The AI boom and other developments in recent years have fundamentally shifted the identity landscape. Keeper Security’s recent report, “AI and Non-Human Identities Are Outpacing Security Controls,” details a continuing crisis in modern enterprises, based on a survey of 109 cybersecurity professionals at RSA Conference.
According to the report, machine and non-human identities (NHIs) outnumber human users in enterprise environments by a factor of 92 to 1. These NHIs, including AI agents, service accounts, bots, and API keys, are proliferating without a centralized inventory, creating major blind spots and visibility challenges. The speed of AI adoption is structurally outpacing identity governance maturity and introducing outsized risk to organizations.
Privileged Access Policies Weren't Built for Machines
The report shows that 46% of organizations grant AI tools access to critical systems, while only 24% govern those identities under privileged access management (PAM) policies. This means that only around half of the organizations providing critical access to AI tools and agents are taking the first step to manage these tools. Even those that do apply PAM policies to their AI tools often fall short of governing them in ways that work for NHIs.
Over three-fourths (76%) of AI identities operate outside proper governance frameworks, contributing to compounding risk that organizations cannot properly see or mitigate. Traditional PAM architectures are designed around human user lifecycles, not ephemeral machine credentials. It takes sophisticated identity management measures to account for the evolving risks associated with machine identities.
Visibility Collapse: What You Can't See, You Can't Secure
Only 28% of organizations report full visibility into NHIs across cloud, on-premises, and SaaS environments; 37% cite partial visibility, 22% very limited visibility, and 4% no visibility, while 9% are unsure. These statistics demonstrate a severe gap in NHI management. Without visibility into how NHIs are created, used, and managed, organizations cannot sufficiently understand their own identity landscapes or secure their systems against emerging and evolving threats.
More than half of those surveyed (53%) cite the lack of visibility into AI, automation, and machine access as their top security risk, highlighting the significance of the ongoing NHI crisis. This issue is only compounded by the architecture of modern enterprise environments. Fragmented tooling and siloed ownership leave identity sprawl untracked and ungoverned in many environments.
Incidents Already in Progress
The risk presented by NHI growth and visibility challenges is not a hypothetical one that may become a danger in the future, but a real, current concern. Over two in five organizations (41%) have experienced a security incident tied to non-human identities or credentials in the past year, highlighting the prevalence of the risk presented by these identities. In addition, 32% are uncertain whether an NHI-related incident occurred, which emphasizes a significant detection gap that is as dangerous as the incident itself. Only around one in four (26%) deploy automated detection and response for NHI monitoring, leaving most teams dependent on manual processes that are inefficient and outdated in modern enterprise environments.
It is crucial for organizations to take steps today to mitigate the risks brought on by the AI explosion and accompanying governance and visibility challenges. “As enterprises adopt AI agents and connectors at scale, we need practitioner-led models and guidance that will help security teams understand where to start when governing this new class of NHIs,” says Diana Kelley, Chief Information Security Officer at Noma Security. “Without strategic adoption and governance, organizations risk an explosion of shadow AI, agents, scripts, and connectors operating outside formal oversight, creating blind spots in compliance, data protection, and access governance.”
Rearchitecting Identity Governance for the AI Era
Rethinking the way that identity governance is approached is a necessity for enterprise security in the age of AI. It is crucial to extend privileged access management principles uniformly to human and non-human identities. Organizations must establish centralized visibility and automated lifecycle management as foundational requirements, not future roadmap items. Governance of NHIs should be treated as a board-level risk, not an IT operations problem.