
Machine IDs Overwhelm IAM: Ten Times More Non-Human Identities Than Employees

Bottom line: The disparity between machine IDs and human accounts is growing so dramatically in cloud-native environments that traditional IAM processes are failing, creating security gaps.

In modern infrastructures, there are 10 to 45 non-human identities per employee — APIs, service accounts, OAuth tokens and container secrets proliferate uncontrollably outside established governance. Classic identity-and-access-management systems were not designed for this mass production of machine IDs.

Telemetry data from CyberArk and analysis from Gartner document a massive quantitative imbalance: while a company manages around 1,000 employee accounts, it simultaneously generates 10,000 to 45,000 non-human identities. These include service accounts, API keys, OAuth tokens, SSH keys, secrets in containers and automated RPA bots. This growth is a direct consequence of modern software architectures: a cloud-native application with hundreds of microservices and serverless functions requires significantly more unique identities than a monolithic legacy application with a single centralized system access.

Classic identity management systems are unprepared for this situation. They are structurally designed to map the lifecycle of humans within the organization — hiring, authentication via password or biometrics, offboarding. For non-human identities, these mechanisms do not apply. An API token has no face, cannot receive SMS-based two-factor authentication and does not go through an HR-managed onboarding process. Often these accounts lack a single human owner: a developer creates a service account for a short-term script, leaves the company or the project is terminated — the account continues running in the background because it generates no interactive login sessions and therefore does not trigger standard anomaly detection.

The governance risk is compounded by decentralized shadow IT: business units use cloud services and low-code platforms (Zapier, Make) as well as AI assistants for automation without involving central IT. To exchange data, users independently generate API keys in internal or external applications. These secrets emerge outside any central control and documentation. CISOs must therefore shift their strategy from pure human identity management to comprehensive machine identity governance — with inventory management, lifecycle management, privileged access management and continuous monitoring of this growing flood of identities.
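The lifecycle gaps described above (an owner who has left, a key nobody recorded an owner for, a credential that is never used yet never expires) are exactly what an inventory pass over non-human identities should surface. The script below is an added example, not code from the article or from any vendor named in it; it assumes an inventory export of the kind a cloud IAM or secrets manager can produce and an HR list of active employees, both constructed inline here with fictitious names and dates.

```python
"""Orphaned / stale non-human identity (NHI) review over a constructed inventory.

Added example, not from the article. The inventory and the employee list are
constructed sample data, stand-ins for an export from a cloud IAM or secrets
manager and for an HR directory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class NonHumanIdentity:
    name: str
    kind: str                     # "service_account", "api_key", "oauth_token", "ssh_key"
    owner: Optional[str]          # employee username that created/owns it, if recorded
    created: date
    last_used: Optional[date]     # None = never observed using the credential
    expires: Optional[date]       # None = no expiry set
    privileged: bool = False


# Constructed sample data: none of these are real accounts or people.
ACTIVE_EMPLOYEES = {"alice", "bob"}

TODAY = date(2026, 6, 3)  # pinned "today" so the example is reproducible

INVENTORY = [
    NonHumanIdentity("svc-billing-export", "service_account", "alice",
                     date(2025, 1, 10), date(2026, 6, 1), None, True),
    # owner "carol" has left the company; the account keeps running
    NonHumanIdentity("svc-migration-tmp", "service_account", "carol",
                     date(2025, 9, 2), date(2025, 9, 20), None, True),
    # key created from a low-code platform with no recorded owner
    NonHumanIdentity("zapier-crm-sync", "api_key", None,
                     date(2026, 2, 14), date(2026, 5, 30), None),
    # deploy key not used for months
    NonHumanIdentity("ci-deploy-key", "ssh_key", "bob",
                     date(2024, 11, 3), date(2025, 11, 30), None),
    # healthy: active owner, recently used, expiry set
    NonHumanIdentity("oauth-dashboard", "oauth_token", "bob",
                     date(2026, 5, 1), date(2026, 6, 2), date(2026, 8, 1)),
]

STALE_AFTER = timedelta(days=90)  # assumed review threshold, tune per environment


def audit(inventory: List[NonHumanIdentity], active_employees, today: date,
          stale_after: timedelta = STALE_AFTER) -> Dict[str, List[str]]:
    """Return {identity_name: [finding, ...]} for identities that need review.

    Findings map to the lifecycle gaps the article describes:
      orphaned   - owner left the organization, or no owner was ever recorded
      stale      - not used within `stale_after`, or never used at all
      no_expiry  - credential never expires, so offboarding relies on someone remembering
    """
    findings: Dict[str, List[str]] = {}
    for nhi in inventory:
        issues = []
        if nhi.owner is None:
            issues.append("orphaned: no recorded owner")
        elif nhi.owner not in active_employees:
            issues.append(f"orphaned: owner '{nhi.owner}' no longer active")
        if nhi.last_used is None:
            issues.append("stale: never used")
        elif today - nhi.last_used > stale_after:
            issues.append(f"stale: last used {(today - nhi.last_used).days} days ago")
        if nhi.expires is None:
            issues.append("no_expiry: credential does not expire")
        if issues:
            findings[nhi.name] = issues
    return findings


def prioritized(findings: Dict[str, List[str]],
                inventory: List[NonHumanIdentity]) -> List[str]:
    """Order identity names for review: privileged first, then by number of issues."""
    priv = {n.name: n.privileged for n in inventory}
    return sorted(findings, key=lambda name: (not priv[name], -len(findings[name])))


if __name__ == "__main__":
    found = audit(INVENTORY, ACTIVE_EMPLOYEES, TODAY)
    for name in prioritized(found, INVENTORY):
        print(f"{name}: " + "; ".join(found[name]))
```

Run as-is, the script reports four of the five identities, with the privileged, orphaned, stale, non-expiring `svc-migration-tmp` at the top of the queue and the healthy `oauth-dashboard` token absent. The ownership check is the part worth wiring into real offboarding: joining the inventory against the HR directory is what turns a departed developer's forgotten service account from an invisible background process into a review item.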


Source: www.it-daily.net · Published June 3, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.2.9.
