The State of Non-Human Identities
Cybersecurity firm CyberArk says that “non-human” identities outnumber human identities by more than 80 to 1. Non-human identities include both machine identities (service accounts, VMs, workloads, API keys) and AI identities (agents and AI-driven services).
Riddle me this:
If you have a compromise (or think you do) and the logs say the “user” is Joe, but Joe’s identity is logged into 20 virtual machines and 50 AI-driven services are running under it, do you actually know where the compromise is?
If you are in a regulated industry, say finance, where you are required to log and alert on events, and any number of processes run under a “shared” identity, do you really know how you got compromised?
In the CyberArk study, 88 percent of respondents say that in their organization the concept of “privileged user” applies only to humans, so if an AI agent or virtual machine holds elevated permissions, the rules governing privileged access do not apply to it.
68 percent of respondents say their organizations lack identity security controls for AI.
Meanwhile, insurance companies are saying that if you can’t convince them you have this identity issue under control, either they won’t write the policy or they won’t pay the claim. The first is bad; the second is worse.
The Non-Human Identity Management Group (yes, there is such an organization) says this about non-human identities (NHIs):
- 97% of NHIs have excessive privileges, increasing the chance of unauthorized access and broadening the attack surface.
- 92% of organizations expose NHIs to third parties, which also results in unauthorized access if the third party’s security practices are not aligned with the organization’s standards.
- 44% of tokens are exposed in the wild, sent or stored on platforms such as Teams, Jira tickets, Confluence pages, code commits and more.
Key findings from a study by Entro Security Labs:
- For each human identity there are, on average, 92 non-human identities.
- The sheer number of non-human identities increases the complexity of identity management and the potential for security vulnerabilities.
- 91% of former employees’ tokens remain active, leaving organizations vulnerable to breaches through credentials nobody is watching.
- 50% of organizations onboard new vaults without proper security approval, which can introduce vulnerabilities and misconfigurations from the outset.
- 73% of vaults are misconfigured, again leading to unauthorized access, exposure of sensitive data and compromised systems.
- 60% of NHIs are overused, with the same NHI used by more than one application; that makes the credential a single point of failure and widens the blast radius if it is exposed.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
- 71% of non-human identities are not rotated within the recommended time frames, increasing the risk of compromise over time.
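The findings above describe conditions you can check for in your own environment once you have an inventory of non-human identities. The following is an added example, not code from the article or from any of the vendors it cites: an audit pass over a small, constructed inventory that flags credentials still active for departed owners, credentials shared by more than one application, credentials past a rotation window, and credentials holding broad (admin) privilege, then computes the same kind of percentages the surveys report. The inventory, the field names, the `AS_OF` date and the 90-day rotation window are all assumptions for illustration.

```python
"""
Added example: audit a constructed inventory of non-human identities (NHIs)
for the conditions described in the survey findings above.
Nothing here is real data; the inventory and policy values are assumed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

ROTATION_WINDOW_DAYS = 90   # assumed rotation policy; set to your own standard
AS_OF = date(2025, 6, 1)    # fixed "today" so the example is reproducible


@dataclass
class NHI:
    name: str
    owner: str                  # human responsible for the identity
    owner_active: bool          # False once the owner has left the organization
    last_rotated: date
    used_by: list[str]          # applications that present this credential
    privileges: list[str] = field(default_factory=list)


# Constructed sample inventory (hypothetical names, not real identities).
INVENTORY = [
    NHI("svc-billing-api", "joe", True, date(2025, 5, 20), ["billing"], ["db:read"]),
    NHI("svc-etl-shared", "maria", True, date(2025, 1, 3),
        ["etl", "reporting", "ml-train"], ["db:read", "db:write"]),
    NHI("svc-legacy-deploy", "sam", False, date(2024, 9, 15), ["deploy"], ["admin"]),
    NHI("ai-agent-support", "joe", True, date(2025, 4, 30), ["support-bot"], ["tickets:write"]),
]


def is_broad(privileges):
    """Assumed heuristic: any privilege named 'admin' counts as broad."""
    return any(p.split(":")[0] == "admin" for p in privileges)


def audit(inventory, as_of=AS_OF, window_days=ROTATION_WINDOW_DAYS):
    """Return {identity name: [finding, ...]} for every NHI with at least one finding."""
    cutoff = as_of - timedelta(days=window_days)
    findings = {}
    for nhi in inventory:
        issues = []
        if not nhi.owner_active:
            issues.append(f"owner '{nhi.owner}' has left but the credential is still active")
        if len(nhi.used_by) > 1:
            issues.append(f"shared by {len(nhi.used_by)} applications: {', '.join(nhi.used_by)}")
        if nhi.last_rotated < cutoff:
            age = (as_of - nhi.last_rotated).days
            issues.append(f"not rotated for {age} days (window is {window_days})")
        if is_broad(nhi.privileges):
            issues.append("holds broad (admin) privilege")
        if issues:
            findings[nhi.name] = issues
    return findings


def summarize(inventory, as_of=AS_OF, window_days=ROTATION_WINDOW_DAYS):
    """Percentages in the style of the survey numbers, computed from this inventory."""
    total = len(inventory)
    cutoff = as_of - timedelta(days=window_days)

    def pct(pred):
        return round(100 * sum(1 for n in inventory if pred(n)) / total)

    return {
        "former_owner_active_pct": pct(lambda n: not n.owner_active),
        "shared_pct": pct(lambda n: len(n.used_by) > 1),
        "unrotated_pct": pct(lambda n: n.last_rotated < cutoff),
        "broad_privilege_pct": pct(lambda n: is_broad(n.privileges)),
    }


if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
    print(summarize(INVENTORY))
```

In practice the inventory would be pulled from your cloud IAM, secrets vault and HR system rather than typed in; the point of the example is that once those sources are joined on owner and credential, each of the survey conditions becomes a one-line check you can run on a schedule and alert on, which is exactly what a regulator or insurer will ask you to show.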
As you can see at this point, this is not only a problem now; it is becoming a bigger problem by the day. If you need assistance sorting this out, please contact us.
