Report: Bulk of Identities Are Unseen and Unmanaged in the Enterprise
A report published by Orchid Security shines a spotlight on the degree to which identity management has become a growing problem for organizations, finding that two-thirds of non-human accounts are unseen and unmanaged.
Based on anonymized telemetry collected by Orchid Security, which provides a platform for analyzing identity data, the report finds that invisible identities account for 57% of the total in enterprise IT environments, compared to 43% that are visible using existing identity and access management (IAM) tools.
The report noted that 67% of the non-human identities were created directly from within an application, which means they are largely invisible to IAM tools.
Orchid Security CEO Roy Katmor said that the issue is only going to become more problematic as more end users access artificial intelligence (AI) agents from within those applications. In the absence of any ability to observe identities, a massive blind spot will only continue to expand, he added. In effect, identity is now akin to dark matter that cybersecurity teams know exists but simply can’t see, said Katmor.
Furthermore, the report finds that 57% of applications bypass centralized identity providers, and that 40% of the accounts analyzed are orphaned, in the sense that the user who created them no longer works for the organization.
More troubling still, 70% of enterprise applications contain an excessive number of privileged accounts, and 36% of all credentials are hardcoded in clear text within applications.
In theory, identity is supposed to be the new cybersecurity perimeter. In practice, it’s all but impossible to manage what can’t be seen. In addition to all the human identities that cybersecurity teams are trying to secure, there are 10 times as many non-human identities that might be compromised as well.
Additionally, there are now a growing number of identities attached to AI agents. In most cases, those AI agents are inheriting permissions from the end users that created them, but there will also be AI agents that are autonomously performing tasks on behalf of the organization that will need to be secured. In general, cybersecurity teams should expect to see a wave of attacks enabled by stolen credentials that are being used to compromise entire agentic AI workflows.
Unfortunately, most of the permissions granted to AI agents are being given by end users who don’t always have the greatest appreciation for the cybersecurity implications. Most cybersecurity teams are relying on a patchwork of IAM and privileged access management (PAM) tools and platforms to manage identities. In other cases, the only authentication capability an organization has is a directory maintained by the IT department.
There will, of course, come a time when compliance teams start asking harder questions about who or what has access to sensitive data. That may prove to be the best thing that could happen to cybersecurity teams, which are often hard-pressed to find the budget and resources required to manage identities, an issue that will be further exacerbated in the AI era. In the meantime, however, in the absence of the right tools and skills, it’s probable that things will get much worse before they hopefully get better.