TL;DR: Orchid Security’s Identity Gap: 2026 Snapshot says invisible identity now exceeds visible identity in enterprise environments by 57% to 43%, while 67% of non-human accounts are created directly inside applications and remain unseen by IAM programs. The finding underscores a structural governance gap that becomes more acute as AI agents inherit access and act at machine speed.
NHIMG editorial — based on content published by Orchid Security: Identity Gap: 2026 Snapshot and the rise of identity dark matter
By the numbers:
- Invisible identity now outweighs visible identity across enterprise environments, 57% to 43%.
- 67% of non-human accounts are created directly within the application, unseen and unmanaged by IAM programs.
- 70% of enterprise applications contain an excessive number of privileged accounts, increasing the impact of misuse or compromise.
Questions worth separating out
Q: How should security teams govern non-human accounts that are created inside applications?
A: They should inventory them separately from human identities, assign a business owner, define the access purpose, and bind each account to a retirement process.
Q: Why do application-local accounts create more NHI risk than centrally managed identities?
A: Application-local accounts create more risk because they bypass the visibility, review, and policy controls that central identity systems provide.
Q: What breaks when hardcoded credentials are left in code or configuration files?
A: Hardcoded credentials break the assumption that access can be rotated, revoked, and audited on demand. The secret is tied to the artifact it lives in, so rotating it means a redeploy, and every copy of that artifact, version-control history included, keeps a working credential until the secret itself is rotated.
Practitioner guidance
- Inventory application-local identities first. Build a separate inventory for local accounts, service principals, and bot identities created inside applications, and reconcile it against what the central identity provider already knows.
- Eliminate clear-text and embedded credentials. Scan code repositories, configuration files, and application secrets stores for hardcoded credentials. Treat anything that has ever been committed to version control as exposed and rotate it; deleting it from the current revision does not remove it from history.
- Reduce standing privilege in application accounts. Review non-human accounts that retain broad access after setup or integration, and scope each one down to what its stated purpose requires.
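As an added example (not Orchid Security's or NHIMG's tooling), the credential scan from the second step above as a small Python script. It walks a constructed in-memory repository, matches common credential shapes (AWS access key IDs, PEM private key headers, password/secret/token assignments in code or .env style), skips values that are runtime references or obvious placeholders, and reports each hit with a redacted preview and a character-entropy score for triage. The file contents, rule list and placeholder list are constructed for illustration; the AWS values are the EXAMPLE pair from Amazon's own documentation, not live keys.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed in-memory "repository" (path -> contents). Values are illustrative:
# the AWS pair is the EXAMPLE pair from Amazon's documentation, not a live key.
SAMPLE_REPO: Dict[str, str] = {
    "app/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "Sup3rS3cret!"\n'
        "DEBUG = False\n"
    ),
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "ops/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructed\n",
    # The right pattern (read from the environment) and an obvious placeholder:
    # neither should be reported.
    "app/config.py": (
        'API_TOKEN = os.environ["API_TOKEN"]\n'
        'PLACEHOLDER_TOKEN = "changeme"\n'
    ),
}

# Most specific rules first; one finding per line is kept.
RULES = [
    ("aws_access_key_id", re.compile(r"(?P<v>\bAKIA[0-9A-Z]{16}\b)")),
    ("private_key", re.compile(r"(?P<v>-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    # name=value / name: "value" where the name looks credential-like; the value
    # is either quoted, or unquoted and runs to end of line (.env style).
    ("credential_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key|access_key)\w*\s*[=:]\s*"
        r"(?:[\"'](?P<v>[^\"']{8,})[\"']|(?P<v2>[^\s\"'#]{8,})\s*$)")),
]

# Assumed list of dummy values that should not be reported.
PLACEHOLDERS = {"changeme", "password", "secret", "example", "xxxxxxxx", "redacted"}


def is_placeholder(value: str) -> bool:
    """True for dummy values and for references that are resolved at runtime."""
    low = value.lower()
    return low in PLACEHOLDERS or low.startswith(("${", "{{", "<", "os.environ"))


def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


@dataclass
class Finding:
    path: str
    lineno: int
    rule: str
    preview: str      # first four characters only; never log the full secret
    entropy: float


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Return one Finding per line that carries an apparent hardcoded credential."""
    findings: List[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES:
                m = pattern.search(line)
                if not m:
                    continue
                value = m.group("v") or m.groupdict().get("v2") or ""
                if not is_placeholder(value):
                    findings.append(Finding(path, lineno, rule, value[:4] + "***",
                                            round(shannon_entropy(value), 2)))
                break  # line handled by its most specific matching rule
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.lineno} {f.rule} {f.preview} entropy={f.entropy}")
```

Pattern matching alone over-reports; the placeholder and reference checks are what keep the result reviewable, and the entropy column lets a reviewer look at random-looking values (real tokens) before dictionary-looking ones. Any hit that turns out to be real should be rotated, not just deleted from the working tree.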
With NHIs outnumbering human identities by 25x to 50x, the scale problem is already established; the operational question is whether governance can reach below the directory.
👉 Read Orchid Security’s analysis of identity dark matter and AI agent readiness →
Explore further
Identity dark matter is now a governance problem, not a visibility side issue. When most access activity sits outside formal IAM systems, the control plane no longer matches the environment it is supposed to govern. That breaks assumptions behind reviews, certifications, and least-privilege enforcement. Practitioners should stop treating hidden identity as an exception and start treating it as the default attack surface.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why hidden identity persists across modern environments.
A question worth separating out:
Q: How do teams know whether identity dark matter is actually shrinking?
A: They should look for fewer application-local accounts without owners, fewer credentials found in code, and fewer access paths that bypass centralized identity providers. A real reduction shows up as cleaner inventory, faster offboarding, and less reliance on unmanaged authentication. If those indicators do not improve, the hidden identity layer is still growing.
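Added example, not Orchid Security's or NHIMG's code: the inventory and privilege review from the practitioner guidance above, together with the shrinkage indicators in the answer just given, as one Python reconciliation script. It takes a constructed export of application-local accounts (the field names owner, purpose, roles and last_used are assumptions about what an application can provide), checks each against a constructed list of identities the central IdP actually issued, flags accounts that are unmanaged, unowned, over-privileged or stale, computes the unmanaged share, and compares two snapshots so the "is it shrinking" question gets a number rather than an impression.

```python
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed: roles broad enough to count as standing privilege needing justification.
ADMIN_ROLES = {"admin", "owner", "superuser", "db_owner"}
STALE_AFTER = timedelta(days=90)
TODAY = date(2026, 3, 1)  # fixed clock so the example is deterministic


@dataclass(frozen=True)
class Account:
    """One non-human account as exported from the application that created it."""
    app: str
    name: str
    owner: Optional[str]      # business owner; None means nobody is accountable
    purpose: Optional[str]    # stated reason the account exists
    roles: Tuple[str, ...]
    last_used: Optional[date]
    created: date


# Constructed: identities the central IdP knows about (service principals it issued).
IDP_MANAGED: Set[str] = {"svc-crm-sync", "ci-deploy-bot"}

# Constructed export of application-local accounts from three applications.
ACCOUNTS: List[Account] = [
    Account("crm", "svc-crm-sync", "sales-it", "nightly sync to warehouse",
            ("read",), date(2026, 2, 28), date(2024, 5, 1)),
    Account("crm", "integration_admin", None, None,
            ("admin",), date(2026, 2, 20), date(2023, 1, 15)),
    Account("erp", "erp_batch", "finance-ops", "month-end batch",
            ("db_owner",), date(2026, 2, 27), date(2022, 9, 9)),
    Account("ci", "ci-deploy-bot", "platform", "deploy to prod",
            ("deploy",), date(2026, 2, 28), date(2025, 1, 1)),
    Account("ci", "old-migration-bot", None, "one-off migration",
            ("admin",), date(2025, 6, 1), date(2025, 5, 20)),
]


@dataclass
class Report:
    total: int
    unmanaged: List[str] = field(default_factory=list)       # not issued by the IdP
    unowned: List[str] = field(default_factory=list)         # no owner or no purpose
    overprivileged: List[str] = field(default_factory=list)  # holds an ADMIN_ROLES role
    stale: List[str] = field(default_factory=list)           # retirement candidates

    @property
    def dark_matter_share(self) -> float:
        """Fraction of application-local accounts the IdP does not know about."""
        return len(self.unmanaged) / self.total if self.total else 0.0


def review(accounts: List[Account], idp_managed: Set[str], today: date = TODAY) -> Report:
    """Classify each account; an account can appear in several lists."""
    r = Report(total=len(accounts))
    for a in accounts:
        key = f"{a.app}/{a.name}"
        if a.name not in idp_managed:
            r.unmanaged.append(key)
        if a.owner is None or a.purpose is None:
            r.unowned.append(key)
        if set(a.roles) & ADMIN_ROLES:
            r.overprivileged.append(key)
        if a.last_used is None or today - a.last_used > STALE_AFTER:
            r.stale.append(key)
    return r


def trend(before: Report, after: Report) -> Tuple[Dict[str, int], bool]:
    """Deltas on the indicators that show whether dark matter is shrinking."""
    deltas = {k: len(getattr(after, k)) - len(getattr(before, k))
              for k in ("unmanaged", "unowned", "stale")}
    shrinking = all(d <= 0 for d in deltas.values()) and any(d < 0 for d in deltas.values())
    return deltas, shrinking


# Constructed second snapshot after remediation: the migration bot was retired,
# integration_admin was given an owner and purpose and enrolled in the IdP.
AFTER: List[Account] = [a for a in ACCOUNTS if a.name != "old-migration-bot"]
AFTER[1] = replace(AFTER[1], owner="sales-it", purpose="CRM to ERP integration")
IDP_AFTER: Set[str] = IDP_MANAGED | {"integration_admin"}


if __name__ == "__main__":
    before, after = review(ACCOUNTS, IDP_MANAGED), review(AFTER, IDP_AFTER)
    print(f"unmanaged share: {before.dark_matter_share:.0%} -> {after.dark_matter_share:.0%}")
    print("deltas, shrinking:", *trend(before, after))
```

The check that matters is the membership test against what the IdP issued, not what the application's own user table says: an account the directory has never heard of cannot be certified, revoked on offboarding, or covered by a conditional-access policy, however well it is named. The same report run on a schedule gives the trend the answer above asks for.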
👉 Read our full editorial: Identity dark matter is widening the NHI governance gap