By NHI Mgmt Group Editorial Team
Published 2025-11-01
Domain: Governance & Risk
Source: Lumos

TL;DR: Identity security is at a breaking point, with leaders reporting low preparedness, ongoing identity-related incidents, and rising expectations that AI will reshape detection and response across IGA, NHI, and least-privilege programmes, according to Lumos’ 2026 research. The real issue is not more automation, but governance models that still assume identity risk is slow, visible, and human-paced.


At a glance

What this is: Lumos’ 2026 identity research argues that identity attacks are accelerating faster than legacy governance models can absorb, especially as AI, automation, and non-human identities expand the attack surface.

Why it matters: IAM teams need to read this as a governance warning: identity controls built for slower human review cycles are increasingly mismatched to NHI sprawl, AI-assisted operations, and modern attack paths.

By the numbers:

  • 133 survey respondents were included in the research, from organisations ranging from 500 to over 10,000 employees.

👉 Read Lumos' 2026 report on AI, automation and identity risk


Context

Identity security is moving from a control-management problem to a detection-and-decision problem. When leaders say they are “prepared” but still face identity-driven incidents, the gap is usually not policy intent. It is the mismatch between governance processes and how access is actually created, reused, abused, and reviewed across human users, service accounts, and AI-enabled workflows.

Lumos’ research points to three pressures that now collide in the same programme: dormant accounts, lateral movement, and growing non-human identity populations. That combination matters because identity is no longer just a directory and access review concern. It is the operating layer for cloud, SaaS, automation, and emerging agentic systems, which means weak governance can become a direct path into production systems.


Key questions

Q: How should security teams measure whether identity governance is actually reducing risk?

A: Measure outcomes that reflect attacker friction, not policy activity. Focus on revocation speed, stale account reduction, identity telemetry coverage, and the percentage of privileged access that is still standing outside an approved business purpose. If those indicators do not improve, the programme may look mature but still leave exploitable access paths in place.

Q: Why do non-human identities make legacy IAM and IGA models less effective?

A: Because many legacy models assume access is assigned to a person, reviewed on a human cadence, and retired through predictable offboarding. Non-human identities do not follow those assumptions. They are often created for systems, retained indefinitely, and reused across workloads, which means lifecycle ownership and expiry become more important than periodic certification alone.

Q: What do organisations get wrong about using AI in identity governance?

A: They often assume automation can compensate for weak identity data. In reality, AI can only prioritise or detect what the programme can already observe. If ownership records, entitlement mappings, and exception handling are incomplete, AI will scale inconsistency rather than correct it.

Q: Should teams prioritise non-human identity lifecycle management before broader AI governance?

A: Yes, when machine credentials, service accounts, and automation tokens are already numerous or poorly owned. Those identities often create immediate exposure through persistence and over-privilege. Strong lifecycle control for NHIs gives teams a practical baseline for any broader automation or AI governance programme.


Technical breakdown

Identity attacks now start with access, not perimeter failure

Modern identity attacks increasingly exploit valid credentials, stale entitlements, and over-permissioned accounts rather than brute-forcing a network boundary. That changes the technical problem from “did the attacker get in?” to “which identities can be abused once access exists?” In practice, dormant accounts, delegated trust, and weak entitlement hygiene create a low-friction path for escalation. For NHI programmes, the same pattern applies to API keys, tokens, and service accounts that are rarely reviewed after issuance.

Practical implication: map which identities can authenticate without active human oversight and treat those as first-class attack paths.

AI-driven identity operations shift governance from manual review to signal analysis

The report’s AI theme reflects a broader operational shift: identity teams can no longer rely on periodic review alone when access patterns change continuously. AI-assisted governance is useful when it helps detect anomalies, prioritise revocations, and surface risky access faster than human queues can process them. But the technical value comes from better signal handling, not from labelling a workflow as automated. Without high-quality identity telemetry, automation simply scales the same blind spots more quickly.

Practical implication: validate which identity signals your tooling can actually observe before using AI to automate decisions.
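As an added illustration of that implication (example code written for this note, not code from Lumos' report or from NHIMG tooling), the Python below gates anomaly handling on telemetry coverage. It baselines each identity's source addresses from constructed log lines, flags a source first seen after the baseline window, and routes any identity whose platform lacks a required feed to manual review instead of automated action. The log line format, the `REQUIRED_FEEDS` and `ONBOARDED_FEEDS` manifest, the identity names and the 2025-10-15 cutoff are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample identity log (not from the report). One authentication
# event per line, in the format a hypothetical collector might emit.
SAMPLE_EVENTS = """\
2025-10-01T03:00:12Z identity=svc-billing event=auth.success platform=aws src=10.0.4.12
2025-10-03T03:00:09Z identity=svc-billing event=auth.success platform=aws src=10.0.4.12
2025-10-08T03:00:15Z identity=svc-billing event=auth.success platform=aws src=10.0.4.12
2025-10-02T01:30:00Z identity=svc-erp-sync event=auth.success platform=legacy-erp src=10.0.9.3
2025-10-09T01:30:02Z identity=svc-erp-sync event=auth.success platform=legacy-erp src=10.0.9.3
2025-10-21T14:02:51Z identity=svc-billing event=auth.success platform=aws src=203.0.113.7
2025-10-22T01:30:01Z identity=svc-erp-sync event=auth.success platform=legacy-erp src=10.0.9.3
2025-10-23T11:47:30Z identity=svc-erp-sync event=auth.success platform=legacy-erp src=198.51.100.5
"""

# Constructed manifest (an assumption): which telemetry feeds are onboarded
# per platform. A decision is only automatable where every required feed exists.
REQUIRED_FEEDS = {"authn", "privilege_change", "credential_issue"}
ONBOARDED_FEEDS = {
    "aws": {"authn", "privilege_change", "credential_issue"},
    "legacy-erp": {"authn"},  # login events only: key issuance and role changes are invisible
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) identity=(?P<identity>\S+) event=(?P<event>\S+) "
    r"platform=(?P<platform>\S+) src=(?P<src>\S+)$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
        events.append(ev)
    return events


def coverage_gaps(platform):
    """Required feeds the platform does not deliver (empty set = fully observable)."""
    return REQUIRED_FEEDS - ONBOARDED_FEEDS.get(platform, set())


def evaluate(events, cutoff):
    """Baseline each identity's source addresses before `cutoff`, then flag
    new sources after it. Identities on platforms with missing feeds are
    routed to manual review regardless of what the anomaly logic finds,
    because an automated revocation would otherwise fire on a partial picture."""
    baseline = defaultdict(set)
    platform_of = {}
    for ev in events:
        platform_of[ev["identity"]] = ev["platform"]
        if ev["ts"] < cutoff:
            baseline[ev["identity"]].add(ev["src"])

    new_sources = defaultdict(list)
    for ev in events:
        if ev["ts"] >= cutoff and ev["src"] not in baseline[ev["identity"]]:
            new_sources[ev["identity"]].append(ev["src"])

    results = {}
    for identity, platform in platform_of.items():
        gaps = sorted(coverage_gaps(platform))
        results[identity] = {
            "decision": "insufficient_telemetry" if gaps else "automatable",
            "gaps": gaps,
            "new_sources": new_sources.get(identity, []),
        }
    return results


def run_sample():
    """Evaluate the constructed log against a constructed baseline boundary."""
    cutoff = datetime(2025, 10, 15)
    return evaluate(parse_events(SAMPLE_EVENTS), cutoff)


if __name__ == "__main__":
    for identity, result in run_sample().items():
        print(identity, result)
```

Both identities show a never-before-seen source after the cutoff, but only `svc-billing` is marked `automatable`; `svc-erp-sync` lives on a platform that ships login events alone, so the same anomaly is routed to a human with the missing feeds listed, which is the check the paragraph above asks for before any AI-assisted decisioning is switched on.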

Non-human identities turn least privilege into a lifecycle problem

Non-human identities behave differently from human accounts because they are often provisioned for systems, pipelines, and integrations that outlive the original business need. That makes lifecycle management central to security: creation, rotation, scope reduction, and offboarding must be tied to operational reality, not annual cleanup. The technical failure mode is privilege persistence, where a credential remains valid long after its purpose has expired. In NHI environments, that persistence is often the real blast radius.

Practical implication: tie NHI entitlements to service ownership and expiry, not to static account creation records.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Preparedness scores are often a governance illusion, not a security measure. When identity leaders say they are “prepared,” they may be measuring process presence rather than control effectiveness. The article’s framing fits a broader pattern we see in identity programmes: organisations confuse having reviews, policies, and automation with actually shrinking attack paths. That distinction matters because attackers care about valid access paths, not control documentation.

AI is becoming a control multiplier, but only where the underlying identity data is already trustworthy. AI can improve detection, prioritisation, and access decisioning, yet it also amplifies bad inputs if entitlement data, ownership records, or identity relationships are incomplete. For practitioners, that means AI does not replace governance maturity. It exposes whether governance is sufficiently structured to be machine-assisted at scale.

Non-human identity growth turns lifecycle governance into the core security control, not a back-office task. Service accounts, tokens, and automation identities do not fail loudly when they outlive their business purpose. They persist, accumulate access, and become easy reuse points for lateral movement. The implication is that NHI lifecycle management now sits on the same critical path as detection and response.

Identity governance is moving toward a continuous model because periodic review no longer matches attack tempo. The report’s emphasis on automation reflects a deeper operational reality: identity risk changes faster than quarterly or annual recertification cycles can capture. That does not mean review is obsolete. It means the review model has to be continuous enough to catch access drift before it becomes incident response.


What this signals

Identity programmes will be judged less by policy completeness and more by operational latency. If revocation, review, and anomaly handling are still slow, attackers will continue to live inside valid access paths long enough to cause damage. The programme signal to watch is whether identity changes can be acted on quickly enough to matter in production.

Non-human identity growth is turning ownership hygiene into a board-level control issue. Once a credential or token is unowned, the organisation loses the ability to justify, review, or retire it with confidence. That is why lifecycle ownership needs to be tied to service and application management, not left inside technical cleanup queues.


For practitioners

  • Re-baseline identity preparedness on control outcomes: Measure whether your identity programme can actually shorten attacker dwell time, remove stale access, and detect lateral movement through valid accounts. Replace self-assessment metrics with evidence from access reviews, revocation speed, and identity telemetry coverage.
  • Inventory non-human identities by service ownership: Build an authoritative view of which teams own each service account, API key, token, and certificate, then tie each identity to a business purpose and expiry condition. Unowned identities should be treated as immediate risk items, not deferred hygiene work.
  • Use AI only where identity telemetry is complete enough to trust: Before automating access decisions, confirm that your logs, entitlement data, ownership metadata, and exception tracking are current. AI will only improve governance if the inputs are complete enough to support safe revocation, review prioritisation, and anomaly detection.
  • Collapse standing access for automation identities: Move critical service accounts and machine credentials toward narrower scopes, shorter validity windows, and explicit renewal paths. Standing privilege in NHI programmes expands blast radius even when the account is rarely used.
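The practitioner steps above, the lifecycle point in the technical breakdown (privilege persistence, ownership and expiry) and the measurement answer under Key questions can be expressed as one small inventory assessment. This is an added example written for this note, not code from Lumos or from NHIMG: the `NonHumanIdentity` fields, the sample inventory, the 90-day dormancy threshold and the fixed "now" of 2025-11-01 are constructed assumptions. It produces per-identity findings, the outcome metrics the text recommends (stale count, unowned count, share of privileged access standing without an approved purpose) and a revocation queue ordered by severity rather than by review schedule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Fixed "now" so the constructed sample is deterministic (assumption).
NOW = datetime(2025, 11, 1)
STALE_AFTER = timedelta(days=90)  # assumption: 90 days unused counts as dormant


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    kind: str                          # service_account, api_key, token, certificate
    owner_team: Optional[str]          # None = nobody is accountable for it
    approved_purpose: Optional[str]    # business justification on record, if any
    privileged: bool                   # can change config, data or other identities
    expires_at: Optional[datetime]     # None = never expires
    last_used_at: Optional[datetime]   # None = no usage ever observed


# Constructed inventory (not from the report) covering the failure modes the
# text describes: unowned, non-expiring, dormant and unjustified privileged access.
SAMPLE_INVENTORY = [
    NonHumanIdentity("ci-deploy-sa", "service_account", "platform", "CI deployments",
                     True, NOW + timedelta(days=30), NOW - timedelta(days=1)),
    NonHumanIdentity("legacy-etl-key", "api_key", None, None,
                     True, None, NOW - timedelta(days=200)),
    NonHumanIdentity("metrics-token", "token", "observability", "metrics scrape",
                     False, NOW - timedelta(days=5), NOW - timedelta(days=2)),
    NonHumanIdentity("vendor-cert", "certificate", "integrations", None,
                     True, NOW + timedelta(days=365), NOW - timedelta(days=10)),
    NonHumanIdentity("backup-sa", "service_account", "infra", "nightly backup",
                     True, NOW + timedelta(days=60), NOW - timedelta(days=120)),
]


def assess(nhi, now=NOW):
    """Return the lifecycle findings for one identity, in a fixed order."""
    issues = []
    if not nhi.owner_team:
        issues.append("unowned")
    if nhi.expires_at is None:
        issues.append("no_expiry")
    elif nhi.expires_at <= now:
        issues.append("expired_but_still_present")
    if nhi.last_used_at is None or now - nhi.last_used_at > STALE_AFTER:
        issues.append("dormant")
    if nhi.privileged and not nhi.approved_purpose:
        issues.append("standing_privilege_without_purpose")
    return issues


def assess_inventory(inventory, now=NOW):
    """Findings keyed by identity name."""
    return {nhi.name: assess(nhi, now) for nhi in inventory}


def programme_metrics(inventory, now=NOW):
    """Outcome metrics of the kind the text recommends, not counts of reviews run."""
    findings = assess_inventory(inventory, now)
    privileged = [n for n in inventory if n.privileged]
    unjustified = [n for n in privileged
                   if "standing_privilege_without_purpose" in findings[n.name]]
    pct = round(100.0 * len(unjustified) / len(privileged), 1) if privileged else 0.0
    return {
        "total_identities": len(inventory),
        "unowned": sum("unowned" in f for f in findings.values()),
        "dormant": sum("dormant" in f for f in findings.values()),
        "no_expiry": sum("no_expiry" in f for f in findings.values()),
        "pct_privileged_standing_without_purpose": pct,
    }


def revocation_queue(inventory, now=NOW):
    """Identities with findings, worst first. At equal finding counts an unowned
    identity sorts ahead, since nobody can justify keeping it; then by name."""
    findings = assess_inventory(inventory, now)
    ranked = sorted(findings.items(),
                    key=lambda kv: (-len(kv[1]), "unowned" not in kv[1], kv[0]))
    return [name for name, issues in ranked if issues]


if __name__ == "__main__":
    for name, issues in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {issues or 'ok'}")
    print(programme_metrics(SAMPLE_INVENTORY))
    print("revoke/review order:", revocation_queue(SAMPLE_INVENTORY))
```

Run against the constructed inventory, the unowned, non-expiring, dormant and unjustified `legacy-etl-key` lands at the head of the queue, and half of the privileged identities turn out to have no approved purpose on record, which is the kind of number a preparedness self-assessment would not surface. Feeding the same functions a real export from a secrets manager or IdP only requires filling the same seven fields per identity.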

Key takeaways

  • Identity risk is no longer defined only by perimeter failure, because valid access and stale entitlement paths are now a primary attack surface.
  • The research reinforces that non-human identities are a growing governance burden, especially when ownership, lifecycle, and revocation are weak.
  • Teams should focus on measurable control outcomes, because automation only improves identity security when the underlying data and lifecycle model are already trustworthy.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-03                The report centers on NHI growth, ownership, and lifecycle risk.
NIST CSF 2.0                     PR.AA-01              Identity governance depends on accurate access assignment and review.
NIST Zero Trust (SP 800-207)     AC-4                  Zero Trust requires continuous authorization for identity-driven access paths.

Map service accounts, tokens, and certificates to NHI-03 and remove standing access where ownership is unclear.


Key terms

  • Non-Human Identity: A non-human identity is any digital identity used by software rather than a person. It includes service accounts, API keys, tokens, certificates, bots, workloads, and AI agents when they act in systems. Governance focuses on ownership, lifecycle, scope, and revocation, not on human login behaviour.
  • Identity Telemetry: Identity telemetry is the event and entitlement data security teams use to understand how identities are being used. It includes authentication signals, privilege changes, access patterns, and anomalies. For governance to work, telemetry must be timely enough to support review, detection, and access decisions before damage spreads.
  • Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. In identity programmes, it creates persistent exposure because the credential or entitlement can be abused whenever it is found, stolen, or misused. Reducing standing privilege is one of the clearest ways to shrink blast radius.

Deepen your knowledge

AI, automation, and NHI risk in identity programmes are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are reworking governance around service accounts, tokens, and access review, it is worth exploring.

This post draws on content published by Lumos: AI, Automation, and Risk in 2026: Identity at a Breaking Point. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org