TL;DR: Survey data from 725 IT and cybersecurity leaders shows zero-incident organisations fell from 17% in 2024 to 10% today, while 90% of firms reported at least one incident and 52% of incidents now cost $500,000 or more, according to Gurucul's 2026 Insider Risk Report. The real issue is structural: identity, detection, and response controls were built for human-paced environments, but machine-speed insiders compress the window to govern privilege and contain damage.
NHIMG editorial — based on content published by Gurucul: The machine is now the insider, and IAM models are lagging
By the numbers:
- The "clean" list is shrinking: organizations reporting zero incidents dropped from 17% in 2024 to just 10% today.
Questions worth separating out
Q: How should security teams govern non-human insiders that inherit user privileges?
A: Treat them as identity subjects with explicit scope, expiry, and containment rules.
Q: Why do non-human insiders make insider-risk programmes harder to manage?
A: They compress the time between access and impact.
Q: What breaks when insider-risk tooling is fragmented across multiple platforms?
A: Analysts lose the ability to connect identity, behaviour, and data movement quickly enough to contain the event.
Practitioner guidance
- Inventory non-human insiders by delegated scope Map every AI assistant, service account, token, and automation path to the data, tools, and actions it can reach.
- Unify identity and insider-risk telemetry Correlate IAM, PAM, SIEM, DLP, and behavioural signals around one identity record so analysts can answer who acted and what access enabled it.
- Bind alerts to containment actions Ensure suspicious activity can trigger revocation, session interruption, token invalidation, or delegation shutdown without waiting for manual escalation.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- The full survey breakdown across 725 IT and cybersecurity leaders, including how respondents split on AI risk and vulnerability
- The report's cost and triage data, including where remediation expense rises and where containment still fails
- The article's breakdown of the 'fragmentation tax' and the specific operational pain points tied to tool sprawl
- The closing view on AI-assisted defence, including how the vendor frames virtual AI analysts in insider-risk operations
👉 Read Gurucul's 2026 Insider Risk Report on the machine as insider →
Non-human insiders: what the insider risk report means for IAM?
Explore further
Non-human insiders turn insider risk into an identity problem, not just a people problem. The report is right to move beyond malicious employee narratives, because the real exposure now includes delegated machine actions, automated workflows, and AI systems acting with inherited privilege. That changes the governance target from intent to access scope, lifecycle, and containment speed. The implication is that insider-risk programmes now need the same discipline used for NHI governance and privileged access control.
A few things that frame the scale:
- Organizations that experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirming a breach and 26% suspecting one.
A question worth separating out:
Q: Who is accountable when an AI-enabled workflow causes a security incident?
A: Accountability sits with the teams that granted, scoped, and monitored the delegated access, not with the automation itself. The right question is whether the organisation can show who approved the authority, how it was limited, and how it will be removed when the task ends.
👉 Read our full editorial: The machine is now the insider, and IAM models are lagging