Identity April 15, 2026 · 4 min read · By Forum Desk

Non-Human Identities Now Outnumber Humans 45-to-1 in Enterprise Environments

New CSA research pegs the median ratio at 45:1, up from 17:1 in 2023 — and CISOs admit they can't enumerate half the machine identities in their environments.


A new report from the Cloud Security Alliance’s Non-Human Identity working group pegs the median enterprise ratio of machine identities to human users at 45 to 1 — up from 17:1 in the group’s 2023 baseline. The explosion tracks the combined rise of microservice architectures, serverless CI/CD, third-party SaaS automation, and — more recently — LLM agents (see our separate coverage on agent identity).

The inventory problem

Of 420 CISOs surveyed, 53% said they could enumerate fewer than half of the machine identities in their environments with confidence. The long tail — expired certificates, orphaned service principals, embedded API keys in legacy deployments — is statistically where incidents actually originate. The DBIR’s 2026 cohort found that 31% of identity-related breaches traced to a non-human credential that no human on the current team could identify as theirs.

Where the spend is going

Secrets management is shifting from a single-product category to a capability embedded in several adjacent platforms. CIEM vendors (Ermetic, Wiz, Sonrai) are adding machine-identity discovery; PAM vendors (CyberArk, Delinea) are pushing the other direction into workload identity; and a cluster of NHI-first startups (Astrix, Oasis, Clutch) are competing on the inventory and rotation layer.

Practical first steps

CISA’s 2025 joint advisory on machine-identity hygiene remains the clearest checklist we can recommend: discover, classify, rotate short-lived, kill long-lived, and build an attribution chain back to a human owner. The work is tedious. The blast radius of not doing it is every post-mortem we have read in the last twelve months.
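
The classify, rotate, kill and attribute steps of that checklist, sketched as a triage pass over a discovered inventory. This is an added example, not code from the CSA report or the CISA advisory; the thresholds, record fields, evaluation date and identity names are all assumptions made for illustration.

```python
from datetime import date

# Assumed policy thresholds; the article and the advisory give no figures.
MAX_LIFETIME_DAYS = 90   # longest validity still treated as short-lived
MAX_IDLE_DAYS = 60       # unused for longer than this counts as stale
TODAY = date(2026, 4, 15)  # constructed evaluation date
# Constructed inventory (hypothetical names), as a discovery step might emit it.
INVENTORY = [
    {"id": "svc-billing-cert", "owner": "alice", "created": date(2025, 1, 10),
     "expires": date(2026, 1, 10), "last_used": date(2026, 1, 5)},
    {"id": "legacy-etl-key", "owner": None, "created": date(2022, 6, 1),
     "expires": None, "last_used": date(2026, 4, 14)},
    {"id": "ci-deployer", "owner": "bob", "created": date(2026, 3, 20),
     "expires": date(2026, 4, 20), "last_used": date(2026, 4, 15)},
    {"id": "old-report-bot", "owner": "carol", "created": date(2024, 2, 1),
     "expires": None, "last_used": date(2025, 5, 1)},
]

def classify(identity, today):
    """Return the sorted hygiene findings for one machine identity."""
    findings = set()
    if not identity["owner"]:
        findings.add("unattributed")   # no chain back to a human owner
    expires = identity["expires"]
    if expires is not None and expires < today:
        findings.add("expired")
    if expires is None or (expires - identity["created"]).days > MAX_LIFETIME_DAYS:
        findings.add("long_lived")     # never expires, or validity too long
    if (today - identity["last_used"]).days > MAX_IDLE_DAYS:
        findings.add("stale")
    return sorted(findings)

def plan(inventory, today):
    """Map each identity id to (findings, action), picking the most urgent action."""
    result = {}
    for identity in inventory:
        found = classify(identity, today)
        if "expired" in found or "stale" in found:
            action = "revoke"                  # dead or unused: kill it
        elif "long_lived" in found:
            action = "rotate_to_short_lived"   # in use, but validity too long
        elif "unattributed" in found:
            action = "assign_owner"
        else:
            action = "keep"
        result[identity["id"]] = (found, action)
    return result
```

Calling `plan(INVENTORY, TODAY)` returns the findings and action per identity; an unattributed credential that is also long-lived still carries the `unattributed` finding alongside its rotation action, so ownership can be chased in parallel.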