AI Agents Cause 76% Surge in NHIs, Revealing Governance Gaps

Summary
– The SANS Institute warns that rapid AI integration into enterprises is outpacing security efforts, particularly due to poor credential management.
– A survey found 76% of organizations report growth in non-human identities, with 74% already using AI agents that require credentials.
– Agentic AI poses a unique risk as it can act unpredictably like an over-privileged insider, unlike traditional automated identities.
– Most organizations lack governance, with 92% failing to rotate machine credentials regularly and 5% unaware if they use agentic AI.
– The institute recommends automated security controls like secrets vaults and least-privilege access to manage these scaling risks.
A new survey reveals that the rapid integration of AI agents into business operations is dramatically expanding the attack surface, with a majority of organizations struggling to implement basic security controls. The 2026 SANS State of Identity Threats & Defenses Survey, gathering insights from more than 500 security professionals worldwide, found that 76% of organizations are reporting a significant increase in non-human identities (NHIs). This category includes service accounts, API keys, and automation bots, with a substantial portion now linked to autonomous AI systems.
The data indicates a quiet explosion in these digital identities, with their numbers often doubling or tripling within corporate environments. A driving force behind this surge is the adoption of agentic AI, with 74% of organizations already using AI agents that require credentials to function. These systems represent a distinct and potent new risk vector. Unlike traditional automated tools that follow static scripts, agentic AI operates with a degree of autonomy, interpreting instructions and taking actions that can be unpredictable. Security experts warn this makes them behave like an over-privileged insider, but one capable of operating at machine speed and susceptible to AI hallucination.
This acceleration is outpacing security governance. The survey uncovered critical gaps in foundational security practices, particularly around credential hygiene. An overwhelming 92% of organizations fail to rotate machine credentials on the recommended 90-day cycle, primarily out of fear of disrupting service accounts. Furthermore, 59% rotate fewer than half of their NHI credentials quarterly, and a concerning 15% do not even track their rotation rates. A further 5% of organizations do not know whether they are running agentic AI at all.
The scale of the problem is exacerbated by legacy management approaches. Many companies still depend on manual access reviews and ticket-based provisioning, processes that cannot keep pace with thousands of NHIs operating across DevOps, cloud, and SaaS platforms. Richard Greene, a certified instructor at SANS, notes that decision-making authority is being granted to AI faster than corresponding governance frameworks are being built. He points to the historical lessons of unmanaged NHI growth, warning that agentic systems are advancing at an even more rapid clip.
While there are early positive indicators, such as 40% of organizations using human-in-the-loop approvals for AI agent actions, the core challenge remains. Security teams must establish control before these pilots become embedded in core business functions. To mitigate risk, SANS recommends a focused shift toward automated security fundamentals: implementing secrets vaults, enforcing automated credential rotation, and applying the principle of least-privilege access. The effectiveness of these measures, however, hinges on their ability to scale in lockstep with the relentless proliferation of non-human identities.
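The three hygiene gaps the survey measures (credentials past the 90-day rotation window, credentials whose rotation is not tracked at all, and AI agents acting without a human-in-the-loop approval step) can be checked mechanically against an inventory. The following is an added illustration written for this page, not code from SANS or Infosecurity Magazine; the inventory records, field names (`kind`, `last_rotated`, `human_in_the_loop`) and the `AUDIT_DATE` are constructed assumptions, and a real deployment would pull the same fields from a secrets vault or IAM export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ROTATION_WINDOW_DAYS = 90      # the 90-day rotation cycle the survey uses as its benchmark
AUDIT_DATE = date(2026, 3, 1)  # constructed "today" so the example is reproducible


@dataclass(frozen=True)
class NonHumanIdentity:
    """One machine credential in the inventory (field names are assumptions for this example)."""
    name: str
    kind: str                                 # "service_account", "api_key", "bot" or "ai_agent"
    last_rotated: Optional[date]              # None means rotation is not tracked at all
    human_in_the_loop: Optional[bool] = None  # only meaningful for kind == "ai_agent"


# Constructed sample inventory; none of these are real systems or credentials.
SAMPLE_INVENTORY = [
    NonHumanIdentity("svc-billing-db", "service_account", date(2025, 9, 1)),
    NonHumanIdentity("ci-deploy-token", "api_key", date(2026, 1, 20)),
    NonHumanIdentity("legacy-backup-bot", "bot", None),
    NonHumanIdentity("agent-ticket-triage", "ai_agent", date(2026, 2, 10), human_in_the_loop=True),
    NonHumanIdentity("agent-cloud-remediator", "ai_agent", date(2025, 10, 15), human_in_the_loop=False),
]


def age_in_days(nhi: NonHumanIdentity, today: date) -> Optional[int]:
    """Days since the credential was last rotated, or None when rotation is untracked."""
    if nhi.last_rotated is None:
        return None
    return (today - nhi.last_rotated).days


def audit(inventory, today: date, window_days: int = ROTATION_WINDOW_DAYS) -> dict:
    """Apply the survey's three hygiene checks to an inventory and return the findings.

    stale                 tracked credentials older than the rotation window
    untracked             credentials with no recorded rotation date
    agents_without_hitl   AI-agent credentials with no human approval step (None counts as none)
    rotated_within_window share of all NHIs rotated inside the window; untracked count as not rotated
    """
    stale, untracked, agents_without_hitl = [], [], []
    rotated_in_window = 0
    for nhi in inventory:
        age = age_in_days(nhi, today)
        if age is None:
            untracked.append(nhi.name)
        elif age > window_days:
            stale.append(nhi.name)
        else:
            rotated_in_window += 1
        if nhi.kind == "ai_agent" and not nhi.human_in_the_loop:
            agents_without_hitl.append(nhi.name)
    return {
        "stale": stale,
        "untracked": untracked,
        "agents_without_hitl": agents_without_hitl,
        "rotated_within_window": rotated_in_window / len(inventory) if inventory else 0.0,
    }


def report(findings: dict) -> str:
    """Render the findings as plain text suitable for a ticket or dashboard."""
    lines = [f"Rotated within {ROTATION_WINDOW_DAYS} days: {findings['rotated_within_window']:.0%}"]
    for label in ("stale", "untracked", "agents_without_hitl"):
        for name in findings[label]:
            lines.append(f"  {label}: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_INVENTORY, AUDIT_DATE)))
```

Run against the constructed inventory, the audit reports two stale credentials, one untracked credential, one agent with no approval step, and a quarterly rotation rate of 40%; the useful property is that an untracked credential is surfaced as its own finding rather than silently counted as rotated, which is the blind spot behind the survey's 15% figure.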
(Source: Infosecurity Magazine)