exposure
The problem is not just that machine identities exist — it’s that their credentials are being mishandled at scale.
Entro’s 2025 research found that 44% of all tokens are actively exposed in the wild, circulating through platforms like Microsoft Teams, Jira tickets, Confluence pages, and code commits. While source code remains the leading source of exposed secrets at 57%, nearly half of all exposed secrets now surface outside code repositories: 26% from CI/CD workflows, and another 14% from collaboration and messaging tools.
The March 2025 compromise of the popular tj-actions GitHub Action illustrated this perfectly. Attackers used a stolen personal access token to inject malicious code that silently exfiltrated secrets from CI/CD logs across more than 23,000 repositories. The root cause was an unmanaged, under-monitored machine identity.
Over 80% of organisations have experienced a cyber incident due to compromised machine identities. Yet the lessons are not being applied fast enough.
The Lateral Movement Kill Chain
In 2026, the attack kill chain has fundamentally shifted. Attackers no longer need to phish a CEO. Instead, they target a developer to gain access to a CI/CD pipeline or a code repository. Once inside, they hunt for machine secrets.
Stage 1: Secret Discovery. Automated tools scan for hardcoded API keys in code, environment variables, or misconfigured secret stores. With 62% of all secrets duplicated and stored in multiple locations, attackers have multiple opportunities to find them.
Stage 2: The Bot Hijack. The attacker finds a service account used for “logging.” Due to Lenient IAM, this logging account also has Read access to an S3 bucket containing sensitive customer data — a classic case of privilege creep that nobody ever noticed.
Stage 3: Lateral Movement. Using the hijacked machine identity, the attacker moves sideways through the network. Machine-to-machine traffic is rarely scrutinised for anomalous behaviour with the same rigour as human traffic, allowing exfiltration or privilege escalation with minimal detection risk.
Real-world consequences are now measured in hundreds of millions of pounds. The breaches at Jaguar Land Rover and Marks & Spencer in 2025 both originated through compromised non-human identities in partner systems — service accounts, API keys, and third-party access tokens that had never been properly governed, rotated, or monitored. The JLR incident forced a complete global production shutdown lasting over four weeks.
OWASP has taken note. Its Top 10 Non-Human Identity Risks for 2025 ranks improper offboarding as the number one risk — reflecting the fundamental gap: organisations have no systematic process for deprovisioning machine identities when services are deprecated or integrations discontinued.
Beyond Human-Centric Security: The 2026 Framework
If the majority of your identities are machines, your security strategy must reflect that reality. We must move past the “User-First” mindset and adopt Machine Identity Management (MIM) as a core pillar of the security programme.
1. Shift to Zero Standing Privileges (ZSP)
Static API keys are the passwords of the machine world, and they must be retired. Leading organisations are moving to Just-in-Time (JIT) machine identities — a bot is granted a token valid for exactly 60 seconds to perform its task, after which the token expires automatically. This eliminates the concept of an always-on credential that can be stolen and reused indefinitely.
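A minimal illustration of the JIT model, added here and not taken from the article or any vendor product: the issuer mints a token bound to one action on one resource with a 60-second expiry, and the verifier rejects anything expired, tampered or out of scope. The issuer key, workload names and actions are constructed placeholders; a production system would use a cloud STS or OIDC workload-identity federation rather than a shared HMAC key.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer key for illustration only; a real issuer keeps this in an HSM/STS.
ISSUER_KEY = b"example-issuer-key-not-for-production"
TOKEN_TTL_SECONDS = 60  # the 60-second window described above


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(workload: str, action: str, resource: str, now: float) -> str:
    """Mint a token scoped to one action on one resource, valid for TOKEN_TTL_SECONDS."""
    claims = {"sub": workload, "act": action, "res": resource,
              "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, action: str, resource: str, now: float) -> tuple:
    """Return (ok, detail): the workload name on success, else the rejection reason."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # check signature before trusting claims
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:                    # no grace period: the window is 60 s, full stop
        return False, "expired"
    if claims["act"] != action or claims["res"] != resource:
        return False, "out of scope"            # a stolen token cannot be repurposed
    return True, claims["sub"]
```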
2. Machine Behaviour Analytics
Just as UEBA systems flag a human user who suddenly logs in from a foreign country, we must track when a machine identity starts calling APIs it has never used before. If a Printing Service starts requesting Database Delete permissions, the system should auto-isolate that identity immediately. CyberArk’s 2025 landscape report confirms that AI-powered anomaly detection is now a critical differentiator for organisations managing NHI sprawl.
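Worked detection logic for the rule just described, added as an example and not drawn from any product: a baseline of (action, resource) pairs is learned per identity from a window of constructed CloudTrail-style log lines, and any call outside that baseline is alerted on, or escalated to isolation when the action is destructive. The identity names, actions and the DESTRUCTIVE_PREFIXES list are assumptions.

```python
import json

# Constructed sample log lines in a CloudTrail-like shape (not real data): learning window.
BASELINE_LOGS = """
{"identity": "printing-service", "action": "s3:GetObject", "resource": "print-jobs"}
{"identity": "printing-service", "action": "sqs:ReceiveMessage", "resource": "print-queue"}
{"identity": "printing-service", "action": "s3:GetObject", "resource": "print-jobs"}
{"identity": "billing-worker", "action": "dynamodb:Query", "resource": "invoices"}
{"identity": "billing-worker", "action": "dynamodb:PutItem", "resource": "invoices"}
""".strip().splitlines()

# Constructed live traffic: the printing service suddenly asks to delete a customer table.
LIVE_LOGS = """
{"identity": "printing-service", "action": "s3:GetObject", "resource": "print-jobs"}
{"identity": "printing-service", "action": "dynamodb:DeleteTable", "resource": "customers"}
{"identity": "billing-worker", "action": "dynamodb:Scan", "resource": "invoices"}
""".strip().splitlines()

# Assumed list: actions that justify auto-isolation when outside an identity's baseline.
DESTRUCTIVE_PREFIXES = ("dynamodb:Delete", "s3:Delete", "iam:", "kms:ScheduleKeyDeletion")


def build_baseline(lines):
    """Per-identity set of (action, resource) pairs observed during the learning window."""
    baseline = {}
    for line in lines:
        ev = json.loads(line)
        baseline.setdefault(ev["identity"], set()).add((ev["action"], ev["resource"]))
    return baseline


def evaluate(lines, baseline):
    """Return (identity, action, verdict) per event; verdict is 'ok', 'alert' or 'isolate'."""
    verdicts = []
    for line in lines:
        ev = json.loads(line)
        key = (ev["action"], ev["resource"])
        if key in baseline.get(ev["identity"], set()):
            verdict = "ok"
        elif ev["action"].startswith(DESTRUCTIVE_PREFIXES):
            verdict = "isolate"  # never-seen destructive call: quarantine the identity
        else:
            verdict = "alert"    # never-seen but low-risk: raise for human review
        verdicts.append((ev["identity"], ev["action"], verdict))
    return verdicts
```

An identity absent from the baseline entirely (a freshly created service account) gets an empty set, so its first destructive call is isolated rather than silently learned.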
3. Ruthless Lifecycle Management
OWASP’s top-ranked risk — improper offboarding — is entirely preventable. Every machine identity must have an assigned human owner. When that owner leaves, the identity must be flagged for review. Automated tools should run continuous sweeps to identify and quarantine orphaned accounts, focusing first on those with administrative or wildcard (*) level permissions.
4. Identity Inventory Automation
You cannot secure what you cannot see. Recovery from Identity Bankruptcy starts with an automated inventory across three phases:
- Discover: Scan every cloud and on-premises environment for NHIs, including shadow identities created outside official processes.
- Classify: Determine what each identity does, what it accesses, and who owns it.
- Clean: Delete orphaned identities and enforce rotation policies. 71% of NHIs are currently not rotated within recommended timeframes — this number needs to fall to near zero.
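The Discover / Classify / Clean loop above, together with the owner-and-wildcard rule from step 3, as a single added example (not the article's or any vendor's code): classify() tags each identity from a constructed inventory, and plan_cleanup() turns the tags into a prioritised action list with unowned admin-level identities first. The 90-day rotation policy and the inventory fields are assumptions.

```python
from dataclasses import dataclass

MAX_SECRET_AGE_DAYS = 90  # assumed rotation policy; the article gives no figure


@dataclass
class NHI:
    name: str
    owner: str            # human owner recorded at creation
    permissions: list
    secret_age_days: int  # days since the credential was last rotated


# Constructed Discover-phase output, not real accounts.
INVENTORY = [
    NHI("deploy-bot", "alice", ["s3:PutObject"], 20),
    NHI("legacy-etl", "bob", ["*"], 1900),
    NHI("tmp-ingest", "bob", ["s3:GetObject"], 30),
    NHI("report-gen", "carol", ["rds:DescribeDBInstances"], 200),
    NHI("ci-runner", "alice", ["ec2:*", "iam:PassRole"], 45),
]
ACTIVE_STAFF = {"alice", "carol"}  # bob has left and nobody inherited his accounts

# Clean-phase ordering: admin-level orphans are handled before anything else.
PRIORITY = ["quarantine", "assign-owner", "scope-down", "rotate", "none"]


def classify(nhi, active_staff):
    """Classify phase: tag each identity with every risk condition that applies."""
    tags = []
    if nhi.owner not in active_staff:
        tags.append("orphaned")
    if any("*" in p for p in nhi.permissions):
        tags.append("wildcard")
    if nhi.secret_age_days > MAX_SECRET_AGE_DAYS:
        tags.append("rotation-overdue")
    return tags


def plan_cleanup(inventory, active_staff):
    """Clean phase: one action per identity, most dangerous first."""
    actions = []
    for nhi in inventory:
        tags = classify(nhi, active_staff)
        if "orphaned" in tags and "wildcard" in tags:
            action = "quarantine"    # unowned and admin-level: disable now
        elif "orphaned" in tags:
            action = "assign-owner"  # block until a human accepts ownership
        elif "wildcard" in tags:
            action = "scope-down"    # owned, but still violates least privilege
        elif "rotation-overdue" in tags:
            action = "rotate"
        else:
            action = "none"
        actions.append((nhi.name, tuple(tags), action))
    return sorted(actions, key=lambda a: PRIORITY.index(a[2]))
```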
5. Shift Secrets Left — But Not Halfway
43% of all exposed secrets surface outside source code. Integrating secret scanning into CI/CD pipelines is table stakes, but organisations must extend that coverage to collaboration tools, messaging platforms, and anywhere else developers share context. Jira tickets, Slack messages, and SharePoint documents are actively leaking credentials.
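A scanner that applies the same signature matching to non-code sources, added here as an example (not the article's own tooling): it runs over a constructed Jira comment and Slack messages, reports each finding with a redacted value and a short fingerprint for de-duplication across sources, and never echoes the full secret. The AWS key value is Amazon's documented placeholder; the other patterns and sample text are constructed.

```python
import hashlib
import re

# Signature patterns; constructed for illustration and kept deliberately narrow.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}

# Constructed items from outside the code base: one Jira comment, two Slack messages.
SAMPLE_ITEMS = [
    ("jira:OPS-1234", "Staging creds for the loader: AKIAIOSFODNN7EXAMPLE works, ask me for the secret"),
    ("slack:#deploys", "can someone rerun with token=sk_live_abcdefghijklmnopqrstuvwxyz0123"),
    ("slack:#random", "lunch at 12? the new place does great ramen"),
]


def redact(secret: str) -> str:
    """Keep just enough to triage without re-leaking the value into the report."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_item(source: str, text: str) -> list:
    """Return one finding per match; the secret itself is reduced to a fingerprint."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            secret = m.group(m.lastindex or 0)  # last capture group holds the value
            findings.append({
                "source": source,
                "kind": kind,
                "redacted": redact(secret),
                "fingerprint": hashlib.sha256(secret.encode()).hexdigest()[:12],
            })
    return findings


def scan_all(items) -> list:
    """Scan every (source, text) pair; identical fingerprints reveal duplicated secrets."""
    return [f for source, text in items for f in scan_item(source, text)]
```

Because the fingerprint is a truncated hash of the value, the same key pasted into a Jira ticket and a Slack thread produces matching fingerprints, which is how the duplicated-secrets problem becomes visible without storing the secret anywhere.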
Is Your Organisation Already Bankrupt?
Review the following indicators to assess your current risk level:
- [ ] Do you have more service accounts than employees?
- [ ] Are more than 10% of your API keys permanent (no expiration date)?
- [ ] Can you identify the human owner of every service principal in your cloud?
- [ ] Do you have secret scanning integrated into your development pipeline and your collaboration tools?
- [ ] Is machine-to-machine traffic included in your security monitoring and anomaly detection?
- [ ] Do you have a formal deprovisioning process for machine identities when projects end or developers leave?
If you answered yes to three or more of the risk indicators, you are likely operating in a state of Identity Bankruptcy.
Conclusion
The numbers are no longer abstract. Machine identities outnumber human employees by ratios that were considered absurd five years ago. Nearly every NHI in the average enterprise carries excessive privileges. A handful of accounts controls the vast majority of cloud resources. Real breaches with nine-figure price tags are now being traced directly to unmanaged service accounts and expired credentials nobody thought to rotate.
The weakest link in the modern enterprise is no longer the employee who clicks a phishing link. It is the forgotten service account, the hardcoded API key, the AI agent granted admin access on a deadline, and the orphaned token that has been quietly accumulating access for a decade.
To survive the identity crisis of 2026 and beyond, organisations must treat machine identities with the same rigour — and arguably more — as human ones. The keys to the kingdom are no longer held by people. They are scattered across thousands of lines of code and automated pipelines. It’s time to take them back.
Sources: CyberArk 2025 Identity Security Landscape; Entro Security NHI & Secrets Risk Report H1 2025; ManageEngine Identity Security Outlook 2026; Veza Permissions Report 2025; CSO Online; OWASP Non-Human Identity Top 10 (2025).