Non-human identities: Are we sleepwalking into a security crisis?
Machine identities have exploded - yet security strategies remain human-focused


In today’s hyper-connected world, businesses are scaling faster than ever before. Cloud infrastructure, AI-driven automation, APIs, IoT ecosystems, and containerized applications have become the norm. This acceleration is reshaping digital environments into complex, interdependent systems where machines routinely interact with other machines, often without human oversight.
But in this machine-first reality, most organizations are still looking in the wrong direction when it comes to securing their systems. Identity and access management (IAM) strategies overwhelmingly focus on protecting human users, even though the majority of activity inside modern IT environments is driven by non-human identities (NHIs).
According to CyberArk’s 2025 Identity Security Threat Landscape Report, NHIs now outnumber human identities by 82 to 1. At the same time, IBM’s latest X-Force Threat Intelligence Index reports that identity-based attacks now comprise one-third of all intrusions. We are sleepwalking into a security crisis, one where attackers don’t need to phish an employee to gain access. They just need to find a forgotten service account or a misconfigured API.
It’s time we recalibrate our security mindset because the next insider threat isn’t human.
What are NHIs?
An NHI is any digital entity that authenticates, communicates, and performs actions inside IT systems - but, as the name suggests, isn’t a person. This includes service accounts, scripts, APIs, containerized microservices, IoT devices, and, increasingly, autonomous AI agents.
These entities have become integral to the functioning of modern enterprises and can connect services, access sensitive data, and trigger business processes. APIs power customer experiences. IoT devices report real-time operational data. Cloud workloads communicate constantly to deliver services. All of these depend on authenticated machine-to-machine (M2M) interactions that are invisible to the average user - but critically important to the system’s integrity.
And unlike human users, they don’t clock off in the evening or forget their passwords. They operate 24/7 with potentially unlimited reach, making them both essential and dangerous.
The risks lurking in machine-first environments
Most non-human identities are created for specific use cases such as connecting an app to a database, allowing a workload to pull data, or enabling a device to sync with the cloud. But once created, these identities often remain untouched for months or even years. They’re authenticated using static credentials - like embedded API keys or long-lived tokens - that are rarely rotated or monitored.
Worse still, these identities are frequently over-privileged. A service account meant to access one dataset may also have admin privileges across other systems, simply because it was easier to configure that way. This "set and forget" approach introduces massive risk.
Machines also don’t behave like humans. They don’t log in through a user interface. They don’t generate typical usage patterns. They don’t get flagged by traditional anomaly detection tools. This makes auditing and visibility particularly challenging. If an API client or AI agent is compromised, it can move laterally across systems, escalate privileges, exfiltrate data, or disrupt services - all while appearing to behave normally. In particular, the rise of AI agents introduces new complexity, as these entities may learn, adapt, and take actions in unforeseen ways, making behavioral baselines harder to define.
Attackers are well aware of these blind spots. NHIs are the ideal entry point for lateral movement, privilege escalation, and stealthy persistence.
How to secure NHIs
The good news is that cloud platforms and modern identity frameworks provide built-in tools to secure non-human identities - if organizations are willing to use these tools properly, they can make a huge difference.
But first, it’s important to recognize that machine identities need to be treated as distinct from human identities, not as interchangeable with them; this differentiation allows for security models tailored to machine behaviors.
- Embrace workload identity federation - Eliminate static credentials. Major cloud providers offer ways to provide identities for workloads without hardcoded secrets. There are also standards, such as SPIFFE, to create federated workload identity systems across clouds. However, this is just the first step.
- Use workload identities to obtain OAuth tokens - By using the workload identities to obtain tokens from an OAuth server, it is possible to build a solid token-based architecture that not only identifies non-humans without static credentials, but also provides the necessary context for the system to know what it should be allowed to do.
- Least privilege by default - Every non-human identity should have the bare minimum permissions. Starting with OAuth lets organizations design and manage clusters of workloads the same way. OAuth tokens describe the base for what the workload may access, and when combined with authorization schemes such as ABAC or PBAC the possibilities are endless.
- Monitor and audit machine interactions - Just because an identity is non-human doesn’t mean it should be invisible. By using the same token mechanism as for humans, auditing becomes uniform and straightforward. This lets organizations log and monitor all M2M interactions with certainty about which identity did what, human or non-human. An API that suddenly starts accessing large datasets outside of its normal pattern should raise an alert, just as it would for a human user.
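The monitoring point above, as an added example that is not from the article or from Curity: a uniform audit log keyed on the OAuth token subject, with a per-identity baseline that flags a workload whose data volume or resource set suddenly changes. The log format, the SPIFFE-style subjects and the row counts are constructed for illustration.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed audit records: every call, whether made by a human or a workload,
# logs the token's subject, the identity type, the resource touched and the
# number of rows returned. The sixth record is the sudden bulk pull the
# article describes; the seventh touches a resource this client never used.
AUDIT_LOG = [
    '{"sub":"spiffe://corp/orders-api","type":"workload","res":"db:orders","rows":120}',
    '{"sub":"spiffe://corp/orders-api","type":"workload","res":"db:orders","rows":95}',
    '{"sub":"spiffe://corp/orders-api","type":"workload","res":"db:orders","rows":110}',
    '{"sub":"alice@corp","type":"human","res":"db:orders","rows":40}',
    '{"sub":"alice@corp","type":"human","res":"db:orders","rows":35}',
    '{"sub":"spiffe://corp/orders-api","type":"workload","res":"db:orders","rows":250000}',
    '{"sub":"spiffe://corp/orders-api","type":"workload","res":"db:customers","rows":80}',
]


def detect_anomalies(lines, ratio=10, min_history=2):
    """Walk the log in order, learning each identity's usual volume and resources,
    and flag calls that break that pattern. The same logic applies to human and
    non-human subjects because both are identified by the token's `sub` claim.
    Returns a list of (subject, reason, resource, rows) tuples."""
    history = defaultdict(lambda: {"rows": [], "resources": set()})
    alerts = []
    for line in lines:
        rec = json.loads(line)
        h = history[rec["sub"]]
        # Only judge an identity once it has enough history to form a baseline.
        if len(h["rows"]) >= min_history:
            # Median is robust to a single earlier outlier skewing the baseline.
            if rec["rows"] > ratio * median(h["rows"]):
                alerts.append((rec["sub"], "volume", rec["res"], rec["rows"]))
            if rec["res"] not in h["resources"]:
                alerts.append((rec["sub"], "new-resource", rec["res"], rec["rows"]))
        h["rows"].append(rec["rows"])
        h["resources"].add(rec["res"])
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(AUDIT_LOG):
        print(alert)
```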
Don’t stop at authentication
Even when a non-human identity is authenticated securely, that’s only the first half of the equation. Authorization - the rules governing what the identity is allowed to do - is just as critical.
Too often, once a machine identity is authenticated, it has access to everything its credentials permit. But just like human users, machine users should face context-aware authorization checks.
For example, an API client might be allowed to fetch transaction records - but only from a specific database and only during business hours. Or a service workload might be authorized to write to a log file, but not to alter system configurations. These business rules can be encoded and enforced dynamically using policy-based access control (PBAC) or attribute-based access control (ABAC).
This level of contextual control ensures that even if an identity is misused, its impact is tightly constrained.
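The two business rules above, as an added example that is not from the article or from Curity: a default-deny authorization check in which the OAuth token establishes who the workload is and what scope it holds, and an attribute-based policy adds the context (which database, which hours, which file). Subjects, scopes, resource names and the business-hours window are assumptions made for the example.

```python
from datetime import datetime, time


def business_hours(now):
    """Constructed context condition: weekdays, 09:00 to 17:00 local time."""
    return now.weekday() < 5 and time(9, 0) <= now.time() < time(17, 0)


# Constructed ABAC policy encoding the article's two examples. Each rule binds a
# token subject and required scope to one action on one resource, optionally
# gated by a condition over request attributes. Anything unmatched is denied,
# so the batch worker has no path to configuration resources at all.
POLICIES = [
    {"sub": "spiffe://corp/reporting-client", "scope": "transactions:read",
     "action": "read", "resource": "db:transactions", "condition": business_hours},
    {"sub": "spiffe://corp/batch-worker", "scope": "logs:write",
     "action": "write", "resource": "file:/var/log/app.log", "condition": None},
]

# Constructed tokens as the resource server would see them after validation.
REPORTING_TOKEN = {"sub": "spiffe://corp/reporting-client", "scope": "transactions:read"}
BATCH_TOKEN = {"sub": "spiffe://corp/batch-worker", "scope": "logs:write"}


def authorize(token, action, resource, now):
    """Returns (allowed, reason). The token answers 'who' and 'what base scope';
    the matching policy rule answers 'in which context'."""
    for rule in POLICIES:
        if (rule["sub"], rule["action"], rule["resource"]) != (token["sub"], action, resource):
            continue
        if rule["scope"] not in token.get("scope", "").split():
            return False, "token lacks scope"
        if rule["condition"] is not None and not rule["condition"](now):
            return False, "outside allowed context"
        return True, "allowed"
    return False, "no matching rule"


if __name__ == "__main__":
    wed_morning = datetime(2025, 1, 15, 10, 30)
    print(authorize(REPORTING_TOKEN, "read", "db:transactions", wed_morning))
    print(authorize(BATCH_TOKEN, "write", "config:/etc/app.yaml", wed_morning))
```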
A call to action
Organizations must stop thinking of identity management as a human-only problem. The explosion of non-human identities is not a niche technical issue. It’s a strategic security concern.
In many environments, the number of machine identities has already far surpassed the number of employees. And unlike humans, these entities rarely follow best practices unless we design systems that enforce them. Security must evolve. It must be machine-native, context-aware, and built on zero trust principles that apply equally to people and programs.
Ultimately, the focus should not be on traditional privileged access management (PAM) or identity governance and administration (IGA), but on recognizing and securing the distinct identities of machines in ways that reflect their unique behaviors and risks.
The next insider threat isn’t human. But it is already inside your systems. That means it’s time to pay attention.

Jacob Ideskog is the CTO at Curity, a Swedish leader in identity and access management.
With over a decade of experience in securing digital systems, Jacob advises global organizations on how to modernize their authentication and authorization strategies for the machine-first era.