Legacy IAM was built for humans — and AI agents now outnumber them 82 to 1

Read Full Article: VentureBeat
CyberArk’s 2025 research confirms what security teams and AI builders have long suspected: Machine identities now outnumber humans by a wide margin. Microsoft Copilot Studio users created over 1 million AI agents in a single quarter, up 130% from the previous period. Gartner predicts that by 2028, 25% of enterprise breaches will trace back to AI agent abuse.
Active Directory, LDAP, and early PAM were built for humans. AI agents and machines were the exception. Today, they outnumber people 82 to 1, and that human-first identity model is breaking down at machine speed.

Why legacy architectures fail at machine scale

Gartner analysts explain the core problem in a report published in May: “Traditional IAM approaches, designed for human users, fall short of addressing the unique requirements of machines, such as devices and workloads.”
Builders don’t create shadow agents or over-permissioned service accounts out of negligence. They do it because cloud IAM is slow, security reviews don’t map cleanly to agent workflows, and production pressure rewards speed over precision. Static credentials become the path of least resistance — until they become the breach vector.
The governance gap is stark. CyberArk’s 2025 Identity Security Landscape survey of 2,600 security decision-makers reveals a dangerous disconnect: Though machine identities now outnumber humans 82 to 1, 88% of organizations still define only human identities as “privileged users.” The result is that machine identities actually have higher rates of sensitive access than humans.
The Gartner Leaders’ Guide explains why legacy service accounts create systemic risk: They persist after the workloads they support disappear, leaving orphaned credentials with no clear owner or lifecycle…
That 42% figure represents millions of API keys, service accounts, and automated processes with access to crown jewels, all governed by policies designed for employees who clock in and out.
By Louis Columbus
The visibility gap compounds the problem. A Gartner survey of 335 IAM leaders found that IAM teams are only responsible for 44% of an organization’s machine identities, meaning the majority operate outside security’s visibility. Without a cohesive machine IAM strategy, Gartner warns, “organizations risk compromising the security and integrity of their IT infrastructure.”
Their research identifies why retrofitting fails: “Retrofitting human IAM approaches to fit machine IAM use cases leads to fragmented and ineffective management of machine identities, running afoul of regulatory mandates and exposing the organization to unnecessary risks.”
AI agents are the fastest-growing and least-governed class of these machine identities — and they don’t just authenticate, they act. ServiceNow spent roughly .6 billion on security acquisitions in 2025 alone — a signal that identity, not models, is becoming the control plane for enterprise AI risk.
