TL;DR: Identity-related breaches are now a board-level identity security problem, according to CyberArk, citing 87% of organisations that have experienced at least two successful breaches and framing privileged controls, lifecycle governance and continuous discovery as the core response. The real issue is not adding more access tooling, but treating every identity type as part of one governance model.
NHIMG editorial — based on content published by CyberArk: securing every identity with the right level of privilege controls
By the numbers:
- 87% of organizations have experienced at least two successful identity-related breaches.
- Only 5.7% of organizations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorized access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern machine and AI identities alongside human users?
A: Treat them as one identity programme with different lifecycle rules, not as separate security domains.
Q: Why do excessive privileges create such a large identity security risk?
A: Because any identity with more access than it needs has a larger blast radius when credentials are stolen or sessions are abused.
Q: What do organisations get wrong about identity lifecycle management?
A: They often manage joiner, mover and leaver processes well for employees but leave non-human identities outside the same discipline.
Practitioner guidance
- Unify identity inventory across all actor types Map workforce accounts, service accounts, tokens, certificates and AI identities into one authoritative register, then assign an owner and business purpose to each identity.
- Separate standing privilege from task-based access Review privileged entitlements for persistent access that can be replaced with just-in-time elevation, session scoping or narrower role boundaries.
- Make lifecycle ownership explicit for non-human identities Require creation, rotation, recertification and offboarding steps for service accounts, API keys and certificates, with a named human owner for each.
What's in the full article
CyberArk's full article covers the operational detail this post intentionally leaves for the source:
- Customer-facing platform capabilities for discovery, privilege enforcement and governance across identity types.
- The vendor's own implementation framing for lifecycle management, policy automation and compliance workflows.
- Analyst report references and customer stories that show how the message is positioned in market terms.
- Platform-oriented detail on how CyberArk describes continuous threat detection and adaptive defenses.
👉 Read CyberArk's article on securing every identity with privilege controls →
Human, machine and AI identities: what IAM teams need to know?
Explore further
Identity security is no longer a perimeter control, it is the operating model for every access path. CyberArk is right to frame the problem around workforce, machine and AI identities because modern environments do not respect those historical silos. The practical consequence is that identity governance, PAM and NHI controls have to be designed as one control plane, not separate programmes that only meet during an audit.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorized access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: When should teams prioritise privilege controls over broader IAM projects?
A: When privileged identities can touch production systems, secrets stores or sensitive data paths, privilege controls should be the first priority. Those identities create the fastest route from access to impact. Broader IAM modernisation still matters, but it will not compensate for unchecked standing privilege in high-risk accounts.
👉 Read our full editorial: Identity security now spans human, machine and AI identities