Blog · #machine-identity #NHI #security

Non-Human Identity: The Fastest Growing Attack Surface in the Enterprise

WNCYBER Team
6 min read

Machine identities — service accounts, API keys, certificates, and SSH keys — now outnumber human identities by more than 45 to 1 in the average enterprise. Yet most organisations still spend the vast majority of their identity security budget on governing human access.

The result is a sprawling, largely invisible attack surface that adversaries are increasingly targeting.

Why Machine Identities Are Different

Human identities follow predictable patterns. Employees join, change roles, and eventually leave. Identity governance processes — however imperfect — were designed around this lifecycle. Machine identities follow no such rules.

They multiply automatically. Every new service, microservice, container, and pipeline generates new credentials. In cloud-native environments, this can mean thousands of new machine identities per week, with no human in the loop.

They outlive their purpose. Service accounts created for a project that ended three years ago still exist in most environments — and often still hold active permissions to sensitive systems.

They are rarely rotated. Certificates expire only if someone notices in time. API keys from 2021 may still be embedded in production code, committed to repositories, or stored in CI/CD environment variables.

No one owns them. Machine identities fall between teams. Security says it’s a DevOps problem. DevOps says it’s a security problem. The credentials sit ungoverned in the middle.

What the Attack Surface Looks Like

When threat actors target machine identities, they are not trying to phish an employee. They are looking for:

  • Orphaned service accounts with domain admin rights that nobody remembers creating
  • Leaked API keys in public repositories — GitHub’s secret scanning program blocks millions of credential exposures per year, which tells you how many are being accidentally committed
  • Expired or misconfigured certificates that create inspection blind spots in network traffic
  • Overprivileged workload identities in cloud environments with far broader permissions than any workload actually requires

Each of these is an open door. In the average enterprise, dozens of those doors are standing open at any given time.
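The orphaned, unrotated and overprivileged identities described above only become actionable once an inventory is scored so the worst cases surface first. The following is an added example (not WNCYBER code, and not the product's data model): it takes a constructed inventory of machine identities and flags each one as unowned, stale, overdue for rotation, highly privileged or expired, then ranks them. The thresholds (90 days unused, 365 days without rotation), the permission names and every identity in the sample are assumptions made for illustration.

```python
"""Triage a machine-identity inventory for orphaned, stale and overprivileged entries.

Added example; not WNCYBER code. The inventory, thresholds and permission
names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed policy thresholds (illustrative, not taken from the article)
STALE_AFTER_DAYS = 90       # no use in this long -> treat as orphaned
ROTATE_AFTER_DAYS = 365     # static credential older than this -> rotation overdue
HIGH_PRIVILEGE = {"domain-admin", "owner", "iam:*", "*"}
STATIC_KINDS = {"service-account", "api-key", "ssh-key"}   # rotated by policy, not by expiry

WEIGHTS = {"no-owner": 1, "stale": 2, "rotation-overdue": 2, "high-privilege": 3, "expired": 2}


@dataclass
class MachineIdentity:
    name: str
    kind: str                        # service-account | api-key | certificate | ssh-key
    owner: Optional[str]
    created: datetime
    last_used: Optional[datetime]
    permissions: set = field(default_factory=set)
    expires: Optional[datetime] = None


def assess(ident: MachineIdentity, now: datetime) -> list:
    """Return the list of findings that apply to one identity."""
    findings = []
    if ident.owner is None:
        findings.append("no-owner")
    if ident.last_used is None or (now - ident.last_used).days > STALE_AFTER_DAYS:
        findings.append("stale")
    if ident.kind in STATIC_KINDS and (now - ident.created).days > ROTATE_AFTER_DAYS:
        findings.append("rotation-overdue")
    if ident.permissions & HIGH_PRIVILEGE:
        findings.append("high-privilege")
    if ident.expires is not None and ident.expires < now:
        findings.append("expired")
    return findings


def risk_score(findings: list) -> int:
    """Weighted sum, plus a penalty for the worst case: unused but still highly privileged."""
    score = sum(WEIGHTS[f] for f in findings)
    if "stale" in findings and "high-privilege" in findings:
        score += 3
    return score


def prioritise(inventory: list, now: datetime) -> list:
    """Return (name, findings, score) tuples, highest risk first."""
    rows = []
    for ident in inventory:
        findings = assess(ident, now)
        rows.append((ident.name, findings, risk_score(findings)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = utc(2025, 6, 1)

# Constructed inventory; names and dates are illustrative only.
SAMPLE_INVENTORY = [
    MachineIdentity("svc-legacy-reporting", "service-account", None,
                    utc(2022, 3, 1), utc(2023, 1, 15), {"domain-admin"}),
    MachineIdentity("api-key-payments-2021", "api-key", "payments-team",
                    utc(2021, 8, 10), utc(2025, 5, 30), {"payments:read"}),
    MachineIdentity("cert-edge-proxy", "certificate", "platform",
                    utc(2024, 1, 1), utc(2025, 5, 31), set(), expires=utc(2025, 3, 1)),
    MachineIdentity("ci-deploy-bot", "service-account", "devops",
                    utc(2025, 4, 1), utc(2025, 5, 31), {"deploy:write"}),
]

if __name__ == "__main__":
    for name, findings, score in prioritise(SAMPLE_INVENTORY, NOW):
        print(f"{score:>3}  {name:<24} {', '.join(findings) or 'clean'}")
```

The scoring deliberately treats "stale and highly privileged" as worse than the sum of its parts: an account nobody uses or owns, which still holds domain admin, is exactly the open door the list above describes, and it should sit at the top of the queue ahead of a busy but unrotated API key.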

The Governance Gap

The challenge is not awareness — most security teams understand that machine identity sprawl is a problem. The challenge is tooling. Traditional identity governance platforms were designed for human identities. They work well for access certifications, role mining, and lifecycle management tied to HR systems.

Machine identities have no HR record. They have no manager to approve access requests. They are created programmatically, often without any security review, and their permissions are rarely revisited after the initial setup.

What Good Machine Identity Management Looks Like

Closing the gap requires a purpose-built approach built on five pillars:

1. Continuous discovery. You cannot govern what you cannot see. Automated discovery across cloud environments, on-premises infrastructure, and CI/CD pipelines is the non-negotiable starting point.

2. Classification and ownership. Every machine identity should have a documented owner, a defined purpose, and an assessed risk level. Without this, prioritisation is impossible.

3. Automated rotation. Static credentials that persist for months or years are a liability that compounds over time. Automated rotation — ideally to dynamic, short-lived credentials — eliminates the risk window entirely.

4. Least-privilege enforcement. Machine identities should hold exactly the permissions needed for their current function — nothing more. Regular right-sizing reviews reduce blast radius when a credential is eventually compromised.

5. Behavioural monitoring. When a service account that normally reads from a single database begins querying every table in the schema, something is wrong. Behavioural anomaly detection catches credential compromise early — often before data is exfiltrated.
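Pillar 5 is the one that can be shown end to end on a handful of log lines. The following added example (not WNCYBER code) builds a per-principal baseline of which database tables each service account touches, then compares a later window against it and raises an alert when an account reads several tables it never used before, or reaches every table in a schema. The log format, the schema inventory, the principal names and the threshold of three new tables are all constructed for this illustration; a real deployment would parse the audit format of its own database.

```python
"""Behavioural baseline for service-account database access.

Added example; not WNCYBER code. Log format, schema and principals are constructed.
"""
import re
from collections import defaultdict

# Constructed log format; real database audit logs differ in shape.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) db=(?P<db>\S+) "
    r"table=(?P<table>\S+) op=(?P<op>\S+)$"
)

# Constructed schema inventory, so the detector can distinguish
# "a few new tables" from "every table in the schema".
SCHEMA = {
    "sales": {"orders", "customers", "payments", "employees", "salaries"},
    "billing": {"invoices", "customers", "refunds", "ledger"},
}

# Baseline window: svc-reports reads one table; svc-billing works two tables.
BASELINE_LOG = """\
2025-05-01T01:00:00Z principal=svc-reports db=sales table=orders op=SELECT
2025-05-02T01:00:00Z principal=svc-reports db=sales table=orders op=SELECT
2025-05-03T01:00:00Z principal=svc-reports db=sales table=orders op=SELECT
2025-05-01T09:00:00Z principal=svc-billing db=billing table=invoices op=SELECT
2025-05-01T09:00:05Z principal=svc-billing db=billing table=customers op=SELECT
2025-05-02T09:00:00Z principal=svc-billing db=billing table=invoices op=INSERT
"""

# Current window: svc-reports suddenly walks the whole sales schema;
# svc-billing picks up one new table, which is within normal drift.
CURRENT_LOG = """\
2025-06-01T01:00:00Z principal=svc-reports db=sales table=orders op=SELECT
2025-06-01T02:14:03Z principal=svc-reports db=sales table=customers op=SELECT
2025-06-01T02:14:04Z principal=svc-reports db=sales table=payments op=SELECT
2025-06-01T02:14:05Z principal=svc-reports db=sales table=employees op=SELECT
2025-06-01T02:14:06Z principal=svc-reports db=sales table=salaries op=SELECT
2025-06-01T09:00:00Z principal=svc-billing db=billing table=invoices op=SELECT
2025-06-01T09:00:05Z principal=svc-billing db=billing table=customers op=SELECT
2025-06-01T09:00:09Z principal=svc-billing db=billing table=refunds op=SELECT
"""


def parse(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Map each principal to the set of (db, table) pairs it touched in the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["principal"]].add((e["db"], e["table"]))
    return baseline


def detect(baseline, events, new_table_threshold=3):
    """Return one alert per principal whose access departs from its baseline."""
    seen = defaultdict(set)
    for e in events:
        seen[e["principal"]].add((e["db"], e["table"]))
    alerts = []
    for principal, pairs in seen.items():
        new = pairs - baseline.get(principal, set())
        reasons = []
        if len(new) >= new_table_threshold:
            reasons.append("new-tables")
        # Per database, check whether every known table was touched in this window.
        for db in sorted({d for d, _ in pairs}):
            touched = {t for d, t in pairs if d == db}
            if db in SCHEMA and touched >= SCHEMA[db]:
                reasons.append(f"full-schema-enumeration:{db}")
        if reasons:
            alerts.append({"principal": principal, "new_tables": sorted(new), "reasons": reasons})
    return alerts


def run():
    return detect(build_baseline(parse(BASELINE_LOG)), parse(CURRENT_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The threshold matters: a single new table is ordinary drift as schemas evolve, which is why svc-billing does not alert, while the jump from one table to the whole schema is the pattern the paragraph above describes. In practice the baseline would be rebuilt on a rolling window and the schema inventory fed from the database catalogue rather than a hard-coded dictionary.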

The Bottom Line

Machine identities are the fastest growing, least governed, and most actively exploited attack surface in the modern enterprise. The organisations that close this gap will have a structural security advantage over those that do not.

The breach reports of the next five years will make the machine identity problem impossible to ignore. The question is whether your organisation addresses it proactively — or reactively.

#machine-identity #NHI #security #service-accounts

See How WNCYBER Addresses This

The platform that governs every identity type — from human users to agentic AI — in a single control plane.