TL;DR: Traditional IAM tools miss most non-human identities because they track credentials and silos, not the identities, owners, and relationships that create real risk, according to SPHERE Technology Solutions and Gartner. That blind spot becomes more dangerous as service accounts, orphaned identities, and AI agents multiply faster than manual governance can keep up.
At a glance
What this is: An analysis of why identity visibility and intelligence have become necessary as machine identities and AI agents outgrow credential-centric IAM models.
Why it matters: IAM, IGA, PAM, and NHI programmes now have to govern identities that traditional tooling cannot fully see, own, or contextualise.
By the numbers:
- Gartner's 2025 Hype Cycle says IVIP addresses 97% of identities that traditional IAM solutions miss.
Context
Identity visibility is the ability to see what identities exist, who or what owns them, what they can access, and whether that access still makes sense. The problem the article exposes is not a lack of credentials management, but a lack of identity-level understanding across human users, service accounts, and emerging AI agents.
That gap matters because credential inventories can look healthy while the underlying identities remain orphaned, over-privileged, or completely unknown. For teams building NHI, IAM, IGA, and PAM programmes, the real question is no longer whether credentials are rotated, but whether the identity behind them is governed at all.
Key questions
Q: How should security teams govern service accounts that are hidden outside central IAM?
A: They should start by discovering where those identities are created, used, and stored, then assign ownership and business purpose before any access review. Once the identity is visible, teams can right-size permissions, remove stale access, and bring the account into PAM or IGA workflows. Without that first step, rotation alone only preserves an unmanaged identity.
Q: Why do machine identities create more governance risk than human accounts?
A: Machine identities often operate continuously, are created in many different systems, and accumulate access faster than teams can review them. They also tend to have weak ownership and poor documentation, which makes orphaned access more likely. The result is a larger attack surface that traditional human-centric IAM processes do not fully cover.
Q: How do organisations know whether identity visibility is actually improving?
A: They should measure how many identities have clear ownership, complete context, and documented dependencies, not just how many secrets are rotated. Improvement shows up when fewer accounts are orphaned, more machine identities appear in governance workflows, and security teams can answer what each identity is for without manual forensics.
Q: Who should be accountable when an unmanaged identity is used in a breach?
A: Accountability should sit with the team that owns the identity lifecycle, not only the team that stores the credential. If the underlying service account or agent was never assigned purpose, review, and offboarding responsibility, governance has failed before the incident begins. That is why IAM, PAM, and IGA ownership must be explicit.
Technical breakdown
Identity visibility vs credential visibility
Credential visibility tells you a password, token, or key exists. Identity visibility tells you the entity behind that credential, why it exists, who owns it, what systems it touches, and whether its access still reflects current business need. Traditional IAM often stops at the secret or directory entry, which is why orphaned service accounts, embedded API keys, and hidden automation identities evade review. The article’s core point is that identity sprawl is not just more accounts. It is more unmanaged relationships between identities, systems, and privileges.
Practical implication: build discovery around identities and ownership, not just account inventories.
Why traditional IAM misses machine identities
Traditional IAM was built around human authentication flows and relatively stable account lifecycles. Machine identities behave differently: they can be created inside applications, scripts, schedulers, containers, and cloud services, often outside central directories. That means PAM, IGA, and directory tooling each see only a slice of the picture. The article argues that this siloed model leaves most machine identities outside effective governance, especially when accounts are orphaned or hidden in non-obvious places.
Practical implication: expand discovery beyond directories into scripts, configs, schedulers, and application stacks.
How AI agents change the governance model
AI agents are not just another type of service account. In this article’s framing, they can choose actions, adapt behaviour, request access, and even create temporary identities for tasks. That creates a governance problem that human-centric IAM was never designed to solve. If an identity can vary its behaviour at runtime, static permission reviews and quarterly audits no longer describe actual exposure. The control question shifts from who has the account to what the identity may decide to do next.
Practical implication: treat AI agent identities as governed runtime actors, not static accounts.
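The runtime model described above can be made concrete as a scope check: an owner approves what an agent identity may do at provisioning time, and every recorded action is compared against that scope, including attempts to mint temporary identities. The following is an added example written for this post, not code from SPHERE or the source article; the agent name, scope, tool names and audit events are all constructed, and the event format is a stand-in for whatever an agent platform's audit log actually emits.

```python
"""Runtime scope enforcement and drift detection for one AI agent identity.

Constructed example: the scope an owner approved at provisioning time, and
a stream of the agent's runtime actions as an audit log might record them.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AgentScope:
    """What the accountable owner approved for this agent identity."""
    agent: str
    owner: str
    allowed_actions: frozenset[str]
    allowed_datasets: frozenset[str]
    allowed_tools: frozenset[str]
    may_create_identities: bool = False   # agents minting identities is off by default


# Constructed: approved scope for a hypothetical reporting agent.
REPORT_BOT_SCOPE = AgentScope(
    agent="agent-report-bot",
    owner="finance-analytics",
    allowed_actions=frozenset({"read", "summarise"}),
    allowed_datasets=frozenset({"sales_daily", "sales_monthly"}),
    allowed_tools=frozenset({"warehouse.query", "email.send_internal"}),
)

# Constructed: runtime audit events, i.e. what the agent actually did.
EVENTS = [
    {"agent": "agent-report-bot", "action": "read", "dataset": "sales_daily", "tool": "warehouse.query"},
    {"agent": "agent-report-bot", "action": "summarise", "dataset": "sales_monthly", "tool": "email.send_internal"},
    {"agent": "agent-report-bot", "action": "read", "dataset": "payroll", "tool": "warehouse.query"},
    {"agent": "agent-report-bot", "action": "write", "dataset": "sales_daily", "tool": "warehouse.query"},
    {"agent": "agent-report-bot", "action": "create_identity", "dataset": None,
     "tool": "iam.create_service_account", "created": "tmp-report-bot-7"},
    {"agent": "agent-report-bot", "action": "read", "dataset": "sales_daily", "tool": "http.post_external"},
]


def evaluate(event: dict, scope: AgentScope) -> list[str]:
    """Compare one runtime action against the approved scope; empty list means in scope."""
    violations = []
    if event["action"] not in scope.allowed_actions:
        violations.append(f"action:{event['action']}")
    if event.get("dataset") and event["dataset"] not in scope.allowed_datasets:
        violations.append(f"dataset:{event['dataset']}")
    if event["tool"] not in scope.allowed_tools:
        violations.append(f"tool:{event['tool']}")
    if event["action"] == "create_identity" and not scope.may_create_identities:
        # A temporary identity created by the agent would otherwise be born orphaned.
        violations.append(f"identity-creation:{event.get('created', '?')}")
    return violations


def enforce(events: list[dict], scope: AgentScope) -> dict:
    """Decide each event, record any identities the agent spawned, and summarise drift."""
    decisions, derived = [], []
    for ev in events:
        violations = evaluate(ev, scope)
        decisions.append({"event": ev, "allowed": not violations, "violations": violations})
        if ev["action"] == "create_identity" and ev.get("created"):
            # Attach the spawned identity to the agent's owner so it enters governance.
            derived.append({"name": ev["created"], "created_by": scope.agent, "owner": scope.owner})
    denied = sum(1 for d in decisions if not d["allowed"])
    drift = sorted({v.split(":")[0] for d in decisions for v in d["violations"]})
    return {
        "decisions": decisions,
        "allowed": len(decisions) - denied,
        "denied": denied,
        "derived_identities": derived,
        "drift": drift,           # categories in which behaviour left the approved scope
    }


if __name__ == "__main__":
    result = enforce(EVENTS, REPORT_BOT_SCOPE)
    for d in result["decisions"]:
        verdict = "allow" if d["allowed"] else "deny " + ", ".join(d["violations"])
        print(f"{d['event']['action']:16} {d['event']['tool']:28} {verdict}")
    print("drift categories:", result["drift"])
    print("identities spawned by agent:", result["derived_identities"])
```

The point of the `derived_identities` list is the one the article makes about agents creating temporary identities: the moment an agent spawns one, it should inherit the agent's owner and enter the same review cycle rather than appearing later as an unexplained service account. The `drift` summary gives the owner a compact answer to "in which ways did this actor depart from what I approved" between formal reviews.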
Threat narrative
Attacker objective: Turn unseen identity sprawl into sustained access, lateral movement, and control over business systems.
- Entry occurs through hidden service accounts, embedded API keys, or other identities that are not visible in the central IAM view.
- Escalation happens when over-privileged or orphaned identities retain access long after ownership, purpose, or business need has changed.
- Impact follows when attackers or unauthorized automation move through systems using identities that defenders can neither fully see nor confidently constrain.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential management is no longer a sufficient proxy for identity governance. The article correctly separates the thing that authenticates from the entity that acts, and that distinction is now central to NHI governance. Service accounts, API keys, and tokens are only the visible edge of a much larger identity graph. Practitioners should treat identity visibility as the control plane, not an optional enhancement.
The real failure mode is orphaned identity, not just orphaned credential. A token can be rotated and still leave the underlying service account untouched, undocumented, and over-privileged. That is why identity hygiene must start with ownership, purpose, and dependency mapping. The implication for practitioners is that every access review must answer who controls the identity, not only whether the secret was changed.
The governance gap now has a name: hidden identity sprawl. This is the condition where machine identities multiply faster than discovery, classification, and review processes can keep up. It is the reason traditional IAM tools look effective while missing most of the attack surface. Practitioners should recognise hidden identity sprawl as a programme-level blind spot, not a tooling edge case.
AI agent governance cannot be built on static identity assumptions. The article’s autonomous-agent section is a warning that runtime behaviour matters more than account labels. If an identity can adapt actions and create temporary credentials, then least privilege defined at provisioning time is already incomplete. Practitioners should rethink how they define scope, ownership, and accountability for agentic actors.
IVIP-like visibility is an architectural response, but the discipline is identity intelligence. The category name matters less than the operating model it represents: continuous discovery, context, and automated governance across humans and machines. In practice, that means joining PAM, IGA, and discovery data into one identity view. Practitioners should measure success by how much identity risk they can explain, not how many credentials they can enumerate.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- The same report found that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
- For the wider NHI governance picture, see Ultimate Guide to NHIs for lifecycle, visibility, and control patterns that help close the identity blind spot.
What this signals
With 67% of service accounts already orphaned in the source article’s framing, the next governance priority is not more credential tracking but better identity ownership and dependency mapping. Teams that still treat machine identities as a by-product of application operations will keep discovering them only after they become incidents.
A practical concept here is hidden identity sprawl: identities created outside core governance processes that remain operational long after anyone can say what they are for. Once this pattern is embedded, quarterly review cycles become performative rather than protective, and PAM or IGA coverage must be extended into the systems where identities are actually born.
For teams aligning to external guidance, the OWASP Non-Human Identity Top 10 is a useful reference point for the risks this article surfaces, especially around over-privilege, secret exposure, and weak lifecycle control. The operational signal to watch is whether your programme can explain every machine identity without manual forensics.
For practitioners
- Map identity ownership before you map secrets: build an inventory that starts with the identity, its business purpose, and its owner, then attach credentials, dependencies, and access paths. This stops teams from rotating secrets on accounts that should already be retired.
- Extend discovery beyond directories and vaults: scan application configs, scripts, schedulers, container manifests, and cloud automation for service accounts and embedded credentials. Hidden identities are often the ones that never appear in standard IAM reports.
- Join PAM and IGA views around shared identities: reconcile privileged access data with governance records so orphaned or over-privileged machine identities are visible in one review cycle. That reduces the gap between what security teams can authenticate and what they can actually govern.
- Define runtime guardrails for AI agent identities: specify which actions, data sets, and downstream tools an agent may use at runtime, then monitor for behaviour that departs from the approved scope. Static account labels are not enough when the actor can change its activity pattern dynamically.
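The identity-versus-credential distinction from the technical breakdown and the first three practitioner items above amount to one reconciliation exercise: merge what the directory knows, what the PAM vault holds, and what a scan of configs, cron jobs and container manifests actually finds, keyed on the identity rather than the secret, and then ask each identity the governance questions (owner, purpose, vaulting, visibility). The following is an added example written for this post, not code from SPHERE, the source article or any IAM product; the three inventories are constructed stand-ins for exports you would pull from your own directory, vault and discovery scanner, and the finding labels are this example's own.

```python
"""Identity-centric reconciliation across a directory, a PAM vault and
discovered artefacts. All three inventories below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed: what the central directory knows (identity -> owner, purpose).
DIRECTORY = [
    {"name": "svc-billing-etl", "owner": "data-platform", "purpose": "nightly billing load"},
    {"name": "svc-legacy-sync", "owner": None, "purpose": None},   # nobody claims it
    {"name": "svc-ci-deployer", "owner": "platform-eng", "purpose": "CI deploy"},
]

# Constructed: privileged identities whose secrets the PAM vault manages.
PAM_VAULT = [
    {"name": "svc-billing-etl", "last_rotated_days": 12},
    {"name": "svc-legacy-sync", "last_rotated_days": 30},   # rotated, yet ownerless
]

# Constructed: identities a scanner found in cron jobs, scripts, manifests, configs.
DISCOVERED = [
    {"name": "svc-billing-etl", "source": "cron:/etc/cron.d/billing", "privileged": True},
    {"name": "svc-legacy-sync", "source": "script:/opt/sync/run.sh", "privileged": True},
    {"name": "svc-ci-deployer", "source": "k8s:deploy/ci-runner.yaml", "privileged": True},
    {"name": "agent-report-bot", "source": "k8s:agents/report-bot.yaml", "privileged": True},
    {"name": "svc-metrics-push", "source": "config:app/metrics.ini", "privileged": False},
]


@dataclass
class Identity:
    """One node in the identity graph; the credential is an attribute, not the key."""
    name: str
    owner: str | None = None
    purpose: str | None = None
    in_directory: bool = False
    in_pam: bool = False
    privileged: bool = False
    sources: set[str] = field(default_factory=set)   # where the identity is actually used


def build_identity_graph(directory, pam_vault, discovered) -> dict[str, Identity]:
    """Merge the three views into one record per identity, keyed by name."""
    graph: dict[str, Identity] = {}
    for entry in directory:
        ident = graph.setdefault(entry["name"], Identity(entry["name"]))
        ident.in_directory = True
        ident.owner, ident.purpose = entry["owner"], entry["purpose"]
    for entry in pam_vault:
        graph.setdefault(entry["name"], Identity(entry["name"])).in_pam = True
    for hit in discovered:
        ident = graph.setdefault(hit["name"], Identity(hit["name"]))
        ident.sources.add(hit["source"])
        ident.privileged = ident.privileged or hit["privileged"]
    return graph


def classify(ident: Identity) -> set[str]:
    """Findings are identity-level conditions; a fresh rotation clears none of them."""
    findings = set()
    if ident.sources and not ident.in_directory:
        findings.add("hidden")                    # in use, unknown to central IAM
    if ident.owner is None:
        findings.add("orphaned")                  # nobody accountable for lifecycle
    if ident.purpose is None:
        findings.add("no-purpose")                # cannot be right-sized or retired
    if ident.privileged and not ident.in_pam:
        findings.add("privileged-unvaulted")
    if ident.in_pam and ident.owner is None:
        findings.add("rotated-but-ungoverned")    # the secret is managed, the identity is not
    return findings


def report(graph: dict[str, Identity]) -> dict[str, list[str]]:
    return {name: sorted(classify(ident)) for name, ident in sorted(graph.items())}


def visibility_metrics(graph: dict[str, Identity]) -> dict[str, float]:
    """Coverage of ownership and purpose, plus the hidden count: the article's yardsticks."""
    total = len(graph)
    return {
        "total": total,
        "owned_ratio": sum(1 for i in graph.values() if i.owner) / total,
        "purpose_ratio": sum(1 for i in graph.values() if i.purpose) / total,
        "hidden": sum(1 for i in graph.values() if "hidden" in classify(i)),
    }


if __name__ == "__main__":
    graph = build_identity_graph(DIRECTORY, PAM_VAULT, DISCOVERED)
    for name, findings in report(graph).items():
        print(f"{name:18} {', '.join(findings) or 'governed'}")
    print(visibility_metrics(graph))
```

Two rows in the constructed data carry the article's argument. `svc-legacy-sync` has a vaulted, recently rotated secret and still comes out as orphaned, purposeless and "rotated-but-ungoverned", which is the credential-inventory-looks-healthy failure mode. `agent-report-bot` and `svc-metrics-push` exist only in scanned artefacts, so a directory-based review would never list them. The metrics deliberately count owned and purposed identities rather than rotated secrets, matching the measurement question raised under "Key questions".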
Key takeaways
- The article’s core warning is that organisations are governing credentials while missing the identities that actually use them.
- The scale problem is already severe, with machine identities multiplying far faster than human-centric IAM processes can review or certify them.
- The control that changes the outcome is identity visibility joined to ownership, context, and lifecycle governance, not secret rotation alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity visibility gaps and hidden machine identities map directly to NHI discovery and lifecycle risk. |
| NIST CSF 2.0 | ID.AM-1 | Asset and identity inventory is central to closing the visibility gap described in the article. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust assumes explicit identity verification and least privilege across all access paths. |
Apply explicit access verification to service accounts, APIs, and AI agents instead of assuming trusted internal access.
Key terms
- Identity Intelligence: Identity Intelligence is the continuous analysis of identity data to expose risk, ownership, and access context. It goes beyond listing accounts by linking identities to purpose, dependencies, and governance actions, which is essential when machine identities and AI agents multiply faster than manual review cycles.
- Orphaned Service Account: An orphaned service account is a non-human identity that still exists and may still be active even though no accountable owner can be identified. These accounts are high-risk because they often retain access, evade lifecycle governance, and remain invisible to teams that focus only on documented credentials.
- Identity Visibility: Identity visibility is the ability to discover, classify, and track identities across systems, including where they live and what they can do. It matters because security teams cannot govern access effectively if identities are hidden in applications, scripts, schedulers, or cloud automation outside standard IAM views.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SPHERE Technology Solutions: Identity visibility is lagging behind machine and AI agent sprawl. Read the original.
Published by the NHIMG editorial team on 2025-09-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org