
Machine identity blind spots: what IAM teams need to fix now


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 163
Topic starter  

TL;DR: 69% of companies now manage more machine identities than human ones, 72% say machine identities are harder to manage, and only 38% have a real-time list of active machine identities, according to a SailPoint-sponsored Dimensional Research survey. The gap is no longer visibility alone; it is lifecycle control, auditability, and accountability.

NHIMG editorial — based on content published by SailPoint: The silent security threat: Why machine identities are your biggest blind spot

By the numbers:

Questions worth separating out

Q: How should security teams govern machine identities at scale?

A: Security teams should govern machine identities as a lifecycle problem, not a one-time provisioning task.

Q: Why do machine identities create more risk than human accounts in many environments?

A: Machine identities often have broader access, longer-lived credentials, and weaker oversight than human accounts.

Q: What do organisations get wrong about machine identity auditing?

A: They treat auditing as a periodic report instead of a live control.

Practitioner guidance

  • Build a live machine identity inventory: Create a system of record that ties every service account, bot, token, and certificate to an owner, workload, and business purpose.
  • Enforce lifecycle ownership at creation: Require named ownership and expiry logic whenever a machine identity is provisioned.
  • Recertify non-human access by workload need: Review permissions against the current application or service requirement, not the historical deployment pattern.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • Survey methodology and respondent breakdown for the machine identity findings
  • SailPoint's product framing for discovery, classification, certification, and lifecycle automation
  • The report's operational discussion of manual workflow pain points and audit challenges
  • Additional context on why organisations fear deleting machine identities and how that affects remediation

👉 Read SailPoint's analysis of machine identity blind spots and governance gaps →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7853
 

Machine identity sprawl is a lifecycle failure before it is a visibility problem. The article shows that organisations have more machine identities than human ones, yet still depend on manual workflows and incomplete inventories. That combination means the real failure is not simply that identities exist, but that their creation, ownership, and retirement are not governed as a continuous lifecycle. Practitioners should treat the growth of machine identities as evidence that governance has drifted behind operational reality.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How do teams reduce the blast radius of unmanaged service accounts?

A: Teams reduce blast radius by narrowing permissions, removing inactive identities, and preventing credentials from persisting after their business purpose ends. The goal is to make every service account easy to attribute, easy to review, and easy to revoke when its workload changes or disappears.

👉 Read our full editorial: Machine identity blind spots are widening faster than governance



   
ReplyQuote
Share:
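Added example, not code from SailPoint or from either poster: a minimal inventory-and-audit routine that turns the three practitioner guidance points from the opening post (owner, workload and purpose bound to every identity; ownership and expiry enforced at provisioning; permissions recertified against what the workload needs now) and the blast-radius answer in the reply (remove inactive identities, revoke credentials whose workload is gone) into checks that run over records. The record layout, the workload catalogue, the 90-day inactivity threshold and the sample identities are all constructed for illustration.

```python
"""Lifecycle checks for a machine identity inventory (illustrative, assumed data model)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the run is reproducible
INACTIVITY_LIMIT = timedelta(days=90)               # assumed policy: unused for 90 days -> candidate for removal


@dataclass
class MachineIdentity:
    name: str
    kind: str                    # "service_account", "api_key", "certificate", "bot"
    owner: Optional[str]         # named person or team accountable for the identity
    workload: Optional[str]      # key into WORKLOADS; unknown when the deployment no longer exists
    purpose: str
    created: datetime
    expires: Optional[datetime]  # None means the credential never expires
    last_used: Optional[datetime]
    permissions: frozenset = field(default_factory=frozenset)


# Constructed workload catalogue: what each running service actually needs today,
# i.e. the "current application or service requirement" a recertification compares against.
WORKLOADS = {
    "billing-api": frozenset({"db:read", "db:write"}),
    "report-job": frozenset({"db:read", "storage:read"}),
}


class ProvisioningError(ValueError):
    pass


def provision(identity: MachineIdentity) -> MachineIdentity:
    """Gate at creation: refuse identities with no named owner, no expiry or no workload binding."""
    if not identity.owner:
        raise ProvisioningError(f"{identity.name}: named owner is required")
    if identity.expires is None:
        raise ProvisioningError(f"{identity.name}: expiry is required")
    if identity.workload not in WORKLOADS:
        raise ProvisioningError(f"{identity.name}: must be bound to a known workload")
    return identity


def audit(inventory, now=NOW):
    """Live audit: (identity name, finding) pairs for each lifecycle failure found in the inventory."""
    findings = []
    for ident in inventory:
        if not ident.owner:
            findings.append((ident.name, "no_owner"))
        if ident.expires is None:
            findings.append((ident.name, "no_expiry"))
        elif ident.expires <= now:
            findings.append((ident.name, "expired_still_present"))
        if ident.workload not in WORKLOADS:
            findings.append((ident.name, "workload_gone_revoke"))
        else:
            excess = ident.permissions - WORKLOADS[ident.workload]   # recertify against current need
            if excess:
                findings.append((ident.name, "excess_permissions:" + ",".join(sorted(excess))))
        if ident.last_used is None or now - ident.last_used > INACTIVITY_LIMIT:
            findings.append((ident.name, "inactive"))
    return findings


REVOKE_ON = {"expired_still_present", "workload_gone_revoke", "inactive"}


def revocation_candidates(findings):
    """Identities whose credentials should no longer persist: the blast-radius reduction step."""
    return {name for name, finding in findings if finding in REVOKE_ON}


# Constructed sample inventory: one healthy identity, one orphaned key, one over-privileged expired bot.
SAMPLE_INVENTORY = [
    MachineIdentity("billing-svc", "service_account", "payments-team", "billing-api", "process invoices",
                    created=NOW - timedelta(days=400), expires=NOW + timedelta(days=30),
                    last_used=NOW - timedelta(days=1), permissions=frozenset({"db:read", "db:write"})),
    MachineIdentity("legacy-etl-key", "api_key", None, "etl-v1", "nightly export (decommissioned)",
                    created=NOW - timedelta(days=900), expires=None,
                    last_used=NOW - timedelta(days=200),
                    permissions=frozenset({"db:read", "db:write", "storage:write"})),
    MachineIdentity("report-bot", "bot", "analytics", "report-job", "weekly report",
                    created=NOW - timedelta(days=100), expires=NOW - timedelta(days=5),
                    last_used=NOW - timedelta(days=3),
                    permissions=frozenset({"db:read", "db:write", "storage:read"})),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
    print("revoke:", sorted(revocation_candidates(audit(SAMPLE_INVENTORY))))
```

The split between `provision` and `audit` is deliberate: the creation gate stops new ownerless or non-expiring identities from entering the inventory, while the audit is what catches the ones that were already there, or whose workload disappeared after provisioning. Running the audit on a schedule against the system of record (rather than exporting a periodic report) is the "live control" the opening post asks for.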