
Machine identity sprawl and ISPM: what IAM teams need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Machine identities now outnumber humans by more than 80 to 1, and CyberArk says 68% of organisations still lack proper identity security controls for AI, showing how fast NHI sprawl is outpacing governance. The real issue is that discovery, rotation, and access control still break down when agents, tokens, and secrets expand faster than review cycles.

NHIMG editorial — based on content published by Oasis Security: Taming the Machine Mayhem: 5 Steps to Kickstart Your ISPM Program

By the numbers:

Questions worth separating out

Q: How should security teams implement ISPM for machine identities?

A: Start with discovery, then classify machine identities by privilege, age, ownership, and reuse.

Q: Why do machine identities create more governance risk than human accounts in cloud environments?

A: Machine identities are created faster, used more frequently, and reviewed less consistently than human accounts.

Q: What breaks when secrets are not rotated in machine identity programmes?

A: Unrotated secrets create long-lived access paths that survive application changes, ownership changes, and even some detection efforts.

Practitioner guidance

  • Discover every machine identity across all environments: start with a unified inventory for service accounts, API keys, tokens, secrets, and certificates across cloud, on-prem, CI/CD, and developer-managed AI workspaces.
  • Prioritise high-risk identities for immediate cleanup: target overprivileged, shared, stale, and unrotated credentials first, because those are the identities most likely to create persistent access and broad blast radius.
  • Automate rotation and expiry for standing secrets: use policy-driven rotation, expiry, and just-in-time issuance so access is temporary and task-scoped rather than persistent.

What's in the full article

Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step ISPM implementation sequence for discovery, risk assessment, remediation, automation, and monitoring.
  • Examples of policy rules for secret rotation, just-in-time access, and restricted service-account privileges.
  • Practical handling of shadow AI and local model usage in machine identity governance.
  • Oasis Security's own framing of how teams can operationalise machine identity control at programme level.

👉 Read Oasis Security's guide to kickstarting an ISPM program →

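One way to turn the discover, classify and prioritise steps from the guidance above into code, as an added example that is not part of the original post or of Oasis Security's material; the policy thresholds, privilege markers, risk weights and the inventory records are constructed assumptions, not values from the article:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class MachineIdentity:
    name: str
    kind: str              # service_account | api_key | token | certificate
    owner: Optional[str]   # None: nobody is on record as owning it
    last_rotated: date
    last_used: date
    scopes: tuple          # granted permissions, as the platform names them
    consumers: int         # distinct workloads presenting this credential
    source: str            # where discovery found it (cloud, CI/CD, AI workspace...)
# Hypothetical policy thresholds; tune to your own rotation and review cycles.
ROTATION_MAX_DAYS = {"service_account": 90, "api_key": 90, "token": 30, "certificate": 365}
STALE_AFTER_DAYS = 60
PRIVILEGED_MARKERS = ("admin", "owner", "*")
WEIGHTS = {"overprivileged": 5, "unrotated": 4, "orphaned": 3, "shared": 2, "stale": 1}

def findings(ident: MachineIdentity, today: date) -> list:
    # Classify one identity against policy; returns the issues found (possibly none).
    out = []
    if ident.owner is None:
        out.append("orphaned")
    if (today - ident.last_rotated).days > ROTATION_MAX_DAYS[ident.kind]:
        out.append("unrotated")
    if (today - ident.last_used).days > STALE_AFTER_DAYS:
        out.append("stale")
    if any(m in s.lower() for s in ident.scopes for m in PRIVILEGED_MARKERS):
        out.append("overprivileged")
    if ident.consumers > 1:
        out.append("shared")
    return out

def prioritise(inventory: list, today: date) -> list:
    # Rank flagged identities by weighted risk, highest first; clean ones are omitted.
    rows = [(sum(WEIGHTS[f] for f in flags), i.name, flags)
            for i in inventory if (flags := findings(i, today))]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample inventory (not real data), reviewed as of a fixed date.
TODAY = date(2026, 3, 1)
INVENTORY = [
    MachineIdentity("ci-deploy-key", "api_key", "platform-team", date(2024, 1, 10),
                    date(2026, 2, 27), ("s3:*", "iam:PassRole"), 3, "github-actions"),
    MachineIdentity("notebook-token", "token", None, date(2025, 11, 1),
                    date(2025, 11, 20), ("models:read",), 1, "developer-ai-workspace"),
    MachineIdentity("billing-svc", "service_account", "finance-eng", date(2026, 2, 1),
                    date(2026, 2, 28), ("billing:read",), 1, "gcp"),
]
```

The ranked output is the cleanup queue: the shared, unrotated wildcard CI key comes first, the orphaned token from the AI workspace second, and the healthy service account does not appear at all.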
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

ISPM is now the control plane for machine identity sprawl, not a niche hygiene programme. The article describes a world where NHIs, secrets, and AI access outgrow manual administration faster than teams can review them. That means the discipline is shifting from point fixes to lifecycle governance across service accounts, keys, and certificates. Practitioners should treat ISPM as a core identity operating model, not an auxiliary toolset.

A few things that frame the scale:

  • 68% of organizations lack proper identity security controls for AI, according to OWASP NHI Top 10.
  • Claude Code-assisted commits leaked secrets at a rate of 3.2%, more than double the human-only baseline of 1.5%, according to The State of Secrets Sprawl 2026.

A question worth separating out:

Q: What should teams do when shadow AI starts using credentials outside normal control paths?

A: Bring shadow AI into the same identity governance process as other NHIs. Map which credentials the models use, who owns them, and whether they can be rotated, expired, or restricted. If AI usage sits outside the lifecycle record, the programme has a blind spot that policy alone will not close.

👉 Read our full editorial: ISPM for machine identity sprawl in the age of agentic AI



   
ReplyQuote
Share: