SpyCloud’s latest research has surfaced an uncomfortable truth about enterprise security: the fastest-growing attack vector is not targeting humans at all. Stolen tokens and compromised session data are fueling a sharp rise in non-human identity attacks, and most organisations remain blind to the exposure.

The study analysed data from billions of compromised credentials recovered from criminal underground sources. What researchers found was a structural shift in how attackers operate. Rather than brute-forcing passwords or phishing human users, threat actors are increasingly harvesting session tokens, API keys, and machine credentials — the quiet plumbing that lets non-human identities authenticate across cloud services, APIs, and automated workflows. These credentials rarely expire, are almost never rotated, and are typically stored in plaintext across configuration files, CI/CD pipelines, and developer environments.

The core problem is visibility. Unlike human accounts, which have well-established governance lifecycles — provisioning, access reviews, deprovisioning — non-human identities are often created ad hoc by developers, automated scripts, or third-party integrations. Nobody owns them. Nobody audits them. And when a session token is stolen, the attacker inherits the full privilege of that machine identity without triggering a single alert, because the authentication mechanism sees a valid credential being used in an expected manner.

SpyCloud’s findings highlight three areas where non-human identity governance is failing. First, session hijacking has become the preferred entry point. Once an attacker possesses a valid session token, they bypass MFA entirely — the token represents an already-authenticated session, and legacy identity tools treat it as legitimate. Second, machine credentials are overprivileged. Service accounts and API keys are routinely granted broad permissions for convenience and never scoped down. Third, the lifecycle gap is enormous: non-human identities are created but almost never inventoried, meaning organisations cannot answer basic questions about how many machine credentials exist, who created them, or what they can access.

The implications extend beyond credential theft. When a stolen token grants access to a cloud management API, the attacker can spin up infrastructure, exfiltrate data, or pivot into adjacent services — all under the identity of an automated process that security teams have no reason to monitor. The attack surface is not a single endpoint but a mesh of interconnected machine identities, each one a potential stepping stone.

What the SpyCloud data ultimately reveals is that the non-human identity problem is not theoretical. It is already being exploited at scale, and the gap between how organisations govern human versus non-human identities has become the defining security blind spot of the AI era. Addressing it requires a fundamental rethinking of identity lifecycle management — one that treats machine credentials with the same rigour applied to human accounts, including continuous discovery, contextual access controls, and automated rotation policies that assume compromise is not a possibility but an eventuality.