The non-human identity problem: why the agent, not the human, is now the control plane attackers target
Agents create credentials faster than security teams can track them. With many organizations not inventorying AI identities at all, the machine identity has become the soft target.
For two decades, the security perimeter was built around people — passwords, badges, phishing training, the human who clicks the link. That model is quietly breaking. The systems doing real work inside modern companies are increasingly not human at all. They are AI agents, service accounts, and automated workflows, each acting with its own credentials, at machine speed, around the clock. Every one of them is an identity. And attackers have noticed. The uncomfortable truth is that you cannot secure what you cannot uniquely identify and prove. When a workforce of software agents spins up faster than anyone can track, the machine identity becomes the soft target — over-permissioned, rarely rotated, almost never revoked cleanly. This piece looks at why non-human identities now multiply silently, what the 2026 data actually shows, why so many organizations have no inventory of these identities, how the compromises unfold, and what it takes to give each agent a distinct, least-privilege, revocable identity backed by a verifiable record of what it did.
- Every AI agent is a non-human identity, and because agents provision access at machine speed, these identities multiply silently past the reach of human-centric security.
- 2026 reporting shows identity breaches are widespread — Sophos found 71% of organizations breached in the past year — while runtime visibility into agents remains rare, and the Cloud Security Alliance reports more than 16% of organizations do not track AI-identity creation at all.
- The durable fix is distinct, least-privilege, revocable identity per agent plus verifiable attestation of its actions — because you cannot secure what you cannot uniquely identify and prove.
Why every agent is a new identity — and why they multiply silently
An AI agent is not a feature bolted onto an app. It is an actor. To read a database, call an API, or send a message, it needs credentials — a token, a key, a service account. That makes each agent a distinct non-human identity, indistinguishable at the wire level from any other principal asking for access. The difference from a human user is scale and speed: agents spawn sub-agents, request fresh tokens, and provision new access paths without a person in the loop.
The result is silent multiplication. One deployed workflow can generate dozens of downstream identities, each with its own reach, and none of them tied to a face or an offboarding date. Human identity growth is bounded by hiring. Machine identity growth is bounded only by how much you automate — which is to say, effectively unbounded. Security teams built for the first curve are now facing the second, and the gap is where attackers operate.
The 2026 data, by the numbers
The numbers from 2026 reporting tell a consistent story: incidents are common, breaches are widespread, and the visibility needed to catch them is scarce. Read the runtime-visibility figure against the incident rate — that gap is the whole problem in one frame.
The tracking vacuum: many orgs don’t inventory AI identities
You cannot protect what you have never counted. The Cloud Security Alliance reports that more than 16% of organizations do not track the creation of AI identities at all, describing a genuine non-human-identity governance vacuum. That figure is easy to skim past, but sit with it: for one in six organizations, agents are being born into production with no registry, no owner, and no lifecycle. They are invisible by default.
This vacuum compounds everything else. Sophos’ State of Identity Security 2026 found that 71% of organizations suffered at least one identity breach in the past year — and secondary 2026 reporting suggests only around 21% have runtime visibility into their agents. An untracked identity cannot be reviewed, rotated, or revoked, because no one knows it exists. When the inventory is missing, every other control is operating blind, and the attacker’s job is simply to find the identity the defender forgot.
How the compromises actually happen
The attack paths are not exotic. They are the same identity failures that have plagued service accounts for years, now multiplied across a workforce of agents that no one is watching in real time. Three patterns account for most of the damage:
- Over-permissioned credentials — an agent is handed far more access than its task requires, so a single compromise becomes a broad one; the blast radius is set at provisioning time, not attack time.
- Unrotated or leaked secrets — long-lived tokens and keys sit in code, config, and logs, and because no one is tracking the identity, the secret is never rotated and its exposure is never noticed.
- No revocation path — when an agent is retired or turns out to be compromised, there is no clean way to kill its identity, so stale credentials keep working long after they should have gone dark.
From secrets to attestation: giving each agent a provable, revocable identity
The fix is not another dashboard bolted onto an untracked fleet. It is a change in what an identity is. A shared, long-lived secret answers only one weak question — does the caller hold the key. It says nothing about which agent this is, what it is allowed to do, or whether that permission still holds. RankShield’s honest position is that you cannot secure what you cannot uniquely identify and prove, so the starting point is giving every agent a distinct, least-privilege, revocable identity rather than a reused credential.
Attestation goes one step further: a verifiable record of what each agent actually did, where verifiable means independently checkable rather than taken on trust. When identity is distinct, permissions are scoped tight, revocation is real, and actions leave a record anyone can verify, the machine identity stops being the soft target. The tracking vacuum closes because the identity was provable from the moment it was created — not reconstructed after a breach.
See it run — and prove it.
Autonomous, quantum-safe, and verifiable, for enterprise and small business.