TL;DR: Growing organisations accumulate identity risk faster than manual governance can absorb it, especially through acquisitions, rapid hiring, and AI tool adoption that create service accounts, API keys, and OAuth connections outside IT control, according to Clarity Security. The operational question is no longer whether to automate lifecycle governance, but whether the program can see and revoke every identity fast enough to keep least privilege real.
At a glance
What this is: This is an analysis of why identity security programs fail to keep pace with business growth, with NHI and lifecycle blind spots emerging as the core gap.
Why it matters: For IAM and NHI practitioners, it shows why periodic reviews and ticket-based offboarding are insufficient when acquisitions, hiring surges, and AI adoption keep creating new identities.
By the numbers:
- The average enterprise already carries a 144:1 ratio of non-human to human identities before an acquisition adds another institution’s environment on top of it.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Clarity Security's analysis of scalable identity security for business growth
Context
Identity governance breaks first at the edges where growth outpaces process. Acquisitions, hiring surges, and department-led AI adoption create new non-human identities and access paths faster than quarterly reviews or ticket queues can absorb, which leaves IAM teams governing a partial view of the environment. This article is really about the operational gap between what the program can see and what the business is actually deploying.
For NHI management, the problem is not only volume but lifecycle drift. Service accounts, API keys, and OAuth connections are often created outside formal provisioning and remain active long after the use case changes. That makes visibility, ownership, and offboarding the decisive controls, not just access approvals.
The pattern is familiar to any team that has tried to reconcile a newly acquired identity estate. The starting position described here is typical, not unusual, because most programs were designed around stable inventories rather than continuous business change.
Key questions
Q: How should security teams govern non-human identities created during business growth?
A: Security teams should govern non-human identities with the same lifecycle discipline they apply to human access, but with tighter discovery and revocation controls. The practical model is continuous inventory, named ownership, expiry by default, and automated offboarding when the business use case ends. Without that, acquisitions, AI tools, and automation projects will keep producing unmanaged access paths.
Q: When does ticket-based access management become too slow for NHI governance?
A: Ticket-based access management becomes too slow once growth events create identities faster than humans can review them. That is usually visible after acquisitions, hiring surges, or broad SaaS adoption. At that point, the main risk is not just delay, but drift, because access granted manually is often broader and harder to revoke later.
Q: What is the difference between human identity lifecycle management and NHI lifecycle management?
A: Human identity lifecycle management is usually tied to HR events, while NHI lifecycle management must also cover machine-created credentials, integrations, and service accounts that have no manager or employee record. NHI governance therefore depends on discovery, ownership, rotation, and automated revocation across systems that HR never sees.
Q: Why do AI tools create new identity risk for IAM teams?
A: AI tools create identity risk because they often connect to business systems through API keys, OAuth grants, or service accounts that persist beyond the pilot phase. Those credentials can bypass normal provisioning workflows and remain active after the team forgets the integration. IAM teams need discovery and policy gates before the connection becomes shadow AI.
Technical breakdown
Why periodic access reviews miss NHI growth
Periodic access certifications only validate a snapshot of the environment. They do not detect identities created after the review closes, nor do they reliably catch entitlements that should have been removed when a role changed or a project ended. In practice, ticket-based joiner-mover-leaver workflows depend on human initiation, which means they lag the pace of business change. That gap becomes more severe when the identity in question is non-human, because service accounts and API keys often lack a business owner who will request removal. Continuous governance closes the interval between change and control.
Practical implication: Shift from point-in-time review cycles to continuous entitlement monitoring and automatic revocation triggers.
How acquisitions create identity blind spots
An acquisition usually brings a separate directory, different access policy assumptions, and legacy service accounts that were created for another governance model. The technical failure is not only duplication but translation. The acquiring organisation must map foreign identity objects, understand inherited dependencies, and decide which accounts are still active enough to matter. If that mapping is manual, the process will always trail the environment. This is why post-close reconciliation so often becomes incomplete. The identity estate remains partially unknown, which means its risk remains partially unmanaged.
Practical implication: Treat acquired identity environments as high-risk imports that require rapid inventory, ownership assignment, and staged cleanup.
Why AI tools create shadow NHI sprawl
Department-level AI adoption often creates shadow AI because the business can connect a tool to production systems without central review. Each connection typically generates a non-human identity such as an OAuth grant, API token, or service account. Those identities are not reflected in HR systems, so normal lifecycle triggers never fire. Once the use case fades, the credential can persist indefinitely. That is a structural governance failure, not a training issue. The same pattern applies to workflow automation and SaaS integrations that quietly expand the access surface without entering the access review cycle.
Practical implication: Add discovery and policy checks for every new AI or SaaS integration that can create a persistent NHI.
Threat narrative
Attacker objective: The attacker wants persistent, low-friction access through identities that the organisation does not fully inventory or routinely revoke.
- Entry occurs through a business-led AI or integration workflow that creates a new non-human identity outside central IAM control.
- Escalation follows when the identity is granted production access broader than the use case requires and remains outside review cycles.
- Impact appears when the orphaned identity is reused, compromised, or forgotten, creating unmanaged access to sensitive systems.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Business growth is now an identity security event. Mergers, hiring surges, and AI adoption all create new access objects faster than traditional governance cycles can reconcile them. That means identity security can no longer be treated as a back-office control that catches up later. Practitioners should treat every growth event as a governance trigger, not a follow-on remediation project.
Identity inventory is becoming the new control plane. If a program cannot see service accounts, API keys, OAuth grants, and workload identities, it cannot govern their risk. Visibility is not a reporting feature; it is the foundation for entitlement decisions, offboarding, and auditability. The practical conclusion is straightforward: build control around complete identity discovery before adding more review logic.
Ephemeral change still creates durable risk. A short-lived project, pilot, or integration can leave behind credentials with long-lived access and no clear owner. That creates what can be called an identity blast radius, where a single forgotten credential can outlast the business event that created it. Teams should assume that temporary access becomes permanent unless it is actively revoked.
Manual JML processes do not scale to modern NHI populations. Joiner-mover-leaver controls built around tickets and human follow-up cannot keep pace with hundreds of lifecycle events, much less shadow-adopted AI tools. The field should move toward continuous governance, where provisioning, review, and revocation are tied to actual state changes. Practitioners should plan for automation as the default control path, not an efficiency upgrade.
Scalable identity security is now a resilience issue, not only a compliance issue. Examiners will continue to ask for access evidence, but the deeper risk is operational: unmanaged identities expand the blast radius of every compromise and every acquisition. That makes the case for governance stronger across IAM, NHI, and Zero Trust programmes. The correct outcome is fewer exceptions, faster revocation, and a smaller set of identities that can surprise the business.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why cleanup lags even when teams know the problem exists.
- For a broader control baseline, the Ultimate Guide to NHIs (Lifecycle Processes for Managing NHIs) shows how lifecycle automation reduces the window for orphaned access.
What this signals
Identity governance will increasingly be judged by whether it can absorb growth without creating shadow access. Teams that still rely on periodic reviews will keep discovering the problem only after acquisitions or AI adoption have already widened the entitlement surface. The programme implication is clear: discovery, ownership, and revocation need to become continuous controls, not audit-season tasks.
With 80% of identity breaches involving compromised non-human identities such as service accounts and API keys, per Ultimate Guide to NHIs, the operational priority shifts toward reducing credential dwell time and eliminating orphaned access. That is where the next governance gains will come from.
Identity blast radius: once a business event creates a credential, the organisation must assume it can persist beyond the event unless automation removes it. That means security teams should build faster revocation paths, stronger ownership models, and better integration monitoring before the next acquisition or AI rollout arrives.
For practitioners
- Automate lifecycle triggers for all identity changes: Tie provisioning, role changes, and offboarding to authoritative sources so access changes happen when the business event happens, not when a ticket is filed.
- Inventory every non-human identity after growth events: Run post-acquisition and post-integration discovery for service accounts, API keys, OAuth grants, certificates, and workflow accounts before the environment is merged into steady-state operations.
- Enforce ownership for every NHI: Assign a named business or technical owner to each credential, integration, and service account so expired use cases can be removed without guesswork.
- Add AI and SaaS integrations to access review scope: Require review and approval for any department-led tool that connects to production data, especially when it can create persistent credentials outside IAM workflows.
- Measure orphaned access as an operational risk metric: Track identities with no active owner, no expiry, or no recent use, then prioritize cleanup based on privilege level and system criticality.
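As an added example (not code from Clarity Security or from the original post), the orphaned-access metric from the last item above and the automatic revocation trigger from the technical breakdown, run over a constructed NHI inventory; the 90-day inactivity threshold, the field names, the privilege and criticality scales and the multiplicative weighting are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2026, 4, 16, tzinfo=timezone.utc)  # fixed clock so results are reproducible
INACTIVE_AFTER = timedelta(days=90)                 # assumed "no recent use" threshold

@dataclass
class NHI:
    name: str
    owner: Optional[str]           # named business/technical owner, None if nobody claims it
    expires: Optional[datetime]    # None means the credential never expires
    last_used: Optional[datetime]  # None means never observed in use
    privilege: int                 # 1 (read-only) .. 3 (admin)
    criticality: int               # 1 (dev) .. 3 (production with sensitive data)

def orphan_signals(nhi: NHI) -> list[str]:
    """The article's three orphan indicators: no active owner, no expiry, no recent use."""
    gaps = []
    if nhi.owner is None:
        gaps.append("no_owner")
    if nhi.expires is None:
        gaps.append("no_expiry")
    if nhi.last_used is None or NOW - nhi.last_used > INACTIVE_AFTER:
        gaps.append("no_recent_use")
    return gaps

def risk_score(nhi: NHI) -> int:
    """Blast-radius weighting (assumed): gap count scaled by privilege and system criticality."""
    return len(orphan_signals(nhi)) * nhi.privilege * nhi.criticality

def auto_revoke(nhi: NHI) -> bool:
    """Expiry-by-default trigger: revoke when nobody owns the credential and nothing uses it."""
    gaps = orphan_signals(nhi)
    return "no_owner" in gaps and "no_recent_use" in gaps

def cleanup_queue(inventory: list[NHI]) -> list[NHI]:
    """Orphaned identities only, highest blast radius first (ties broken by name)."""
    flagged = [n for n in inventory if orphan_signals(n)]
    return sorted(flagged, key=lambda n: (-risk_score(n), n.name))

# Constructed sample inventory, like the output of a post-acquisition discovery run.
INVENTORY = [
    NHI("svc-legacy-billing", None, None, NOW - timedelta(days=400), 3, 3),
    NHI("ai-pilot-token", "data-team", None, NOW - timedelta(days=120), 2, 3),
    NHI("ci-deploy-key", "platform", NOW + timedelta(days=30), NOW - timedelta(days=1), 3, 3),
    NHI("crm-sync-oauth", None, NOW + timedelta(days=300), NOW - timedelta(days=2), 1, 2),
]
```

Feeding the queue into a ticketing or revocation pipeline is the point: the legacy billing account with no owner, no expiry and no use in over a year ranks first and meets the auto-revoke condition, while the actively used deploy key is never flagged.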
Key takeaways
- Growth events create identity risk faster than manual IAM processes can reconcile it.
- Non-human identities are the main blind spot when service accounts, API keys, and OAuth grants sit outside lifecycle control.
- Continuous discovery, ownership, and automated revocation are the practical controls that keep least privilege enforceable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and revocation gaps are central to the article's lifecycle risk. |
| NIST CSF 2.0 | PR.AC-1 | Identity governance depends on controlling who and what can access systems. |
| NIST Zero Trust (SP 800-207) | | The article's continuous verification model aligns with Zero Trust access governance. |
Apply continuous verification to both human and non-human identities, not just login events.
Key terms
- Non-Human Identity: A non-human identity is any machine or software credential that can authenticate and act in an environment, including service accounts, API keys, OAuth tokens, certificates, and agent credentials. These identities often outnumber human accounts and require their own discovery, ownership, rotation, and revocation processes.
- Identity Blast Radius: Identity blast radius is the amount of access exposure created when a credential, account, or integration is overprivileged or left unmanaged. In NHI programmes, the blast radius grows when credentials persist after the business use case ends or when no owner can remove them quickly.
- Shadow AI: Shadow AI is the use of AI tools or agents that are not visible to central security or IAM teams. It matters because each hidden integration can create persistent non-human identities, access tokens, and data paths that never enter the normal review or offboarding cycle.
- Lifecycle Governance: Lifecycle governance is the control model that manages identity from creation through change, review, and removal. For NHI security, it means access is tied to a business purpose, monitored continuously, and revoked automatically when the purpose ends or the credential becomes inactive.
What's in the full article
Clarity Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The three growth patterns in full context, including mergers and acquisitions, headcount growth, and AI adoption.
- The business case framing for capacity, backlog reduction, and audit readiness that sits behind the governance model.
- The article's operational examples of how manual JML and reconciliation work fail at scale.
- The closing diagnostic question that the source uses to test whether a programme leads growth or reacts to it.
👉 Clarity Security's full post expands the acquisition, hiring, and AI adoption scenarios in detail
Deepen your knowledge
Identity lifecycle governance and NHI discovery are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is struggling with acquisition sprawl or shadow AI, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org