CyberDefenseMagazine

Prioritizing Control of Unmanaged Identities for The Modern Enterprise


As organizations accelerate digital transformation through cloud migration and rapid AI integration, a growing risk is emerging in the form of unmanaged identities. These include both human and machine identities, like AI agents and service accounts, that operate beyond traditional oversight. Left unchecked, they can be exploited by attackers and lead to serious security, compliance, and operational risks.

Identity security has historically not been a focal point for most organizations, but the scale and urgency of this challenge are now becoming clear and have already started to reshape how many businesses approach it. According to research from Enterprise Strategy Group, 91% of organizational leaders said that as they race to adopt agentic AI solutions, modernizing workforce identity security has become a top priority, and 87% of organizations are planning to increase their spending on workforce identity security in response to this evolving threat landscape.

As organizations rush to embrace AI and automation, they are finding that identity sprawl is accelerating faster than their traditional controls can keep up. Attackers have realized they no longer need a new vulnerability when a forgotten account with valid credentials will do. This is pushing organizations to an inflection point: they recognize the urgent need to act now to bring every unmanaged identity in their environment under control.

What are unmanaged identities?

Unmanaged identities are any accounts or credentials that are not tracked, governed, or protected by identity management systems. They arise when gaps in normal identity or security processes leave an identity stranded: accounts that aren't deactivated after an employee leaves, contractors who retain access after their engagement ends, or new systems that are added without being integrated into centralized identity management.

Once created, these unmanaged identities can take many forms, including:

  • IT admins with excessive permissions or undocumented backdoor accounts,
  • Developers holding standing access to critical systems and data,
  • Human users exposed to error and credential theft, a risk amplified by remote work, and
  • A growing population of AI agents and other machine identities that can be compromised just as readily.

As a result, many organizations face a fast rise in identities, with machine identities now outnumbering human ones, and many of those non-human accounts hold sensitive or privileged access yet are left unmanaged. This imbalance matters because identity-centric attacks are rising rapidly: one study found that identity-driven threats accounted for 59% of all confirmed cyber incidents in early 2025, a 156% surge since 2023. The more unmanaged human and machine identities exist, the wider the attack surface becomes for cyber criminals to exploit.

In addition, AI-driven phishing is a growing identity threat. It underscores how attackers are shifting away from traditional malware toward the misuse of valid credentials, producing identity-based attacks that scale faster than organizations' governance controls.

To stay ahead of the shifting threat landscape, organizations must apply the same lifecycle controls, visibility and remediation processes to every identity type, human and machine, to bring unmanaged identities under control before they feed the next wave of breaches.

Why unmanaged identities are a critical risk

Although it may seem self-evident, security leaders need to understand that unmanaged identities pose one of the greatest risks organizations face today. This may feel like a mundane IT or administrative issue, but every identity that isn't tracked or governed effectively broadens the attack surface, increasing an organization's threat exposure and giving cyber criminals more potential entry points.

Each of these identities is a prime target for credential theft and, once compromised, a foothold for lateral movement within the organization's network. Incomplete identity inventories are also more than 'just' a cyber security issue: they open a slew of regulatory and compliance problems, including failures to meet standards such as GDPR, HIPAA, and SOX. The operational consequences can be just as severe, with unauthorized access or accidental deletions disrupting business operations and leading to financial losses and diminished customer trust.

What is driving the unmanaged identity problem?

In most cases, control isn’t lost suddenly, it slips away slowly. Every new SaaS app, cloud workload, or AI service creates another set of identities that may not be captured by existing policies. Control is eroded as identities are created faster than they can be tracked, and ownership becomes fragmented across teams and systems.

From there, a range of factors make them difficult to manage, including a lack of centralized visibility and rapid cloud adoption. Gartner recently predicted that 90% of organizations will adopt a hybrid cloud approach through 2027, a shift that means identities will increasingly be created and managed across multiple platforms and providers, making it far harder to maintain a single source of truth.

Beyond cloud adoption, organizational silos are also fueling the problem, with disconnected IT and security functions fragmenting accountability and weakening visibility and control. These fractures only deepen as shadow IT and business-led technology adoption continue to rise, further widening the gap between ownership and oversight.

A Microsoft survey found that 78% of AI users bring their own tools to the workplace that aren’t managed by IT teams, and IBM found that one in five organizations has already suffered a breach tied to shadow IT. These unmanaged identities have already caused disruption for organizations, but it’s not too late for leaders to adopt best practices and avoid these risks.

How to regain control

Addressing this challenge requires both awareness and coordinated action. It is no longer just a technical issue: unmanaged identities are an organizational blind spot that demands leadership attention at every level. Everyone from the C-suite through to the IT team must recognize that a high percentage of the identities in their environment are unknown and therefore unmanaged. So, what can organizations do to tackle this issue?

A few best practices for discovering and managing these identities to keep top of mind include:

  • Continuously reviewing and analyzing your identity landscape to identify and log new human and machine identities across your cloud environments
  • Implementing advanced tools to manage and secure identities in complex environments
  • Automating processes to manage identity lifecycles so that dormant or unused ones are disconnected
  • Limiting access rights to all identities, human and non-human, to the minimum necessary and providing access only when needed
  • Conducting periodic reviews to ensure compliance and identify anomalies
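The discovery and lifecycle steps above, and the ways unmanaged identities arise that the earlier section describes (owners who have left, contractors whose engagement has ended, systems never enrolled in central IAM, dormant accounts), can be reduced to a reconciliation of the identity inventory against the HR roster. The script below is an added illustration written for this page, not code from the author or from Delinea; the roster, the inventory, the field names, the 90-day dormancy threshold and the remediation actions are all assumptions, and the data is constructed.

```python
from datetime import date, timedelta

TODAY = date(2025, 6, 1)            # fixed "now" so the run is deterministic
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold; tune to policy

# Constructed HR roster (assumed export from the HR system): who is employed
# or on an active contract. Contractors carry a contract end date.
HR_ROSTER = {
    "alice": {"status": "active",     "contract_end": None},
    "bob":   {"status": "terminated", "contract_end": None},
    "carol": {"status": "active",     "contract_end": date(2025, 3, 31)},
    "dave":  {"status": "active",     "contract_end": None},
}

# Constructed identity inventory (assumed merge of directory, cloud IAM and
# CI/CD exports). "governed" means enrolled in central IAM; "owner" is the
# HR id accountable for the identity, if anyone is.
IDENTITIES = [
    {"name": "alice",           "kind": "human",   "owner": "alice", "privileged": False, "governed": True,  "last_used": date(2025, 5, 30)},
    {"name": "bob",             "kind": "human",   "owner": "bob",   "privileged": True,  "governed": True,  "last_used": date(2025, 1, 10)},
    {"name": "carol-ctr",       "kind": "human",   "owner": "carol", "privileged": False, "governed": True,  "last_used": date(2025, 5, 28)},
    {"name": "svc-backup",      "kind": "machine", "owner": "bob",   "privileged": True,  "governed": True,  "last_used": date(2025, 5, 31)},
    {"name": "ai-agent-ingest", "kind": "machine", "owner": None,    "privileged": True,  "governed": False, "last_used": date(2025, 5, 29)},
    {"name": "svc-legacy-etl",  "kind": "machine", "owner": "dave",  "privileged": False, "governed": True,  "last_used": date(2024, 11, 2)},
    {"name": "dave",            "kind": "human",   "owner": "dave",  "privileged": False, "governed": True,  "last_used": date(2025, 5, 31)},
]


def lookup(name, identities=IDENTITIES):
    """Fetch one inventory record by name."""
    return next(i for i in identities if i["name"] == name)


def classify(ident, roster, today=TODAY):
    """Return the findings that make this identity unmanaged (empty if none)."""
    findings = []
    owner = ident["owner"]
    if owner is None:
        findings.append("no_owner")
    else:
        record = roster.get(owner)
        if record is None or record["status"] != "active":
            findings.append("orphaned")          # owner left or never existed in HR
        elif record["contract_end"] and record["contract_end"] < today:
            findings.append("contract_expired")  # access outlived the contract
    if not ident["governed"]:
        findings.append("ungoverned")            # created outside central IAM
    if today - ident["last_used"] > DORMANT_AFTER:
        findings.append("dormant")
    return findings


def recommend(ident, findings):
    """Map findings to an action. Orphaned human accounts are disabled; an
    orphaned or ownerless machine identity may still be in production use, so
    it gets an accountable owner before anyone pulls the plug."""
    if "dormant" in findings or "contract_expired" in findings:
        return "disable"
    if "orphaned" in findings and ident["kind"] == "human":
        return "disable"
    if "orphaned" in findings or "no_owner" in findings:
        return "assign_owner"
    if "ungoverned" in findings:
        return "enroll"
    return "none"


def triage(identities=IDENTITIES, roster=HR_ROSTER, today=TODAY):
    """Build a remediation list with privileged identities first."""
    report = []
    for ident in identities:
        findings = classify(ident, roster, today)
        if not findings:
            continue
        report.append({
            "name": ident["name"],
            "kind": ident["kind"],
            "findings": findings,
            "action": recommend(ident, findings),
            "priority": "high" if ident["privileged"] else "medium",
        })
    report.sort(key=lambda r: (r["priority"] != "high", r["name"]))
    return report


if __name__ == "__main__":
    for row in triage():
        print(f"{row['priority']:<6} {row['name']:<16} {row['kind']:<8} "
              f"{','.join(row['findings']):<24} -> {row['action']}")
```

Run on the constructed data, the report surfaces the privileged service account whose owner was terminated, the ownerless and unenrolled AI agent, the terminated admin's dormant account, the contractor whose contract ended two months ago, and a machine identity nobody has used in over six months, while the two healthy accounts produce no findings. In a real deployment the roster and inventory would come from the HR system and the identity providers, and the run would be scheduled so the reconciliation is continuous rather than periodic.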

Redefining control in the age of AI

Unmanaged identities present a clear and growing danger to organizations. They are not just a compliance headache; they are fundamental security and operational exposure points that raise the likelihood of breaches, compliance failures, and business disruption.

In the ongoing age of digital transformation and AI, the need for visibility and control over all identities is non-negotiable. Security, identity, and business leaders must treat identity holistically, understand all identities in play, govern them with consistent policies, audit them continuously, and adapt controls to match the pace of cloud and AI-driven change. Every agent, bot, and service account must be scrutinized as rigorously as a human user.

Ultimately, identity is the new control plane for enterprise security, and mastering it is no longer optional. Organizations that treat identity discovery and governance as a core discipline will be the ones able to innovate confidently and securely in the era of cloud and AI.

About the Author

Phil Calvin is the Chief Product Officer of Delinea. He brings more than 25 years of software development, technical leadership and entrepreneurial experience to Delinea. His areas of expertise include technical strategy, cloud architecture, and engineering executive management. Prior to Delinea, Phil spent nearly a decade at Salesforce in a variety of architectural and engineering leadership roles, most recently leading the Platform Engineering organization and focusing on making the Salesforce platform trusted, accessible, and scalable. His earlier career includes several startups and engineering roles, including serving as Principal Architect at Citrix after an acquisition of another one of his companies.

Phil can be reached online on LinkedIn and on the Delinea website https://delinea.com/.


