Why 82% of enterprise attack surface stays invisible to IAM

At a glance

What this is: This analysis argues that most enterprise attack surface is hidden because machine identities are being created faster than security teams can govern them.

Why it matters: It matters because IAM, PAM, and governance programmes now have to manage NHI sprawl across AI, development, supply chain, production, and user workflows, not just human access.

By the numbers:

• Your organization now manages 82 machine identities for every human user.

👉 Read Clutch Security's analysis of enterprise NHI attack surface visibility gaps

Context

Enterprise attack surface visibility fails when security teams track infrastructure boundaries instead of identity creation. In this case, the core problem is not just credential volume, but the fact that business functions are generating non-human identities faster than governance processes can classify, review, and retire them.

The article’s central claim is that the riskiest NHI domains are receiving the least attention, with AI and development creating the biggest exposure. That shifts the IAM problem from perimeter defence to lifecycle control, because who created the credential, why it exists, and what it can reach now matters more than where it technically sits.

Key questions

Q: How should security teams govern machine identities across business domains?

A: Start with ownership, business purpose, and expiry for each machine identity, then map those identities to the domain that created them. Governance fails when NHIs are tracked as generic infrastructure objects instead of business-linked access paths. The practical goal is to make every credential reviewable, attributable, and removable when the business need ends.

Q: Why do AI and development environments increase NHI risk so quickly?

A: AI and development environments generate credentials at high speed and often place them in code, pipelines, or training workflows before security can review them. That combination creates both sprawl and persistence. Once secrets land in these systems, they tend to survive longer than the business task that created them.

Q: What breaks when organisations secure infrastructure but ignore NHI intent?

A: What breaks is the link between access and accountability. A credential can be technically valid while being semantically wrong for the business function that created it. When security cannot tell why an NHI exists, it cannot judge whether the access is still justified or whether it has already become blast radius.

Q: Which frameworks should teams use to align NHI governance with risk?

A: Use OWASP NHI guidance for machine identity controls, NIST CSF for programme structure, and zero trust principles to reduce implicit trust between domains. These frameworks work best when teams apply them to lifecycle, ownership, and cross-domain access paths rather than to infrastructure labels alone.

Technical breakdown

Business functions are creating hidden NHI attack surfaces

Modern enterprises do not create machine identities in one place. Sales integrations issue OAuth tokens, DevOps automations create service accounts, and legal or procurement workflows add API keys for third-party access. Each credential is tied to a business outcome, but each also expands identity scope beyond what legacy governance models can track. The technical failure is not simply weak secrets hygiene. It is the absence of a unified inventory that links business purpose, privilege scope, and lifecycle state across domains. Without that linkage, teams cannot tell whether a machine identity is temporary, shared, or still in active use.

Practical implication: build an NHI inventory that records business owner, purpose, scope, and expiry for every credential class.

Why AI and development domains create the largest governance gaps

The article places AI and development in the highest-risk zone because both domains combine fast credential growth with immature controls. AI systems often require broad data access, while development environments accumulate secrets in repositories, pipelines, and local workstations. This creates an environment where machine identities are created faster than they are reviewed, and where leaked credentials persist in code history or model training data. In practical terms, the issue is not only exposure, but persistence: once a secret enters these workflows, it may outlive the business need that created it.

Practical implication: focus discovery, scanning, and rotation controls first on AI and development workflows, not on the most mature environments.

Cross-domain identity movement turns local compromise into enterprise reach

The article describes a ripple effect where compromise in one domain exposes credentials and context that can be reused elsewhere. That is a classic NHI problem because machine identities often carry delegated privileges across cloud, code, and production systems. Once an attacker obtains one credential set, they can use it to discover architectures, harvest additional secrets, and move into adjacent environments. The mechanism is not lateral movement in the human account sense, but identity chaining across business functions and toolchains. That is why domain-based governance has to be paired with graph visibility into credential relationships.

Practical implication: model NHI-to-NHI trust paths so you can see where one compromised identity can open another domain.

Threat narrative

Attacker objective: The attacker aims to turn one hidden machine identity into broad enterprise access by chaining secrets, trust relationships, and cross-domain privileges.

1. Entry begins when attackers compromise an exposed machine identity, such as an API key, OAuth token, or service account tied to AI or development workflows.
2. Escalation follows when that credential reveals additional secrets, architectures, or trusted integrations that let the attacker reuse access across adjacent systems.
3. Impact occurs when the attacker moves from one domain into production, user-facing applications, or corporate systems, expanding the breach beyond the original credential scope.

Breaches seen in the wild

• MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
• Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Machine identity visibility is now a governance failure, not just a tooling gap. The article is right to frame the problem as invisible attack surface, because the real issue is that many organisations do not know which NHIs exist, who created them, or when they should die. That is an OWASP-NHI and NIST CSF control problem, but also a lifecycle problem across provisioning, rotation, and offboarding. Practitioners should treat unknown machine identity populations as unmanaged risk, not background noise.

AI and development domains are where NHI governance assumptions collapse first. The controls built for mature IT estates assume predictable ownership, stable scope, and reviewable credential lifecycles. Those assumptions fail in AI and development because credentials are created at high velocity, reused across pipelines, and often embedded in code or training workflows before security ever sees them. The implication is not to add more review meetings, but to recognise that review-based governance is structurally behind the way these domains operate.

Domain-based security investment is misallocated when it follows visibility instead of risk. The article’s core finding is that corporate IT receives heavy tooling while AI and development carry critical exposure. That is a portfolio failure in identity governance, because low-risk, mature environments absorb attention that should be directed at credential sprawl, standing privilege, and trust chains in the least governed zones. Practitioners should rebalance controls toward the domains that create the most NHIs and the least auditability.

Cross-domain trust has become the real identity blast radius. Once one machine identity is compromised, the attacker often inherits context that spans cloud, code, and production. That means the breach surface is not the individual secret alone, but the web of delegated access around it. The practitioner takeaway is to govern trust relationships as aggressively as credentials themselves, because NHI compromise now propagates through business workflows as much as through infrastructure.

Identity governance must follow business function, not infrastructure labels. The article shows that the same credential can matter differently depending on whether it was created by sales, devops, or legal. That is why NHI programmes need ownership models tied to business intent, lifecycle state, and domain-specific risk rather than a single technical bucket. Practitioners should design governance around how identities are produced and consumed, not just where they reside.

From our research:

• 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
• For the broader identity control model, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be tied to business ownership.

What this signals

Invisible attack surface is becoming a domain problem, not a point-in-time secret problem. If 92% of organisations already agree AI agent governance is critical but only 44% have policies in place, the gap is no longer awareness but execution. That makes domain-level inventory and lifecycle ownership the next practical control layer, especially where machine identities are created inside business workflows instead of security workflows.

Identity programmes will need to treat cross-domain trust as a first-class risk signal. When one credential can expose code, systems, and business context, the programme that tracks only individual secrets will miss the attack path. Practitioners should pair credential discovery with trust-graph analysis and reinforce the guidance in the NHI Lifecycle Management Guide to stop access from outliving its business purpose.

AI agent governance now overlaps directly with broader NHI governance. The attack surface does not stop at one class of identity, because AI systems, service accounts, OAuth tokens, and vendor integrations often coexist in the same business process. As organisations scale automation, they need controls that can see where identity is created, delegated, and retired across the whole operational chain.

For practitioners

• Map machine identities to business domains Build a domain-level inventory that records creator, business purpose, privilege scope, system dependency, and expiry for every NHI. Use that inventory to distinguish AI, development, supply chain, production, and user-generated identities before you prioritise controls.
• Prioritise AI and development secret discovery Start with the environments the article identifies as critical risk: AI workflows, source repositories, CI/CD pipelines, and developer workstations. Scan for hardcoded credentials, stale tokens, and long-lived service accounts, then remove or rotate the highest-impact secrets first.
• Reduce standing access across trust chains Review OAuth grants, service account permissions, and vendor integrations for access that persists beyond the original business need. Where possible, shorten the credential lifetime and remove inherited access paths that let one compromised identity open adjacent systems.
• Model cross-domain blast radius Trace how one credential can reveal others, especially where AI systems, development tools, and production services share trust relationships. Focus on the credential relationships that would let an attacker move from one domain into another without reauthentication.

Key takeaways

• The article’s central point is that most enterprise risk is hidden inside machine identities, not traditional user accounts.
• The highest-risk domains are AI and development, where credential growth and governance gaps are expanding faster than security visibility.
• The control that changes the outcome is lifecycle-aware, domain-specific NHI governance tied to business intent and trust paths.

Key terms

• Non-Human Identity: A non-human identity is any credentialed digital entity that acts on behalf of a system, workflow, or service rather than a person. In practice, this includes service accounts, API keys, OAuth tokens, certificates, bots, and AI-driven workloads that can access data or tools.
• Machine Identity Sprawl: Machine identity sprawl is the uncontrolled growth of non-human identities across teams, platforms, and business processes. It becomes a governance problem when identities are created faster than they can be inventoried, reviewed, rotated, or retired, leaving security teams with incomplete visibility and weak accountability.
• Cross-Domain Trust Path: A cross-domain trust path is the chain of delegated access that lets one identity operate across multiple systems or business functions. It matters because compromise in one place can expose other credentials, permissions, or data sets, expanding the attack surface beyond the original system of entry.
• Credential Lifecycle: Credential lifecycle is the full path from creation to retirement for an identity secret or token. For NHIs, the important question is whether the credential is still needed, who owns it, how it is rotated, and whether offboarding actually removes its ability to access anything.

Deepen your knowledge

Machine identity visibility, lifecycle control, and domain-based governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an NHI programme from a similar starting point, it is worth exploring.

This post draws on content published by Clutch Security: Why 82% of Your Attack Surface Is Invisible to Your Security Team. Read the original.