By NHI Mgmt Group Editorial TeamPublished 2026-02-24Domain: General NHISource: Lumos

TL;DR: 3.8% of surveyed organisations avoided an identity-related incident last year, while 64.6% saw three or more incident types and 88.7% say AI and automation are necessary to keep up, according to Lumos' AI, Automation, and Risk in 2026 research. Manual identity governance is now a scaling problem, not just an efficiency problem, and the trust gap around autonomous decisions is widening.


At a glance

What this is: This is a Lumos analysis of why manual identity governance is failing as machine identities, identity attacks, and AI-driven operations accelerate.

Why it matters: It matters because IAM, NHI, and human identity teams now face the same structural issue at different speeds: more identities, less context, and fewer people able to govern access with confidence.

By the numbers:

👉 Read Lumos's analysis of identity risk, machine identity growth, and autonomous governance


Context

Machine identity security is the control problem that appears when non-human identities outgrow manual governance. In this article, Lumos argues that identity has become a primary attack surface because attackers can log in with stolen or reused credentials, MFA fatigue, dormant access, and over-privileged accounts rather than using malware.

The broader identity programme now has to cover human users, service accounts, APIs, and AI-driven systems together. That creates pressure on IAM, IGA, PAM, and NHI governance because the same review, approval, and monitoring processes are being asked to handle very different identity behaviours at much higher volume.


Key questions

Q: What breaks when identity review is still manual in environments with many machine identities?

A: Manual review breaks when the number of service accounts, APIs, and AI-driven identities grows faster than the team can verify ownership, purpose, and necessity. At that point, access recertification becomes stale before it is completed, and risky entitlements remain active because reviewers lack enough context to make confident decisions.

Q: Why do machine identities increase risk even when authentication looks strong?

A: Machine identities increase risk because authentication can succeed while the entitlement behind it is wrong, stale, or over-privileged. Strong login controls do not prevent abuse if the credential still exists, the owner is unclear, or the access was never retired when the workload changed.

Q: How do security teams know whether access reviews are actually working?

A: Access reviews are working only if they consistently remove stale privileges, confirm current ownership, and shorten the time risky access stays active. If reviewers cannot explain why an identity still needs access, or if exceptions pile up faster than they are closed, the control is failing in practice.

Q: Should organisations use AI for identity governance before they clean up data and policies?

A: No. AI should not be asked to decide access when identity records, entitlement labels, and policy rules are inconsistent. The better sequence is to normalise data, standardise approval criteria, and then apply AI to assist with scale, because automation amplifies the quality of the inputs it receives.


Technical breakdown

Why dormant access and MFA fatigue still work

The article shows that identity attacks increasingly rely on valid access rather than exploit chains. Dormant accounts, insider misuse, and MFA fatigue succeed because they fit within normal login flows and therefore blend into authorised activity. Once an attacker has credentials or can trigger repeated approval prompts, the environment itself becomes the delivery mechanism. The technical issue is not just authentication weakness but the absence of strong context around who should still have access, when it should be challenged, and how quickly misuse is visible in telemetry.

Practical implication: tighten dormant account review, MFA fatigue detection, and alerting around unusual login repetition before attackers turn valid access into persistence.

Machine identity sprawl and access review collapse

Machine identity growth changes the scale and meaning of access governance. APIs, headless systems, SaaS integrations, and AI tools can each require their own credentials, and the article notes ratios reaching 20 machine identities per human in some environments. That matters because reviewers cannot reason about entitlement risk if they lack context, visibility, or ownership data. The technical bottleneck is not just count, but entropy: more identities, more schemas, more stale permissions, and more exception handling than manual programmes can process reliably.

Practical implication: centralise ownership, entitlement context, and review evidence for machine identities so access certification is based on current function, not stale inventory.

AI-assisted governance only works when the data model is clean

Lumos frames AI and automation as necessary, but the article also shows why teams hesitate: technical debt, inconsistent schemas, and concern about AI making the wrong decision. That is a systems-design problem, not a tool-selection problem. AI can only accelerate governance if the underlying identity data is usable, the policy model is explicit, and the output can be validated against known access patterns. Without that, automation simply amplifies ambiguity and can harden bad decisions faster than human teams can review them.

Practical implication: standardise identity data and decision criteria before expanding AI-assisted reviews or autonomous actions.


Threat narrative

Attacker objective: The attacker aims to enter through valid identity controls and then use existing access to move, persist, and act without triggering malware-based detection.

  1. Entry occurs through stolen or reused credentials, MFA fatigue prompts, or abuse of dormant access that still authenticates successfully.
  2. Escalation happens when over-privileged or poorly reviewed identities let the attacker move from initial login to broader access with no malware required.
  3. Impact follows when the attacker uses legitimate tools and already provisioned access to operate inside the environment while remaining hard to distinguish from normal activity.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Manual identity governance is failing because the attack surface now includes both human and machine identities at machine speed. The article shows that the old model of review, approval, and exception handling cannot absorb the volume and velocity of modern identity estates. That is not a tooling gap alone, it is a governance scale problem across IAM, IGA, PAM, and NHI operations. Practitioners should treat identity throughput as a control boundary, not just an operations metric.

Machine identity sprawl is becoming the identity programme's hidden complexity tax. The article's ratio examples show how quickly workload and API identities can outrun human review capacity. Once one human account can spawn many machine credentials, the governance challenge shifts from provisioning to continuously proving ownership, purpose, and retirement. The implication is that identity programmes must measure machine identity density per owner, per system, and per business process.

AI-assisted governance is only credible when the underlying identity data is trustworthy. The article's concern about technical debt and inconsistent schemas is the right one. AI does not fix ambiguous identity records, it speeds up whatever decision model already exists. For that reason, teams need to treat data normalization and policy consistency as prerequisites for any meaningful automation. Practitioners should assume AI will magnify weak governance before it improves it.

Autonomous decision-making changes the meaning of identity governance from review after the fact to control before execution. Access review was designed for identities whose privileges persist long enough to be observed and certified. That assumption fails when the actor can select actions and execute them faster than a human review cycle can register the change. The implication is that identity governance must be rethought around runtime authority, not periodic attestation.

Identity risk is now a cross-domain issue, not a siloed NHI problem. The same control failures showing up in machine identity also affect human accounts when phishing, MFA fatigue, and insider misuse remain effective. That means practitioners cannot solve this with an NHI-only programme or an IAM-only programme. The right operating model ties identity data, privileged access, and workload credentials into one governance view.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • A separate finding from the same report shows that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
  • For deeper context on recurring breach patterns, see The 52 NHI Breaches Report for root-cause case studies that show how governance gaps repeat across environments.

What this signals

Identity governance is becoming a data-quality discipline as much as a control discipline. Once machine identities multiply, the limiting factor is no longer policy intent but whether owners, entitlements, and retirement states are consistently recorded. Teams that cannot normalise identity data will struggle to automate access decisions without increasing exception volume.

Only 35% of leaders in the Lumos survey felt very confident in governing and securing machine identity, which is a warning sign for every IAM programme. That confidence gap means most organisations are still trying to scale human-era review processes across a machine-era identity estate. The practical response is to redesign operating metrics around ownership clarity, review latency, and stale entitlement reduction.

Machine identity growth will keep pushing teams toward lifecycle automation and Zero Trust controls. The programme signal is clear: identity work is shifting from periodic cleanup to continuous verification across humans, service accounts, and workloads. Teams should expect more pressure to prove that access is justified at runtime, not just documented at provisioning.


For practitioners

  • Reduce dormant access exposure Inventory accounts inactive for more than 90 days, verify business ownership, and remove or re-approve access that no longer matches current function. Prioritise identities that still authenticate successfully but no longer have a clear operational purpose.
  • Instrument MFA fatigue detection Track repeated push requests, unusual authentication bursts, and approval patterns that deviate from a user's normal behaviour. Route those events into incident response so identity abuse is treated as a live compromise signal, not a user annoyance.
  • Normalize machine identity ownership data Tie every machine identity to a named owner, system, purpose, and retirement condition before reviewers are asked to certify it. If that context is missing, the access review is not evidence-based and should be treated as incomplete.
  • Stage AI in governance before automation expands Use AI first for triage, clustering, and reviewer assistance on high-volume access decisions. Move to autonomous actions only after identity data is clean, policy exceptions are understood, and outputs can be audited against clear decision criteria.

Key takeaways

  • The article argues that identity-related incidents are now routine, not exceptional, because attackers increasingly exploit valid access paths instead of malware.
  • Machine identities are growing faster than manual governance can handle, which turns ownership, review context, and entitlement retirement into the central control problems.
  • Identity teams should prepare for AI-assisted governance, but only after identity data and policy models are clean enough for automation to act on reliably.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Covers unmanaged and over-privileged non-human identities discussed in the article.
NIST CSF 2.0PR.AC-4Access management and review controls are central to the article's governance gap.
NIST Zero Trust (SP 800-207)AC-6Least-privilege enforcement is needed as identity volume and risk increase.

Map machine and human access reviews to current business need and remove stale entitlements quickly.


Key terms

  • Machine Identity: A machine identity is a credentialed digital identity used by a service, application, workload, or automated process rather than a person. It can include API keys, tokens, certificates, service accounts, or cloud workload identities. The governance problem is not just existence, but ownership, lifecycle, and continuous review.
  • Dormant Access: Dormant access is an entitlement attached to an identity that is no longer actively used but still remains valid. In practice, it often survives staff changes, workload shifts, or forgotten integrations. Dormant access is dangerous because it looks legitimate, yet it creates an open path for abuse if credentials are still accepted.
  • Identity Review Context: Identity review context is the business and technical information a reviewer needs to decide whether access should remain in place. That includes ownership, purpose, usage patterns, and current necessity. When context is missing or fragmented, access certification becomes a box-ticking exercise rather than a meaningful governance control.
  • Autonomous Identity Governance: Autonomous identity governance is the use of automated or AI-assisted systems to make or execute identity decisions with limited human intervention. The key challenge is not automation itself, but whether the underlying data and policy logic are trustworthy enough for action. Without that, speed increases while confidence falls.

What's in the full article

Lumos's full blog covers the operational detail this post intentionally leaves for the source:

  • The survey breakdown behind the identity incident figures, including how respondents rated their preparedness and where confidence was weakest.
  • The report's discussion of identity-related incident types such as dormant access, MFA fatigue, and insider misuse across the last 12 months.
  • The practical path from AI-assisted recommendations to more autonomous identity governance, including staged adoption logic.
  • The article's own framing of how teams can move from manual governance to autonomous governance without starting with full automation.

👉 Lumos's full blog expands on the survey results, attack patterns, and the roadmap toward autonomous identity governance.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org