TL;DR: Orchid Security’s Identity Gap: 2026 Snapshot says invisible identity now exceeds visible identity in enterprise environments by 57% to 43%, while 67% of non-human accounts are created directly inside applications and remain unseen by IAM programs. The finding underscores a structural governance gap that becomes more acute as AI agents inherit access and act at machine speed.
At a glance
What this is: Orchid Security’s 2026 snapshot argues that identity dark matter now outweighs visible identity and leaves most non-human accounts outside IAM oversight.
Why it matters: For IAM and NHI practitioners, the report shows that access risk is increasingly hiding in application-local accounts, hardcoded credentials, and unmanaged paths that existing governance models miss.
By the numbers:
- Invisible identity now outweighs visible identity across enterprise environments, 57% to 43%.
- 67% of non-human accounts are created directly within the application, unseen and unmanaged by IAM programs.
- 70% of enterprise applications contain an excessive number of privileged accounts, increasing the impact of misuse or compromise.
- 36% of all credentials are hardcoded and in clear text within applications.
Context
Identity dark matter is the layer of accounts, credentials, and access paths that exist outside centralized IAM visibility. In this report, Orchid Security argues that this hidden layer has become larger than the managed layer, which means NHI governance is no longer just about policy design but about discovering where identity actually lives across applications.
That matters because AI agents inherit the same access patterns as service accounts, bots, and application-local users, then operate with far less human oversight. For teams building agentic AI controls, the problem is not only privilege volume but the mismatch between formal identity inventories and real-world execution paths.
This starting position is now typical rather than exceptional: many enterprises have mature IAM controls on paper while still carrying substantial unmanaged access in the application layer.
Key questions
Q: How should security teams govern non-human accounts that are created inside applications?
A: They should inventory them separately from human identities, assign a business owner, define the access purpose, and bind each account to a retirement process. If an application can create its own identity, then lifecycle control must extend into the application layer, not stop at the directory boundary. Without that, reviews and offboarding remain incomplete.
Q: Why do application-local accounts create more NHI risk than centrally managed identities?
A: Application-local accounts create more risk because they bypass the visibility, review, and policy controls that central identity systems provide. They often carry standing access, are harder to map to an owner, and survive long after their original use case ends. That combination makes them a common source of orphaned privilege and hidden persistence.
Q: What breaks when hardcoded credentials are left in code or configuration files?
A: Hardcoded credentials break the assumption that access can be rotated, revoked, and audited on demand. Once a secret is embedded in code or config, it is easy to copy, hard to trace, and often reused across environments. That turns a single secret into a durable access path that is difficult to contain after exposure.
Q: How do teams know whether identity dark matter is actually shrinking?
A: They should look for fewer application-local accounts without owners, fewer credentials found in code, and fewer access paths that bypass centralized identity providers. A real reduction shows up as cleaner inventory, faster offboarding, and less reliance on unmanaged authentication. If those indicators do not improve, the hidden identity layer is still growing.
Technical breakdown
What identity dark matter means in enterprise IAM
Identity dark matter is the collection of accounts, credentials, and authorization paths that sit outside the formal IAM plane. These include local application accounts, embedded secrets, orphaned accounts, and unmanaged authentication routes. The technical issue is not only visibility, but control-plane mismatch: directories, SSO, PAM, and IGA may be present while the application continues to authenticate users or workloads through its own native logic. That creates a parallel identity system that security teams often do not inventory, govern, or retire. In practice, hidden identity becomes the default path when convenience, legacy design, or automation outruns centralized control.
Practical implication: Security teams should treat application-local access as an identity inventory problem, not only a configuration problem.
Why non-human accounts escape centralized identity providers
Non-human accounts often get created inside applications because the application needs a local principal for service logic, automation, or legacy integration. Those identities are frequently granted standing access, carry broad permissions, and bypass centralized identity providers entirely. Once that happens, standard access review processes lose coverage because the account is not linked cleanly to an employee, group, or lifecycle workflow. The result is an unmanaged NHI estate that expands quietly as applications multiply. AI agents make this worse because they can use whatever access path is available, including the shortest path around central governance.
Practical implication: Map every application-local account to an owner, a purpose, and a retirement path before adding AI agents to the same environment.
Toxic combinations: why overlap matters more than single findings
The report’s toxic combinations concept reflects a basic security truth: isolated identity gaps are bad, but overlapping gaps create compounding exposure. An orphaned account is riskier when it is also privileged. A clear-text credential is more dangerous when the application bypasses the identity provider and logs are missing. These combinations reduce detection, increase persistence, and shorten the time between compromise and impact. For NHI governance, this means teams need to score identity risk by path and privilege together, not by finding single weaknesses in isolation.
Practical implication: Prioritise remediation on identity paths where privilege, persistence, and invisibility overlap.
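The scoring idea above, as an added example that is not code from the Orchid Security report or from NHIMG: a small Python script ranks a constructed inventory of application-local identities by the overlap of weak conditions rather than by any single finding. The inventory, the condition weights, the 90-day staleness threshold and the named toxic combination (privilege plus persistence plus invisibility) are all assumptions chosen for illustration.

```python
"""Rank application-local identities by overlapping weaknesses.

Added example, not code from the Orchid Security report or NHIMG. The
inventory, the condition weights and the 90-day staleness threshold are
constructed assumptions chosen to illustrate compounding risk.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LocalIdentity:
    name: str
    app: str
    owner: Optional[str]      # None means orphaned: nobody accountable
    privileged: bool          # admin-level or broad entitlements
    credential_in_code: bool  # clear-text secret embedded in code/config
    bypasses_idp: bool        # authenticates via app-native logic, not SSO
    logged: bool              # authentication events reach central logging
    days_since_use: int


# Assumed weights: each condition is a finding on its own.
WEIGHTS: Dict[str, int] = {
    "orphaned": 2,
    "privileged": 3,
    "credential_in_code": 3,
    "bypasses_idp": 2,
    "unlogged": 2,
    "stale": 1,
}


def conditions(ident: LocalIdentity) -> List[str]:
    """Return the weak conditions present on one identity."""
    hits = []
    if ident.owner is None:
        hits.append("orphaned")
    if ident.privileged:
        hits.append("privileged")
    if ident.credential_in_code:
        hits.append("credential_in_code")
    if ident.bypasses_idp:
        hits.append("bypasses_idp")
    if not ident.logged:
        hits.append("unlogged")
    if ident.days_since_use > 90:  # assumed staleness threshold
        hits.append("stale")
    return hits


def blast_score(ident: LocalIdentity) -> int:
    """Sum of weights multiplied by the number of overlapping conditions.

    The multiplier is what makes overlap count: several moderate findings
    on one identity outrank one severe finding on another.
    """
    hits = conditions(ident)
    return sum(WEIGHTS[h] for h in hits) * len(hits)


def is_toxic(ident: LocalIdentity) -> bool:
    """Named toxic combination: privilege + persistence + invisibility."""
    hits = set(conditions(ident))
    persistence = bool(hits & {"orphaned", "credential_in_code"})
    invisibility = bool(hits & {"unlogged", "bypasses_idp"})
    return "privileged" in hits and persistence and invisibility


def rank_inventory(inv: List[LocalIdentity]) -> List[Tuple[str, int, bool]]:
    """Remediation queue: highest blast score first."""
    rows = [(i.name, blast_score(i), is_toxic(i)) for i in inv]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def score_by_app(inv: List[LocalIdentity]) -> Dict[str, int]:
    """Aggregate per application so containment is decided by system."""
    totals: Dict[str, int] = {}
    for i in inv:
        totals[i.app] = totals.get(i.app, 0) + blast_score(i)
    return totals


# Constructed inventory (account names and applications are fictional).
INVENTORY = [
    LocalIdentity("svc_report_gen", "billing-portal", "team-finance", False, False, False, True, 5),
    LocalIdentity("admin_legacy", "billing-portal", None, True, True, True, False, 400),
    LocalIdentity("etl_loader", "data-warehouse", "team-data", True, False, False, True, 2),
    LocalIdentity("bot_sync", "hr-app", None, False, False, True, False, 120),
]

if __name__ == "__main__":
    for name, score, toxic in rank_inventory(INVENTORY):
        print(f"{name:16} score={score:3} toxic={toxic}")
    print(score_by_app(INVENTORY))
```

In the constructed data, `etl_loader` is privileged but owned, logged and recently used, so it scores 3; `bot_sync` has no privilege at all but is orphaned, unlogged, bypasses the IdP and is stale, so it scores 28 and lands above it in the queue. That ordering is the point of scoring by path and privilege together rather than by single findings.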
Threat narrative
Attacker objective: The attacker wants durable, low-visibility access through identity paths that the enterprise cannot easily see, review, or revoke.
- Entry occurs through application-local accounts, hardcoded credentials, or unmanaged authentication paths that sit outside centralized IAM controls.
- Escalation follows when overprivileged non-human accounts or orphaned accounts provide broader access than intended, especially when logging and ownership are weak.
- Impact comes from autonomous systems or attackers using hidden identity paths to move faster than review and response processes can react.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity dark matter is now a governance problem, not a visibility side issue. When most access activity sits outside formal IAM systems, the control plane no longer matches the environment it is supposed to govern. That breaks assumptions behind reviews, certifications, and least-privilege enforcement. Practitioners should stop treating hidden identity as an exception and start treating it as the default attack surface.
AI agent readiness depends on application-level identity hygiene first. Autonomous systems do not create new trust assumptions so much as they expose old ones at higher speed. If an agent can inherit a local account, read embedded secrets, or use an unmanaged path, the organisation has already outsourced control to the weakest identity path. The governance question is whether access is visible enough to constrain before automation scales it.
Identity blast radius is the right concept for prioritisation. The report’s toxic combinations show that the real risk is not any single orphaned or privileged account, but the radius created when those conditions overlap. That means risk teams should rank identities by reach, persistence, and detectability together. The practical outcome is a narrower, more defensible remediation queue.
Traditional IAM programmes need an application-first correction. Central directories remain necessary, but they are insufficient when applications create and maintain their own identity logic. NHI governance now has to include application discovery, local account mapping, and secret inventory inside the operational stack. Practitioners should expect more work at the application boundary, not less.
Shadow AI will inherit the same hidden access patterns as other unmanaged systems. The article’s findings suggest that undiscovered or ungoverned AI agents will not fail in novel ways first. They will fail through old identity weaknesses that were already present and simply invisible. That means the enterprise’s AI risk posture is only as strong as its ability to find and govern hidden identity.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why hidden identity persists across modern environments.
- The next step is to pair inventory with lifecycle controls, starting with the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs.
What this signals
Identity dark matter is becoming a programme-design issue, not just a discovery issue. If unmanaged application accounts continue to sit outside central IAM, teams will need a second operating model for the application layer. That means tighter ownership mapping, better dependency discovery, and stronger retirement controls before AI agents amplify the same gaps. With NHIs outnumbering human identities by 25x to 50x, the scale problem is already established; the operational question is whether governance can reach below the directory.
Identity blast radius should replace single-point remediation as the prioritisation lens. The practical signal is not just how many secrets or accounts exist, but how many systems each one can reach if compromised. That is where identity governance, PAM, and application discovery have to converge. For teams aligning to external guidance, the NIST AI Risk Management Framework is useful where agentic behaviour and ownership become part of the control problem.
Hidden identity will matter even more as autonomous software begins to prefer the shortest access path available. Practitioners should expect shadow AI and unmanaged service accounts to overlap in the same weak spots, especially where local auth is still accepted and logs are thin. The response is to treat application identity as an audit surface, not an implementation detail, and to push towards observable identity paths rather than merely centralized policy.
For practitioners
- Inventory application-local identities first. Build a separate inventory for local accounts, service principals, and bot identities created inside applications. Track owner, purpose, privilege scope, and retirement criteria so these accounts are not left outside lifecycle controls.
- Eliminate clear-text and embedded credentials. Scan code repositories, configuration files, and application secrets stores for hardcoded credentials. Replace static secrets with managed rotation and remove any dependency on credentials that exist only inside application logic.
- Reduce standing privilege in application accounts. Review non-human accounts that retain broad access after setup or integration. Where possible, convert always-on permissions into task-scoped access and remove excess entitlements from accounts that do not need persistent reach.
- Map toxic combinations by system, not by ticket. Look for overlaps between orphaned accounts, unmanaged authentication paths, missing logs, and excess privilege. Use that combined view to decide which applications require immediate containment and which need structural redesign.
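The credential-scanning step above, as an added example that is not the report's or NHIMG's tooling: a Python script walks two constructed sample files (fake values, not real secrets), flags key-style assignments and well-known secret formats, and treats values that point at a secret store or the environment as managed references rather than embedded credentials. The patterns are starting heuristics and the `MANAGED_REF` prefixes are assumptions; a production scan would carry a far larger ruleset.

```python
"""Find embedded clear-text credentials, separating them from managed references.

Added example, not the report's or NHIMG's tooling. The two files below are
constructed samples with fake values; the patterns are heuristics a first
inventory pass might use, not an exhaustive secret-detection ruleset.
"""
import re
from typing import Dict, List

# Constructed sample files (fake values, not real secrets).
SAMPLE_FILES: Dict[str, str] = {
    "app/config.yml": """\
db_host: db.internal
db_password: "Sup3rS3cretPassw0rd!"
api_key: ${VAULT:billing/api_key}
""",
    "app/client.py": """\
import os
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
token = os.environ["SERVICE_TOKEN"]
session_timeout = 30
""",
}

# Key-style assignments: <anything>password/secret/api_key/token = value
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|api[_-]?key|token)\w*)\s*[:=]\s*[\"']?([^\"'\s#]+)"
)
# Literal formats that are secrets regardless of the key name.
LITERAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# A value that points at a secret store or the environment is managed:
# rotation happens outside the file, so it is not an embedded credential.
# The accepted prefixes are assumptions for this example.
MANAGED_REF = re.compile(r"^(\$\{|os\.environ|env:|vault:|secretsmanager:)", re.I)


def is_managed_reference(value: str) -> bool:
    return bool(MANAGED_REF.match(value))


def scan_text(path: str, text: str) -> List[Dict]:
    """Return findings for one file; each finding carries key name and
    value length only, never the secret itself, so tickets and logs do not
    become a second copy of the credential."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.search(line)
        if m and not is_managed_reference(m.group(2)):
            findings.append({"path": path, "line": lineno, "kind": "assignment",
                             "name": m.group(1), "value_len": len(m.group(2))})
            continue
        for kind, pat in LITERAL_PATTERNS.items():
            if pat.search(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "name": kind, "value_len": 0})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict]:
    out: List[Dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} ({f['name']})")
```

On the sample input the scan reports `db_password` in the config file and the AWS access key literal in the client, while `api_key: ${VAULT:...}` and `token = os.environ[...]` are skipped as managed references. That distinction is what "replace static secrets with managed rotation" looks like at the file level: the key name may stay, but the value becomes a pointer rather than the credential.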
Key takeaways
- Identity dark matter is the unmanaged layer where enterprise access still lives, even when IAM looks mature on paper.
- AI agents increase the risk because they can use hidden, local, and overprivileged identity paths faster than review processes can react.
- The practical response is application-level identity inventory, tighter ownership, and lifecycle controls that reach beyond the directory.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Hardcoded and unmanaged secrets map directly to NHI lifecycle and rotation gaps. |
| NIST CSF 2.0 | PR.AC-4 | Application-local accounts and excess privilege affect access control and review outcomes. |
| NIST AI RMF |  | Agentic AI readiness depends on governance and accountability for autonomous access. |
Inventory embedded secrets and enforce rotation or removal wherever credentials are stored in code or config.
Key terms
- Identity Dark Matter: Identity dark matter is the layer of accounts, credentials, and access paths that exist outside centralized IAM visibility. It includes local application accounts, embedded secrets, orphaned access, and unmanaged authentication routes that security teams often do not govern with the same rigor as directory-managed identities.
- Non-Human Account: A non-human account is an identity used by software rather than a person. Service accounts, bots, API-linked principals, and application-local users all fall into this category, and they require lifecycle control, ownership, and review because they can carry standing privilege and persistent access.
- Toxic Combination: A toxic combination is the overlap of multiple identity weaknesses that magnify risk beyond any single issue. For example, an orphaned account with elevated privileges and no logging creates a much larger exposure than each condition alone because it improves attacker persistence and reduces detection.
- Application-Local Identity: An application-local identity is an account created and managed inside an application rather than through a central identity provider. These identities often bypass standard provisioning and access review processes, which makes them harder to inventory, rotate, and retire when the underlying business need ends.
Deepen your knowledge
Identity dark matter and application-level NHI governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to close the gap between directory controls and real application access, it is worth exploring.
This post draws on content published by Orchid Security: Identity Gap: 2026 Snapshot and the rise of identity dark matter. Read the original.
Published by the NHIMG editorial team on 2026-05-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org