NHI Forum
Read full article from Clutch Security here: https://www.clutch.security/blog/why-82-of-your-attack-surface-is-invisible-to-your-security-team/?source=nhimg
Most organizations now manage 82 machine identities for every human user, yet security strategies remain overwhelmingly focused on human accounts. This misalignment leaves a massive, largely unmonitored Non-Human Identity (NHI) attack surface that adversaries increasingly exploit.
The root problem isn’t weak security teams or outdated tooling — it’s that modern business operations are creating new identity risks faster than security frameworks can adapt. Business units such as Sales, DevOps, and Legal routinely deploy integrations, automations, and third-party services that generate OAuth tokens, API keys, and service accounts with broad, persistent privileges — often without security oversight.
What’s Driving the Problem
This risk misalignment isn’t the result of carelessness or lack of skill. It’s baked into how business functions operate today:
- Sales connects new SaaS integrations, creating OAuth tokens with broad access.
- DevOps accelerates deployments but spins up service accounts with cross-environment privileges.
- Legal adopts new vendors, each requiring persistent API keys.
These actions are business-critical, but the security frameworks in place haven’t evolved to match the speed, distribution, and complexity of NHI creation.
The Evidence Is Clear
Recent breaches underline the trend:
In each case, the exploited identity wasn’t a person—it was a machine identity with excessive and poorly monitored access.
Risk Distribution Across Domains
The research shows a clear mismatch between where risk lives and where security teams spend their time:
- AI Domain – Critical Risk: Rapid AI adoption with no mature governance; LLMs and agents often granted broad data and system access without oversight.
- Development Domain – High Risk: Widespread use of hardcoded secrets, poor credential hygiene, and Git history retaining exposed credentials indefinitely.
- Supply Chain – Moderate-High Risk: Third-party integrations create trust pathways beyond direct control.
- User & Production Domains – Moderate Risk: Generally better tooling, but still reliant on long-lived keys in some workflows.
- Corporate IT – Low Risk: Well-governed, mature, but still the largest recipient of security resources.
The consequence: Up to 60% of NHI security resources are allocated to Corporate IT, which only represents about 15% of the total domain-level risk.
Why This Matters for Business Leaders
When high-risk domains are compromised, attackers don’t stop there—they use that foothold to move laterally into production systems, user accounts, and corporate infrastructure. This chain reaction can result in enterprise-wide breaches, even if your most “visible” systems are well protected.
Financial and operational impacts are significant:
- Average secret remediation cost: $2,880 per incident.
- Developer productivity loss: ~25% due to security incidents and remediation.
- AI agents potentially leaking sensitive data learned from training or prompts.
The Action Plan
To address this, organizations must align security strategy with business reality, shifting focus from securing infrastructure in isolation to securing the intent and workflows that create NHIs.
Immediate Actions (0–90 Days)
- Inventory AI systems, agents, and their data access patterns.
- Scan repositories for hardcoded secrets; rotate and revoke as needed.
- Enable cross-domain monitoring for high-risk NHIs.
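The repository-scanning step above, together with the earlier point that Git history retains exposed credentials indefinitely, is illustrated by the following added example. It is not code from the Clutch Security article; the detection rules, the entropy threshold and the in-memory model of git history (an ordered list of ref/snapshot pairs, standing in for `git show` output) are assumptions made for the example, and the credential values are constructed, non-functional samples.

```python
"""Scan a repository snapshot and its history for hardcoded secrets.

Added example, not code from the Clutch Security article. Git history is
modelled as an in-memory list of (ref, {path: content}) snapshots so the
script runs offline; in practice each snapshot would come from `git show`.
"""
import math
import re
from dataclasses import dataclass

# Detection rules: name -> compiled pattern. Group 1 (when present) is the
# candidate secret value that the entropy check is applied to.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits/char (assumed); below this a value is likely a placeholder


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low."""
    if not value:
        return 0.0
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    ref: str
    preview: str  # redacted: the full secret must never be echoed into logs or tickets


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str, ref: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Only the loose generic rule needs the entropy filter.
                if name == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append(Finding(name, path, lineno, ref, redact(value)))
    return findings


def scan_history(history: list[tuple[str, dict[str, str]]]) -> dict:
    """Scan every snapshot (oldest -> newest, last entry is HEAD).

    Secrets that are gone from HEAD but present in an older snapshot are
    still exposed and still need rotation, which is the point of this report.
    """
    all_findings = []
    for ref, files in history:
        for path, content in files.items():
            all_findings.extend(scan_text(path, content, ref))
    head_ref = history[-1][0]
    at_head = {(f.rule, f.path, f.preview) for f in all_findings if f.ref == head_ref}
    history_only = sorted({(f.rule, f.path, f.preview) for f in all_findings} - at_head)
    return {"findings": all_findings, "at_head": sorted(at_head), "history_only": history_only}


# Constructed sample history: commit c1 hardcodes credentials, the HEAD commit
# moves them to environment variables. The values are fake and non-functional.
SAMPLE_HISTORY = [
    ("c1-add-config", {
        "config.py": (
            "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
            "api_key = 'sk_test_4eC39HqLyjWDarjtT1zdp7dc'\n"
            "password = 'changeme'\n"
        ),
    }),
    ("c2-head-move-to-env", {
        "config.py": (
            "import os\n"
            "AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"
            "api_key = os.environ['API_KEY']\n"
        ),
    }),
]

if __name__ == "__main__":
    report = scan_history(SAMPLE_HISTORY)
    for rule, path, preview in report["history_only"]:
        print(f"ROTATE: {rule} in {path} ({preview}) removed at HEAD but still in git history")
```

Running it reports both credentials from commit c1 as "removed at HEAD but still in git history": deleting a secret from the working tree does not revoke it, so each history-only finding should go to rotation, not just cleanup. The low-entropy `changeme` placeholder is deliberately ignored to keep the generic rule's false-positive rate down.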
Short-Term (3–12 Months)
- Implement governance frameworks for AI adoption.
- Embed security directly into developer workflows without blocking delivery.
- Manage vendor credentials with clear lifecycle controls.
Long-Term (12+ Months)
- Establish Zero Trust principles for all NHIs.
- Automate threat detection and response for machine identity misuse.
- Integrate security into business processes, not just technical infrastructure.
Bottom Line
Non-human identities are now the largest and least visible part of the enterprise attack surface. Securing them requires moving away from infrastructure-only thinking and adopting a domain-aligned strategy that prioritizes the highest-risk areas. Organizations that make this pivot will reduce breach potential, improve operational efficiency, and be better equipped for the evolving threat landscape.