IT Brief New Zealand - Technology news for CIOs & IT decision-makers

Unseen & Unsecured: The machine identity threat you can’t ignore


Cybersecurity leaders have spent decades securing human identities through various identity governance measures. Yet, as progress in human identity management becomes clearer, machine identities have emerged as a critical weak point.

A 2024 SailPoint special report, Machine Identity Crisis: The Challenges of Manual Processes and Hidden Risks, reveals that 70% of organisations now manage more machine identities than human ones, yet only 38% have real-time visibility into them. This imbalance presents a growing security risk as machine identities proliferate across enterprise environments.

With Forrester predicting that global cybercrime will cost $12 trillion in 2025, organisations cannot afford to overlook this rapidly growing threat. Digital entities, from service accounts to bots, APIs, and autonomous AI agents, have become a serious concern in enterprise security. Attackers are already exploiting this vulnerability.

Why machine identities are a blind spot for organisations

As automation and AI adoption accelerate, machine identities are projected to grow 30% over the next 3–5 years, far outpacing human identity growth. According to the same report, nearly half of organisations (47%) already manage ten times more machine identities than human ones.

Unlike human users, these digital identities often operate without oversight. This visibility gap is compounded by a lack of ownership, with 75% of machine identities reportedly having no assigned owner. Without clear accountability, these identities drift across digital environments, accumulating unchecked permissions and increasing security risk. Meanwhile, 66% of organisations still rely on manual processes to manage machine identities, heightening the risk of human error and misconfigurations.

Even when security teams identify dormant or unnecessary machine identities, 88% hesitate to delete them for fear of disrupting business-critical systems, creating a growing inventory of abandoned but still-active accounts.

The consequence of ignoring machine identity security

Failing to secure machine identities poses a direct threat to business resilience and financial performance. Well over half (57%) of organisations admit to having provided inappropriate access to machine identities, creating open pathways for attackers to exploit.

These security failures translate directly to compliance issues – 60% of organisations report facing regulatory challenges tied to machine identities. As the 2023-2030 Australian Cyber Security Strategy recommends and enforces tighter controls around identity security, failing to secure machine identities could result in financial penalties and loss of customer trust.

A stark example of this vulnerability is the MOVEit data breach. MOVEit, a managed file transfer software developed by Ipswitch (a subsidiary of Progress Software), became the target of a major cyberattack when a vulnerability allowed attackers to steal sensitive files through an SQL injection on public-facing servers. The breach exploited a machine-level vulnerability, highlighting how unmanaged machine identities can become a backdoor for attackers to infiltrate and extract critical data.

This risk profile expands with agentic AI. Autonomous agents often hold broad access across systems, making them high-value targets. If compromised, an AI agent could independently escalate permissions, alter business processes, or bypass security controls without triggering traditional alarms.

When machine identities control critical workflows, compromise can lead to catastrophic operational disruptions and reputational damage. The complexity of modern digital ecosystems makes isolating and resolving these incidents incredibly difficult, prolonging the recovery process and increasing financial fallout.

Why responsible AI-driven machine identity security is the answer

Here's where fighting fire with fire becomes essential. While AI may be the source of new threat vectors—from AI-driven impersonation to lifecycle mismanagement of AI agents—it also holds the key to managing these risks effectively.

Securing machine identities requires a fundamentally different approach. While most organisations have well-established frameworks for managing human identities, machine identities operate at a scale and speed that traditional methods simply can't match.

AI offers a powerful solution. It can detect anomalies, flag risky behaviour, and adjust permissions in real-time, enabling policy-aligned decisions on a scale far beyond human capability. When embedded into identity security, AI not only enhances detection and response but also ensures access decisions are explainable, governed, and visible by design.

By treating machine identities with the same rigour as human ones, organisations can transform their greatest vulnerability into a strategic advantage. A zero trust approach—rooted in least privilege—is critical. Machine identities must be continuously verified and granted only the access necessary for their function. As organisations increasingly rely on AI agents, the ability to manage their full identity lifecycle, including enforcing access certifications, becomes essential.
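The governance checks described above (unassigned owners, dormant-but-active accounts, permissions that have drifted beyond what the function needs, and overdue access certifications) can be turned into a repeatable audit over a machine-identity inventory. The following is an added example, not code from the original article or from SailPoint; the inventory records, the role baselines and the field names are constructed assumptions, and real environments would populate them from an IAM or secrets-management export.

```python
"""Audit a machine-identity inventory for the governance gaps named in the text.

Added example. The records, role baselines and thresholds below are constructed
assumptions, not data from any real environment.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

DORMANT_DAYS = 90      # unused for longer than this counts as dormant (assumed threshold)
CERT_DAYS = 180        # access certification must be renewed within this window (assumed)
DISABLE_WATCH_DAYS = 30  # disable first and watch for breakage before deleting (assumed)

# Least-privilege baseline per role: the permissions the function actually needs (assumed).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ci-runner": {"repo:read", "artifact:write"},
    "backup-agent": {"storage:read", "storage:write"},
    "ai-agent": {"ticket:read", "ticket:write"},
}


@dataclass
class MachineIdentity:
    name: str
    role: str
    owner: Optional[str]
    last_used: Optional[date]
    last_certified: Optional[date]
    permissions: Set[str] = field(default_factory=set)
    enabled: bool = True


def audit(identities: List[MachineIdentity], today: date) -> Dict[str, List[str]]:
    """Return a mapping of identity name -> list of findings; clean identities are omitted."""
    findings: Dict[str, List[str]] = {}
    for mi in identities:
        issues: List[str] = []
        if not mi.owner:
            issues.append("no-owner")
        # Dormant but still enabled: the "abandoned but active" inventory the text warns about.
        if mi.enabled and (mi.last_used is None or (today - mi.last_used).days > DORMANT_DAYS):
            issues.append("dormant-but-active")
        # Permission drift: anything beyond the role baseline violates least privilege.
        excess = mi.permissions - ROLE_BASELINE.get(mi.role, set())
        if excess:
            issues.append("excess-permissions:" + ",".join(sorted(excess)))
        if mi.last_certified is None or (today - mi.last_certified).days > CERT_DAYS:
            issues.append("certification-overdue")
        if issues:
            findings[mi.name] = issues
    return findings


def recommended_permissions(mi: MachineIdentity) -> Set[str]:
    """Permissions the identity should keep: current grants intersected with its role baseline."""
    return mi.permissions & ROLE_BASELINE.get(mi.role, set())


def remediation(issue: str) -> str:
    """Map a finding to a staged action; dormant accounts are disabled, not deleted outright."""
    if issue == "no-owner":
        return "assign an accountable owner before any other change"
    if issue == "dormant-but-active":
        return f"disable the credential and watch for breakage for {DISABLE_WATCH_DAYS} days before deletion"
    if issue.startswith("excess-permissions:"):
        return "revoke " + issue.split(":", 1)[1] + " and re-grant only on a documented need"
    if issue == "certification-overdue":
        return "route to the owner for access certification"
    return "review manually"


# Constructed sample inventory (not real identities).
TODAY = date(2025, 6, 1)
SAMPLE = [
    MachineIdentity("ci-runner-01", "ci-runner", "platform-team", date(2025, 5, 30),
                    date(2025, 1, 15), {"repo:read", "artifact:write"}),
    MachineIdentity("legacy-backup", "backup-agent", None, date(2024, 11, 2),
                    None, {"storage:read", "storage:write", "iam:admin"}),
    MachineIdentity("support-agent", "ai-agent", "cx-team", date(2025, 5, 31),
                    date(2024, 9, 1), {"ticket:read", "ticket:write", "billing:write"}),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, TODAY).items():
        for issue in issues:
            print(f"{name}: {issue} -> {remediation(issue)}")
```

Running the script against the constructed inventory flags the unowned, long-idle backup account with an admin grant it never needed, and the AI agent whose permissions have crept into billing, while the properly owned and certified CI runner produces no findings. The disable-then-delete step exists precisely because teams hesitate to remove identities they do not understand; a disabled credential that breaks nothing for a month is safe to retire.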

The machine identity attack surface will continue to grow in complexity, but with responsible AI and strong governance, it doesn't have to remain a blind spot. With the proper oversight, organisations can turn a potential vulnerability into a strategic advantage, transforming identity security into a frontline defence in the modern enterprise.
