By NHI Mgmt Group Editorial Team
Published: 2025-09-30
Domain: Governance & Risk
Source: Delinea

TL;DR: Unmanaged identities across workforce, machine, developer, and agentic AI estates create security, compliance, and operational risk by expanding attack paths, weakening accountability, and outpacing traditional inventory and lifecycle controls, according to Delinea. The core issue is not simply visibility, but governance that assumes identities stay tracked and stable long enough to be reviewed.


At a glance

What this is: This is an analysis of unmanaged identities across human, machine, developer, and agentic AI estates, showing how identity sprawl creates security, compliance, and operational exposure.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes all fail in the same place when identities exist outside inventory, lifecycle control, and review.

By the numbers:

👉 Read Delinea's analysis of unmanaged identities across human, machine, and AI estates


Context

Unmanaged identities are any human or non-human identities that sit outside the organisation's identity management, governance, and protection processes. In practice, that means accounts, keys, tokens, certificates, and AI agents that can exist, act, or persist without being fully inventoried or reviewed. The focus here is unmanaged identities as a class, and the governance gap is broader than secrets alone.

Delinea's framing is useful because it groups workforce, developer, machine, and agentic AI identities into one problem space: identity sprawl. That lens matters for IAM, IGA, PAM, and NHI teams because the same missing controls recur across all four domains, especially when access is created faster than it can be discovered, certified, or deprovisioned.

For NHI programmes, the dangerous part is not only credential theft. It is the fact that unmanaged identities can become backdoor access, privilege creep, fragmented visibility, and audit failure at the same time. That is why unmanaged identity control has to be treated as a lifecycle and governance problem, not just an access hygiene issue.


Key questions

Q: How should security teams uncover unmanaged identities across cloud and on-premises environments?

A: Security teams should use continuous identity discovery across cloud, on-premises, and hybrid environments, then reconcile each finding against an authoritative owner, purpose, and lifecycle state. The goal is not just visibility. It is to identify orphaned access, unknown service accounts, and untracked AI agents before they become standing risk.

Q: Why do unmanaged NHIs and AI agents create more risk than tracked service accounts?

A: Tracked service accounts at least sit inside a governance model. Unmanaged NHIs and AI agents do not. That means their credentials, privileges, and behaviours can persist without review, which increases the chance of credential theft, lateral movement, and automation abuse. The risk rises again when these identities can spawn additional access or operate across multiple platforms.

Q: What do organisations get wrong about identity discovery and inventory?

A: They often treat discovery as a one-time project instead of an ongoing control. In fast-moving cloud and AI environments, identities appear, change, and disappear too quickly for periodic snapshots to remain accurate. The common mistake is believing the inventory is complete when unmanaged identities have already shifted outside it.

Q: Who is accountable when an unmanaged identity causes a breach or audit failure?

A: Accountability belongs to the team that owns identity governance, but the remediation path should be shared across IAM, PAM, security operations, and system owners. If the identity has no owner, that absence is itself the control failure. Regulators and auditors will expect the organisation to prove ownership, lifecycle management, and access review coverage.


Technical breakdown

Why unmanaged identities evade centralized discovery

An unmanaged identity is one that exists outside the authoritative record of who or what has access, what it can reach, and who owns it. The technical failure is often fragmentation: cloud, on-premises, DevOps, and business-led tooling each create their own identity objects and secrets without a common control plane. Once that happens, the organisation loses the ability to distinguish legitimate from orphaned access at scale. Continuous identity discovery is therefore not a dashboard feature, but the minimum mechanism needed to re-establish inventory integrity across environments.

Practical implication: build continuous discovery into the control stack so new human and machine identities are detected before they become orphaned access.

How unmanaged machine and AI identities expand attack paths

Machine identities, including AI agents, are different from workforce identities because they can act at speed, across systems, and often without a human in the loop. When these identities are unmanaged, attackers do not need to compromise a person first; they can target the token, key, or certificate that grants the machine persistent reach. AI agents intensify this because they can create additional agents or call external tools, multiplying the access surface inside the same workflow. The risk is not merely more identities, but more identity-mediated pathways into sensitive data and automation.

Practical implication: treat every machine and AI identity as a governed executor, not as a background technical artefact.

Why lifecycle controls matter more than ad hoc access fixes

Lifecycle control is the difference between an identity that is merely provisioned and one that is actually governed. Unmanaged identities persist when offboarding is incomplete, when privilege is never recertified, or when access is granted for speed and never revisited. That creates standing privilege, stale accounts, and unbounded exposure windows. In identity terms, the problem is not only that access exists, but that access survives longer than the business need that created it. PAM, IGA, and automated deprovisioning are the technical layers that turn discovery into durable governance.

Practical implication: tie every unmanaged identity finding to an owner, a review cycle, and a deprovisioning path.


Threat narrative

Attacker objective: The attacker aims to turn ungoverned identity sprawl into durable access that can be used for data theft, control of automation, or broader lateral movement.

  1. Entry occurs when an attacker targets unmanaged credentials, such as exposed keys, orphaned accounts, or AI agent tokens that are not covered by central governance.
  2. Escalation follows when the identity has more privilege than its task requires, allowing lateral movement, privilege escalation, or the spinning up of additional agents and services.
  3. Impact lands in the form of data access, operational disruption, compliance failure, or unauthorized use of automated systems and sensitive information.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Unmanaged identities are a governance failure before they are a detection problem. Once identity creation and identity use move outside the authoritative inventory, every downstream control becomes partial at best. That means IAM, PAM, and IGA are no longer enforcing policy across the full estate. The practitioner conclusion is simple: if an identity cannot be found, it cannot be governed.

Identity sprawl creates a shared failure mode across humans, machines, and agentic AI. The article correctly groups these identity types because the security outcome is similar even when the execution model differs. The common pattern is access that outlives ownership, review, or business need. Practitioners should stop treating NHI governance, workforce governance, and agentic governance as separate operational silos.

Agentic AI changes the meaning of unmanaged identity because the identity can change behaviour, not just persist. Agentic AI identities are not merely credentials at scale; they are executors that can adapt, interact, and spawn additional activity across environments. That means an unmanaged agentic identity is not just an inventory gap; it is a moving control boundary that can drift faster than human review cycles. The practitioner implication is that static lifecycle assumptions no longer hold.

Standing privilege is the named concept this article exposes. Unmanaged identities become dangerous when their access is present long enough to be reused, repurposed, or forgotten. That is the premise behind standing privilege, and it is the reason identity discovery must be coupled to lifecycle enforcement rather than left as an audit exercise. The practitioner conclusion is to remove persistence, not just document it.

Continuous discovery must be paired with accountability, or it becomes a noise generator. Discovering an unmanaged identity is only useful if the organisation can assign ownership, determine intended use, and enforce a retirement path. Without that chain, visibility produces reports but not reduced risk. The practical conclusion is to connect discovery output directly to remediation ownership and identity lifecycle controls.

From our research:

What this signals

Standing privilege drift: unmanaged identities only become manageable when discovery is tied to ownership, revocation, and review, not when they are merely listed in a report. For IAM and PAM teams, that means the next maturity step is not another inventory export. It is a closed loop from detection to retirement.

With 72% of organisations reporting or suspecting an NHI breach in our research, the market signal is clear: identity sprawl is now a board-level exposure, not a hygiene issue. Teams should expect more scrutiny of inventory completeness, offboarding quality, and evidence that machine identities are reviewed with the same discipline as human access.

The control model is also converging across human, machine, and AI estates. Organisations that already struggle with orphaned workforce access will face the same problem again in agentic workflows unless ownership, approval, and termination are designed into the identity lifecycle from the start.


For practitioners

  • Inventory every identity class continuously: Build discovery across workforce, machine, developer, and agentic AI estates so new identities are found as they appear in cloud, on-premises, and hybrid systems.
  • Map each unmanaged identity to an accountable owner: Require every discovered account, key, token, certificate, or agent to have a named business or technical owner before it remains active.
  • Automate offboarding and privilege retirement: Connect joiner-mover-leaver workflows to account deprovisioning, secret revocation, and certificate expiry so dormant access does not survive its business purpose.
  • Apply just-in-time access to high-risk identities: Replace persistent elevation with task-scoped access for admins, developers, and machine identities so standing privilege does not accumulate unnoticed.
  • Review AI agents as governed executors: Treat each agent as an identity with an owner, scope, and termination path, then verify whether it can create additional access chains outside expected policy.
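As an added example, not code from Delinea, from this page, or from any NHIMG tool, the following Python script shows the reconciliation loop that the technical breakdown describes and that the practitioner steps above ask for: each identity found by discovery is compared with an authoritative owner, purpose, and review record; every gap is tagged with a reason (not in inventory, no owner, review overdue, dormant privileged access, or a record with no live identity behind it); and each finding is routed to a remediation action so discovery output lands with an owner rather than in a report. The identity records, owners, sources, and the 90-day review and 60-day dormancy thresholds are constructed assumptions for illustration.

```python
"""Reconcile discovered identities against an authoritative inventory.

Added example, not Delinea's or NHIMG's code. All records, names and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed: what a continuous discovery pass found across cloud,
# on-premises, SaaS, PKI and an agent platform.
DISCOVERED = [
    {"id": "svc-ci-deploy",    "kind": "service_account", "source": "aws",
     "privileged": True,  "last_used": "2025-09-29"},
    {"id": "svc-legacy-etl",   "kind": "service_account", "source": "on-prem-ad",
     "privileged": True,  "last_used": "2025-03-02"},
    {"id": "tok-grafana-ro",   "kind": "api_token",       "source": "saas",
     "privileged": False, "last_used": "2025-09-20"},
    {"id": "agent-triage-bot", "kind": "ai_agent",        "source": "agent-platform",
     "privileged": True,  "last_used": "2025-09-30"},
    {"id": "cert-mtls-batch",  "kind": "certificate",     "source": "pki",
     "privileged": False, "last_used": "2025-09-25"},
]

# Constructed: the authoritative IGA/PAM record. owner=None means nobody is named.
INVENTORY = {
    "svc-ci-deploy":   {"owner": "platform-team", "purpose": "CI deploys",         "last_review": "2025-08-15"},
    "svc-legacy-etl":  {"owner": None,            "purpose": "nightly ETL",        "last_review": "2024-11-01"},
    "tok-grafana-ro":  {"owner": "sre",           "purpose": "dashboards",         "last_review": "2025-09-01"},
    "svc-retired-app": {"owner": "app-team",      "purpose": "decommissioned app", "last_review": "2025-01-10"},
}

TODAY = date(2025, 9, 30)            # fixed so the run is reproducible
REVIEW_PERIOD = timedelta(days=90)   # assumed recertification cycle
DORMANT_AFTER = timedelta(days=60)   # assumed "unused privileged access" threshold


@dataclass
class Finding:
    identity: str
    kind: str
    reasons: list
    action: str


def _action(reasons):
    """Route a finding: remove persistence first, then fix accountability, then review."""
    if "dormant_privileged" in reasons:
        return "disable_pending_review"   # standing privilege nobody is using
    if "not_in_inventory" in reasons or "no_owner" in reasons:
        return "assign_owner"             # nothing else can be enforced without an owner
    if "review_overdue" in reasons:
        return "recertify"
    return "none"


def reconcile(discovered=DISCOVERED, inventory=INVENTORY, today=TODAY):
    """Compare discovery output with the authoritative record and return findings."""
    findings, seen = [], set()
    for ident in discovered:
        seen.add(ident["id"])
        reasons = []
        record = inventory.get(ident["id"])
        if record is None:
            reasons.append("not_in_inventory")
        else:
            if not record.get("owner"):
                reasons.append("no_owner")
            if today - date.fromisoformat(record["last_review"]) > REVIEW_PERIOD:
                reasons.append("review_overdue")
        if ident["privileged"] and today - date.fromisoformat(ident["last_used"]) > DORMANT_AFTER:
            reasons.append("dormant_privileged")
        if reasons:
            findings.append(Finding(ident["id"], ident["kind"], reasons, _action(reasons)))
    # A record with no live identity behind it is stale inventory, not governance coverage.
    for rid in inventory:
        if rid not in seen:
            findings.append(Finding(rid, "inventory_record", ["not_discovered"], "retire_record"))
    return findings


def summarize(findings):
    """Count findings per remediation action: the closed-loop view an IAM/PAM team tracks."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile()
    for f in results:
        print(f"{f.identity:<18} {f.kind:<16} {', '.join(f.reasons):<45} -> {f.action}")
    print(summarize(results))
```

Run as written, the script flags the dormant, ownerless on-premises service account for disabling before anyone recertifies it, sends the undiscovered AI agent and the mTLS certificate to ownership assignment because they exist outside the inventory, and retires the inventory record for an application that discovery no longer sees. The ordering in `_action` is the design choice worth copying: persistence is removed first, ownership is fixed second, and review comes last, because a review of access with no owner cannot be closed.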

Key takeaways

  • Unmanaged identities are dangerous because they sit outside the identity system that is supposed to control them.
  • The main risk is not only exposure, but standing access that survives longer than its business purpose.
  • Discovery must connect to ownership, review, and deprovisioning, or identity sprawl will keep reappearing in new forms.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Unmanaged identities and secrets exposure sit at the centre of this article.
NIST CSF 2.0                     | PR.AC-1             | The article focuses on access governance for identities outside normal control.
NIST Zero Trust (SP 800-207)     | PR.AC-4             | The piece argues for least privilege and JIT access across all identity types.

Ensure access rights are assigned, reviewed, and removed through a repeatable identity lifecycle.


Key terms

  • Unmanaged Identity: An unmanaged identity is any account, credential, token, certificate, or agent that exists outside the organisation's authoritative identity governance process. In practice, it cannot be reliably inventoried, reviewed, or retired on schedule, which makes ownership and accountability difficult to prove.
  • Standing Privilege: Standing privilege is access that remains active without a clear end point or task boundary. For human, machine, and agentic identities alike, it creates exposure because the access outlives the need that created it and can be reused long after it should have been removed.
  • Continuous Identity Discovery: Continuous identity discovery is the ongoing process of finding and reconciling identities across environments as they are created or changed. It is more than inventory management because it is designed to catch orphaned accounts, shadow identities, and AI agents before they become persistent governance gaps.
  • Agentic AI Identity: An agentic AI identity is the identity used by an AI system that can make decisions, interact with other systems, and complete tasks independently. It requires governance beyond a static service account because the behaviour can shift at runtime and create new access paths.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity lifecycle management, it is worth exploring.

This post draws on content published by Delinea: Uncovering the risks of unmanaged identities. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org