For all the public debate about artificial general intelligence and existential AI risk, the more immediate and practical danger is far less cinematic: unregulated machine identity. Every AI agent, every automated workflow, every cloud-native application creates and consumes credentials at a rate that human-centric identity systems were never designed to handle. The result is an expanding attack surface that grows silently, often invisible to the security teams tasked with protecting it.
The fundamental disconnect is one of governance philosophy. Human identity governance is built on periodic reviews, access certifications, and role-based models that assume a relatively stable population of users with predictable access patterns. Machine identities invert every one of those assumptions. They are created dynamically, they operate continuously, their access patterns change with every deployment, and they often have privileges that far exceed what any individual human would be granted — because they need to orchestrate across multiple systems to perform their function. An AI agent tasked with generating a financial report might need read access to the ERP, write access to the data warehouse, and API access to the visualization platform — a privilege combination that would raise red flags for any human account.
The regulatory dimension adds urgency to this problem. Frameworks like SOC 2, ISO 27001, and emerging AI-specific regulations all require organizations to demonstrate control over who — or what — can access sensitive data and systems. If an auditor asks for an access review of all identities with access to a particular dataset, and the organization can only produce the human accounts, they have failed the audit. Yet this is precisely the state of most enterprises today: machine identities are invisible to governance processes, undocumented in access reviews, and unaccounted for in compliance reporting.
Addressing this requires more than better secrets management, though that is a necessary starting point. It requires a fundamental rethinking of what identity governance means in an environment where the majority of actors are not human. Machine identities need their own lifecycle management, their own access policies, their own behavioural baselines, and their own audit trails. And critically, they need all of this delivered through automation — because if machine identity governance requires human intervention to function, it will fail at the exact scale where it is needed most.