Non-Human Identities: The New Frontier of Identity Security

Summary
– Enterprises manage hundreds of millions of active permissions, creating vast blind spots as this “identity debt” grows faster than oversight.
– A significant portion of accounts are dormant or orphaned, with these inactive identities nearly doubling year-over-year and expanding the attack surface.
– Human workers hold tens of thousands of permissions on average, and access often outlives employment, leaving former employees with active credentials.
– Non-human identities vastly outnumber human users and a tiny fraction control most cloud resources, with their access often lacking owners or expiration.
– Problematic permissions are increasing, driven by ungoverned access and local accounts, while authentication gaps persist with many users lacking strong MFA.
Managing the sheer scale of modern access permissions has become a monumental challenge for organizations. Security teams are now tasked with overseeing hundreds of millions of active entitlements, a number that grows faster than human oversight can follow. This explosion creates significant blind spots, as new permissions are continuously added through cloud services and automated tools while old, unused access accumulates unnoticed. Experts describe this growing backlog as identity debt, a hidden risk that compounds quietly within everyday operations, making the goal of least privilege increasingly difficult to achieve.
A major component of this risk comes from inactive accounts that retain access. Recent analysis found that 38% of all identity provider users were dormant: accounts that showed no activity for at least 90 days but could still authenticate. Compounding the issue are orphaned accounts, active identities with no owner in HR systems, which often persist after incomplete employee offboarding. The volume of these lingering accounts is growing rapidly, with dormant accounts nearly doubling and orphaned identities increasing by 40% year over year, dramatically expanding the pool of credentials available for potential misuse.
For active human users, the scope of access is vast. The average employee holds tens of thousands of permissions across various applications and systems, a legacy of years of role changes and temporary access grants. Alarmingly, a significant percentage of former employees retain active credentials, with 38% of identities flagged as inactive in HR systems still holding live entitlements in core business applications. This demonstrates a critical gap where access permissions frequently outlast employment, leaving systems exposed when reviews are infrequent or incomplete.
The identity landscape is now dominated by non-human entities. Service accounts, API keys, and automation credentials outnumber human users by a staggering ratio of 17 to 1. These machine identities often lack defined owners or expiration dates, persisting indefinitely. A tiny fraction of these privileged accounts, about 0.01 percent, control a vast majority of cloud resources, creating concentrated points of extreme risk. Because they lack natural lifecycle triggers like employee departures, their pervasive access across infrastructure and data pipelines can amplify the impact of any compromise.
Problematic permissions are not static; they multiply through daily business activities. These are often categorized as over-privileged, residual, ungoverned, or policy-violating access. The proportion of permissions considered safe and compliant has dropped significantly, driven largely by a sharp rise in ungoverned access. A key contributor to this trend is the creation of local accounts outside centralized identity tools, which bypass standard governance workflows and remain invisible to security teams.
Authentication controls also reveal persistent weaknesses. A notable portion of enterprise users still operate without multi-factor authentication (MFA), and among those who have it enabled, many rely on less secure methods like SMS or email verification. These authentication gaps frequently overlap with dormant and orphaned accounts, creating a perfect storm of low-protection, high-access identities that are easy targets for attackers because they generate fewer security alerts.
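The risk categories described above (dormant, orphaned, former-employee, unowned or never-expiring non-human identities, local accounts outside the IdP, and weak MFA) can be turned into a simple audit rule set. The following Python script is an added example, not code from the article or from HelpNet Security; it runs over a small constructed identity inventory and applies the article's definitions, including the 90-day dormancy threshold and the overlap of weak MFA with dormant or orphaned accounts. Field names, the `Identity` record and the sample identities are assumptions chosen for illustration.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90                       # inactivity threshold cited in the article
WEAK_MFA = {"none", "sms", "email"}     # no MFA, or the weaker factor types named in the article


@dataclass
class Identity:
    """One row of a consolidated identity inventory (assumed schema)."""
    name: str
    kind: str                           # "human" or "service" (non-human identity)
    enabled: bool                       # can the account still authenticate?
    last_auth: Optional[date]           # None means it has never authenticated
    source: str = "idp"                 # "idp" or "local" (created outside the central IdP)
    hr_status: Optional[str] = None     # "active", "terminated", or None when no HR record exists
    owner: Optional[str] = None         # accountable person; mostly relevant for service accounts
    expires: Optional[date] = None      # credential expiry, if any
    mfa: str = "none"                   # "none", "sms", "email", "app", "fido2"


def classify(ident: Identity, today: date) -> set:
    """Return the set of risk tags that apply to one identity on the given date."""
    tags = set()
    if not ident.enabled:
        return tags                     # disabled accounts cannot authenticate, so no exposure

    # Dormant: enabled, but no sign-in for DORMANT_DAYS or more (or never).
    if ident.last_auth is None or (today - ident.last_auth).days >= DORMANT_DAYS:
        tags.add("dormant")

    if ident.kind == "human":
        if ident.hr_status is None:
            tags.add("orphaned")        # live account with no owner in the HR system
        elif ident.hr_status == "terminated":
            tags.add("former_employee") # access that outlived employment
        if ident.mfa in WEAK_MFA:
            tags.add("weak_mfa")
    else:
        # Non-human identities: no lifecycle trigger unless someone owns them or they expire.
        if ident.owner is None:
            tags.add("nhi_no_owner")
        if ident.expires is None:
            tags.add("nhi_no_expiry")

    if ident.source == "local":
        tags.add("ungoverned_local")    # bypasses the central governance workflow

    # The "perfect storm": low protection combined with access nobody is watching.
    if "weak_mfa" in tags and tags & {"dormant", "orphaned", "former_employee"}:
        tags.add("low_protection_high_exposure")
    return tags


def audit(identities, today: date):
    """Classify every identity and tally how often each risk tag occurs."""
    findings = {i.name: classify(i, today) for i in identities}
    counts = Counter(tag for tags in findings.values() for tag in tags)
    return findings, counts


# Constructed sample inventory (not real data); TODAY fixes the reference date.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Identity("alice", "human", True, date(2025, 5, 28), hr_status="active", mfa="app"),
    Identity("bob", "human", True, date(2025, 1, 15), hr_status="active", mfa="sms"),
    Identity("carol", "human", True, date(2025, 5, 20), hr_status=None, mfa="app"),
    Identity("dave", "human", True, date(2025, 2, 1), hr_status="terminated", mfa="none"),
    Identity("ci-deploy", "service", True, date(2025, 5, 31), owner=None, expires=None),
    Identity("legacy-etl", "service", True, date(2024, 11, 1), source="local",
             owner="data-team", expires=date(2026, 1, 1)),
    Identity("eve", "human", False, date(2024, 3, 1), hr_status="terminated", mfa="none"),
]

if __name__ == "__main__":
    findings, counts = audit(INVENTORY, TODAY)
    for name, tags in findings.items():
        print(f"{name:12s} {sorted(tags)}")
    print(dict(counts))
```

In practice the inventory would be joined from the identity provider's sign-in logs, the HR system, and the cloud providers' credential listings; the value of the script is that it forces each of the article's categories into an explicit, reviewable rule, and the `low_protection_high_exposure` tag gives a short list to remediate first.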
Ultimately, identity risk is evolving into a core business metric. Boards, regulators, and insurers are increasingly demanding proof of control over system and data access. The data indicates a common pattern across industries: identities and their permissions accumulate rapidly, while oversight mechanisms struggle to keep up. This expanding access layer is precisely what threat actors seek to exploit. As one cybersecurity leader noted, the widespread issues of excessive privileges, dormant accounts, and over-permissioning underscore the immense difficulty teams face in enforcing least privilege across complex, ever-growing digital environments.
(Source: HelpNet Security)