TL;DR: Machine identities now often outnumber human users 10 to 1, 72% of companies intentionally retain dormant machine identities, and 60% have seen audit issues from poor machine identity management, according to SailPoint’s Horizons of Identity Security Report 2024-25. Identity maturity is becoming a resilience control, not just an IAM metric.
NHIMG editorial — based on content published by SailPoint: Identity at the helm: Why cyber resilience starts with modern identity security
By the numbers:
- Machine identities now often outnumber human users 10 to 1.
- 72% of companies surveyed admit to intentionally retaining dormant machine identities.
- 60% of companies have experienced audit issues stemming from poor machine identity management.
Questions worth separating out
Q: How should security teams govern machine identities at enterprise scale?
A: Security teams should treat machine identities as a governed population, not a side effect of application delivery.
Q: Why do dormant machine identities create so much security risk?
A: Dormant machine identities are risky because they remain valid even after the business need has passed.
Q: How do organisations know whether identity maturity is actually improving?
A: Identity maturity is improving when teams can show fewer unowned accounts, faster entitlement cleanup, better visibility into third-party and machine access, and fewer audit findings tied to access control.
Practitioner guidance
- Inventory every machine identity and owner Create a single inventory for service accounts, API keys, certificates, and third-party access paths, and assign a named business owner to each one.
- Remove dormant non-human identities on a schedule Define and enforce offboarding and revocation routines for dormant machine identities so unused credentials do not remain available indefinitely.
- Reduce privilege before audit season exposes it Review machine and third-party entitlements for excess access, then shrink permissions to the minimum set required for current business use.
What's in the full article
SailPoint's full article covers the operational detail this post intentionally leaves for the source:
- The report's maturity model breakdown across Horizon 1 and Horizon 2 organisations, including how manual processes affect risk handling.
- The specific survey findings on audit issues, insurance premium pressure, and incident reduction tied to identity maturity.
- The practical examples of how higher-maturity organisations use identity intelligence to speed detection and response.
- The infographic and report framing behind SailPoint's identity resilience claims.
👉 Read SailPoint's analysis of identity maturity and cyber resilience →
Machine identity sprawl and cyber resilience: what teams need to know?
Explore further
Identity maturity is now a resilience control, not an IAM reporting metric. The article is right to connect cyber resilience to identity maturity because the blast radius of modern attacks is increasingly determined by entitlement quality, lifecycle control, and visibility. That is the operating layer where NHI, human identity, and third-party access converge. The practitioner conclusion is that resilience programmes must be measured by identity governance outcomes, not process completion.
A few things that frame the scale:
- 68% of organisations do not know how to fully address NHI risks, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, which helps explain why dormant access remains one of the most persistent governance gaps.
A question worth separating out:
Q: Who should be accountable for overprovisioned machine access?
A: Accountability should sit with the business owner who depends on the access, not just the platform team that created it. Access that supports applications, integrations, or vendors must have an explicit owner, a review cadence, and a removal trigger. Without that, overprovisioning becomes permanent by default.
👉 Read our full editorial: Identity maturity and machine identity risk are driving cyber resilience