2026 Non‑Human Identities Reality Report
What Was Predicted. What Actually Happened. What Must Change.
Purpose Statement:
This report exists to distinguish signal from narrative in Non‑Human Identity (NHI) risk for Jan 1 – Dec 31, 2025, and to provide decision‑grade clarity on how API keys, service accounts, secrets, and AI agents actually changed the kill chain—and what must be engineered differently in 2026 to reduce blast radius, not just increase detection.
1. BLUF / Executive Reality Summary
1.1 One‑Page Reality Snapshot
Hard truths for 2025 NHIs:
- Non‑human identities decisively outnumbered humans in production environments, and became the primary “real” perimeter for cloud, SaaS, and agentic AI systems.
- Secret sprawl did not improve; long‑lived credentials and zombie secrets persisted across years, turning every repo, CI pipeline, and agent framework into an identity leak surface.
- AI agents converted static NHI risk into machine‑speed execution risk; compromised or over‑privileged agent credentials produced full kill chains without malware.
- Most “identity” programs still optimized human SSO and MFA, while NHI governance (inventory, lifecycle, kill switches) lagged by years, leaving the largest identity population effectively unmanaged.
- Detection improved around leaked secrets and anomalous usage, but remediation and revocation stayed human‑paced; as a result, attackers routinely operated with valid keys that should already have been dead.
- Agentic AI and frameworks (LangChain, Langflow, OmniGPT) proved that NHI misuse is not a theoretical risk; real incidents showed environment secrets, API keys, and service accounts leaking through agent stacks at scale.
- Vendor and conference narratives framed NHIs as a governance/compliance concern; in practice, NHI failures showed up as concrete execution paths to data theft, supply‑chain compromise, and AI‑orchestrated attacks.
1.2 Last Year’s Predictions vs Reality (Scorecard)
2025 was the first explicit CSI baseline year for NHIs, so the scorecard contrasts emergent 2025 industry claims with execution reality, and uses AI SAFE² v2.0/v2.1 as the reference engineering lens.
| Prediction / Claim | Widely Claimed By | Outcome (2025) | Accuracy | Example Evidence |
|---|---|---|---|---|
| NHIs are an emerging topic but still niche compared to human IAM | Vendors, conferences | NHIs outnumber humans by tens‑to‑one in many orgs (45–100:1 observed ranges) | Narratively false | CSA RSAC 2025 (45:1), GitGuardian/Entro and others citing up to 100:1 machine‑to‑human ratios. |
| Secrets sprawl is improving due to better tooling (push protection, scanners) | Vendors | 23.8M leaked secrets on GitHub in 2024; 70% of 2022 secrets still valid in 2024/25 | Narratively false | GitGuardian 2025 State of Secrets Sprawl data. |
| “Machine identities” are mostly a PKI/certificate hygiene problem | Traditional IAM vendors | Real incidents centered on API keys, env vars, CI/CD tokens, and agent credentials, not just certs | Partially accurate | WEF NHI piece (crypto focus) plus Entro/GitGuardian datasets on tokens and keys. |
| Secrets scanning + vault = sufficient NHI control | Vendors, platform talks | Scanners detected leaks, but zombie secrets, stale NHIs, and unowned accounts remained exploitable | Narratively false | 70% of old secrets still active; 40%+ orphaned non‑human identities; active abuse via LangChain/Langflow. |
| AI is “just another consumer” of credentials, not an identity category | Many IAM narratives | AI agents behaved as first‑class principals with broad rights, and their governance required new NHI‑centric controls | Narratively false | AI SAFE² v2.0/v2.1 elevation of NHI governance as a dedicated pillar. |
| NHI risk is primarily theoretical; no major real‑world incidents yet | Conference panels, blogs | LangChain CVE‑2025‑68664, Langflow RCE, OmniGPT breach, GTG‑1002 campaign all exploited NHI/secret paths | Narratively false | AI SAFE² v2.1 Q4‑2025 incident mapping. |
| Focus on “identity of the caller” is enough if IAM and SSO are strong | Traditional Zero Trust | Valid NHI identities executed malicious flows; the missing control was runtime action constraint, not identity proof | Narratively false | AI SAFE² Law‑2‑aligned NHI controls, and GTG‑1002 autonomous kill chains using valid credentials. |
1.3 What Executives Must Know
- The largest identity population in your environment is now non‑human, and it already sits inside your critical workflows (CI/CD, data pipelines, SaaS integrations, AI agents).
- The main NHI failure mode is not “lack of detection,” but “lack of decisively enforced lifecycle and blast‑radius constraints” (creation, scoping, rotation, revocation, kill switches).
- AI agents turned NHIs from a static risk into an active, autonomous operator class; any 2026 strategy that doesn’t treat NHIs as first‑class security principals with runtime constraints is structurally unsound.
Executives need to decide differently by:
- Reframing “identity security” roadmaps around machine‑to‑human ratios and NHI lifecycle coverage, not just human SSO and MFA.
- Funding deterministic controls that stop dangerous actions by NHIs at runtime (Law 2), even when credentials are valid and scans are green.
2. The Narrative vs The Reality
2.1 The Surface Narrative (2025)
Across vendor reports, conference talks, and IAM marketing, the dominant storyline in 2025 was:
- “Machine identities” framed primarily as certificate/PKI and workload identity posture; the message: get your cert inventory and rotation under control.
- Secrets sprawl presented as a detection problem: push protection, repo scanners, and centralized vaults were marketed as the primary solution, with the implication that adoption ≈ resolution.
- AI agents described as “productivity enablers” that consume existing identity and access paths, not as a new class of identities with distinct governance needs.
- NHI statistics like “X machine identities per employee” used to create urgency, but rarely tied to concrete kill chains or architectural design changes.
Judgment was deferred; the story emphasized visibility, dashboards, and compliance narrative over execution mechanics.
2.2 The Underlying Reality
Execution‑layer evidence tells a different story:
- Attackers increasingly operated with valid non‑human credentials—tokens in code, CI/CD secrets, hard‑coded keys exposed through agents—meaning the decisive failures were architectural, not purely detection gaps.
- GitGuardian and others showed that secret exposure volume is still growing, and more importantly, that organizations leave leaked secrets valid for years, turning one leak into a long‑term NHI foothold.
- Entro‑style telemetry and NHI research highlighted behaviors like tokens reused across devices, reactivated stale identities, and widespread orphaned NHIs—patterns that silently widen blast radius before any alert fires.
- Q4‑2025 agent incidents (LangChain CVE‑2025‑68664, Langflow RCE, OmniGPT credential leak, GTG‑1002) demonstrated full kill chains where the “exploit” was simply poor NHI governance in frameworks, not advanced malware.
In short: identity‑as‑gate thinking failed for NHIs; what mattered was constraining what those identities could do, not proving who they were. Law 2 (constrain action, assume identity compromise) held; human‑centric IAM narratives did not.
3. Engineering Truth: How NHI Attacks Actually Worked
3.1 Dominant Attack Mechanics (Flows)
Flow A — Secrets‑to‑Cloud Kill Chain (LOTL via NHIs)
- Entry: An attacker discovers a leaked secret (token, API key, service account) in a public repo, CI logs, chat transcript, or compromised agent memory—often months or years after its first exposure.
- Escalation: Using that valid NHI, the attacker accesses cloud APIs or SaaS backends, enumerates permissions, and laterally moves through storage buckets, queues, and management planes without dropping malware (pure API‑level activity).
- Impact: Data is exfiltrated, configuration is tampered with, or new NHIs are created to ensure persistence; the activity blends with normal machine traffic because it is literally using the same non‑human identities the system expects.
Flow B — Agent‑Mediated NHI Abuse (AI‑Orchestrated Attacks)
- Entry: A vulnerable agent framework (LangChain, Langflow, OmniGPT) exposes environment secrets or uses over‑privileged service accounts; prompt or memory injection amplifies control over the agent.
- Escalation: The attacker uses the agent—and its NHIs—to chain tools, call external APIs, and pull more secrets, effectively turning the agent into an autonomous operator executing reconnaissance and exploitation.
- Impact: Multi‑stage campaigns like GTG‑1002 run 80–90% autonomously, exfiltrating data, creating new backdoor NHIs, or modifying infrastructure, with human attackers mainly supervising.
Flow C — NHI Supply‑Chain Poisoning
- Entry: A malicious or compromised model/package (e.g., poisoned Hugging Face model, backdoored component in CI) is introduced into the build or inference supply chain; its deployment is authorized using NHIs.
- Escalation: The component runs with the workload’s NHI privileges, reading secrets, calling upstream APIs, or modifying downstream artifacts as part of “normal” pipeline execution.
- Impact: Ecosystem‑level compromise where one poisoned artifact propagates across many tenants, each trusting their own NHIs that are now implicitly executing attacker logic.
In all flows, the “exploit” is that NHIs are: over‑privileged, long‑lived, unowned, or embedded in agents and pipelines that nobody treats as primary identities. The system trusts the identity; the attacker abuses the actions available to it.
3.2 Time, Scale, and Automation
- Time‑to‑impact compressed: once a valid NHI is obtained, impact is measured in minutes to hours, not weeks; no phishing, persistence malware, or lateral movement beacons are required—just API calls.
- Scale favored attackers: millions of secrets scanned continuously, automated discovery of exposed tokens, and AI agents capable of chaining actions across dozens of services at machine speed.
- Detection lag is now fatal: secret scanning or ITDR that flags anomalies days later doesn’t matter if an attacker can exfiltrate and establish alternate NHIs in the first hour.
This validates Law 1 and Law 2 applied to NHIs: if an NHI‑driven attack executes to impact, the architecture failed; identity‑centric detection after the fact is not a compensating control.
4. Debunked & Retired Metrics
4.1 Metrics That Must Be Retired
| Old Metric / Stat | Why It’s Misleading | Replace With |
|---|---|---|
| “X machine identities per employee” (e.g., 45:1, 96:1, 100:1) | Reused as a scare stat; conveys scale, not risk. Different orgs count radically different things as NHIs. | NHI blast‑radius density: how many high‑impact systems each NHI can reach; measure permissions and adjacency, not just count. |
| “Number of leaked secrets detected this year” | Detection volume ≠ risk; most orgs leave old secrets valid, and one high‑value key outweighs thousands of minor ones. | Median secret dwell time and percent of leaked secrets revoked/rotated within 24 hours. |
| “Percentage of repos covered by secret scanning” | Coverage metric ignores remediation; a fully scanned but non‑remediated environment is still exploitable. | Time‑bound remediation rate: share of critical secrets fully revoked and rotated within strict SLAs. |
| “Vault adoption” (yes/no or % of apps using vault) | Vault usage says nothing about hard‑coded secrets, agent configs, or orphaned NHIs. | Share of NHIs whose lifecycle (creation, rotation, revocation) is fully orchestrated and auditable via code. |
| “% of identities with MFA” | MFA barely applies to NHIs; focusing on this hides the real attack surface. | % of high‑risk NHI actions that require multi‑party or step‑up approval at runtime. |
| “Number of AI agents deployed” | Raw agent count ignores whether their NHIs are governed; risk is not proportional to count alone. | Ratio of governed to ungoverned agents (AI SAFE² coverage) and % of agents with dedicated, scoped NHIs. |
4.2 Metrics That Actually Predict Damage
Metrics with predictive power for NHI‑driven loss:
- Median dwell time of exposed NHIs (from first leak to revocation), by sensitivity tier.
- Percentage of NHIs that are orphaned (no owner) or stale (no recent legitimate use) but still active.
- Share of critical workflows executable solely by NHIs without human approval or multi‑party checks.
- Ratio of NHI privileges actually exercised vs granted (excess privilege index).
- Coverage of runtime action constraints for NHIs (e.g., kill switches, rate‑limiters, policy guards) across AI SAFE² NHI sub‑domains.
These align directly with Law 2: measuring what actions can execute, not just how many identities exist or how many alerts were generated.
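The first three metrics above, plus the 24-hour revocation rate from section 4.1, computed over a small NHI inventory. This is an added example, not part of the original report or of AI SAFE²; the record fields, the 90-day staleness threshold, and the definition of the excess privilege index as the share of granted privileges never exercised are assumptions, and the inventory is constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import median

NOW = datetime(2026, 1, 1)        # fixed "as of" time so results are reproducible
STALE_AFTER = timedelta(days=90)  # assumption: unused for 90 days counts as stale

def nhi(id, tier, owner, active, last_used, leaked_at, revoked_at, granted, exercised):
    return dict(id=id, tier=tier, owner=owner, active=active, last_used=last_used,
                leaked_at=leaked_at, revoked_at=revoked_at,
                granted=set(granted), exercised=set(exercised))

# Constructed sample inventory (illustrative, not real data). owner=None means orphaned.
INVENTORY = [
    nhi("ci-deploy-token", 0, "platform", True, datetime(2025, 12, 30),
        datetime(2025, 3, 1), None,  # leaked and never revoked: dwell still growing
        ["storage.write", "compute.admin", "iam.pass_role", "kms.decrypt"],
        ["storage.write"]),
    nhi("agent-tool-sa", 0, "ml-team", False, datetime(2025, 11, 10),
        datetime(2025, 11, 10, 8), datetime(2025, 11, 10, 20),
        ["search.query", "tickets.read"], ["search.query", "tickets.read"]),
    nhi("legacy-etl-key", 1, None, True, datetime(2025, 2, 1), None, None,
        ["db.read", "db.write", "queue.publish"], []),
    nhi("saas-webhook-key", 1, "sales-ops", True, datetime(2025, 6, 1),
        datetime(2025, 10, 1), datetime(2025, 10, 5), ["crm.write"], ["crm.write"]),
    nhi("batch-report-sa", 1, "finance", True, datetime(2025, 12, 20), None, None,
        ["reports.read", "reports.export"], ["reports.read"]),
]

def dwell_days(n, now=NOW):
    """Days from first leak to revocation; an unrevoked leak dwells until 'now'."""
    end = n["revoked_at"] or now
    return (end - n["leaked_at"]).total_seconds() / 86400

def median_dwell_by_tier(inv, now=NOW):
    tiers = {}
    for n in inv:
        if n["leaked_at"]:
            tiers.setdefault(n["tier"], []).append(dwell_days(n, now))
    return {t: median(v) for t, v in tiers.items()}

def orphaned_or_stale_active_pct(inv, now=NOW):
    """Percent of still-active NHIs that have no owner or no recent use."""
    active = [n for n in inv if n["active"]]
    risky = [n for n in active
             if n["owner"] is None or now - n["last_used"] > STALE_AFTER]
    return 100 * len(risky) / len(active) if active else 0.0

def excess_privilege_index(inv):
    """Share of privileges granted to active NHIs that were never exercised."""
    active = [n for n in inv if n["active"]]
    granted = sum(len(n["granted"]) for n in active)
    unused = sum(len(n["granted"] - n["exercised"]) for n in active)
    return unused / granted if granted else 0.0

def revoked_within_pct(inv, hours=24):
    """Percent of leaked credentials revoked within the SLA window."""
    leaked = [n for n in inv if n["leaked_at"]]
    fast = [n for n in leaked if n["revoked_at"]
            and n["revoked_at"] - n["leaked_at"] <= timedelta(hours=hours)]
    return 100 * len(fast) / len(leaked) if leaked else 0.0

if __name__ == "__main__":
    print("median dwell (days) by tier:", median_dwell_by_tier(INVENTORY))
    print("orphaned/stale but active %:", orphaned_or_stale_active_pct(INVENTORY))
    print("excess privilege index:", excess_privilege_index(INVENTORY))
    print("revoked within 24h %:", revoked_within_pct(INVENTORY))
```

Counting an unrevoked leak up to the reporting time keeps zombie secrets from dropping out of the median, which is what a "leaks detected" count hides.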
5. What Defenders Missed (Blind Spot Analysis)
5.1 Vendor Visibility Gaps
Tier‑1 and many Tier‑2 vendors systematically under‑saw NHI risk in 2025 because their telemetry and economics are tuned elsewhere:
- Telemetry bias: traditional EDR, NDR, and SIEM views focus on endpoints, network traffic, and human sessions—not on internal NHI behavior, secret usage patterns, or agent‑to‑tool RPC paths.
- Product incentives: vendors monetize more from identity threat detection around human SSO and phishing than from low‑margin, messy lifecycle work across millions of NHIs.
- Architectural limits: many platforms treat secrets scanning or workload identities as add‑ons, not as a unified NHI shield where agent frameworks, CI/CD, repos, and SaaS all share a consistent identity model.
As a result, they do see:
- Leaked secrets in public code, some anomalous token use, some PKI hygiene issues.
But they mostly don’t see:
- The graph of which NHIs call which APIs, at what privilege levels, across which agents and pipelines, with what cumulative blast radius.
5.2 Defender Pain Signals
In practice, teams struggled with:
- Building and maintaining a trustworthy NHI registry—across clouds, CI systems, SaaS, and agents—without dedicated tooling.
- Tracing incident impact when a single credential was compromised, because there was no clean mapping from that NHI to the workloads and data it touched.
- Enforcing rotation and revocation at scale; many secrets stayed valid because rotation broke fragile pipelines or nobody knew who owned the NHI.
- Securing AI agents that autonomously spawn credentials or call tools; most security teams were brought in after pilots shipped, not at design time.
Silently failing controls included:
- IAM policies that looked “least privilege” on paper but, when combined with agent tool‑chaining, created de‑facto admin‑level paths.
- Secrets managers that stored credentials securely while those same secrets were hard‑coded in configs, notebooks, or agent memory.
6. Updated Framework / Control Model
6.1 Does the Old Model Still Work?
The legacy model—“secrets scanning + vault + human IAM” as NHI strategy—is no longer adequate. It partially helps with exposure discovery, but it fails Law 2 (constraining action) and Law 3 (unified architecture) in an agentic, NHI‑heavy world.
AI SAFE²’s evolution in 2025 explicitly recognized this: NHI governance coverage in v2.0 was only ~25%, and real incidents forced v2.1 to add 10 targeted NHI sub‑domains, moving coverage toward ~95%.
So the answer:
- Old NHI model: No—it must be replaced.
- AI SAFE² NHI pillar (v2.1): Partially sufficient—it provides the architectural blueprint, but many orgs have not implemented it in enforcement‑grade form.
6.2 Deterministic NHI Control Model (Law‑2 Aligned)
What must be prevented
Any high‑impact action (data exfiltration, privilege escalation, critical configuration change, financial transaction, agent orchestration) executing solely on the basis of an NHI’s long‑lived credential, without runtime policy checks and kill switches.
At what execution layer
At the action layer, not the login layer:
- API gateways that enforce per‑NHI, per‑action policies and rate limits.
- Agent frameworks instrumented to treat NHI use as controlled operations with circuit‑breakers.
- CI/CD and workflow engines enforcing step‑up controls for destructive stages, regardless of which NHI calls them.
With what failure tolerance
- For Tier‑0/Tier‑1 actions (crown‑jewel data, production infra, financial moves): target zero tolerance—no single NHI, however “trusted,” can execute these without additional checks.
- For lower‑tier actions: tightly bounded blast radius per NHI, enforced via scope, rate, and domain constraints, plus automated revocation on anomaly.
An AI SAFE²‑consistent NHI model in 2026 therefore includes:
- A live NHI registry with automated discovery, ownership, and lifecycle hooks across clouds, CI, SaaS, and agents.
- Continuous secret hygiene: detection + rotation + revocation pipelines with hour‑level SLAs, not ticket queues.
- Runtime governance in agent frameworks: GitGuardian‑style secret detection, OAuth scoping, just‑in‑time elevation, and emergency global kill for compromised NHIs.
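A sketch of the action-layer check this section describes: per‑NHI scope, step‑up approval for Tier‑0/Tier‑1 actions, a rate bound that revokes on breach, and a kill switch. This is an added example, not code from the report or from AI SAFE²; the `ActionGuard` class, policy fields, NHI names and action names are hypothetical.

```python
import time
from collections import defaultdict, deque

HIGH_IMPACT_TIERS = {0, 1}  # Tier-0/Tier-1 actions never run on the NHI credential alone

# Hypothetical policy data: action -> tier, and per-NHI scope plus rate bound.
ACTION_TIERS = {"reports.read": 3, "db.export": 0}
POLICIES = {
    "report-agent": {"allow": {"reports.read", "db.export"},
                     "max_calls": 3, "window_s": 60.0},
}

class ActionGuard:
    """Decides per call whether an NHI may execute an action, independent of login."""

    def __init__(self, policies, action_tiers, clock=time.monotonic):
        self.policies = policies
        self.action_tiers = action_tiers
        self.clock = clock
        self.killed = set()               # NHIs disabled by the kill switch
        self.calls = defaultdict(deque)   # nhi_id -> timestamps of allowed calls

    def kill(self, nhi_id):
        """Emergency kill: every later call by this NHI is refused."""
        self.killed.add(nhi_id)

    def authorize(self, nhi_id, action, approvals=()):
        if nhi_id in self.killed:
            return (False, "killed")
        policy = self.policies.get(nhi_id)
        if policy is None:
            return (False, "unregistered")      # not in the NHI registry
        if action not in policy["allow"]:
            return (False, "out_of_scope")
        # An action with no recorded tier is treated as Tier-0 (fail closed).
        tier = self.action_tiers.get(action, 0)
        # Step-up: the approver must be a principal other than the calling NHI.
        if tier in HIGH_IMPACT_TIERS and not (set(approvals) - {nhi_id}):
            return (False, "needs_approval")
        now = self.clock()
        recent = self.calls[nhi_id]
        while recent and now - recent[0] > policy["window_s"]:
            recent.popleft()
        if len(recent) >= policy["max_calls"]:
            self.kill(nhi_id)                   # automated revocation on anomaly
            return (False, "rate_exceeded_killed")
        recent.append(now)
        return (True, "ok")

if __name__ == "__main__":
    guard = ActionGuard(POLICIES, ACTION_TIERS)
    print(guard.authorize("report-agent", "reports.read"))
    print(guard.authorize("report-agent", "db.export"))
    print(guard.authorize("report-agent", "db.export", approvals=["oncall-human"]))
```

Every refusal here happens with a valid credential presented, which is the Law‑2 point: the decision depends on the action and its tier, not on proof of identity.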
7. Forward Outlook (Next 12 Months)
Tied to mechanics, not fear:
- The machine‑to‑human identity ratio will continue to climb (toward ~80:1+), driven largely by embedded AI agents and automation—not traditional service accounts.
- At least one high‑profile breach is likely to center on an AI agent whose NHI was hijacked or over‑privileged, producing financial loss or data theft at machine speed.
- Regulators and auditors will begin asking for explicit NHI governance evidence (inventory, lifecycle, runtime constraints) as part of AI, cloud, and resilience assessments.
- Vendors will fold more NHI features into platforms, but gaps will remain around agent frameworks and cross‑platform NHI graphs—areas where AI SAFE²‑style architectures will still be required.
Signals to watch:
- Median revocation time for leaked secrets in your environment.
- Growth rate of ungoverned agents or NHIs vs governed ones.
- Incidents where postmortems show valid non‑human credentials as the primary enabler, not malware.
8. Reference Annex
Sources & Inputs (Representative)
- GitGuardian “State of Secrets Sprawl 2025” and associated H1/H2 data on leaked secrets and dwell time.
- Entro NHI & secrets risk report and NHIDR‑style anomaly patterns for non‑human identities.
- The Hacker News and related 2025 coverage on NHI expansion, secret longevity, and cloud compromise.
- Cloud Security Alliance guidance on securing NHIs in the age of AI agents (RSAC 2025 session and artifacts).
- NHI governance and lifecycle guidance from emerging vendors and consultancies (e.g., Prefactor, Defakto).
- Cyber Strategy Institute AI SAFE² v2.0 and v2.1 framework documents, including NHI governance coverage and Q3/Q4‑2025 incident mappings.
- Cyber Strategy Institute 2025 AI Threat Landscape review and 2026 outcomes analysis, for macro context on agentic AI and identity‑first risk.
Methodology & Gaps
- Primary weight given to execution mechanics (kill chains, incident patterns, exploit classes) and architectural failures (NHI lifecycle gaps, agent framework exposures).
- Public incident detail on NHI‑centric breaches remains incomplete; many conclusions rely on aggregated telemetry and framework‑level evidence rather than named victim case studies.
- Machine‑to‑human identity ratios vary by source and definition; ranges (45:1 to 100:1) are treated as directional, with focus placed on blast‑radius and lifecycle rather than exact counts.
What Defenders Should Stop Measuring
- Raw counts of machine identities, leaked secrets, or vault‑connected apps as success indicators.
- Human‑centric identity metrics (MFA coverage, phishing simulation results) as proxies for NHI resilience.
What Actually Predicts Damage
How long valid NHIs stay exploitable after exposure, how far their privileges reach, and whether high‑impact actions can execute at all without runtime constraint—regardless of which “face” (bot, agent, token, service account) attackers choose to wear.
Frequently Asked Questions (FAQ)
1. What is the core purpose of the 2026 Non-Human Identities Reality Report?
To separate signal from narrative in Non-Human Identity (NHI) risk, evaluate what actually happened across 2025, and provide decision-grade clarity for how NHIs, secrets, and AI agents changed the kill chain—and what must be engineered differently in 2026.
2. Why are NHIs now considered the real perimeter?
Because NHIs outnumber humans by tens-to-one in most environments and directly operate CI/CD, SaaS, data pipelines, and AI agents. Attackers increasingly exploit these identities rather than targeting human MFA or endpoints.
3. What was the biggest misconception about machine identities in 2025?
That machine identity risk is primarily a PKI/certificate management issue. In reality, most incidents involved API keys, service accounts, CI/CD tokens, environment variables, and AI-agent credentials—not certificates.
4. Did secret scanning and vault adoption meaningfully reduce risk?
No. Detection improved, but remediation and revocation did not. Millions of leaked secrets remained valid for months or years, enabling attackers to operate with legitimate NHIs long after exposure.
5. Why did AI agents materially increase NHI risk?
Because they turned static credentials into machine-speed execution flows. Compromised or over-privileged agent credentials allowed attackers to chain tools, orchestrate cloud calls, and execute full kill chains without malware.
6. What were the major NHI-centric incidents in 2025?
Real-world events—such as LangChain CVE-2025-68664, Langflow RCE, OmniGPT credential exposures, and the GTG-1002 campaign—demonstrated that NHI misuse can autonomously produce high-impact breaches.
7. Why did identity-centric detection fail for NHI attacks?
Because attackers used valid NHIs. The issue was not proving who the identity belonged to, but constraining what the identity was allowed to do. Traditional IAM and SSO assumptions did not translate to NHIs.
8. What is the main NHI failure mode organizations must fix?
Long-lived, over-privileged, unowned, or zombie NHIs with no enforced lifecycle boundaries, no kill switches, and no runtime constraints. These create unmonitored execution paths that attackers exploit.
9. Which common metrics should be retired?
Metrics like “machine identities per employee,” “number of leaked secrets,” “vault adoption,” and “repo scan coverage.” These measure activity, not risk, and fail to reflect blast radius or lifecycle hygiene.
10. What metrics actually predict real damage from NHI compromise?
Critical predictors include median NHI dwell time, percentage of orphaned/stale NHIs, excess privilege index, share of high-impact actions executable without human approval, and runtime constraint coverage.
11. Why are NHIs difficult for vendors to see and secure today?
Most security products monitor human sessions, endpoints, and network activity—not internal NHI behavior, cross-agent tool chains, secret usage patterns, or SaaS/cloud API graphs where NHIs operate.
12. What did defenders struggle with most in 2025?
Maintaining accurate NHI inventories, enforcing rotation and revocation, tracing impact during incidents, and securing AI agents that spawned or used credentials autonomously. Many controls silently failed under real workloads.
13. Does the traditional “vault + scanning + IAM” model still work?
No. It is insufficient for agentic and NHI-heavy environments. It lacks runtime action constraints, deterministic kill switches, and cohesive lifecycle governance required under updated AI SAFE² principles.
14. What must organizations implement in 2026 to reduce blast radius?
A deterministic, Law-2-aligned model: enforce per-NHI action policies at runtime, automate discovery and lifecycle management, implement hour-level rotation SLAs, scope agent NHIs tightly, and add kill switches for high-impact actions.
15. What major trends should leaders expect over the next 12 months?
Machine-to-human ratios will climb toward ~80:1+, at least one major breach will originate from a compromised AI-agent NHI, regulators will demand explicit NHI governance evidence, and runtime control architectures will become mandatory.