EY: How Enterprises can Fight Non-Human Identity Risks

Richard Watson, Global Cybersecurity Consulting Leader at EY | Credit: EY
Richard Watson, Global Cybersecurity Consulting Leader at EY, shares his insights on the risk of non-human identities and how organisations can stay safe

As organisations accelerate their adoption of cloud platforms, automation and AI-driven workflows, the nature of identity within the enterprise is changing fast.

Machine accounts, service identities and APIs now underpin almost every digital process, quietly enabling scale and speed while often operating outside traditional governance models.

This shift has created new efficiencies but it has also introduced unfamiliar risks, particularly as security controls designed for people are stretched to cover non-human actors.

From blind spots in visibility to new attack paths for cyber criminals, security leaders are being forced to rethink how identity is defined, managed and protected.

Here, Richard Watson, Global Cybersecurity Consulting Leader at EY, explores the rapid growth of non-human identities, where organisations are most exposed and what practical steps can be taken to regain control without slowing innovation. 

What is driving the growth of non-human identities and why has it accelerated so quickly?

The rapid growth of non‑human identities is primarily driven by increased reliance on cloud computing, automation and AI‑led workflows. As organisations adopt these technologies, every automated process, AI application or cloud service requires its own identity to access systems and data, mirroring the needs of human users.

This growth has accelerated as businesses prioritise efficiency and scalability to streamline operations and improve productivity.

However, this proliferation presents significant challenges for cybersecurity and identity management. Each non‑human identity must be carefully managed, monitored and reviewed to prevent unauthorised access and ensure compliance with data protection requirements. As the number of identities grows, so too does the complexity of managing permissions, increasing the risk of oversharing, misuse or exposure of sensitive information.


Many organisations are finding that identity hygiene has not kept pace with the speed of cloud and AI adoption. As a result, non‑human identities are becoming a critical focus area within identity and access management.

Securing these identities is now one of the fastest‑growing priorities in cybersecurity, requiring organisations to adopt more comprehensive strategies to safeguard their digital environments.

What are the biggest blind spots when it comes to managing and securing non-human identities?

One of the most significant blind spots in managing non‑human identities is the lack of visibility into which systems have access to specific data.

Traditional identity and access management tools were designed for human users and often fail to account for the complexity introduced by cloud adoption, automation and AI‑driven workflows. This can lead to unauthorised access and increased exposure to data breaches.

Organisations also struggle with the dynamic nature of non‑human identities. As workflows evolve, identities and permissions change rapidly, making it difficult to maintain an accurate inventory.

Without continuous oversight, access can easily become excessive or outdated, increasing risk. These issues are often overlooked because manual governance processes cannot scale at the pace of modern digital environments.

However, advancements in AI offer a promising solution. AI can enhance identity governance by providing real‑time visibility into identity hygiene and automating access decisions.

Emerging vendors are developing tools specifically designed to improve security and oversight for non‑human identities. By adopting AI‑driven approaches, organisations can reduce risk, strengthen compliance and improve their overall cybersecurity posture.

How are cyber criminals exploiting weaknesses in machine identity management today? 

Cyber criminals are increasingly exploiting weaknesses in machine identity management as organisations expand their use of cloud services, APIs and automated workflows.

While weak human identity controls remain an issue – reinforcing the idea that attackers often “log in” rather than hack in – attackers are now placing greater focus on non‑human identities.

Service accounts, automated scripts and API keys often rely on hard‑coded or long‑lived credentials, creating single points of failure. Once compromised, these accounts frequently have broad and persistent privileges, enabling attackers to move laterally at machine speed. Techniques such as token theft, abuse of cloud metadata services and impersonation of trusted workloads are increasingly used to evade traditional detection.

CISOs should be particularly concerned about environments where machine identities operate without credential rotation, monitoring or behavioural baselining. Defences must extend beyond human‑centric controls such as MFA to include strong secrets management, least‑privilege design for service accounts and continuous behavioural analytics.

AI‑augmented identity threat detection can also help distinguish legitimate machine activity from subtle impersonation attempts before significant damage occurs.

Richard Watson, Global Cybersecurity Consulting Leader at EY, suggests that visibility, governance and identity controls are crucial to mitigate risks | Credit: Getty

How do the current identity and access management controls break down when applied to service accounts, APIs and machine-to-machine credentials?

Most identity and access management frameworks were built for human users, where credentials are limited, behaviour is relatively predictable and governance processes are well established. These assumptions break down when applied to service accounts, APIs and machine‑to‑machine identities.

Machine identities often rely on long‑lived secrets, hard‑coded keys or shared credentials and frequently lack clear ownership or lifecycle management.

Controls such as password rotation policies or interactive MFA are not well suited to automated systems that require constant access.

As cloud workloads, automation and AI‑driven systems scale, the number of machine identities grows rapidly, while visibility and governance struggle to keep pace.

Machine‑to‑machine interactions are also harder to baseline. Workloads communicate across numerous services, APIs are created dynamically and ephemeral environments appear and disappear quickly.

This makes traditional role‑based access models less effective. To manage this complexity, organisations are increasingly adopting AI‑driven identity intelligence, automated secrets rotation and centralised machine identity platforms.

Without these capabilities, unmanaged machine identities become an attractive and easily exploitable target for attackers.

What steps can organisations take to improve visibility, governance and resilience around non-human identities?

To get ahead of the growing risk posed by non‑human identities, organisations should start by improving visibility.

Understanding where service accounts, API keys, tokens and workload identities exist – and what they can access – is foundational. With that visibility, governance and enforcement can be automated without slowing cloud innovation.

Several practical steps can significantly improve resilience:

  • First, organisations should establish clear ownership and lifecycle management for every machine identity, eliminating orphaned or over‑privileged accounts.
  • Second, automating secrets hygiene through regular rotation of credentials reduces reliance on long‑lived secrets.
  • Third, enforcing least‑privilege access ensures workloads only have the permissions they need. Integrating identity controls into CI/CD pipelines helps embed guardrails early in the development process.
  • Finally, behavioural analytics can identify unusual patterns in service‑to‑service communication, enabling teams to detect compromised credentials before major damage occurs.

Together, these measures strengthen governance and resilience while allowing organisations to continue operating at cloud speed.
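The steps above (ownership and lifecycle, secrets rotation, least privilege, behavioural baselining) map directly onto checks a defender can automate over a machine-identity inventory. The script below is an added illustration, not EY's tooling or anything from the interview: it runs the governance checks from the list over a small constructed inventory and then compares recent service-to-service calls against a constructed baseline to surface a peer the caller has never talked to before. The inventory entries, call records, and the 90-day rotation threshold are all assumed sample values.

```python
"""Added example: governance and behavioural checks for non-human identities.

All data below is constructed for illustration; the rotation threshold is a
hypothetical policy value, not a recommendation from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

MAX_SECRET_AGE_DAYS = 90           # hypothetical rotation policy
AUDIT_DATE = date(2025, 4, 1)      # constructed "today" so results are stable


@dataclass
class MachineIdentity:
    name: str
    owner: Optional[str]           # None models an orphaned account
    last_rotated: date             # when its credential was last rotated
    permissions: List[str]         # coarse "service:action" grants


# Constructed inventory of service accounts / workload identities.
INVENTORY = [
    MachineIdentity("svc-billing", "payments-team", date(2025, 1, 20), ["db:read:billing"]),
    MachineIdentity("svc-legacy-etl", None, date(2023, 6, 1), ["*"]),
    MachineIdentity("ci-deployer", "platform-team", date(2025, 3, 5), ["deploy:prod", "iam:*"]),
]


def audit_identity(identity: MachineIdentity, today: date) -> List[str]:
    """Return governance findings for one identity (empty list means clean)."""
    findings = []
    # Step 1: every identity needs an accountable owner.
    if not identity.owner:
        findings.append("orphaned: no owner")
    # Step 2: long-lived secrets are the single point of failure to remove.
    age_days = (today - identity.last_rotated).days
    if age_days > MAX_SECRET_AGE_DAYS:
        findings.append(f"stale-secret: {age_days} days since rotation")
    # Step 3: least privilege; wildcard grants are the usual offender.
    wildcards = [p for p in identity.permissions if p == "*" or p.endswith(":*")]
    if wildcards:
        findings.append(f"over-privileged: wildcard grants {wildcards}")
    return findings


def audit_inventory(inventory: List[MachineIdentity], today: date) -> Dict[str, List[str]]:
    """Audit every identity and key the findings by identity name."""
    return {ident.name: audit_identity(ident, today) for ident in inventory}


# Step 4: behavioural baseline of service-to-service communication.
# Constructed (caller, callee) records from a "known good" period.
BASELINE_CALLS: List[Tuple[str, str]] = [
    ("svc-billing", "db-billing"),
    ("svc-billing", "db-billing"),
    ("ci-deployer", "k8s-api"),
]

# Constructed recent records; the secrets-vault call is the anomaly.
RECENT_CALLS: List[Tuple[str, str]] = [
    ("svc-billing", "db-billing"),
    ("svc-billing", "secrets-vault"),
    ("ci-deployer", "k8s-api"),
]


def build_baseline(calls: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each caller to the set of callees it has previously contacted."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for caller, callee in calls:
        baseline[caller].add(callee)
    return baseline


def detect_novel_peers(baseline: Dict[str, Set[str]],
                       calls: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag calls to a callee the caller has never contacted in the baseline."""
    return [(c, t) for c, t in calls if t not in baseline.get(c, set())]


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(name, "->", findings or "clean")
    for caller, callee in detect_novel_peers(build_baseline(BASELINE_CALLS), RECENT_CALLS):
        print(f"ALERT: {caller} contacted never-before-seen peer {callee}")
```

In a real deployment the inventory would be pulled from the cloud provider's IAM and secrets manager APIs and the call records from service mesh or API gateway logs; the checks themselves stay the same, and the novel-peer alert is the kind of signal that lets a team catch a stolen credential before it is used for lateral movement.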
