The Identity Crisis Your Security Team Didn't See Coming
Forbes Councils Member.
May 20, 2026, 07:00am EDT
Darren Guccione, CEO and cofounder, Keeper Security.
For decades, identity security meant one thing:
protecting the humans who access your systems. You issued credentials, enforced
passwords, deployed multifactor authentication and moved on.
That model made sense when the identities you were
managing were tied to a real person.
That world no longer exists. AI has redefined what an identity is, and most
enterprises are nowhere near catching up.
AI agents don’t wait for instructions from a human to
act. Rather, they operate autonomously and around the clock to execute
transactions, access sensitive systems or interact with external applications.
Every agent requires credentials and access rights to
function. Where a large organization might manage tens of thousands of human
identities, the number of non-human identities (NHIs) can grow far larger,
outnumbering the human workforce across an enterprise ecosystem.
At RSAC 2026, Cisco President and Chief Product Officer
Jeetu Patel said it frankly: When identities operate at machine speed, traditional security models break.
AI agents require a new model for establishing trust, not just a retooled
version of the old model.
The Scale Problem Is The Easy Part
The harder problem is behavioral. NHIs act nothing like human identities,
and organizations that govern them the same way are creating exposure they may
not recognize until it's too late.
Human accounts have a person behind them, someone who can be questioned,
suspended or fired. NHIs, on the other hand, are frequently created on demand
by developers or automated processes, with no centralized oversight and no
clear owner.
They also don't map onto legacy privileged access management models
designed around human behavior. For example, an employee logging in to an
unusual system at 3:00 a.m. triggers alerts, while an AI agent doing the same
thing looks routine—until it becomes a breach.
The risk is not hypothetical. When AI agent social network Moltbook
launched, a misconfigured database exposed roughly 1.5 million API authentication tokens within
days. Researchers from Wiz found that anyone with those tokens could
impersonate or take control of agents that had access to internal systems like
Slack and email.
In many enterprise environments, machines and NHIs already outnumber
human users 92-to-1, according to my company's survey of 109 cybersecurity
professionals conducted on-site at RSA Conference 2026. That's 92 entry points
for every one that requires compromising a human.
The broader industry is struggling to keep pace. The same survey found
that only 28% of organizations have full visibility into NHIs across cloud,
on-premises and SaaS environments. More than 40% had already experienced a
security incident involving non-human identities or credentials in the past
year. Another 32% weren't sure whether one had occurred—a detection gap that is
itself a problem.
These are solvable problems, but most organizations aren’t solving them fast enough.
Security governance for NHIs needs to move faster, because AI deployment
certainly isn't slowing down.
Where To Start
Most security teams know they have an NHI problem. Fewer know where to
begin solving it.
The answer starts with visibility: Get a full accounting of your NHIs.
Most organizations have a surprisingly poor picture of how many exist, who
created them and what they can access. Without this visibility, everything else
is just guesswork.
Once you have visibility, the next step is to apply least-privilege
access to NHIs with more discipline than you would normally apply to humans. AI
agents accumulate permissions over time, often far beyond what any single task
requires. Reducing that footprint and automating enforcement will limit the
damage when something goes wrong.
Move away from standing permissions toward a least-privilege model with
just-in-time access. Agents shouldn't hold 24/7 access to systems they use
occasionally any more than employees should. Dynamic, task-specific access is
harder to exploit and easier to audit.
Finally, track down dormant identities. Abandoned service accounts and
unused API keys don't disappear but sit quietly with whatever access they were
originally granted. These "zombie" identities represent risk with
zero operational value. Decommissioning them needs to be a standard practice,
not a once-a-year cleanup project.
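The three steps above (take inventory, strip standing high-risk permissions in favor of just-in-time grants, and decommission dormant identities) are easier to see as a concrete triage pass over an NHI inventory. The following is an added example, not code from the article or from Keeper Security: it works over a small constructed inventory, and the identity names, scope strings, 90-day dormancy threshold and the set of "high-risk" scopes are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Fixed "current time" so the example is deterministic (assumption for the example).
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)

# An identity that has not authenticated in this long is treated as dormant (assumption).
DORMANT_AFTER = timedelta(days=90)

# Scopes that no single agent task should hold as a standing grant (assumption).
HIGH_RISK_SCOPES = {"admin:*", "secrets:read", "iam:write"}


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    kind: str                          # "service_account", "api_key" or "agent"
    owner: Optional[str]               # None means nobody is accountable for it
    scopes: Set[str]                   # permissions currently granted
    last_used: Optional[datetime]      # None means it has never authenticated
    standing: bool = True              # True = permanent grant; False = just-in-time grant
    expires_at: Optional[datetime] = None  # only meaningful for just-in-time grants


# Constructed sample inventory; none of these identities are real.
INVENTORY: List[NonHumanIdentity] = [
    NonHumanIdentity("ci-deploy-bot", "service_account", "platform-team",
                     {"repo:write", "deploy:prod"}, NOW - timedelta(days=1)),
    NonHumanIdentity("legacy-reporting-key", "api_key", None,
                     {"db:read"}, NOW - timedelta(days=200)),
    NonHumanIdentity("sales-agent", "agent", "sales-ops",
                     {"crm:read", "email:send", "admin:*"}, NOW - timedelta(hours=2)),
    NonHumanIdentity("secrets-rotator", "agent", "secops",
                     {"secrets:read"}, NOW - timedelta(hours=1),
                     standing=False, expires_at=NOW + timedelta(minutes=30)),
    NonHumanIdentity("never-used-token", "api_key", "dev-x",
                     {"storage:read"}, None),
]


def find_unowned(inventory: List[NonHumanIdentity]) -> List[str]:
    """Step 1 (visibility): identities nobody can be asked about, suspended or held accountable for."""
    return sorted(nhi.name for nhi in inventory if nhi.owner is None)


def find_dormant(inventory: List[NonHumanIdentity], now: datetime = NOW,
                 threshold: timedelta = DORMANT_AFTER) -> List[str]:
    """Step 3 ("zombie" identities): never used, or unused for longer than the threshold."""
    return sorted(nhi.name for nhi in inventory
                  if nhi.last_used is None or now - nhi.last_used > threshold)


def find_overprivileged(inventory: List[NonHumanIdentity]) -> List[str]:
    """Step 2 (least privilege): standing grants that include a high-risk scope."""
    return sorted(nhi.name for nhi in inventory
                  if nhi.standing and nhi.scopes & HIGH_RISK_SCOPES)


def grant_jit(nhi: NonHumanIdentity, scope: str, ttl: timedelta,
              now: datetime = NOW) -> NonHumanIdentity:
    """Replace a standing grant with a task-specific, time-boxed one for a single scope."""
    return replace(nhi, scopes={scope}, standing=False, expires_at=now + ttl)


def is_active(nhi: NonHumanIdentity, now: datetime = NOW) -> bool:
    """A standing grant is always live; a just-in-time grant is live only until it expires."""
    if nhi.standing:
        return True
    return nhi.expires_at is not None and now < nhi.expires_at


def triage(inventory: List[NonHumanIdentity], now: datetime = NOW) -> Dict[str, List[str]]:
    """One pass producing the three work queues a security team would act on."""
    return {
        "unowned": find_unowned(inventory),
        "dormant": find_dormant(inventory, now),
        "overprivileged": find_overprivileged(inventory),
    }


if __name__ == "__main__":
    for queue, names in triage(INVENTORY).items():
        print(f"{queue}: {names}")
    # Convert the sales agent's permanent admin grant into a 15-minute task grant.
    jit = grant_jit(INVENTORY[2], "admin:*", timedelta(minutes=15))
    print("sales-agent JIT grant live now:", is_active(jit, NOW))
    print("sales-agent JIT grant live in 20 min:", is_active(jit, NOW + timedelta(minutes=20)))
```

The `secrets-rotator` entry shows why the standing/just-in-time distinction matters for auditing: it holds a high-risk scope but is not flagged, because its grant already expires on its own. The same check flags `sales-agent`, whose `admin:*` scope is permanent, and after `grant_jit` converts that grant the identity drops out of the over-privileged queue without losing the ability to do the task while the grant is live.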
Conclusion
NHI security is not an IT hygiene issue. It sits at the intersection of
data security, regulatory compliance and operational risk. Every AI agent your
organization deploys is an identity with access to real systems.
The identity perimeter has already expanded beyond what most
organizations are prepared to govern. The question is no longer whether to
build a framework for NHIs. It's whether your organization will do it
before or after a breach forces the issue.