When CISOs talk about identity, the conversation usually starts with passwords. MFA rollouts. SSO consolidation. Passkey migration timelines. These are real problems, but they are human problems — and humans are no longer the majority of identities on your network.
CyberArk's 2025 research puts the ratio at 80 machine identities for every human. Sysdig measured 40,000 to 1 in containerized environments. Entro Labs tracked the average enterprise going from 50,000 machine identities in 2021 to 250,000 in 2025. And now AI agents are creating new identities faster than any human provisioning workflow can track.
If your IAM strategy is still organized around people, you are managing the minority.
The Identity Explosion Nobody Planned For
Every API key, service account, OAuth token, container workload, CI/CD credential, and cloud IAM role is a machine identity. They authenticate, they authorize, they access sensitive data. But unlike human identities, most of them were never provisioned through your IAM platform. They were created by developers in a sprint, hardcoded into a config file, and forgotten.
GitGuardian's 2026 State of Secrets Sprawl report found 29 million hardcoded secrets exposed on public GitHub in 2025 alone — a 34% year-over-year increase. More alarming: 64% of secrets leaked in 2022 were still valid in early 2026. Nobody rotated them. Nobody even knew they existed.
Inside the enterprise it is worse. 32% of internal repositories contain at least one hardcoded secret. These are not hypothetical attack vectors. They are live credentials sitting in source control, waiting.
When Machine Identities Go Wrong
This is not theoretical risk. The pattern repeats across major breaches.
Okta (October 2023) — Attackers compromised a service account stolen from an employee's laptop. The account had excessive permissions and was classified as non-human, so it was not monitored for anomalies. Customer data was exposed because nobody was watching the machine identity.
CircleCI (January 2023) — Malware on an engineer's laptop led to compromise of a service account with machine-level access rights. Attackers stole production environment variables and API tokens across customer environments.
Codecov (2021). A hardcoded non-human identity in the Bash Uploader script gave attackers access to CI secrets across hundreds of downstream customers. One orphaned credential created a supply chain breach.
The common thread: over-provisioned machine credentials with no lifecycle management, no rotation, no monitoring. The exact identity hygiene we enforce for humans does not exist for the machines that outnumber them 80 to 1.
AI Agents Make Everything Harder
The machine identity problem was already unmanageable. Agentic AI is accelerating it.
Traditional IAM answers a simple question: does this identity have permission to access this resource? But AI agents do not behave like traditional services. The OpenID Foundation's 2025 whitepaper on AI agent identity highlights the structural problem: agents explore available API options to fulfill their goals. An agent with access to a sensitive API will eventually use it, not maliciously, but because its objective function found a path through it.
OAuth and API permissions answer "can the agent call this?" but not "should the agent, given business policy, compliance, and data boundaries?" This is a different authorization problem. It requires runtime governance, continuous evaluation of what an agent is doing, not just what it is allowed to do.
Every autonomous agent your organization deploys is a new non-human identity that needs provisioning, scoping, monitoring, and eventual decommissioning. Most organizations have no process for any of this.
Where Identity Management Is Heading
The IAM market is projected to hit $77.9 billion by 2034. That growth is being driven by four shifts that CISOs need to understand.
Workload Identity Becomes Infrastructure
SPIFFE, the Secure Production Identity Framework for Everyone, graduated from the CNCF in 2022 and is now running at hyperscale. Uber issues SPIFFE credentials across 4,500 services and multiple clouds. ByteDance runs it across one million nodes. This is not experimental, workload identity is becoming as fundamental as DNS. If your containers and microservices do not have cryptographic identity, you cannot do zero trust at the infrastructure layer.
Non-Human Identity Gets Its Own Category
A wave of startups is building NHI-specific governance platforms because the incumbents cannot solve this with bolt-on features. Oasis Security raised $120 million for NHI lifecycle management. Astrix Security raised $85 million and is reportedly in acquisition talks with Cisco at a $250-350 million valuation. Clutch Security raised $20 million focused on zero-trust ephemeral credentials for machine identities. These companies exist because Okta and Microsoft Entra ID were built to manage humans, not the 250,000 machine identities sprawling across your environment.
Passwordless Crosses the Tipping Point
On the human side, passkeys have gone mainstream. 45% of organizations have deployed passkeys, with another 27% in planning. NIST has elevated phishing-resistant MFA as the baseline, and regulatory deadlines are forcing the issue, the UAE mandated it by March 2026, India by April 2026, and the EU Digital Identity Wallet is arriving by year-end. The death of passwords is no longer a prediction. It is a compliance requirement.
Identity Becomes the Zero Trust Control Plane
Zero trust without strong identity is just network segmentation with extra steps. The convergence of workforce IAM, customer IAM, and workload identity into a unified identity fabric is the architectural direction. Siloed identity systems, one for employees, another for customers, another for services, create gaps that attackers exploit. The organizations getting this right are consolidating identity into a single control plane that governs humans, machines, and agents with consistent policy.
What to Do Next
If you are a CISO reading this, here is where to point your team.
Inventory your non-human identities. Most organizations cannot answer "how many service accounts do we have?" Start there. Map API keys, OAuth tokens, service accounts, and CI/CD credentials. You will find orphaned credentials that should have been revoked years ago.
Implement secrets rotation. If a credential has been static for more than 90 days, it is a risk. Move toward ephemeral credentials where possible, short-lived tokens that expire automatically.
Evaluate workload identity. If you are running Kubernetes or microservices at scale, SPIFFE/SPIRE should be on your roadmap. Workload identity is not optional in a zero trust architecture.
Build an AI agent identity framework now. Before your organization deploys autonomous agents at scale, define how they will be provisioned, scoped, monitored, and decommissioned. Bolt-on governance after deployment is how breaches happen.
Consolidate your identity platforms. Every separate identity silo is an attack surface. The trend toward unified identity fabrics is driven by security reality, not vendor marketing.
The Home User Perspective
If you are managing your own infrastructure at home, a homelab, self-hosted services, a NAS, the machine identity problem exists at your scale too. Every API token for your self-hosted apps, every service account for your automation, every webhook credential is a machine identity. Use a secrets manager. Rotate credentials. Do not hardcode tokens in Docker Compose files.
On the human side, enable passkeys everywhere you can. Your password manager is still essential, but passkeys eliminate phishing entirely. Apple, Google, and Microsoft all support them natively now. If a service offers passkey authentication, use it.
The Bottom Line
The IAM industry spent two decades solving the human identity problem. Passwords, MFA, SSO, federation, we have mature tooling for managing people. But people are now the minority on your network. Machine identities outnumber humans by orders of magnitude, AI agents are creating new identities faster than any governance process can track, and the breaches are already happening because of credentials nobody knew existed.
The next chapter of identity management is not about better password policies. It is about governing the machines.