
Idira and the AI enterprise identity gap: what changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Identity has become the main attack vector in the AI enterprise, with Palo Alto Networks citing 9 out of 10 organisations experiencing an identity-related breach, 109-to-1 machine and AI identity sprawl, and 61% of privileged access requests still fulfilled with standing privilege. The governance shift is from managing access to controlling every identity at runtime.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern machine and agentic identities alongside human users?

A: They should treat each actor type as a separate governance population while keeping one control model for discovery, privilege, and lifecycle.

Q: Why do standing privileges create so much risk in AI-enabled enterprises?

A: Standing privilege creates risk because it leaves elevated access available long after the original task is finished.

Q: What breaks when identity discovery is incomplete?

A: Governance breaks first, because you cannot certify, rotate, revoke, or offboard identities you cannot see.

Practitioner guidance

  • Inventory machine and agentic identities separately from human accounts: build an identity register that distinguishes human users, workloads, secrets, and agentic identities so entitlement reviews do not collapse distinct risk profiles into one list.
  • Remove standing privilege from high-risk workflows: target admin, production, and data-access paths where privileged access remains persistent and convert them to just-in-time grants with explicit expiry conditions.
  • Tie governance automation to identity lifecycle events: require every non-human identity to have an owner, purpose, and revocation trigger so access does not outlive the workload, service, or agent that uses it.

What's in the full announcement

Palo Alto Networks' full press release covers the operational detail this post intentionally leaves for the source:

  • How Idira is packaged across existing CyberArk customer tiers and license paths
  • The specific feature set for discovery, zero standing privilege, and AI-powered governance
  • The vendor's own description of how machine and agentic identity protections fit into the platform
  • Forward-looking availability notes for capabilities coming later in the year

👉 Read Palo Alto Networks' press release on Idira and AI enterprise identity security →

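As an added illustration of the three practitioner guidance points above (not code from the NHIMG post, Palo Alto Networks or CyberArk), the following Python review walks a small identity register and flags non-human identities that lack an owner, purpose or revocation trigger, privileged grants with no expiry (standing privilege), and grants that have expired but are still present. The identity names, scopes and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Grant:
    scope: str                      # resource or role, e.g. "prod-admin"
    privileged: bool
    expires_at: Optional[datetime]  # None means standing (never-expiring) access

@dataclass
class Identity:
    name: str
    actor_type: str                 # "human", "workload", "secret" or "agent"
    owner: Optional[str] = None
    purpose: Optional[str] = None
    revocation_trigger: Optional[str] = None  # lifecycle event that revokes it
    grants: list = field(default_factory=list)

def review(identities, now):
    """Return (identity name, finding) pairs for governance gaps."""
    findings = []
    for ident in identities:
        # Non-human identities must carry an owner, a purpose and a revocation trigger.
        if ident.actor_type != "human":
            for attr in ("owner", "purpose", "revocation_trigger"):
                if not getattr(ident, attr):
                    findings.append((ident.name, f"missing {attr}"))
        for g in ident.grants:
            if g.privileged and g.expires_at is None:
                findings.append((ident.name, f"standing privilege on {g.scope}"))
            elif g.expires_at is not None and g.expires_at <= now:
                findings.append((ident.name, f"expired grant still present on {g.scope}"))
    return findings

def population_counts(identities):
    """Count identities per actor type so reviews stay separated by population."""
    counts = {}
    for ident in identities:
        counts[ident.actor_type] = counts.get(ident.actor_type, 0) + 1
    return counts

# Constructed sample register (hypothetical names and dates).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
REGISTER = [
    Identity("alice", "human", owner="alice",
             grants=[Grant("prod-admin", True, datetime(2025, 6, 1, 2, tzinfo=timezone.utc))]),
    Identity("ci-deployer", "workload", owner="platform-team", purpose="deploy",
             revocation_trigger="pipeline deleted", grants=[Grant("prod-admin", True, None)]),
    Identity("support-agent", "agent", purpose="ticket triage",
             grants=[Grant("customer-db-read", False, datetime(2025, 5, 1, tzinfo=timezone.utc))]),
]
```

Running `review(REGISTER, NOW)` reports the workload's standing admin privilege and the agent's missing owner, missing revocation trigger and stale grant, while the human's time-boxed admin grant passes.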
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Identity governance is being forced to evolve from human-centric PAM into multi-actor privilege control. The article reflects a real market shift: identity is now a shared control plane for humans, workloads, and agentic systems. That means teams can no longer treat privileged access as a narrow admin problem. The practitioner conclusion is that governance scope now has to follow the actor type, not the old product category.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own non-human identity lifecycle governance in practice?

A: Ownership should sit across IAM, PAM, cloud, and application teams, with clear accountability for creation, change, and revocation. Non-human identities often span multiple systems, so no single team can govern them effectively from one tool. The practical test is whether every identity has an accountable owner and a revocation path before it is put into production.

👉 Read our full editorial: Palo Alto Networks Idira reframes identity security for AI enterprises


