Identity security’s two axes of tension are widening in 2026

At a glance

What this is: This is Silverfort’s analysis of The Identity Underground Annual Pulse 2026, showing a widening gap between executive concern over AI-era threats and practitioner reality around credential abuse and NHI visibility.

Why it matters: It matters because IAM, NHI, and identity governance teams now have to manage legacy attack patterns and emerging agentic risk at the same time, with incomplete visibility into the identities already in production.

By the numbers:

• 54% of executives cite AI-enhanced threats as their top concern for 2026.
• 43% of practitioners say credential stuffing and password spraying are still their most frequent attacks.
• Only 5% of organizations feel confident they have a complete inventory of non-human identities.
• 37% have 21 or more third-party companies with access to their systems.

👉 Read Silverfort's analysis of The Identity Underground Annual Pulse 2026

Context

Identity security is increasingly shaped by two competing realities. Executives are being pushed to prepare for AI-enhanced threats and agentic risk, while practitioners are still absorbing credential stuffing, password spraying, and identity abuse across legacy estates. The result is not a single programme failure, but a governance split between future-facing planning and present-tense exposure.

For IAM and NHI teams, that split matters because the environment now contains service accounts, API keys, workload identities, and third-party access paths that do not fit classic human-centric governance models. The report’s core message is that visibility, ownership, and response speed are no longer optional traits of mature identity programmes; they are the minimum needed to keep pace with attacks that move faster than manual review.

Key questions

Q: How should security teams handle identity risk when legacy infrastructure and AI threats collide?

A: They should treat this as a single governance programme with two time horizons. Legacy authentication, weak credential hygiene, and manual response need immediate remediation, while AI-driven and agentic risks require forward planning. The mistake is building separate control tracks that ignore how the same identity estate is exposed today and targeted tomorrow.

Q: Why do non-human identities create more governance risk than many teams expect?

A: Because they often lack a clear human owner, a visible lifecycle, or consistent review points. Service accounts, API keys, and workload identities can accumulate silently across environments, especially where third parties are involved. Without ownership and lifecycle control, these identities become durable access paths rather than managed assets.

Q: What breaks when identity teams rely on manual response during an attack?

A: Manual response breaks when attackers move faster than analysts can correlate logs across IdP, PAM, IGA, and SIEM. At that point, the team becomes dependent on people stitching together evidence after the attacker has already moved or persisted. Identity security needs response paths that can contain activity without waiting for full manual reconstruction.

Q: Who is accountable for third-party access that outlives its intended use?

A: The organisation that granted the access remains accountable, even when the relationship was initiated through a vendor, app, or integration. If third-party access is not tied to ownership, offboarding, and periodic review, it becomes an unmanaged extension of the identity perimeter rather than a bounded exception.

Technical breakdown

Why legacy identity infrastructure creates modern exposure

Legacy identity systems become risk multipliers when they remain in place after the threat model changes. NTLM, older directory patterns, and manual identity workflows can keep the business running, but they also preserve weak assumptions about trust, ownership, and response speed. In practice, this means attackers can continue to exploit credential replay, over-permissioned accounts, and stale authentication paths long after the organisation has moved on in architecture terms. The problem is not simply outdated technology. It is the mismatch between the speed of modern identity attacks and the lag in governance and remediation. Practical implication: map legacy authentication paths to the identities and systems that still depend on them, then remove the highest-risk dependencies first.

Practical implication: map legacy authentication paths to the identities and systems that still depend on them, then remove the highest-risk dependencies first.

The non-human identity frontier and governance blind spots

Service accounts, API keys, workload identities, and third-party OAuth access are NHI categories that often lack a clear human owner or lifecycle checkpoint. That makes them harder to inventory, harder to attest, and easier to leave untouched when access relationships change. When only a small fraction of organisations can claim full visibility, the issue is not just discovery. It is governance absence at scale, especially where third parties inherit broad access through app consent or shared integrations. Practical implication: treat every non-human identity as a governed asset with ownership, rotation, and offboarding requirements, not as a technical by-product of application delivery.

Practical implication: treat every non-human identity as a governed asset with ownership, rotation, and offboarding requirements, not as a technical by-product of application delivery.

Human APIs cannot replace automated identity response

The report’s description of identity teams acting as "human APIs" captures a real failure mode. Manual correlation across IdP, PAM, IGA, and SIEM may work for occasional investigations, but it breaks down when attackers operate at machine speed. Identity security only becomes operationally credible when detection and response are linked, so that suspicious activity can be contained before an attacker completes the sequence. Without that, teams remain dependent on analysts stitching together evidence after the fact. Practical implication: reduce dependence on manual triage by wiring identity telemetry into response workflows that can act without waiting for an analyst to reconstruct the whole event.

Practical implication: reduce dependence on manual triage by wiring identity telemetry into response workflows that can act without waiting for an analyst to reconstruct the whole event.

Threat narrative

Attacker objective: The attacker aims to turn weak identity controls into repeatable access across systems, then use that access to move, persist, and operate before defenders can coordinate response.

1. Entry occurs through credential stuffing or password spraying against weak or reused identity credentials, giving attackers an initial foothold into identity-managed environments.
2. Escalation follows when attackers reuse that foothold across legacy authentication paths, third-party access, or over-privileged identities that were never tightly governed.
3. Impact is achieved through identity abuse that lets attackers move through systems faster than manual detection and response can contain the activity.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Identity security has become a split-brain discipline. Executive concern is moving toward AI-enhanced threats, while practitioners are still fighting credential stuffing and password spraying in live environments. That disconnect is not a communications problem. It is a programme design problem, because identity control priorities are being set against two different threat horizons at once. The implication is that governance teams must stop treating strategy and operations as separate lanes.

The non-human identity frontier is now a governance problem, not a discovery problem. The article’s visibility figures show that many organisations still cannot account for the identities that actually execute work in production. Service accounts, workload identities, API keys, and third-party OAuth access have outgrown informal ownership models. NHI programmes that stop at inventory will miss the real issue, which is lifecycle control across identities that never pass through a human approval rhythm.

Manual identity response is a structural bottleneck. Calling analysts "human APIs" is more than a metaphor, because it describes an operating model where evidence collection outruns containment. That model was built for slower incidents and stable identity boundaries. The implication is that organisations should expect manual correlation to fail as a primary response method whenever identity abuse scales across systems.

Runtime identity control is becoming the dividing line between visibility and security. Organisations can collect logs and still fail to control exposure if policy enforcement does not happen where the identity is being used. The field is moving from retrospective reporting toward context-aware enforcement across human, NHI, and emerging autonomous use cases. Practitioners should treat runtime identity enforcement as a baseline expectation, not an optimisation.

Identity programmes now need a unified model for humans, NHIs, and agentic systems. The report is not just about one class of identity risk. It shows that the same organisation can be under pressure from legacy authentication, machine identities, and board-level AI concerns at the same time. That convergence means programme boundaries built around only human IAM or only NHI security will become less defensible. Practitioners should align governance, telemetry, and remediation across the full identity estate.

From our research:

• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
• 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to Ultimate Guide to NHIs.
• For a broader control baseline, the NIST Cybersecurity Framework 2.0 remains the cleanest way to connect identity detection, response, and recovery outcomes.

What this signals

Identity teams should expect AI-era planning to fail if current credential abuse remains unresolved. The immediate signal is that governance maturity is still being measured by how well teams can see and contain the identities already active in production. With 71% of NHIs not rotated within recommended time frames, according to Ultimate Guide to NHIs, the operational gap is still in the basics.

Non-human identity sprawl is becoming the organising concept for programme prioritisation. The right question is no longer whether NHIs exist, but which of them are unowned, over-privileged, or still reachable through legacy authentication paths. That is the point at which inventory, lifecycle, and response start working as one control plane.

The next step for mature programmes is to connect identity telemetry to containment decisions before analysts have to reconstruct the attack by hand. That shift aligns with NIST Cybersecurity Framework 2.0 because detection only matters when it leads to response and recovery.

For practitioners

• Inventory non-human identities as governed assets Establish ownership, business purpose, and lifecycle state for service accounts, API keys, workload identities, and third-party OAuth access. If an identity cannot be assigned to a control owner, it should be treated as an unmanaged risk rather than a technical detail.
• Prioritise legacy authentication removal Identify NTLM and other legacy identity paths that still support critical workflows, then rank them by exposure and dependency. Reduce the highest-risk paths first, especially where they intersect with privileged or externally reachable systems.
• Reduce manual identity triage dependence Connect IdP, PAM, IGA, and SIEM telemetry so that suspicious identity activity can trigger pre-defined containment workflows. Manual correlation should support investigation, not serve as the main response mechanism.
• Reconcile AI planning with present-tense controls Do not let AI-threat planning displace the work of closing credential abuse, third-party access, and visibility gaps already present in production. Build one programme that can handle both future risk and current exposure.

Key takeaways

• Identity security is being pulled between AI-era threat planning and live credential abuse, and that split exposes a governance gap rather than a tooling gap.
• The clearest warning sign is visibility failure across non-human identities, where unmanaged service accounts and third-party access create durable attack paths.
• Programmes that still depend on manual correlation and legacy authentication will struggle to contain identity abuse at machine speed.

Key terms

• Non-Human Identity: A non-human identity is any digital identity used by software, services, or automated workflows rather than a person. It includes service accounts, API keys, tokens, certificates, and workload identities, all of which need ownership, lifecycle control, and monitoring because they can expose privileged access at machine speed.
• Identity Governance: Identity governance is the discipline of deciding who or what should have access, for how long, and under what conditions. For NHIs, governance extends beyond approval into ownership, rotation, offboarding, and visibility because non-human access often persists without a human manager in the loop.
• Legacy Authentication: Legacy authentication is an older identity mechanism that remains in production even after better options exist. It is risky because it often relies on weaker trust assumptions, creates hard-to-track dependencies, and can let attackers reuse or replay credentials in ways modern governance models struggle to see quickly.
• Manual Identity Response: Manual identity response is the practice of investigating and containing identity incidents through human-led correlation across multiple tools. It can support complex cases, but it becomes a bottleneck when attackers move faster than analysts can assemble the evidence needed to act.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.

This post draws on content published by Silverfort: The Identity Underground Annual Pulse 2026. Read the original.