The Machine Identity Era Has Already Started

Cybersecurity spent thirty years building an entire architecture to protect humans. While it was busy doing that, machines quietly became the dominant users of enterprise infrastructure — and almost nobody built anything to protect them. In the second week of August 2025, something quietly catastrophic happened to a piece of enterprise software almost nobody outside a sales department had heard of: Drift, an AI chatbot built by a company called Salesloft. Nobody phished an executive. Nobody cracked a password. A threat cluster researchers would later name UNC6395 got hold of OAuth tokens — the small digital credentials that let one piece of software talk to another without a human in the loop — and used them to walk into the Salesforce environments of more than 700 organizations, Google's Threat Intelligence Group later confirmed . The list of confirmed victims reads like a cybersecurity who's-who: Cloudflare, Google itself, Palo Alto Networks, Proofpoint, Zscaler, Tanium, Fastly, Toast, Dynatrace. These are not careless organizations. Several of them sell security software for a living. None of it mattered, because the attackers weren't going after employees — they were going after the credential of a machine. By the time Salesloft and Salesforce revoked the tokens on August 20, the attackers had spent ten days running automated queries against Salesforce's API, scraping support tickets for the one thing they actually wanted: more machine credentials. AWS keys. Snowflake tokens. VPN secrets, sitting in plaintext inside customer support cases, waiting to be found . This is what a 2025 breach looks like now. And almost nothing in how the cybersecurity industry talks about itself — its conferences, its budgets, its org charts, its awareness training — has caught up to that fact. Here is the sentence underneath everything that follows in this piece: cybersecurity spent thirty years protecting humans while machines quietly became the dominant users of enterprise infrastructure. Not the network. Not the endpoint. Not even the human sitting at the keyboard. The machine identity — the API key, the service account, the OAuth token, the autonomous agent acting on someone's behalf at 3 a.m. — is the thing actually running the modern enterprise now, and it is the thing actually getting breached. It's worth giving that shift a name, because unnamed trends are easy to nod along with and just as easy to forget. Call it Identity Gravity : the enterprise's center of mass pulling steadily away from the human at the keyboard and toward the machines acting on their behalf. For three decades, security programs have run on what amounts to Human-Centric Security — an architecture built almost entirely around verifying, training, and monitoring people. Identity Gravity is the force quietly making that architecture insufficient, one orphaned service account and one autonomous agent at a time. It doesn't announce itself with a single breach. It shows up as a slow, compounding mismatch between where an organization's defenses point and where its actual risk now sits. I'll go one step further, with the obvious caveat that nobody gets to predict the future with certainty: my own bet is that five years from now, security teams will talk about phishing roughly the way they talk about floppy-disk viruses today — not gone, not irrelevant, but no longer the problem that defines the job. The problem that defines the job will be Identity Gravity: the slow, largely invisible transfer of trust from people to machines, and the attackers who noticed it years before most defenders did. \ The numbers nobody can quite agree on, and why that's the point Walk into almost any enterprise security program built in the last two decades, and you'll find the same skeleton underneath it. Passwords. Multi-factor authentication. Phishing simulations. Privileged access reviews. Insider threat monitoring. Even Zero Trust, the architecture that was supposed to throw out the old assumptions entirely, still mostly asks one question over and over: is this human who they say they are? That question made sense when humans were the dominant actors inside enterprise systems. They no longer are. CyberArk's 2025 Identity Security Landscape — a survey of 2,600 security decision-makers across 20 countries — put the ratio of machine identities to human identities at more than 80 to 1. Entro Labs, working from telemetry rather than survey responses, found something even starker in cloud-native environments: a 144-to-1 ratio, up 56% in a single year . Veza puts the average at roughly 82 machine identities for every employee, climbing as high as 40,000 to 1 inside heavily cloud-native shops. A separate analysis cited by the Cloud Security Alliance found one Fortune 500 financial institution running 4.2 million non-human identities against roughly 50,000 human accounts . Different methodologies, wildly different precise numbers — and that disagreement is itself the most interesting data point in this entire story. When a discipline can't agree whether the ratio is 50-to-1 or 144-to-1, that's not a measurement problem. That's a sign nobody has been counting at all until very recently. Every one of these numbers is pointing the same direction, and pointing there fast. CyberArk's research found that 68% of organizations admit they lack identity security controls for AI , and 47% say they cannot secure the shadow AI usage already happening inside their own walls. Clarence Hinton, CyberArk's Chief Strategy Officer, framed the shift bluntly in the report's release: the rush to embed AI everywhere has created a set of identity risks centered on unmanaged machine access, and the privileged reach of AI agents amounts to an entirely new threat vector. That's not a vendor talking up a market. It's a description of what the Drift breach, and a string of incidents before it, already proved in production. \ Why didn't anyone notice? This is the question that actually matters more than any of the ratios above, and it's the one the industry has been slowest to ask out loud: how did a trillion-dollar discipline, staffed by genuinely smart, well-resourced people, fail to notice Identity Gravity pulling its risk somewhere else for this long? The honest answer isn't a single cause. It's five or six reinforcing ones, each individually reasonable, that added up to a collective blind spot. Vendors built products around humans because humans bought the products. Identity and access management as a software category grew up solving a specific, fundable problem: employee onboarding, single sign-on, password resets, access certifications for an audit. There was a buyer — an IT director with a headcount budget — and a clear ROI story. Service accounts didn't have a buyer. They were something a developer spun up between sprints, with nobody in procurement ever asked to sign off. Compliance frameworks measure what's easy to measure, and human accounts are easy. SOC 2 and ISO 27001 access reviews are built around named individuals with job titles and managers — a structure auditors can walk through in an interview. A non-human identity has no manager to interview and often no name beyond a string of characters in a config file. Audits, by design, gravitate toward what can be cleanly sampled and signed off on. Machine identities, almost by definition, resist that. Security awareness training is entirely a human-behavior discipline, and it's where the budget visibly goes. Phishing simulations, social engineering drills, password hygiene campaigns — these exist because human error is legible, trainable, and reportable to a board in a single slide. There is no equivalent training program for a service account, because a service account can't sit through a webinar. The entire muscle of "security awareness" as a function was built around a kind of actor that machine identities simply aren't. Board reporting metrics follow the same bias. CISOs report MFA adoption percentages, phishing click rates, and employee security training completion — because those are the numbers a board already knows how to interpret. Almost no board deck in the last decade has asked "How many service accounts do we have, and who owns them?" If a metric never appears on the board slide, it rarely gets the budget line either. And underneath all of it, the threat genuinely was smaller for a long time. Ten years ago, the ratio of machine identities to humans was real but modest — cloud adoption, DevOps automation, and now agentic AI are what turned a manageable footnote into the dominant population. The industry's blind spot was a known unknown for years before it became consequential, which is exactly the kind of risk organizations are worst at prioritizing: not the dramatic threat that's obviously growing, but the quiet one that's been compounding in the background the entire time. Put those five things together and you get an industry that wasn't negligent so much as structurally unable to see the problem until the breach data forced it to. Nobody built the product, measured the risk, trained for the behavior, or reported it to leadership — not because anyone decided machine identity didn't matter, but because every incentive in the system pointed somewhere else. \ A history nobody connected the dots on The Salesloft breach wasn't an aberration. It was the latest entry in a pattern that's been building since at least 2023, and most of the entries got covered as isolated stories rather than symptoms of the same underlying disease. In late November 2023, Cloudflare disclosed that a nation-state actor had used credentials stolen in an earlier, unrelated breach of Okta to get into its internal Atlassian server — not by phishing a Cloudflare employee, but by reusing a service token and an account that had survived a supposed full credential rotation. In 2024, the Snowflake breach showed the same pattern at industrial scale: attackers didn't break Snowflake's platform at all. They harvested credentials — many stolen by commodity malware months or years earlier — from customer accounts that had no multi-factor authentication enabled, because nobody had built MFA enforcement around those non-interactive accounts in the first place. AT&T, Ticketmaster, and dozens of other Snowflake customers ended up notifying regulators because a machine-facing credential had quietly never been brought under the same controls as a human login. Then, in March 2025, came an attack that should have been a watershed moment for the entire DevOps world: a popular open-source GitHub Action called tj-actions was compromised using a single stolen personal access token. The attacker injected code that silently exfiltrated secrets from the build logs of more than 23,000 repositories before anyone noticed. One compromised machine credential, one popular automation tool, tens of thousands of downstream victims — and barely a ripple outside the security trade press. Add to that the repeated exposure of secrets and access tokens out of Hugging Face repositories, the steady drip of AWS environments compromised through exposed .env files sitting in public S3 buckets, and the Shai-Hulud worm that spread through compromised npm packages by hijacking developer credentials rather than targeting any single application's code — and you start to see the actual shape of modern breach activity. It isn't malware executed by a careless employee. It's stolen, reused, over-permissioned machine credentials moving laterally through systems that were never built to notice them. \ Why machines break every assumption the human model relies on The reason this keeps happening isn't incompetence. It's architecture. Identity security, as a discipline, was built around a small set of assumptions that simply don't hold for machines. A human identity has an owner — HR creates the account when someone is hired, and disables it when they leave. A service account, by contrast, is usually created ad hoc by a developer trying to ship a feature on a deadline, with no equivalent offboarding trigger when that developer moves teams or leaves the company entirely. Entro's research found that nearly half of all non-human identities are over a year old , with some persisting for a decade or more — quietly retaining access long after anyone remembers why they were created, let alone who's accountable for them. A human identity authenticates through something layered: a password plus a second factor, ideally tied to a physical device. A machine identity authenticates with a static key, token, or certificate — and multi-factor authentication, the single most effective control the industry has against credential theft, simply doesn't apply. When that credential leaks, there's no second gate to stop it. The attacker inherits whatever access the credential held, instantly and completely. And a human identity tends to be reasonably scoped — most employees can only reach the systems their job requires, at least in a well-run organization. Machine identities are almost never scoped that tightly, because nobody wants to be the developer whose over-cautious permission request breaks a production deployment at 2 a.m. The result, according to Microsoft's own telemetry as reported by Veza , is that fewer than 5% of the permissions granted to non-human identities ever actually get used — while more than half of those unused permissions are classified as high-risk. In cloud environments specifically, an estimated 99% of service accounts carry more access than they need, frequently at the administrative tier. Entro's own audit work found a similar story: 97% of non-human identities carry excessive privileges , and 44% of the access tokens it scanned were sitting exposed in plain sight — pasted into Slack messages, Jira tickets, and Confluence pages, simply because that's the fastest way for two busy engineers to hand off a credential. Verizon's 2025 Data Breach Investigations Report named credential abuse the single most common way attackers get their initial foothold — and a growing share of that abuse runs through exactly this kind of machine-to-machine credential, rather than a human's stolen password. None of this is exotic. None of it requires a novel zero-day or a nation-state budget. It requires only that the defenders keep treating non-human identity the way they've always treated it: as an operational afterthought rather than a security perimeter. \ Then the agents arrived If static service accounts and API keys were already an unmanaged mess, the arrival of autonomous AI agents has poured accelerant on it — not because agents are uniquely malicious, but because of what they're structurally allowed to do. A traditional service account does one narrow thing, repeatedly, in a way that's relatively easy to baseline. An AI agent is built to chain tools together, call other agents, write and execute its own code, and request new permissions at runtime based on a goal rather than a fixed task list. Microsoft Copilot Studio users alone have collectively built more than one million such agents , and Salesforce reported roughly $440 million in revenue tied specifically to agentic AI products in 2025. Gartner expects agentic AI capability to be embedded in a third of enterprise software by 2028, up from essentially none in 2024. The OWASP Foundation took this seriously enough to publish, in December 2025, the first peer-reviewed security framework built specifically for autonomous agents rather than chat-style language models — naming categories like Agent Goal Hijack, Tool Misuse, and Agent Identity and Privilege Abuse as the recurring failure patterns the industry needs a shared vocabulary for. The Cloud Security Alliance, in research published this April with Token Security, found that 65% of organizations had experienced at least one security incident tied to an AI agent operating on their network in the past year, with the large majority of those incidents traced back to exactly the failure mode this article keeps returning to: agents holding more standing access than their job required. The World Economic Forum's own 2025 analysis found that 51% of organizations have no clear ownership model for their AI identities at all — nobody specific accountable for what a given agent can touch, what it has touched, or what happens when it's retired. That's the orphaned-service-account problem from a decade of cloud sprawl, except now the orphan can reason, act, and chain its own permissions across a dozen systems before a human ever notices. Lavi Lazarovitz, vice president of cyber research at CyberArk Labs, has made the comparison directly: for years, attackers who wanted to bypass authentication targeted a human's browser session cookie — the small token that keeps someone logged in without re-entering a password. The non-human equivalent is the API key or access token an agent carries, and it functions the same way : steal it, and you don't need to defeat any authentication at all. You just walk in with the keys someone already cut for you. \ A thought experiment worth sitting with None of what follows has happened. Treat it as a thought experiment, not a prediction — but it's worth walking through carefully, because every individual step in it is already technically possible today, separately, somewhere in production. Imagine it's several years from now. A large company suffers the most expensive breach in its history. No employee clicks a phishing email. No ransomware gets deployed. No laptop gets infected. Instead: an autonomous procurement agent, using entirely legitimate, currently-valid credentials, calls a second agent to verify a vendor record. That second agent, also acting within its granted permissions, requests elevated access to resolve what looks like a routine data mismatch. The elevated request exposes an internal API that nobody had flagged as sensitive, because it was never meant to be reachable by anything outside one narrow workflow. The API leaks a set of credentials into a log file. A third, unrelated automation process — built by a different team, for a different purpose — ingests that log file as part of its normal operation and inherits the leaked credentials without anyone designing it to. At every step, every authentication succeeds. Every access request looks legitimate, because it is legitimate — each agent is doing precisely what it was authorized to do. No alarm fires, because nothing in the chain violates a rule anyone wrote down. The breach isn't caused by malware, or a stolen password, or a careless click. It's caused by trusted software behaving exactly as it was allowed to behave, at a speed and across a number of hops no human reviewer was ever positioned to catch in real time. That scenario isn't science fiction. It's a description of what happens when you connect agentic systems with the same standing-privilege, ownerless-credential patterns already documented in the Drift breach, the tj-actions compromise, and the Snowflake incident — and then let the chain run one or two hops longer than a human is watching. The components all exist right now. Nobody has had to build anything new for that story to become possible. Someone just has to connect three systems that were each, individually, considered reasonably secure. \ The market already smells it Whatever you think of the hype cycle around agentic AI generally, the money tells a more sober story about where the security industry believes the real risk sits — and it has been moving with unusual speed. On July 30, 2025, Palo Alto Networks announced its intent to acquire CyberArk, the dominant player in privileged access and identity security, for approximately $25 billion in cash and stock — the second-largest acquisition in the history of the cybersecurity industry. The deal closed in February 2026. CEO Nikesh Arora was explicit about why: the rise of AI and the explosion of machine identities, he said, made clear that the next phase of security has to be built around the idea that every identity, human or otherwise, needs the right level of privilege control. That's not a company quietly hedging a side bet. That's the largest network security vendor on the planet putting a quarter of its market cap behind the bet that Identity Gravity is real and still accelerating. It wasn't alone. Secrets-management platform GitGuardian closed a $50 million Series C on the strength of exactly this problem, and Oasis Security — a non-human identity discovery and risk platform — raised $120 million in March 2026 to build out its product across the AI and cloud identity lifecycle. Industry analysts now expect 2026 to bring a wave of further acquisitions as traditional identity, privileged access, and governance vendors race to bolt machine-identity capability onto their existing platforms before a competitor does it first. Brad Bowers, Field CISO at SHI, put the diagnosis plainly in commentary on the trend: ephemeral identities and the ones tied to AI agents are directly contributing to the expansion of the attack surface and introducing risk categories the industry hasn't fully named yet. His broader point is the uncomfortable one: organizations already know what good identity security looks like for people — multi-factor authentication, just-in-time access, least privilege. The actual challenge now is stretching those same principles onto software that doesn't behave the way people do, and was never asked to. \ The pushback worth taking seriously It would be dishonest to write this piece as pure alarm, because there's a credible, well-sourced counter-current running through the same body of research — and an experienced reader should hear it. Everything above is a well-supported argument, not a settled fact, and it's worth being honest about that distinction before going further. Gartner's own June 2025 forecast predicts that more than 40% of agentic AI projects will be canceled by the end of 2027 — not because the security risk is unmanageable, but because most of what's being marketed as "agentic" right now is what analyst Anushree Verma calls agent washing: existing chatbots, scripts, and robotic-process-automation tools rebranded with a hotter label, with the early-stage hype outrunning the actual maturity of the technology. Gartner estimates only around 130 of the thousands of vendors claiming agentic capability are doing anything genuinely autonomous. If a meaningful share of "AI agent risk" reporting is actually measuring glorified scripts that were already covered by ordinary service-account governance, then some of the loudest numbers in this space may be inflated by definitional sloppiness rather than a genuinely new category of threat. There's a second, more structural objection worth sitting with: maybe this isn't a new discipline at all, just an overdue extension of the old one. Privileged access management, secrets rotation, and least-privilege enforcement aren't new ideas — they're decades-old IAM principles that organizations have simply never bothered applying consistently to service accounts, because service accounts didn't used to be where the interesting money or attention was. Under that reading, the "machine identity crisis" isn't a paradigm shift so much as a long-overdue bill finally arriving for technical debt the industry has been carrying since the first CI/CD pipeline shipped a hardcoded API key. That's a less dramatic story, but it may be the more accurate one — and it would mean the fix isn't a wholesale reinvention of identity security, but the unglamorous, expensive work of actually enforcing the rules everyone already wrote down years ago. Both things can be true at once: the threat is real and growing, and some of the noise around it is market positioning dressed up as a crisis. Reasonable security leaders are holding both ideas simultaneously right now, and that tension is, if anything, the most credible signal that something genuine is underway. \ What the people doing this work are actually telling each other to do Strip away the hype on both sides and the practical guidance converges from CyberArk, the Cloud Security Alliance, SHI, and the OWASP working groups onto roughly the same handful of moves. Build the inventory first. You cannot govern what you haven't counted. KPMG's 2026 cybersecurity report, built on interviews with cyber leaders across Google, Microsoft, Palo Alto Networks, and ServiceNow, lists non-human identity inventory as a top-eight priority precisely because most organizations are trying to design controls for a population whose actual size they're guessing at. Every agent, service account, and API key should have a registered owner, a documented purpose, and a defined lifecycle endpoint before it's anything else. Move toward ephemeral, scoped credentials by default. The static, long-lived API key is the single biggest structural liability in this whole picture — it sits in a config file or a chat message for months, with permissions nobody revisits, until it leaks. The direction the more mature parts of the industry are converging on is short-lived, narrowly scoped tokens issued just-in-time for a specific task, expiring the moment that task ends — closer to how a building's keycard system works than how an old-fashioned office key did. Treat the agent's blast radius, not its stated purpose, as the real risk boundary. An agent's permissions — not the use case description in the product pitch — define the worst thing it can do if compromised, manipulated, or simply confused. Security teams that audit what an agent could do, rather than what it's supposed to do, catch problems the product roadmap never will. Hunt for zombies on a schedule, not a hunch. Scan regularly for service accounts and tokens that haven't been used in 90 days and revoke them by default rather than waiting for someone to ask. The dormant, forgotten credential is consistently the one that ends up in a breach report years after anyone remembers creating it. Put a non-human identity metric on the same board slide as the human ones. If MFA adoption and phishing click rates earn a line on the quarterly security update, so should the count of unowned service accounts and the percentage of machine credentials that have been rotated in the last 90 days. What doesn't reach the board doesn't reach the budget. None of this is glamorous. It's closer to the unsexy discipline of inventory management and access reviews than it is to a thrilling new product category — which is exactly why it's been neglected for a decade while attention and budget went elsewhere. \ The question worth asking now None of this means humans stop mattering, or that phishing and credential reuse disappear as a category of risk. People remain, and will remain, a primary target. But Identity Gravity has moved the center of mass, and the data — not a single vendor's data, but the convergent picture from CyberArk, Entro, the Cloud Security Alliance, Gartner, Verizon, and Microsoft's own telemetry — says it moved years ago, quietly, while almost every security awareness budget kept pointing at the human inbox. The next major breach making headlines is less likely to start with someone clicking a bad link than with a forgotten service account, an over-permissioned agent, or a token sitting in a support ticket exactly the way it did at Salesloft, Cloudflare, Toast, and Fastly in August 2025. The organizations that get ahead of this aren't the ones with the most AI ambition. They're the ones willing to ask a less exciting but far more useful question than "how do we deploy more agents" — namely, who actually owns every credential, human or otherwise, currently running loose inside our walls — and would we notice if one of them started acting strange? For most enterprises today, the honest answer is still no. Cybersecurity isn't entering the AI era. It's entering the machine identity era — it just hasn't finished admitting it yet.