Keeper Security’s Critical Findings: Why AI Agents and Machine Identities Remain Vulnerable

Keeper Security’s latest research into non-human identity security reveals a sobering reality: most organizations have built no meaningful defenses against AI agent and machine identity compromise. The study analyzed thousands of enterprise environments and found systematic blindspots—not from neglect, but from fundamental misalignment between how systems were built and how non-human identities actually operate.

The research highlights three critical gaps:

The Inventory Blindness Problem. Organizations cannot manage what they cannot see. Yet Keeper's analysis shows that the average enterprise has no complete inventory of its machine identities. Service accounts exist in Active Directory. API keys reside in CI/CD platforms. Kubernetes service account token secrets sit in each cluster's etcd. Cloud provider IAM roles operate independently. This fragmentation is by design: each system optimizes for its own ecosystem. But the sum total is organizational blindness. Adversaries exploit it by compromising one machine identity and then pivoting along lateral paths that nobody documented. Defenders miss the pivot because, with no inventory, they have no baseline for which machine-to-machine traffic is normal.

The Permission Explosion Challenge. Machine identities accumulate permissions transitively rather than through deliberate grants. A microservice is granted the right to call an API, the API has access to databases, and those databases hold connection strings for downstream systems, so the effective reach of the service is far wider than any single policy shows. One over-scoped service account cascades privileges across an entire infrastructure layer. Keeper found that the average privilege scope of a machine identity is 15-20x broader than necessary. Enterprises have attempted least privilege, and policy frameworks exist, but enforcement is fragmented: no unified governance layer spans all infrastructure types.

The Verification Void. Unlike human identities, machine identities rarely undergo periodic access reviews or certification. Human account access reviews are routine; machine identity reviews are nearly unheard of. Service accounts are created for a specific task, then run indefinitely with their original permissions. Decommissioned systems leave zombie credentials behind. Adversaries exploit this: a forgotten service account becomes a persistence mechanism. It still carries years of accumulated privilege grants, yet because it rarely generates activity it never surfaces on security dashboards.

The common thread: machine identity security governance exists in theory but is absent in practice. Organizations lack the unified visibility, control, and certification frameworks necessary to govern non-human identities at scale.

Remediation requires architectural investment: centralized machine identity discovery, permission baseline analysis, continuous entitlement certification, and automated remediation workflows. Keeper’s research suggests the complexity is addressable—but only for organizations willing to treat non-human identity governance as a strategic priority, not an afterthought.
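The remediation loop described above (consolidating identities from several systems of record, comparing granted permissions against observed use, flagging dormant accounts, and emitting certification items) sketched as an added Python example. This is not Keeper's tooling or code from the research; the record layout, the 90-day idle window, the over-scope threshold, and the function names are assumptions made here, and the inventory records are constructed sample data standing in for exports from AD, a CI/CD platform, Kubernetes, and cloud IAM.

```python
"""Consolidated non-human identity review: dormancy and over-scope checks.

Added example, not code from the cited research. Record fields, the idle
window, and the scope threshold are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

ISO = "%Y-%m-%d"
TODAY = date(2024, 6, 10)  # fixed review date so results are reproducible

# Constructed sample inventory: one record per identity per source system.
# "granted" is what is attached today; "used" is what audit logs show the
# identity actually exercised during the review window.
SAMPLE_RECORDS = [
    {"source": "active_directory", "name": "svc-backup", "created": "2019-03-01",
     "granted": ["Domain Admins", "Backup Operators", "Remote Desktop Users"],
     "used": [], "last_used": None},
    {"source": "ci_cd", "name": "deploy-token-prod", "created": "2023-05-10",
     "granted": ["repo:write", "secrets:read", "admin:org"],
     "used": ["repo:write"], "last_used": "2024-06-01"},
    {"source": "kubernetes", "name": "payments/api-sa", "created": "2022-01-15",
     "granted": ["get/pods", "list/secrets"],
     "used": ["get/pods"], "last_used": "2024-06-02"},
    {"source": "aws_iam", "name": "role/etl-runner", "created": "2021-09-20",
     "granted": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                 "rds:DeleteDBInstance", "iam:PassRole",
                 "ec2:TerminateInstances", "kms:Decrypt"],
     "used": ["s3:GetObject", "s3:PutObject"], "last_used": "2024-05-30"},
    {"source": "ci_cd", "name": "legacy-jenkins-token", "created": "2020-02-01",
     "granted": ["repo:admin"], "used": ["repo:admin"], "last_used": "2022-11-15"},
]


@dataclass(frozen=True)
class MachineIdentity:
    source: str                # system of record the identity lives in
    name: str
    created: date
    granted: frozenset         # permissions currently attached
    used: frozenset            # permissions observed in logs this window
    last_used: Optional[date]  # None means no activity ever recorded


def _parse(value: Optional[str]) -> Optional[date]:
    return datetime.strptime(value, ISO).date() if value else None


def load_inventory(records) -> list:
    """Normalize heterogeneous per-source exports into one inventory."""
    return [MachineIdentity(r["source"], r["name"], _parse(r["created"]),
                            frozenset(r["granted"]), frozenset(r["used"]),
                            _parse(r["last_used"])) for r in records]


def find_dormant(identities, today: date, max_idle_days: int = 90) -> list:
    """Zombie candidates: never used, or idle longer than the review window.
    Returns (identity, idle_days) pairs; idle is measured from creation when
    the identity has never been seen in use."""
    out = []
    for ident in identities:
        idle = (today - (ident.last_used or ident.created)).days
        if ident.last_used is None or idle > max_idle_days:
            out.append((ident, idle))
    return out


def scope_ratio(ident: MachineIdentity) -> float:
    """Granted/used permission count; the larger, the more over-scoped."""
    return len(ident.granted) / max(len(ident.used), 1)


def find_over_scoped(identities, threshold: float = 3.0) -> list:
    """Identities whose grants exceed observed use by the threshold factor.
    Identities with no observed use are left to the dormancy check."""
    return [(i, scope_ratio(i)) for i in identities
            if i.used and scope_ratio(i) >= threshold]


def right_size(ident: MachineIdentity):
    """Least-privilege proposal: keep what was used, list the rest for removal."""
    keep = sorted(ident.granted & ident.used)
    drop = sorted(ident.granted - ident.used)
    return keep, drop


def certification_queue(identities, today: date,
                        max_idle_days: int = 90, threshold: float = 3.0) -> list:
    """One certification item per finding, routed to the owning source system."""
    queue = []
    for ident, idle in find_dormant(identities, today, max_idle_days):
        queue.append({"source": ident.source, "identity": ident.name,
                      "finding": "dormant", "idle_days": idle,
                      "action": "disable now; delete after owner sign-off"})
    for ident, ratio in find_over_scoped(identities, threshold):
        keep, drop = right_size(ident)
        queue.append({"source": ident.source, "identity": ident.name,
                      "finding": "over_scoped", "ratio": round(ratio, 1),
                      "action": f"remove {drop}; retain {keep}"})
    return queue


if __name__ == "__main__":
    for item in certification_queue(load_inventory(SAMPLE_RECORDS), TODAY):
        print(item)
```

The two checks deliberately use different evidence: dormancy needs only a last-use timestamp, which every source system can supply, while over-scoping needs per-permission usage from audit logs (CloudTrail, Kubernetes audit events, CI/CD access logs) and is therefore the harder feed to build. An identity that has never been used is routed to the dormancy queue rather than scored as over-scoped, because there is no usage baseline to right-size against.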

Source: Keeper Security / PR Newswire