Your Next 100 Identities Won't Be Human

Marco Serenelli - AI Engineer
Mar 23, 2026

Let's talk about a number that should worry every IAM team: 100:1.

That's the current ratio of machine identities to human identities in most enterprises, according to ManageEngine's 2026 Identity Security Outlook.

Some sectors are already hitting 500:1. And the fastest-growing contributor to that ratio? AI agents.
Not chatbots. Autonomous systems that execute commands, query databases, modify configurations, and trigger workflows across your environment without a human pressing a button.

If you work in IAM, your entire governance lifecycle is built around a simple assumption: identities belong to people. People have managers, respond to access review campaigns, and eventually leave. AI agents break every part of that assumption.

How AI agents create identities

When a team deploys an AI agent, it needs credentials. An API key for the CRM, a token for the ticketing system, OAuth access to the email platform, a service account for the database. A single agent might require 15 to 20 distinct credentials across integrated systems.

None of these go through your IAM onboarding process. A developer creates them during a sprint, scopes them broadly, and ships them to production. CyberArk found 82 machine identities for every human across organizations, with 42% holding privileged or sensitive access. And 68% of organizations lack identity security controls specifically for AI.

Why agents aren't just another service account

A traditional service account is static. Same API, same parameters, every time. Predictable and auditable.
An AI agent reasons about what to do based on context, dynamically decides which tools to call, and chains actions across systems.

That context can be manipulated. A maliciously crafted support ticket could trick an agent into querying data outside its intended scope.

The agent doesn't malfunction. It follows its instructions perfectly; it just received them from the wrong source.
When that agent runs on a shared credential with broad access and no monitoring, the blast radius scales with the permissions it holds.

The identity gap

The tools to fix this already exist. Short-lived tokens, workload identity federation, scoped permissions, automated lifecycle management. None of this is new. We apply these principles to cloud infrastructure and CI/CD pipelines every day.

We just haven't extended them to AI agents, and that's the problem. OWASP ranks improper offboarding as the #1 non-human identity risk. Only 12% of organizations have automated lifecycle management for their machine identities. Meanwhile agents keep shipping, credentials keep accumulating, and nobody goes back to clean up.
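As an added illustration (not code from the author or from any of the cited reports), here is one way an IAM team could run a first hygiene pass over an inventory of agent credentials, flagging the conditions described above: no owner, broad scope, long or unlimited lifetime, sharing between agents, and disuse that suggests missed offboarding. The inventory schema, the credential and agent names, and the 24-hour and 30-day thresholds are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 23, tzinfo=timezone.utc)  # fixed "today" so results are reproducible
MAX_LIFETIME = timedelta(hours=24)  # assumed policy: agent tokens live at most a day
STALE_AFTER = timedelta(days=30)    # assumed policy: unused this long => offboarding candidate

def d(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed inventory: one row per credential an agent holds (hypothetical schema).
INVENTORY = [
    {"id": "crm-api-key", "agents": ["support-agent"], "owner": None, "scopes": ["crm:*"],
     "issued": d("2025-09-01"), "expires": None, "last_used": d("2026-03-22")},
    {"id": "ticket-token", "agents": ["support-agent", "triage-agent"], "owner": "team-support",
     "scopes": ["tickets:read", "tickets:write"],
     "issued": d("2026-03-23"), "expires": d("2026-03-23T12:00:00"), "last_used": d("2026-03-23")},
    {"id": "db-svc-account", "agents": ["report-agent"], "owner": "team-data", "scopes": ["db:read"],
     "issued": d("2025-06-01"), "expires": d("2027-06-01"), "last_used": d("2025-12-01")},
    {"id": "mail-oauth", "agents": ["support-agent"], "owner": "team-support", "scopes": ["mail:send"],
     "issued": d("2026-03-23"), "expires": d("2026-03-23T01:00:00"), "last_used": d("2026-03-23")},
]

def audit(cred, now=NOW):
    """Return the list of governance findings for one credential record."""
    findings = []
    if not cred["owner"]:
        findings.append("no-owner")          # nobody to answer an access review
    if any(s == "*" or s.endswith(":*") for s in cred["scopes"]):
        findings.append("wildcard-scope")    # broadly scoped at creation
    if cred["expires"] is None:
        findings.append("never-expires")
    elif cred["expires"] - cred["issued"] > MAX_LIFETIME:
        findings.append("long-lived")        # not a short-lived token
    if len(cred["agents"]) > 1:
        findings.append("shared")            # one secret, several agents
    if cred["last_used"] is None or now - cred["last_used"] > STALE_AFTER:
        findings.append("stale")             # likely missed offboarding
    return findings

def report(inventory=INVENTORY):
    """Map credential id -> findings, omitting credentials with none."""
    return {c["id"]: f for c in inventory if (f := audit(c))}

if __name__ == "__main__":
    for cid, findings in report().items():
        print(f"{cid}: {', '.join(findings)}")
```

In practice the inventory would be exported from the secrets manager or identity provider rather than hard-coded, and the findings would feed an access review or revocation queue.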

The gap between how fast these identities are being created and how well they're being governed is the defining IAM challenge of 2026.

Your next 100 identities won't be human. Your IAM program needs to be ready.

Sources: ManageEngine, "Identity Security Outlook 2026"; CyberArk, "2025 Identity Security Landscape"; OWASP Non-Human Identities Top 10