The subject of non-human identities (NHIs) has flooded security circles lately. Not because they are new—NHIs (service accounts, application accounts, bots, scripts, machine identities, API keys, etc.) have been part of modern operations for a long time.
The reason for the attention now is agentic AI.
Agentic AI is a generic term for intelligent systems capable of autonomous decision-making and problem-solving—systems that can perceive context, adapt, and execute actions without human intervention.
According to Deloitte’s State of AI in the Enterprise 2026 report, 74% of companies plan to deploy agentic AI within the next two years. That number will likely increase, as nearly every software vendor and enterprise development team rushes to incorporate task-specific AI agents into their apps.
Agentic AI represents a fundamental transformation in how applications are written, in how systems operate, and in how work gets done. From what we have seen so far, the technology is remarkable. But for the security community, it’s also concerning.
The “Shadow Identity” Problem
The cybersecurity landscape is always evolving. Adversaries are creative at exploiting vulnerabilities, aided by AI-driven bots capable of continuous scanning, adapting, and probing for weaknesses. Security teams need to be diligent, minimizing attack vectors as much as possible.
Identities are a prime target for attacks. By taking over a valid identity, adversaries can operate within the bounds of the compromised identity’s permissions, abusing credentials for nefarious purposes. Credential abuse is the most common access vector for breaches today, resulting in 22% of all breach incidents.
This is one reason why identity security is so critical. Ever since the breakdown of the traditional network boundary, identity has become the perimeter, giving rise to the need for Zero Trust security architectures.
Zero Trust is built on the premise that no identity (human or non-human) is allowed access to resources without continuous verification. Success depends on visibility.
This is where the trouble lies: older non-human identities were often created through IT-managed processes. Security teams were aware of them. AI agents, on the other hand, introduce a new level of autonomy, launching jobs, accessing APIs, interacting with applications and databases, and expanding the number and variety of non-human identities, some of which may land in security blind spots.
If not addressed, agentic AI can create a “shadow identity” problem. Like the “shadow IT” issue before, where cloud and SaaS adoption created unsanctioned applications that security teams were unaware of, agentic AI can create unsanctioned (and unmanaged) identities.
Unmanaged identities increase the risk of excessive access, credential misuse, and orphaned accounts. The OWASP Non-Human Identities Top 10 lists the most common security risks of NHIs.
Identity & Access Management Gaps Exposed
Today, non-human identities far exceed human identities. Estimates range from 25-50:1, even 500:1 in some development-heavy environments. That ratio is set to explode as agentic AI scales.
If organizations have shortcomings in their current identity and access management (IAM) tools and processes, now is the time to address them. Some common problems include:
- Lack of visibility / blind spots
- Unclear ownership and accountability
- Credentials and secrets with long lifespans
- Excessive privileges and overprovisioned access
- Inconsistent (or nonexistent) deprovisioning policies
- Incomplete audit trails
Security leaders should review their IAM capabilities for each stage of the security lifecycle, especially as they relate to NHIs:
- Discovery: What non-human identities exist?
- Ownership: Who is responsible for each identity?
- Approval: Who is authorized to create AI agents or service accounts?
- Access: What systems, data, and tools can they reach?
- Monitoring: How is activity logged and reviewed?
- Credential management: How are secrets rotated and limited?
- Deprovisioning: How are inactive or unnecessary identities retired?
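The lifecycle stages above can be turned into automated checks over an NHI inventory. The following is an added example, not code from the article or from ePlus; the record fields, the thresholds, and the `iam-pipeline` source name are assumptions, and the inventory is constructed sample data.

```python
from datetime import date

# Assumed policy thresholds (illustrative, not from the article).
MAX_SECRET_AGE_DAYS = 90
MAX_IDLE_DAYS = 60
APPROVED_SOURCES = {"iam-pipeline"}  # hypothetical sanctioned provisioning path

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"id": "svc-billing", "kind": "service_account", "owner": "payments-team",
     "source": "iam-pipeline", "secret_issued": date(2026, 2, 1),
     "last_used": date(2026, 3, 28), "scopes": ["billing:read"], "audit_log": True},
    {"id": "agent-summarizer", "kind": "ai_agent", "owner": None,
     "source": "dev-laptop", "secret_issued": date(2025, 6, 1),
     "last_used": date(2026, 3, 30), "scopes": ["*"], "audit_log": False},
    {"id": "bot-legacy-etl", "kind": "script", "owner": "data-eng",
     "source": "iam-pipeline", "secret_issued": date(2026, 1, 15),
     "last_used": date(2025, 11, 2), "scopes": ["db:read"], "audit_log": True},
]

def audit_identity(rec, today):
    """Return the list of lifecycle gaps found for one inventory record."""
    findings = []
    if rec["source"] not in APPROVED_SOURCES:
        findings.append("shadow-identity")        # Discovery / Approval
    if not rec["owner"]:
        findings.append("no-owner")               # Ownership
    if any(s == "*" or s.endswith(":*") for s in rec["scopes"]):
        findings.append("excessive-privilege")    # Access
    if not rec["audit_log"]:
        findings.append("no-audit-trail")         # Monitoring
    if (today - rec["secret_issued"]).days > MAX_SECRET_AGE_DAYS:
        findings.append("stale-credential")       # Credential management
    if (today - rec["last_used"]).days > MAX_IDLE_DAYS:
        findings.append("deprovision-candidate")  # Deprovisioning
    return findings

def audit_inventory(inventory, today):
    """Map identity id -> findings, keeping only identities with gaps."""
    report = {r["id"]: audit_identity(r, today) for r in inventory}
    return {k: v for k, v in report.items() if v}

if __name__ == "__main__":
    for ident, gaps in audit_inventory(INVENTORY, date(2026, 4, 1)).items():
        print(f"{ident}: {', '.join(gaps)}")
```

In practice the inventory would be assembled from cloud IAM, secrets manager, and CI/CD exports rather than a static list, and the thresholds would come from the organization's own policy.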
What CISOs Should Ask Now
Like it or not, change is coming fast. And your tools and processes will have to keep pace. Gartner estimates that by 2028, 70% of CISOs will use identity visibility and intelligence capabilities to shrink the IAM attack surface and reduce the risk of credential compromise.
For CISOs to prepare, here are some key questions to ask your team:
- Do we know how many non-human identities exist across our environment?
- Can we detect AI agents created outside formal IT processes?
- Do we know who owns each non-human identity?
- Are access privileges tied to least privilege?
- How often are credentials rotated?
- Can we audit activity by identity?
- Do our current identity, PAM, secrets management, and monitoring tools cover AI agents?
- Do we have a deprovisioning process for non-human identities?
Can your current identity, access, visibility, and lifecycle controls govern this new class of non-human identities? Answering these and other questions will shed light on your current capabilities and help you develop a plan to move forward.