Preparing for the next wave of machine identity growth
Machine identities are multiplying fast, and many organizations are struggling to keep up. In this Help Net Security interview, Wendy Wu, CMO at SailPoint, explains why machine identity security matters, where most companies go wrong, how automation can help, and what the rise of AI agents means for the future of identity management.
Why has machine identity security become such a critical component of cybersecurity strategies in recent years?
The simplest answer is that while machine identities like service accounts, RPA, IoT devices, and bots have existed for a long time, the number in use has exploded in recent years. In fact, while estimates vary, some experts believe the average enterprise has roughly 45 machine identities in use for each human one. That sounds like a lot, but it shouldn’t come as a shock—after all, today’s businesses use more applications, more software, and more data than ever before. While there’s debate around whether the number is officially more or less than 45, one thing we do know is that machine identities are growing faster than all other identity types, according to our recent Horizons of Identity Security report.
The real problem is that many businesses have yet to fully secure their human identities, let alone their machine identities—and attackers know it. Identities were targeted in an astonishing 60% of all cybersecurity incidents last year, and adversaries increasingly recognize that machine identities tend to be more vulnerable than their human counterparts. Our own research backs this up: in a recent study, we found that 57% of organizations reported that a machine identity has been granted access to sensitive data—and another 16% couldn’t say for sure whether it has happened or not. That underscores the growing concern over the vulnerability of machine identities and the lack of effective protection.
The good news is that organizations now have options, with the ideal state being a broader, more unified approach to managing both human and non-human identities. Increased awareness of the threat posed by poor machine identity management is driving innovation.
What are the most common blind spots organizations have when it comes to managing and securing machine identities? How can CISOs address them?
Frankly, the biggest challenge organizations face right now is discovery, but more on that in the next section. First, let’s talk about the problem of ownership. Even organizations that have conducted a thorough inventory of the machine identities in their environments often lack a clear understanding of who is responsible for managing those identities. In fact, 75% of the organizations we surveyed indicated that they don’t have assigned ownership for individual machine identities. That’s a real problem—especially since poor (or insufficient) governance practices significantly increase the likelihood of compromised access, data loss, and other negative outcomes.
Another critical blind spot is around understanding what data each machine identity can or should be able to access—and just as importantly, what it cannot and should not access. Without clarity, it becomes nearly impossible to enforce proper security controls, limit unnecessary exposure, or maintain compliance. Each machine identity is a potential access point to sensitive data and critical systems. Failing to define and control their access scope opens the door to serious risk.
Addressing the issue starts with putting a comprehensive machine identity security solution in place—ideally one that lets organizations govern machine identities just as they do human identities. Automation plays a critical role: with so many identities to secure, a solution that can discover, classify, assign ownership, certify, and manage the full lifecycle of machine identities significantly streamlines the process. Classification must include understanding not only the function of the identity but also the sensitivity of the data it can interact with—and set boundaries accordingly. Ownership should be assigned based on both the identity’s role and the criticality of the data it can access.
Without clear ownership, machine identities become a serious governance gap—and a potential compliance risk. Establishing strong ownership practices helps eliminate one of the most dangerous blind spots organizations face today.
What challenges do organizations face in discovering and inventorying all their machine identities, especially across hybrid and multi-cloud environments?
Just 38% of organizations say they have access to an accurate, real-time list of all active machine identities, which means 62% are effectively flying blind. And at the risk of invoking a cliché, you can’t secure what you can’t see. Organizations that lack visibility into the full spectrum of machine identities spread across Active Directory, Microsoft Entra, cloud services, and other digital environments are leaving themselves dangerously exposed. It’s one thing for machine identities to be poorly managed or overprovisioned, but it’s another thing entirely to not know they exist in the first place. Look at it this way: if an organization had no idea how many human identities were present in its systems, that would be an all-hands-on-deck problem. Why should machine identities be treated any differently?
Part of the challenge here is that organizations overwhelmingly rely on manual processes to manage machine identities—but conducting discovery manually is an arduous, painstaking process. Security teams without a comprehensive machine identity solution at their disposal may find themselves manually combing through thousands of lines of spreadsheet data and conducting complex cross-tabulations just to determine which identities are human and which are machines—and that’s before even getting into the problem of provisioning them. Worryingly, 66% of organizations say managing machine identities requires more manual intervention than human identities. With the number of machine identities climbing each year, the need for automation is increasingly clear.
How important is automation in managing machine identities at scale, and what are best practices for doing it securely?
Manually managing human identities is already borderline impossible in today’s increasingly complex digital environments. If there really are 45 times as many machine identities as human identities, it goes without saying that manual management isn’t an option. Automating this process isn’t just helpful—it’s essential.
Modern machine identity solutions can walk organizations through the step-by-step process of securing their machine identities—and they can do it much more accurately and efficiently than human operators ever could. Automating the discovery process alone can save hundreds of hours, and it can also provide peace of mind that no identities have been overlooked. Following discovery, the identities can be classified by type (service account, bot, RPA, etc.) and then grouped by application or service. From there, each group can be assigned an owner who will provide oversight if there are any questions about the functionality (or necessity) of each identity. Once an owner is assigned, access certification can begin, with permissions being assigned or revoked as needed for each role/responsibility.
Some of these processes may still require manual intervention—ultimately, it depends on the quality of the data the machine identity solution receives from the source. But in most cases, the discovery, classification, ownership, and assignment processes should have a high degree of automation, allowing organizations to quickly and easily process and secure thousands (even tens of thousands) of machine identities. Given today’s volume of machine identities, the time and effort savings are substantial.
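The discover, classify, group, assign-owner, certify sequence described in the answer above, as an added worked example in Python. This is an editor-added illustration, not SailPoint's code and not part of the interview. The inventory records, the field names (password_never_expires, interactive_logon, application, owner, sensitive_scopes, last_logon_days), the naming prefixes and the 180-day stale threshold are all constructed assumptions chosen to resemble an Active Directory or Entra export; a real pipeline would read them from a directory or cloud API.

```python
"""Governance pass over a machine identity inventory.

Added example: not SailPoint's code and not from the interview. It walks the
discover -> classify -> group -> assign owner -> certify sequence over a
constructed inventory shaped loosely like an AD/Entra export. All field names
and thresholds are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample records (not real data). Each dict is one directory identity.
INVENTORY = [
    {"name": "jdoe", "password_never_expires": False, "interactive_logon": True,
     "application": None, "owner": None, "sensitive_scopes": ["hr-db"], "last_logon_days": 2},
    {"name": "asmith", "password_never_expires": True, "interactive_logon": True,
     "application": None, "owner": None, "sensitive_scopes": [], "last_logon_days": 1},
    {"name": "svc-backup", "password_never_expires": True, "interactive_logon": False,
     "application": "backup", "owner": "ops-team", "sensitive_scopes": ["file-share"], "last_logon_days": 1},
    {"name": "rpa-invoice-01", "password_never_expires": True, "interactive_logon": False,
     "application": "erp", "owner": None, "sensitive_scopes": ["erp-ar"], "last_logon_days": 3},
    {"name": "bot-ci-deploy", "password_never_expires": True, "interactive_logon": False,
     "application": "ci", "owner": "platform", "sensitive_scopes": [], "last_logon_days": 0},
    {"name": "iot-hvac-1234", "password_never_expires": False, "interactive_logon": False,
     "application": None, "owner": None, "sensitive_scopes": [], "last_logon_days": 5},
    {"name": "legacy-sync", "password_never_expires": True, "interactive_logon": False,
     "application": None, "owner": None, "sensitive_scopes": ["crm"], "last_logon_days": 400},
]

# Naming conventions are the cheapest classifier (assumed prefixes). The attribute
# rule in classify() catches machine accounts that were never named consistently.
PREFIX_TYPES = (("svc-", "service_account"), ("rpa-", "rpa"), ("bot-", "bot"), ("iot-", "iot"))


def classify(record):
    """Return a machine type from the name prefix; otherwise 'service_account' when
    the account cannot log on interactively and has a non-expiring password; else
    'human'. A non-expiring password alone is not a machine signal, since some human
    accounts carry that exemption too."""
    name = record["name"].lower()
    for prefix, kind in PREFIX_TYPES:
        if name.startswith(prefix):
            return kind
    if record["password_never_expires"] and not record["interactive_logon"]:
        return "service_account"
    return "human"


def machine_identities(records):
    return [r for r in records if classify(r) != "human"]


def group_by_application(records):
    """Group machine identities by the application they serve. Identities with no
    application land in UNASSIGNED, which is where ownership work has to start."""
    groups = defaultdict(list)
    for r in machine_identities(records):
        groups[r["application"] or "UNASSIGNED"].append(r["name"])
    return dict(groups)


def governance_findings(records, stale_days=180):
    """Flag the blind spots named in the interview: no owner, sensitive access with
    no owner, and stale machine identities that nobody would notice going missing."""
    findings = []
    for r in machine_identities(records):
        if r["owner"] is None:
            findings.append((r["name"], "no_owner"))
            if r["sensitive_scopes"]:
                findings.append((r["name"], "sensitive_access_without_owner"))
        if r["last_logon_days"] > stale_days:
            findings.append((r["name"], "stale"))
    return findings


def certification_worklist(records, stale_days=180):
    """One review item per machine identity: who certifies it (the owner, or an
    escalation when none exists), what sensitive scopes it holds, and why it was
    flagged. Unowned identities with the most sensitive reach sort first."""
    reasons = defaultdict(list)
    for name, code in governance_findings(records, stale_days):
        reasons[name].append(code)
    worklist = [{
        "name": r["name"],
        "type": classify(r),
        "certifier": r["owner"] or "ESCALATE",
        "scopes": list(r["sensitive_scopes"]),
        "reasons": reasons.get(r["name"], []),
    } for r in machine_identities(records)]
    worklist.sort(key=lambda w: (w["certifier"] != "ESCALATE", -len(w["scopes"])))
    return worklist


def machine_to_human_ratio(records):
    """The headline metric from the interview, computed over this inventory."""
    humans = sum(1 for r in records if classify(r) == "human")
    return len(machine_identities(records)) / humans if humans else float("inf")


if __name__ == "__main__":
    print("machine:human ratio", machine_to_human_ratio(INVENTORY))
    print("groups", group_by_application(INVENTORY))
    for item in certification_worklist(INVENTORY):
        print(item)
```

Two details worth noting. The classifier deliberately requires both a non-expiring password and no interactive logon before calling an unprefixed account a machine, so a human account with a password exemption (asmith) is not misfiled. And legacy-sync shows why discovery has to come before ownership: it has no prefix, no application, no owner, holds a sensitive scope, and has not logged on in over a year, yet a prefix-only inventory would never have listed it.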
As machine-to-machine communication becomes more pervasive (e.g., in IoT, Kubernetes, serverless), how is the landscape of machine identity security evolving?
The explosion of IoT devices, Kubernetes clusters, and serverless architecture has caused a surge in machine identities — and with it, a pressing need for stronger machine identity security. Yet many organizations are still grappling with the scale and complexity of managing these machine identities effectively.
Now, the landscape is shifting again. A new class of identity has emerged: AI agents. Unlike machine identities, AI agents are autonomous systems that don’t just communicate with other systems; they act independently on behalf of organizations, accessing sensitive data, making decisions, and executing mission-critical tasks. Securing these AI agents requires more than traditional identity management. Organizations must now ensure fine-grained entitlement control over AI agents — not just granting access to applications but governing their actions down to individual data fields and functions. Without this level of governance, enterprises risk exposing their most critical assets.
Security platforms that combine deep intelligence with an extensive library of out-of-the-box connectors for systems like mainframes, SAP, and Oracle will be best positioned to secure this new generation of both human and digital identities, including AI agents. Organizations that invest now will be better equipped to protect their operations as digital autonomy continues to expand.