For most of security's history, an “identity” meant a person: an employee with a badge, a login and a manager who eventually offboarded them. That world is gone. Machines now account for the overwhelming majority of identities within the enterprise. Palo Alto Networks' 2026 Identity Security Landscape report puts the ratio at 109 machine identities for every human, up from 82-to-1 just a year earlier. CyberArk's research puts it at more than 80-to-1. The precise number varies by methodology, but the trajectory is unmistakable: non-human identities (NHIs) already dominate, and the gap is widening every quarter.
What has changed is AI. Of the 109 machine identities per human, roughly 79 are AI agents. Agent identities are projected to grow by around 85% over the next 12 months, faster than machine identities overall. Every automation, pipeline, service account, API key, container, and now every autonomous agent, carries credentials, holds permissions and accesses sensitive data. Unlike employees, they are rarely offboarded, their secrets seldom rotate and no single owner is accountable for them.
This is a governance problem before it is a technical one. Standing-privilege service accounts and forgotten API keys are precisely the footholds attackers seek. The frameworks already expect you to manage them: ISO 27001 makes no distinction between human and machine identities in identity and privileged-access management; CIS Controls v8 (Account and Access Control Management) explicitly covers service accounts; and NIST CSF's Identify and Protect functions assume you can inventory every identity in your estate. The catch is that most organisations cannot even see their NHIs, let alone govern them.
Traditional IAM tooling was built around joiners, movers and leavers, a human life cycle. NHIs do not fit that model. They are spun up by developers in seconds, live within cloud consoles and CI/CD systems, and vanish from view the moment a project moves on. Point-in-time audits and annual access reviews simply cannot keep pace with identities that multiply daily.
This is where continuous, telemetry-driven governance earns its place. CyberCyte approaches the problem from the artefact up. Its agents and integrations collect scripts, scheduled tasks, service accounts, tokens and shadow IT that spawn non-human identities, then apply AI-driven classification to score and prioritise them against real asset context. Those findings do not stay buried in technical noise; they automatically map to ISO 27001, NIST and CIS controls within CyberCyte's built-in GRC layer, feeding a dynamic risk registry and maturity scoring so teams can prove coverage rather than assume it. And when a risky account or unauthorised artefact surfaces, CyberCyte can act on it directly, not merely raise another alert.
The 100-to-1 enterprise is not a forecast; it is already here, and AI agents will push the ratio even higher with every release cycle. The organisations that stay in control will not be those with the longest policy documents; they will be those that can continuously discover every identity, human or not, tie it to real control, and remediate the moment it drifts. So the question for every security leader is a simple one: if machines already outnumber your people 80 or 100-to-1, are your controls governing all of them, or just the humans?
Andrzej Jarmolowicz is co-founder and Operations Director at Cybershure. The company is a distributor of bespoke IT solutions, with offices in London and South Africa, and is the sole distributor of CyberCyte in Africa.
Sources
Palo Alto Networks / Help Net Security — 2026 Identity Security Landscape:
machine identities outnumber humans 109 to 1 CyberArk — Machine Identities Outnumber Humans by More Than 80 to 1

