IT Security

AI shakes up identities

by Mark Rowe

AI will add to the headache of non-human identities, says Callum Evans, Senior Solution Architect at the IT management and consultancy firm SHI

AI is shaking up the way we handle Non-Human Identities (NHIs), and it’s crucial for organisations to embrace this transformation. Harvard Business School cites estimates that the market could grow from $8bn (£5.9bn) in 2025 to $199bn (£148bn) by 2034 and that its economic contribution could reach $4.4 trillion (£3.3 trillion) annually by 2030. The productivity benefits in personal and professional spheres could be massive. But each agent also needs an identity to authenticate, communicate and get stuff done. This will add to an explosion in NHIs that has, up until now, largely been driven by service accounts, bots, API keys, digital certificates, and OAuth tokens.

However, since NHIs are often inadequately managed or not managed at all, this could create a new vulnerability for organisations deploying agents. A recent report reveals that three-quarters (74pc) of organisations are worried that AI will increase the frequency of attacks on their identity infrastructure. More automation, more governance and more security by design are required.

Over-permissioned and under-secured

NHIs are essential for agents to do the job they’re designed for: that is, to autonomously think, plan, reason and act to achieve the tasks set for them, interacting with other systems and resources including agents, databases, websites and inboxes. Because they do so with relatively little oversight and move at machine speed across the web, something could go wrong before security teams even realise. Agents are granted elevated privileges for far-reaching access, compounding potential security risks and making lateral movement, data theft and sabotage easier for threat actors.

According to one estimate, there’s been an 89 per cent increase in AI-enabled attacks in the past year. Verizon claims threat actors researched or used AI assistance in 15 documented techniques on average last year, with some using as many as 40 or 50. On paper, setting up NHIs for agents should help improve accountability, policy enforcement and auditing while reducing agent sprawl. But often NHIs are over-permissioned, which increases the potential damage a hijacked or rogue agent could do.

Experts urge organisations experimenting with agents to begin only with “tightly bound pilots.” However, the reality is somewhat different. Research reveals that many are already being used in sensitive security-related helpdesk tasks, where they could access SSH and encryption keys, helping actors at various stages of the cyber-attack kill chain.

A recently observed AI agent powered by a large language model exploited vulnerabilities, moved laterally, and harvested data, completing the entire attack chain in under an hour.

Even benign agents can cause unintended consequences if the right guardrails aren’t in place. In a recent incident, the founder of developer PocketOS claimed a Claude-powered version of AI coding tool Cursor deleted his production database in just seconds. A few months ago, Meta AI safety researcher Summer Yue nearly had her entire inbox deleted after an OpenClaw instance “lost” her original instruction.

Solutions are falling short

Organisations urgently require methods to identify non-human identities within their environment and establish robust governance to reduce risk. This remains a difficult challenge, as current IAM, IGA, and PAM solutions were not developed to manage the scale, distribution, and lifecycle complexity of non-human identities. Consequently, organisations often find it hard to fully discover, assign ownership, and govern these identities across their entire infrastructure, which can create gaps and elevate risk.

The problem is compounded by shadow AI. You can’t govern what you can’t see. Yet unmanaged use of tools by business users is likely to be high. Exactly how high is always difficult to ascertain given the nature of shadow IT. But estimates suggest over 80% of employees are running unmanaged AI in the workplace.

What happens next?

Organisations facing these challenges can’t simply plug in an identity security solution and solve all of their agentic AI problems. There is no silver bullet. But there are some high-level best practices that will help to guide secure deployments.

First, define what NHI means to your organisation. Then try to embed security controls directly into IT and security infrastructure such as cloud workloads, networks, CI/CD pipelines, and app frameworks. Next, consider integrating secrets management, IGA, PAM and cloud identity and entitlements management (CIEM) solutions with specialised NHI discovery and management platforms. That will provide the breadth of functionality needed to manage the risks associated with NHIs including AI agents.

Remember: in this world, automation is an ally. The ratio of non-human to human identities has rapidly expanded beyond early estimates of 50:1, with many organisations now seeing 80:1 or higher and some exceeding 100:1, and it will continue to grow. Provisioning, credentialling and deprovisioning at this volume cannot be done manually. It will create security gaps and overwhelm security teams. Get automation right and it will streamline NHI lifecycle management, reducing orphan NHIs that present yet another security risk to teams. Such is the scale and complexity of governing NHIs that many organisations will fare best using a trusted partner with deep domain expertise. The most competent will be able to transform complexity into repeatable processes that keep boards, customers and regulators happy. There’s no time to wait.

Photo by Mark Rowe: Street art.