TL;DR: Most organisations now have more non-human identities than people, yet many lack visibility into what exists or whether access is appropriate; Delinea says first scans typically uncover hundreds of unmanaged machine and AI identities within hours. The governance problem is no longer inventory alone, but which hidden identities carry the largest blast radius and fastest attack path.
At a glance
What this is: This session frames identity discovery as the first control for unmanaged service accounts, AI agents, and orphaned accounts, with the key finding that organisations often uncover hundreds of hidden identities in hours.
Why it matters: It matters because IAM teams cannot govern what they cannot inventory, and hidden NHI sprawl now directly affects privilege review, board reporting, and incident containment across human, machine, and AI estates.
Context
Identity discovery is the discipline of finding every account, token, workload, and agent that can authenticate or act on behalf of the organisation. In practice, that now includes service accounts, scripts, APIs, bots, AI agents, cloud workloads, and third-party integrations, which means the inventory problem is bigger than traditional human IAM programmes were built to handle.
The governance gap is not just scale, but opacity. If teams do not know what identities exist, who owns them, or how much access they retain, they cannot assess blast radius, recertify access, or explain residual risk to auditors and boards. For teams building out NHI governance, the Ultimate Guide to NHIs is the clearest starting point for the lifecycle and control model.
Key questions
Q: How should security teams inventory hidden machine and AI identities?
A: Start by aggregating identity data from cloud platforms, SaaS tools, directories, CI/CD systems, and secrets stores into one operational view. Then classify each identity by owner, purpose, and risk so unmanaged accounts do not disappear into separate tooling silos. A usable inventory is one that supports review and remediation, not just counting.
Q: Why do unmanaged service accounts increase breach risk?
A: Unmanaged service accounts often retain standing access, broad permissions, and weak ownership, which makes them easy to overlook and hard to contain. Once attackers find them, they can use those credentials to move laterally, access secrets, or reach production systems without triggering normal human access controls.
Q: What should teams do when discovery finds hundreds of new identities?
A: Triage by privilege exposure and business criticality, not by raw volume. The first response is to identify which accounts touch production, secrets, or sensitive data, then place unknown or orphaned identities into an ownership and review workflow before broader remediation begins. That approach reduces risk without creating analysis paralysis.
Q: How do organisations keep an identity inventory current after the first scan?
A: Tie discovery to lifecycle processes so new identities trigger ownership assignment, review, and offboarding checks as part of normal operations. Continuous inventory matters because workloads, bots, and AI agents appear faster than annual or quarterly review cycles can capture them.
Background and context
Why identity inventory fails across hybrid and cloud estates
A complete identity inventory is hard because identity data is fragmented across cloud control planes, CI/CD systems, SaaS platforms, IAM directories, and local scripts. Service accounts and machine credentials are often created outside standard joiner-mover-leaver flows, then reused across environments without a clean owner or business purpose. AI agents add another layer because they can appear as application identities, integrations, or delegated users depending on the platform. The result is a control plane problem, not just a discovery problem.
Practical implication: consolidate discovery across cloud, SaaS, and on-prem sources before attempting certification or rotation work.
How hidden identities expand privilege and blast radius
Unmanaged identities become dangerous when their access is persistent, broad, or poorly attributed. A single machine credential may have write access to production data, access to secrets, or the ability to impersonate other services, which makes blast radius the right prioritisation lens. Discovery is useful only if the output is ranked by privilege exposure, inherited permissions, and dependencies on other systems. That is how security teams separate administrative noise from the identities that can actually move laterally or trigger high-impact changes.
Practical implication: rank newly found identities by access scope and dependency chains, not by count alone.
What continuous discovery changes in NHI governance
Continuous discovery turns identity inventory from a point-in-time project into an operational control. New workloads, integrations, and agents appear every day, so the inventory decays as soon as a scan finishes unless it is tied to ongoing telemetry and ownership workflows. This is where NHI governance intersects with lifecycle management: newly created identities need classification, ownership, and review before they become permanent risk. Without that loop, organisations end up with orphaned credentials and stale entitlements that no one intended to keep.
Practical implication: make discovery feed ownership, recertification, and offboarding workflows on an ongoing basis.
NHI Mgmt Group analysis
Hidden identity risk is now an inventory failure, not a niche credential problem. The article’s central point is that service accounts, APIs, bots, and AI agents now outnumber human identities in many environments, which makes traditional directory-centric control incomplete. That gap matters because the identities most likely to be forgotten are often the ones with standing access and unclear ownership. Practitioners should treat identity discovery as a foundational control rather than a reporting exercise.
Blast radius is the right way to prioritise unmanaged identities. The article correctly shifts attention away from total identity count and toward the identities that can reach production, secrets, or sensitive data. That is the operational difference between visibility and governance: a small number of hidden credentials can create far more exposure than a large number of low-risk ones. Practitioners should use privilege depth, dependency mapping, and business criticality to decide what gets remediated first.
Continuous discovery exposes the lifecycle gap that most NHI programmes miss. Discovery without ownership assignment and offboarding discipline simply creates a better snapshot of the same problem. The governance issue is that new machine and AI identities appear faster than review cycles can absorb them, so inventory must connect to lifecycle control immediately. Practitioners should treat every newly found identity as a governance event, not a static record.
Identity discovery is now the bridge between human IAM and NHI governance. The same operational question applies across people, service accounts, and AI agents: who owns it, what can it reach, and when does its access end. That makes the discipline cross-functional, with IAM, PAM, cloud, and security operations all sharing the same inventory truth. Practitioners should align discovery to a single identity governance model rather than maintain parallel views for each identity type.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- If your programme is still catching up, the next step is to map hidden identities to lifecycle control using the Ultimate Guide to NHIs before your inventory decays.
What this signals
Identity sprawl is now a governance workload, not just a discovery exercise. As machine and AI identities multiply, the practical question becomes whether your programme can absorb new identities as a routine control event rather than an exception. The organisations that mature fastest will be the ones that connect discovery to ownership, recertification, and offboarding in one flow.
Continuous visibility is the new baseline for NHI control. A one-time scan only tells you what existed at that moment, while the operational problem is what appears tomorrow. Security teams should expect identity inventory to behave more like telemetry than documentation, with recurring scans feeding risk prioritisation and exception handling.
Discovery without lifecycle governance creates a false sense of control. Once a hidden identity is found, the challenge is not merely to record it but to decide whether it should exist, who owns it, and when it should be removed. That is why discovery programmes should be linked to lifecycle controls and the broader NHI governance model.
For practitioners
- Inventory hidden identities across all control planes: Pull identity data from cloud accounts, SaaS apps, directories, CI/CD pipelines, and secrets stores into one governed view. Classify service accounts, bots, scripts, and AI agents separately so ownership and risk can be assigned correctly.
- Prioritise remediation by privilege and blast radius: Score newly discovered identities by access scope, production reach, and dependency on privileged secrets. Remediate the identities that can affect sensitive systems first, even if they are few in number.
- Attach ownership to every discovered NHI: Require a named owner, purpose, and expiry or review cadence for each machine or AI identity. Orphaned identities should move into a quarantine workflow until a business owner accepts accountability.
- Operationalise continuous discovery: Run discovery on a recurring basis and connect results to recertification and offboarding processes. The inventory should refresh when a new workload spins up, not only during annual audits.
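As an added example (not code from Delinea or from the NHIMG article), the triage rule from the practitioner steps above in Python: constructed discovery records are scored by privilege scope, production reach, secrets access and the transitive impersonation chain, and ownerless identities are routed to a quarantine workflow. The record fields, the weights and the sample identities are assumptions.

```python
from collections import deque

# Constructed sample inventory (not real data): identities a first discovery scan returned.
# Field names and weights are assumptions; they mirror the page's triage criteria: owner,
# privilege scope, production reach, secrets access and who each identity can impersonate.
DISCOVERED = [
    {"id": "svc-deploy", "kind": "service_account", "owner": "platform-team",
     "scope": "write", "production": True, "secrets": True, "impersonates": ["svc-db-admin"]},
    {"id": "svc-db-admin", "kind": "service_account", "owner": None,
     "scope": "admin", "production": True, "secrets": True, "impersonates": []},
    {"id": "bot-chatops", "kind": "bot", "owner": "secops",
     "scope": "read", "production": False, "secrets": False, "impersonates": []},
    {"id": "agent-summariser", "kind": "ai_agent", "owner": None,
     "scope": "read", "production": False, "secrets": False, "impersonates": ["svc-deploy"]},
    {"id": "ci-runner", "kind": "service_account", "owner": "build-team",
     "scope": "write", "production": False, "secrets": True, "impersonates": []},
]

SCOPE_WEIGHT = {"read": 1, "write": 3, "admin": 5}

def transitive_reach(identity_id, index):
    """All identities reachable via the impersonation chain, excluding the start node.
    Cycles are tolerated through the seen-set; targets missing from the inventory are skipped."""
    seen, queue = set(), deque(index[identity_id]["impersonates"])
    while queue:
        nxt = queue.popleft()
        if nxt in seen or nxt not in index:
            continue
        seen.add(nxt)
        queue.extend(index[nxt]["impersonates"])
    return seen

def blast_radius(identity_id, index):
    """Own privilege plus the privilege of everything reachable by impersonation."""
    score = 0
    for iid in {identity_id} | transitive_reach(identity_id, index):
        rec = index[iid]
        score += SCOPE_WEIGHT[rec["scope"]]
        score += 4 if rec["production"] else 0   # can touch production systems
        score += 3 if rec["secrets"] else 0      # can read privileged secrets
    return score

def triage(records):
    """Rank by blast radius, highest first; ownerless identities go to quarantine."""
    index = {r["id"]: r for r in records}
    scored = [(blast_radius(r["id"], index), r) for r in records]
    scored.sort(key=lambda s: s[0], reverse=True)
    return [{"id": r["id"], "score": s,
             "action": "quarantine" if r["owner"] is None else "review"} for s, r in scored]
```

On this sample the read-only, ownerless AI agent ranks first because its impersonation chain inherits the deploy account's reach into production and secrets, which is the dependency-chain effect the text describes.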
Key takeaways
- The article’s core warning is that unmanaged service accounts, bots, and AI identities create a blind spot that traditional IAM cannot govern well enough.
- The evidence point is operational, not theoretical: first scans commonly reveal hundreds of unmanaged machine and AI identities within hours.
- The control implication is clear: discovery only matters when it feeds ownership, blast-radius prioritisation, and continuous lifecycle governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity discovery is the starting point for governing hidden non-human identities. |
| NIST CSF 2.0 | ID.AM-01 | Asset management supports complete identity inventory across hybrid and cloud estates. |
| NIST Zero Trust (SP 800-207) | AC-1 | Zero Trust depends on knowing every actor that can request or hold access. |
Extend asset inventory processes to include service accounts, tokens, bots, and AI agents.
Key terms
- Identity Discovery: Identity discovery is the process of finding every account, token, workload, and agent that can authenticate or act in an environment. In NHI governance, it is the control that turns unknown identities into managed ones by linking them to ownership, risk, and lifecycle action.
- Blast Radius: Blast radius is the amount of damage an identity can cause if it is abused. For non-human identities, it is shaped by privilege scope, production reach, and dependency chains, so a small number of powerful credentials can represent more risk than a large population of low-value accounts.
- Orphaned Account: An orphaned account is an identity that still exists but no longer has an accountable owner or valid business purpose. In NHI environments, orphaned service accounts and integrations are especially dangerous because they often retain standing access long after the system or team that created them has changed.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
This post draws on content published by Delinea: hidden identity discovery across human, machine, and AI identities. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org