
Machine identity visibility gaps: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Machine identities are harder to manage than human identities for 72% of identity professionals, and 66% say the work requires more manual steps, according to SailPoint’s study. The editorial point is that visibility, ownership, and policy consistency now determine whether machine identity risk stays containable or becomes structural.

NHIMG editorial — based on content published by SailPoint: Build a stronger identity security program by mitigating machine identity risk

By the numbers:

Questions worth separating out

Q: How should security teams govern machine identities at enterprise scale?

A: Security teams should govern machine identities with the same discipline used for human access, but adapted for background execution.

Q: Why do machine identities create more governance risk than human accounts?

A: Machine identities create more governance risk because they are numerous, background-driven, and easy to overlook when no one logs in interactively.

Q: What breaks when machine accounts have no clear owner?

A: When machine accounts have no clear owner, access reviews lose accountability and offboarding becomes ambiguous.

Practitioner guidance

  • Build an authoritative machine-identity inventory: Discover service accounts, application accounts, and device identities across cloud, SaaS, and on-prem systems, then reconcile them against a single source of record.
  • Assign named owners to every machine account: Require a human owner for each account and make ownership a prerequisite for access review, exception approval, and lifecycle changes.
  • Reduce standing privilege on machine accounts: Review entitlement scope for every service identity and remove access that is broader than the current workload requires.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The survey framing and respondent breakdown behind the 72% and 66% findings.
  • The article's recommended operating model for assigning human oversight to machine accounts.
  • The identity-fabric argument in more implementation detail, including why unified workflows matter.
  • The practical discovery and classification approach SailPoint describes for machine identities.

👉 Read SailPoint's analysis of machine identity risk in identity security programs →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Machine identity sprawl is now an identity governance problem, not a niche operations issue. The article shows that machine identities are already harder to manage than human identities for most organisations, and that is a governance signal rather than a tooling complaint. When 62% of surveyed companies say they have machine identities active without visibility, the estate is no longer reviewable in a meaningful way. Practitioners should treat undiscovered machine accounts as an IGA failure mode, not just an inventory gap.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.

A question worth separating out:

Q: How can organisations tell whether machine identity controls are actually working?

A: Machine identity controls are working when teams can discover accounts quickly, map each one to an owner, explain its permissions, and revoke access without manual hunting. If discovery is incomplete, ownership is missing, or reviews depend on tribal knowledge, the control is not working at programme level.

👉 Read our full editorial: Machine identity risk is exposing gaps in enterprise IAM programs

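Added example, not code from the SailPoint article or either NHIMG post: a reconciliation pass that applies the three practitioner controls from the first post (inventory reconciled against a source of record, named owner per account, standing privilege trimmed to what the workload uses) and the "is it working" test from the reply. It assumes discovery output can be reduced to a list of accounts with their entitlements and an ownership record keyed by account name; every account name, system and entitlement below is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Discovered:
    name: str
    source: str                 # system the account was discovered in
    entitlements: frozenset[str]
    required: frozenset[str]    # what the current workload actually uses

@dataclass(frozen=True)
class Finding:
    identity: str
    issue: str
    detail: str

def reconcile(discovered: list[Discovered], record: dict[str, str | None]) -> list[Finding]:
    """Compare discovered accounts with the source of record (name -> owner or None)."""
    findings: list[Finding] = []
    for acct in discovered:
        if acct.name not in record:
            findings.append(Finding(acct.name, "undocumented",
                                    f"active in {acct.source} but absent from the source of record"))
        elif not record[acct.name]:
            findings.append(Finding(acct.name, "no_owner",
                                    "no named human owner; hold access review and exception approval"))
        excess = acct.entitlements - acct.required   # standing privilege beyond the workload
        if excess:
            findings.append(Finding(acct.name, "standing_privilege", "remove " + ", ".join(sorted(excess))))
    seen = {a.name for a in discovered}
    for name in record:
        if name not in seen:   # recorded but not found: confirm decommission, do not leave a ghost entry
            findings.append(Finding(name, "stale_record",
                                    "in the source of record but not found by discovery"))
    return findings

# Constructed sample data (hypothetical accounts, not from the article).
SAMPLE_DISCOVERED = [
    Discovered("svc-billing-api", "aws", frozenset({"db:read", "db:write", "iam:admin"}),
               frozenset({"db:read", "db:write"})),
    Discovered("svc-ci-runner", "github", frozenset({"repo:write"}), frozenset({"repo:write"})),
    Discovered("svc-report-gen", "saas-bi", frozenset({"bi:read"}), frozenset({"bi:read"})),
]
SAMPLE_RECORD = {"svc-billing-api": "alice@example.com", "svc-report-gen": None,
                 "svc-legacy-etl": "bob@example.com"}

if __name__ == "__main__":
    for f in reconcile(SAMPLE_DISCOVERED, SAMPLE_RECORD):
        print(f"{f.identity:16} {f.issue:18} {f.detail}")
```

Each finding maps to one control: "undocumented" and "stale_record" are inventory gaps, "no_owner" blocks the review workflow, and "standing_privilege" is the entitlement scope to cut.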