By NHI Mgmt Group Editorial Team
Published 2026-01-15
Domain: Agentic AI & NHIs
Source: Clarity Security

TL;DR: Non-human identities now outnumber human identities 144:1, a 44% increase from 2024 to 2025, while AI-powered cyber attacks rose 47% globally and 78% of CISOs said those threats materially affected their business, according to Clarity Security. The governance problem is now structural: manual, ticket-heavy IAM cannot keep pace with machine identity sprawl, ephemeral access, and context-driven attacks.


At a glance

What this is: Clarity Security argues that 2026 IAM programs will be shaped by rapid NHI growth, AI-driven attack velocity, and the limits of manual identity governance.

Why it matters: For IAM and NHI practitioners, the core issue is not just more identities, but more identities that outlive their purpose, widen attack paths, and strain review and remediation processes.

By the numbers (Clarity Security figures):

  • 144:1 ratio of non-human to human identities, a 44% increase from 2024 to 2025
  • 47% global rise in AI-powered cyber attacks
  • 78% of CISOs reporting that those threats materially affected their business

👉 Read Clarity Security's analysis of 2026 IAM trends for NHI and AI risk


Context

Non-human identity sprawl is the point where service accounts, bots, API-driven workflows, and AI agents begin to outnumber the controls designed to govern them. In IAM terms, the problem is not only scale but lifecycle drift, because machine identities are often created quickly and then left with access that no one revisits.

Clarity Security frames 2026 as a year when identity governance has to handle both more machine identities and faster adversaries. That combination is especially relevant to NHI governance because the same accounts that enable automation can become long-lived, over-privileged, and difficult to inventory if teams rely on manual review cycles.

The article's starting position is typical of what many enterprises are now seeing: identity teams feel the pressure first, while the rest of the business notices the issue only after access sprawl is already embedded.


Key questions

Q: How should security teams govern non-human identities at enterprise scale?

A: Security teams should govern non-human identities with the same lifecycle discipline they expect for human users, but with tighter automation. That means every service account, token, certificate, or AI agent needs ownership, purpose, expiry, least privilege, and continuous monitoring. Periodic access reviews alone are too slow for machine identities that change faster than review cycles.

Q: Why do AI agents create extra IAM risk compared with traditional workloads?

A: AI agents create extra IAM risk because they can act autonomously, chain tool access, and expand the impact of a single credential. When an agent has broad permissions, the issue is not just compromise but uncontrolled execution. Organisations need post-authentication policy enforcement so the agent only acts within its intended scope.

Q: What is the difference between human identity governance and NHI governance?

A: Human identity governance focuses on onboarding, role changes, and access reviews for people. NHI governance must also manage machine-to-machine trust, secret rotation, token reuse, and identity retirement across systems. The practical difference is that machine identities need automated lifecycle controls, not just periodic attestations.

Q: When should organisations prioritise NHI monitoring over more access approvals?

A: Organisations should prioritise NHI monitoring when identities are created frequently, reused across systems, or tied to automation and AI workflows. More approvals do not solve drift if the environment already has unmanaged service accounts and bots. Real-time visibility and revocation reduce risk faster than adding another manual gate.


Technical breakdown

Why NHI sprawl breaks legacy identity governance

Non-human identities are created to let systems and agents act without human intervention, but that convenience changes the governance model. A service account, bot, or AI agent may be provisioned for a narrow task, then reused across environments, pipelines, and applications. Once that happens, the identity stops looking like a temporary operational object and starts behaving like standing infrastructure. Traditional IAM processes built around human onboarding and periodic access reviews miss these faster lifecycle changes, especially when the same identity can hold privileges across cloud, hybrid, and on-premises systems.

Practical implication: Practitioners need inventory, ownership, and review processes that track machine identities from creation through retirement.

How AI-driven attacks compress the response window

AI-driven attacks change the economics of identity compromise by reducing the time between discovery, exploitation, and follow-on abuse. When attackers can automate reconnaissance and adapt payloads faster than a human analyst can triage, weak NHI controls become an accelerant. Machine identities are especially exposed because they often use secrets, tokens, or certificates that can be copied, reused, or inherited by systems with little runtime friction. The result is a shorter defender decision window and a higher premium on detection tied to identity drift, anomalous usage, and privilege escalation patterns.

Practical implication: Teams should pair NHI monitoring with automated revocation and anomaly detection rather than waiting for periodic review cycles.

Why identity-first security now has to include machines

Identity-first security only works when the control plane treats human and non-human identities with the same rigor. That means context-aware access, least privilege, and Zero Trust Architecture cannot stop at employees and contractors. NHI governance has to account for service account lineage, workload context, and whether an agent is acting within its expected scope. Without that, the organisation ends up authenticating the identity but not governing its behaviour. In practice, the gap is often not authentication itself but the lack of continuous policy enforcement after access is granted.

Practical implication: Use context-based controls and continuous verification for machine identities, not just one-time authentication.
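The post-authentication scope enforcement that this section and the earlier Q&A on AI agents call for, shown as an added example. This is not code from the Clarity Security article or from NHIMG. The grant format, the principal and bucket names, the fnmatch-style resource patterns, and the rule that two out-of-scope attempts auto-revoke the grant are all assumptions made for the illustration. The identity is treated as already authenticated; the gate only decides whether each requested action is inside the grant's scope, TTL, and call budget.

```python
"""Post-authentication scope enforcement for a non-human identity's actions.

Added example, not code from the Clarity Security article or from NHIMG. An
orchestrator would call PolicyGate.authorize() before executing each action an
AI agent or service account requests. Grant format, names, resource patterns
and the auto-revoke threshold are assumptions for this illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

AUTO_REVOKE_AFTER = 2   # assumed: this many out-of-scope attempts revokes the grant


@dataclass
class Grant:
    principal: str
    owner: str
    purpose: str
    scope: dict[str, list[str]]   # action -> resource patterns the grant permits
    issued_at: datetime
    ttl: timedelta
    max_calls: int
    calls_made: int = 0
    scope_denials: int = 0
    revoked: bool = False

    def expired(self, now: datetime) -> bool:
        return now >= self.issued_at + self.ttl


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyGate:
    """Decides per action, records every decision, revokes on repeated scope violations."""

    def __init__(self, grants: dict[str, Grant]):
        self.grants = grants
        self.audit: list[dict] = []

    def authorize(self, principal: str, action: str, resource: str, now: datetime) -> Decision:
        grant = self.grants.get(principal)
        if grant is None:
            d = Decision(False, "no grant for principal")
        elif grant.revoked:
            d = Decision(False, "grant revoked")
        elif grant.expired(now):
            d = Decision(False, "grant expired")
        elif grant.calls_made >= grant.max_calls:
            d = Decision(False, "call budget exhausted")
        elif any(fnmatchcase(resource, p) for p in grant.scope.get(action, [])):
            grant.calls_made += 1
            d = Decision(True, "within scope")
        else:
            grant.scope_denials += 1
            d = Decision(False, f"{action} on {resource} is outside the grant scope")
            if grant.scope_denials >= AUTO_REVOKE_AFTER:
                grant.revoked = True   # automated revocation, no ticket queue involved
                d = Decision(False, d.reason + "; grant auto-revoked after repeated violations")
        self.audit.append({"ts": now.isoformat(), "principal": principal, "action": action,
                           "resource": resource, "allowed": d.allowed, "reason": d.reason})
        return d


def make_demo_gate() -> tuple[PolicyGate, datetime]:
    """One constructed grant: read invoices, write reports, one hour, ten calls."""
    issued = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    grant = Grant(principal="agent:invoice-reconciler", owner="finance-eng@example.com",
                  purpose="reconcile January invoices",
                  scope={"read": ["s3://finance/invoices/*"], "write": ["s3://finance/reports/*"]},
                  issued_at=issued, ttl=timedelta(hours=1), max_calls=10)
    return PolicyGate({grant.principal: grant}), issued


def run_demo() -> list[Decision]:
    """Five requests from the agent, one minute apart; the last two show auto-revocation."""
    gate, t0 = make_demo_gate()
    p = "agent:invoice-reconciler"
    requests = [
        ("read", "s3://finance/invoices/2026-01.csv"),         # in scope
        ("write", "s3://finance/reports/recon-2026-01.csv"),   # in scope
        ("read", "s3://hr/payroll/2026-01.csv"),               # wrong resource
        ("delete", "s3://finance/invoices/2026-01.csv"),       # action never granted -> auto-revoke
        ("read", "s3://finance/invoices/2026-02.csv"),         # would be in scope, but revoked now
    ]
    return [gate.authorize(p, a, r, t0 + timedelta(minutes=i)) for i, (a, r) in enumerate(requests)]


def expiry_demo() -> Decision:
    """Same grant called two hours after issue: TTL denies even an in-scope action."""
    gate, t0 = make_demo_gate()
    return gate.authorize("agent:invoice-reconciler", "read",
                          "s3://finance/invoices/2026-01.csv", t0 + timedelta(hours=2))


if __name__ == "__main__":
    for d in run_demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
    print("DENY ", expiry_demo().reason)
```

The point of the gate is that a valid token answers only "who is this"; the grant's scope, TTL, call budget and the denial counter answer "what may it do next, for how long", which is the behaviour governance the section describes. The audit list is what a monitoring pipeline would consume.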


Threat narrative

Attacker objective: The attacker objective is to turn unmanaged machine access into durable control over systems, data, or automation workflows.

  1. Entry begins when a machine identity such as a bot, service account, or AI agent is granted broad access for speed and deployment convenience.
  2. Escalation follows when stolen or over-privileged credentials let an attacker expand access faster than manual reviews can detect drift.
  3. Impact occurs when unmanaged identities retain access long after their original purpose, enabling persistence, data exposure, or abusive automation.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity sprawl has become a governance problem, not a visibility problem. The important shift is that machine identities are no longer edge cases inside IAM programs. They are now a dominant part of the access estate, which means lifecycle ownership, entitlement review, and retirement discipline have to be designed for non-human scale. Practitioners should treat NHI inventory as a core control, not a reporting exercise.

AI agents create ephemeral credential trust debt. The more quickly organisations provision short-lived access for autonomous systems, the more they accumulate implicit trust that is hard to verify later. That trust debt shows up when an agent is reused, chained into other workflows, or left with broad permissions after the original task is complete. Practitioners should assume every temporary grant needs a retirement path before it needs a creation path.

Manual IAM processes are now a control failure mode. Ticket-heavy approvals and periodic reviews cannot keep pace with machine identities that are created, delegated, and changed by software. This is why NHI governance has to move toward continuous monitoring, policy enforcement, and automated revocation. Practitioners should modernise controls around identity state changes rather than static account lists.

Identity-first security only works if it governs behaviour after authentication. A successful login or token issuance is not evidence of safety when the identity is non-human. The real issue is whether the system can constrain what the identity does next, in what context, and for how long. Practitioners should focus on post-authentication policy enforcement, not just credential issuance.

AI and NHI risk are converging into one operating model. The article points to a future where machine identity growth and attack automation feed each other. That convergence means organisations cannot solve AI security and NHI security as separate programs. Practitioners should unify governance, monitoring, and privilege control across both domains.

What this signals

Ephemeral credential trust debt: the more automation teams rely on short-lived access, the more they accumulate hidden trust that must be retired, not just issued. Organisations should expect the governance burden to move from initial provisioning to continuous verification, especially where AI agents can request or reuse access at runtime.

The control gap will widen unless teams connect NHI discovery to lifecycle enforcement. In our research, 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, which is a reminder that visibility alone does not close the risk path. Practitioners should align their response with the OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0 where identity governance and monitoring intersect.

As machine identities multiply, programme leaders should prepare for more aggressive entitlement reviews, shorter secret lifetimes, and stronger retirement rules. That shift should also change how teams measure maturity: the question is no longer how many identities exist, but how quickly the organisation can identify, constrain, and remove unsafe access.


For practitioners

  • Inventory every non-human identity: Build a complete register of service accounts, bots, API keys, certificates, and AI agents across cloud, hybrid, and on-premises systems. Tie each identity to an owner, a business purpose, and a retirement date so hidden access does not survive project changes.
  • Replace periodic reviews with continuous monitoring: Monitor access drift, unusual token use, and privilege escalation in near real time. Pair alerts with automated revocation workflows so response does not depend on a manual ticket queue.
  • Enforce least privilege for machine accounts: Remove broad inherited access from service accounts and AI agents, especially where those identities were created for deployment speed. Revalidate privileges at each stage of the lifecycle rather than assuming the original permissions are still justified.
  • Standardise onboarding for new applications and agents: Require pre-approved identity patterns, secret handling rules, and access templates before a new app or agent can enter production. That reduces shadow IT and makes it easier to detect when an identity appears without governance.
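The four practitioner steps above, and the access drift and trust debt definitions later on this page, come together in one audit pass: an inventory with owner, purpose and expiry per identity, intended versus effective entitlements, secret age, and recent usage. The following is an added example, not code from the Clarity Security article or from NHIMG. The register rows, the usage log lines, the field names, the 90-day staleness and 30-day rotation thresholds, and the action priorities are all constructed assumptions for the illustration; a real job would pull the register from the identity providers and cloud IAM APIs and the events from an audit log.

```python
"""NHI register audit: lifecycle, entitlement drift and usage checks in one pass.

Added example, not code from the Clarity Security article or from NHIMG. It
audits a constructed inventory of non-human identities plus constructed usage
log lines and emits the findings a continuous-monitoring job would hand to
revocation or rotation workflows. Field names, thresholds and the log line
format are assumptions chosen for this illustration.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
STALE_AFTER = timedelta(days=90)      # assumed: unused this long means retire or justify
MAX_SECRET_AGE = timedelta(days=30)   # assumed rotation policy for static secrets
PRIORITY = {"revoke": 3, "rotate": 2, "remove_excess": 1, "review": 0}

# Constructed register rows, as an inventory job might export them.
REGISTER = [
    {"id": "svc-ci-deployer", "kind": "service_account", "owner": "platform@example.com",
     "purpose": "deploy app to prod", "expires": "2026-06-30", "secret_rotated": "2026-01-10",
     "intended": {"ecr:GetImage", "ecs:UpdateService"},
     "effective": {"ecr:GetImage", "ecs:UpdateService", "iam:PassRole", "s3:*"},
     "baseline_ips": {"10.0.5.20"}},
    {"id": "bot-slack-notifier", "kind": "bot", "owner": "", "purpose": "post build status",
     "expires": "2025-12-31", "secret_rotated": "2025-03-01",
     "intended": {"chat:write"}, "effective": {"chat:write"}, "baseline_ips": {"10.0.8.3"}},
    {"id": "agent-invoice-recon", "kind": "ai_agent", "owner": "finance-eng@example.com",
     "purpose": "reconcile invoices", "expires": "2026-03-31", "secret_rotated": "2026-01-12",
     "intended": {"s3:GetObject", "s3:PutObject"},
     "effective": {"s3:GetObject", "s3:PutObject"}, "baseline_ips": {"10.0.9.14"}},
]

# Constructed usage log, one event per line: timestamp principal action source_ip
USAGE_LOG = """\
2026-01-14T09:12:03Z svc-ci-deployer ecs:UpdateService 10.0.5.20
2026-01-14T22:41:50Z svc-ci-deployer s3:ListBucket 203.0.113.77
2026-01-13T08:00:00Z agent-invoice-recon s3:GetObject 10.0.9.14
2025-09-02T10:00:00Z bot-slack-notifier chat:write 10.0.8.3
"""


def parse_ts(s: str) -> datetime:
    """ISO-8601 date or timestamp to an aware UTC datetime (accepts a trailing Z)."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_usage(log: str) -> dict[str, dict]:
    """Fold raw events into per-principal last-use time, source IPs and actions seen."""
    usage: dict[str, dict] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, principal, action, ip = line.split()
        u = usage.setdefault(principal, {"last_used": None, "ips": set(), "actions": set()})
        t = parse_ts(ts)
        if u["last_used"] is None or t > u["last_used"]:
            u["last_used"] = t
        u["ips"].add(ip)
        u["actions"].add(action)
    return usage


def audit(register: list[dict], log: str, now: datetime = NOW) -> list[dict]:
    """One pass over the register: lifecycle state, entitlement drift, usage anomalies."""
    usage = parse_usage(log)
    findings: list[dict] = []

    def flag(nhi, check, severity, action, detail):
        findings.append({"id": nhi["id"], "check": check, "severity": severity,
                         "action": action, "detail": detail})

    for nhi in register:
        u = usage.get(nhi["id"], {"last_used": None, "ips": set(), "actions": set()})
        if not nhi["owner"]:
            flag(nhi, "no_owner", "medium", "review", "no accountable owner on record")
        if parse_ts(nhi["expires"]) < now:
            flag(nhi, "expired", "high", "revoke", f"expired on {nhi['expires']}")
        if u["last_used"] is None or now - u["last_used"] > STALE_AFTER:
            flag(nhi, "stale", "medium", "review", f"no use in the last {STALE_AFTER.days} days")
        if now - parse_ts(nhi["secret_rotated"]) > MAX_SECRET_AGE:
            flag(nhi, "secret_age", "medium", "rotate", f"last rotated {nhi['secret_rotated']}")
        excess = nhi["effective"] - nhi["intended"]       # granted but never intended: drift
        if excess:
            flag(nhi, "privilege_drift", "high", "remove_excess", ", ".join(sorted(excess)))
        unknown_ips = u["ips"] - nhi["baseline_ips"]      # used from somewhere new
        if unknown_ips:
            flag(nhi, "anomalous_source", "high", "revoke", ", ".join(sorted(unknown_ips)))
        unexpected = u["actions"] - nhi["intended"]       # acted outside its stated purpose
        if unexpected:
            flag(nhi, "unexpected_action", "high", "revoke", ", ".join(sorted(unexpected)))
    return findings


def plan(findings: list[dict]) -> dict[str, str]:
    """Collapse findings to the single strongest action per identity."""
    actions: dict[str, str] = {}
    for f in findings:
        if f["id"] not in actions or PRIORITY[f["action"]] > PRIORITY[actions[f["id"]]]:
            actions[f["id"]] = f["action"]
    return actions


if __name__ == "__main__":
    results = audit(REGISTER, USAGE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['id']:22} {f['check']:18} {f['detail']}")
    print(plan(results))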

Key takeaways

  • Non-human identity growth is now a governance problem because machine accounts can outnumber the controls built to manage them.
  • AI-driven attack speed makes manual review and ticket-based remediation too slow for modern identity estates.
  • Teams should move toward continuous monitoring, least privilege, and lifecycle enforcement for every non-human identity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework / Control or reference / Relevance

  • OWASP Non-Human Identity Top 10 (2025) / NHI7:2025 Long-Lived Secrets; NHI1:2025 Improper Offboarding / The article centres on unmanaged credentials, weak rotation, and machine identities that outlive their purpose.
  • NIST CSF 2.0 / PR.AA-05, access permissions and entitlements managed with least privilege and separation of duties (the CSF 1.1 identifier was PR.AC-4) / Least privilege and access restriction are central to the article's governance advice.
  • NIST Zero Trust Architecture (SP 800-207) / Per-request access decisions and continuous verification / Aligns with the article's call for identity-first security that does not stop at authentication.

Map NHI credential lifecycle controls to NHI7 (secret lifetime and rotation) and NHI1 (retirement when the identity's purpose ends), and automate rotation for all service identities.


Key terms

  • Non-Human Identity: A non-human identity is any digital identity used by software rather than a person. That includes service accounts, API keys, tokens, certificates, bots, workloads, and AI agents. In practice, NHIs often move faster than human accounts and therefore require automated ownership, rotation, and retirement controls.
  • Identity Sprawl: Identity sprawl is the uncontrolled growth of identities, entitlements, and credentials across an environment. For NHIs, it usually appears when automation creates accounts faster than governance teams can inventory, review, and remove them. The result is hidden access, weak accountability, and a wider attack surface.
  • Ephemeral Credential Trust Debt: Ephemeral credential trust debt is the hidden risk created when temporary access is treated as inherently safe. Even short-lived tokens, certificates, or agent grants can accumulate if teams fail to verify scope, monitor use, and retire access cleanly. The debt appears when temporary permissions outlast the task they were meant to support.
  • Access Drift: Access drift is the gradual divergence between intended permissions and actual permissions over time. For NHIs, it often happens when service accounts or AI agents inherit new rights, reuse old secrets, or continue operating after their original purpose has changed. Continuous monitoring is the main way to detect it early.

What's in the full article

Clarity Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Practical steps for unifying human and non-human identity governance across cloud, hybrid, and on-premises environments
  • Examples of deep entitlement reviews that surface hidden access points attached to NHIs
  • Recommended controls for continuous monitoring and real-time drift detection in identity estates
  • Planning considerations for reducing shadow IT through application and agent intake standards

👉 Clarity Security's full post covers the five trends, response actions, and operational examples in more detail

Deepen your knowledge

NHI lifecycle management and access review discipline are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to govern service accounts, bots, and AI agents at scale, it is worth exploring.

NHIMG Editorial Note

Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group, the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org