
AI Agents Expose Security Risks in 93% of Organizations


"Security teams can no longer view identity as a human-only challenge." — Shane Barney

Adoption at scale: 93% of organizations are giving AI agents access to sensitive tasks

A recent report found that 93% of organizations already use or plan to use AI agents for sensitive security tasks such as password resets and VPN access. The same study found 74% of respondents believe AI will lead to more attacks on identity infrastructure. In deployment details that underline the operational reach of these systems, 92% of organizations report AI agents are installed on some local machines and possess the ability to access SSH and encryption keys.

Confidence and control gaps: only 32% very confident they could recover from exposed admin credentials

Despite heavy adoption, confidence in recovery is low. The report says that if AI exposed admin credentials, only 32% of organizations globally are very confident in their ability to regain control. Identity registration and governance are uneven: 65% of organizations formally register, authenticate and authorize AI identities in a system, while 6% admit they do not track those identities at all.

Non-Human Identities (NHIs): scale, visibility, and lifecycle problems

Security leaders in the report frame the problem as one of scale and blind spots. Crystal Morin, Senior Cybersecurity Strategist at Sysdig, notes that "humans now make up less than 3% of managed identities in cloud environments," with the remainder belonging to machines that "don’t log off, don’t take breaks, and often operate with elevated permissions." Several contributors emphasized that NHIs — service accounts, API keys, machine credentials, automation scripts, and AI agents — can outnumber human users by dozens or even hundreds to one.

Those leaders say traditional, human-oriented controls are insufficient for machine-speed operations. The report quotes Chandra Gnanasambandam, CTO at SailPoint: "You simply cannot secure what you cannot see," and calls for continuous discovery capable of mapping each agent, the credentials it holds, and every resource it accesses.

Practical prescriptions from named security leaders

  • Shane Barney (Keeper Security) urges a shift to identity-centric, zero-trust models where "every identity, whether human or non-human, should be continuously authenticated, authorized and monitored" and where automation enforces policies while humans retain oversight.
  • James Maude (BeyondTrust) warns that identity security debt — overlooked combinations of privileges and entitlements — creates easy paths to privilege escalation and lateral movement.
  • Elad Luz (Oasis Security) recommends transitioning to cloud-native identities where possible, maintaining good identity hygiene (removing stale NHIs, conducting access reviews), and adopting short-lived credentials, automated rotation, and managed identities.
  • Randolph Barr (Cequence Security) and others stress that basic security controls are being skipped to meet product timelines, leaving identity, access, and configuration vulnerable even as organizations begin addressing model protections and data leakage.
  • Chandra Gnanasambandam (SailPoint) provides a concrete secrets-governance checklist: discover all secrets across repos, CI/CD, cloud and collaboration tools; add context and ownership; prioritize by actual risk; and flag and rotate idle or orphaned secrets.
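
An added example (not code from the report or from any vendor named in it) of the triage half of the secrets-governance checklist above: given a discovery inventory, it attaches ownership context, scores each secret by risk, and queues idle or orphaned secrets for rotation. The field names, source weights and 90-day idle threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values; the report does not specify thresholds or weights.
IDLE_AFTER_DAYS = 90
SOURCE_WEIGHT = {"repo": 3, "collab": 3, "ci_cd": 2, "cloud": 1}  # exposure by discovery location

@dataclass
class Secret:
    name: str
    source: str                 # where discovery found it: repo, ci_cd, cloud, collab
    owner: Optional[str]        # None = orphaned (no accountable person or team)
    privileged: bool            # grants admin-level access
    last_used: Optional[date]   # None = never observed in use

def triage(secrets, today):
    """Return (name, score, findings) tuples, highest risk first."""
    results = []
    for s in secrets:
        findings = []
        score = SOURCE_WEIGHT.get(s.source, 1)
        if s.owner is None:
            findings.append("orphaned")
            score += 3
        idle_days = None if s.last_used is None else (today - s.last_used).days
        if idle_days is None or idle_days > IDLE_AFTER_DAYS:
            findings.append("idle")
            score += 2
        if s.privileged:            # privilege multiplies whatever risk is already present
            findings.append("privileged")
            score *= 2
        results.append((s.name, score, findings))
    return sorted(results, key=lambda r: (-r[1], r[0]))

def rotation_queue(secrets, today):
    """Names of idle or orphaned secrets to flag and rotate, in priority order."""
    return [n for n, _, f in triage(secrets, today) if "idle" in f or "orphaned" in f]

# Constructed sample inventory (not data from the report).
INVENTORY = [
    Secret("agent-ssh-key", "repo", None, True, date(2024, 1, 10)),
    Secret("ci-deploy-token", "ci_cd", "platform-team", True, date(2025, 5, 28)),
    Secret("helpdesk-bot-api-key", "collab", "it-ops", False, None),
    Secret("metrics-reader", "cloud", "sre", False, date(2025, 5, 30)),
]
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for name, score, findings in triage(INVENTORY, TODAY):
        print(f"{score:>3}  {name:<22} {', '.join(findings) or 'ok'}")
```
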

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Expect to prioritize continuous discovery, least-privilege enforcement, credential rotation, and policy-driven automation for NHIs. Several leaders call for discovery tools that map each agent’s footprint and the credentials it holds.
  • Procurement and product teams: The report suggests governance and lifecycle requirements should be built into AI and automation purchases; otherwise engineering shortcuts and unmanaged service accounts risk delivering overprivileged, unmonitored identities into production.
  • End users and app developers: As workers adopt AI tools and copilots with enterprise credentials, the findings warn that employees may create new attack paths without security’s knowledge — increasing the need for integration between DevSecOps and identity governance.

The study’s clearest throughline is a practical one: organizations are rapidly giving AI agents keys to the kingdom while governance, discovery and recovery confidence lag. Security leaders in the report converge on the same remedy set — continuous, identity-first controls; least privilege; automated lifecycle management; and human oversight over automated governance — but the data show those practices are not yet universal. The central question left in plain view is whether enterprises will accelerate identity controls to match the speed and scale of their non-human workforce before attackers do the same.

Source: securitymagazine.com — 93% of Organizations Use or Plan to Use AI Agents for Sensitive Security Tasks