NHI visibility gap in AI adoption: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1623
Topic starter  

TL;DR: Delinea reports that 87% of organisations say their identity security posture is prepared for AI, yet 46% admit their AI identity governance is deficient and 53% regularly encounter unauthorized AI tools or agents accessing company systems. The gap is not visibility alone, but the mismatch between autonomous NHI behaviour and legacy IAM controls that still assume human-paced access review.

NHIMG editorial — based on content published by Delinea: The hidden risk of non-human identities in AI adoption

By the numbers:

Questions worth separating out

Q: How should security teams implement least privilege for AI agents and NHIs?

A: Start by treating AI agents as a separate identity class with explicit ownership, purpose, and lifecycle records.

Q: Why do NHIs complicate zero trust architecture in practice?

A: NHIs complicate zero trust architecture because they authenticate and act at machine speed, often without the human checkpoints that zero trust programs assume.

Q: What breaks when organisations cannot see their non-human identities?

A: When NHIs are invisible, least privilege, credential rotation, and access review all become incomplete.

Practitioner guidance

  • Implement continuous discovery for machine identities: Inventory service accounts, API keys, tokens, certificates, AI agents, and shadow AI tools across cloud and hybrid environments.
  • Reduce standing privilege for autonomous identities: Classify every persistent entitlement held by NHIs and AI agents, then replace it with just-in-time access where operationally possible.
  • Enforce access certification for NHIs: Run regular access reviews on machine identities with the same rigor used for human access.

With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, the control model is already out of balance?

👉 Read Delinea's analysis of hidden NHI risk in AI adoption →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 138
 

The real problem is not AI adoption itself, but the identity model underneath it. Enterprises are trying to govern autonomous systems with controls designed for human logins and periodic certification. That mismatch produces a visibility gap, a privilege gap, and an ownership gap at the same time. NHI governance has to be treated as a control-plane problem, not an inventory exercise.

A few things that frame the scale:

  • Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, and organisations failing to scope AI access properly are 4.5x more likely to experience a security incident, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.

A question worth separating out:

Q: How do security teams respond when AI identity governance is already deficient?

A: First, contain the highest-risk identities by reviewing standing access, removing unnecessary privileges, and forcing ownership assignment for every NHI. Then establish discovery and certification workflows so the same problem does not reappear. If AI is already in production, the right response is staged reduction of exposure, not a blanket freeze on adoption.

👉 Read our full editorial: AI identity risk is exposing the NHI visibility gap in enterprise IAM



   