In the ever-evolving landscape of cybersecurity, the proliferation of machine identities has outpaced human counterparts by a staggering 109 to 1. This disparity, as highlighted by Palo Alto Networks' 2026 Identity Security Landscape report, underscores a critical challenge: the growing complexity of managing AI agents and their associated identities. While organizations manage an average of 109 machine identities for every human identity, the oversight of non-human identities by C-suite executives often leads to a disconnect with security teams' experiences. This gap in understanding is a significant hurdle, as it can result in inadequate security controls and a lack of visibility into the permissions and activities of AI agents and machine identities.
One of the key issues is the absence of robust controls for AI agents. Many organizations struggle to define the scope of AI agent access, the mechanisms for revoking permissions, and the systems that can inherit that access. This lack of control is particularly concerning given that AI agents already have access to sensitive areas such as financial records, personally identifiable information, operational technology, and core business systems. The principle of least privilege, which restricts access to only what is necessary, is often overlooked, leading to excessive or misused access and potential security risks.
The issue of privilege sprawl further exacerbates the identity gap. Human identities, while still important, represent a smaller share of total identities across enterprise environments. Individual accounts can control a growing number of workflows, applications, and systems, making them attractive targets for attackers. The fragmentation of controls across identity, privilege, endpoint, and machine identity systems adds to the operational pressure, as organizations often grant broad access early in deployment cycles and remove permissions later, leading to a lack of visibility and control.
Authentication, traditionally viewed as the primary security control, falls short in addressing post-login abuse. Single sign-on and multi-factor authentication (MFA) help secure logins, but they do not control what users, tokens, connectors, or automated systems can access after authentication. The lack of visibility into permissions and activities of service accounts and machine identities further compounds the problem, as organizations struggle to consistently enforce least privilege access across various environments.
The trust model in machine-driven environments is also under scrutiny. Static trust models and login-focused defenses are increasingly recognized as inadequate, as attackers leverage AI to gather open-source intelligence and create synthetic identities. Hard-coded secrets, OAuth tokens, certificates, and machine credentials, when overexposed or overtrusted, can remain active long after their operational need expires, creating operational strain and security vulnerabilities.
The regulatory landscape, including NIS2 and DORA, is also influencing identity security practices. Compliance requirements and cyber insurance expectations are driving organizations to invest in identity security measures. However, the widening gap between automated attacks and human response times poses a significant challenge. AI models can identify vulnerabilities, map attack paths, and generate exploit code faster than many security operations can respond, making identity controls one of the few defenses capable of responding in real-time when vulnerabilities remain unpatched.
In conclusion, the proliferation of machine identities and the associated challenges of managing AI agents and their identities demand a reevaluation of security practices. The gap between leadership's understanding of security controls and the experiences of security teams highlights the need for a more holistic approach to identity security. By addressing the issues of privilege sprawl, fragmented controls, and the limitations of traditional trust models, organizations can better protect their systems and data from the ever-evolving threats in the digital landscape. Personally, I think that the future of identity security lies in the integration of advanced AI-driven solutions that can provide real-time visibility and control over machine identities, ensuring that the trust model remains robust and resilient against emerging threats.
