The Coworkers You Never Hired
Jim Walker
General Manager, Service Delivery
Quick exercise.
Picture your org chart.
Count the people.
Now multiply that number by somewhere between 45 and 144.
That's roughly how many identities are actually operating inside your environment right now — and the overwhelming majority of them aren't people.
We've spent two decades getting good at the human side of identity. We provision accounts when someone is hired, we make them prove who they are with MFA, we review their access once a quarter, and we shut them off the day they leave. It's not perfect, but there's a process, an owner, and a paper trail.
Meanwhile, a second workforce has quietly moved in. Service accounts. API keys. OAuth tokens. Certificates. CI/CD pipeline secrets. Cloud roles and service principals. RPA bots. And now AI agents. None of them were hired. None of them carry a badge. Most of them will never change a password or sit through an access review. And there are far, far more of them than there are of you.
Nobody Agrees on How Big the Problem Is — Which Is the Problem
Here's the part that should make you uncomfortable. When you ask people inside an organization how many non-human identities they have, you get wildly different answers depending on who you ask. Security practitioners tend to guess a ratio of two-to-one, maybe ten-to-one. Executives guess far higher, often fifty-to-one or more. The actual field research lands past even that — the Identity Defined Security Alliance puts it around 50:1, Rubrik Zero Labs around 45:1 with some shops hitting 100:1, and Entro Labs measured 144:1 in cloud-native and DevOps environments last year, up from 92:1 the year before.
Forget which number is "right." The fact that the guesses span two orders of magnitude tells you everything. If you can't estimate the size of a population within an order of magnitude, you are not governing it. You're hoping.
And these aren't dormant accounts sitting in a corner. They authenticate constantly, they hold standing access to the systems that matter most, and a striking share of them are over-privileged. CyberArk's 2025 research found machine identities now vastly outnumber human ones and that nearly half carry sensitive or privileged access. That's the exact profile that would get a human account flagged immediately. Except no one's watching this one.
Why They Multiply Faster Than You Can Track
The growth isn't linear, and it isn't going to slow down. Every cloud migration, every new microservice, every automated deployment spawns more identities. The uncomfortable truth is that non-human identities create other non-human identities. A pipeline mints temporary credentials for every build, a containerized app spins up identities per service, a SaaS integration quietly issues a token to talk to three other SaaS platforms.
Unlike a new hire, none of this routes through HR or a joiner-mover-leaver process. One study tracked machine identities climbing from around 50,000 per enterprise in 2021 to roughly 250,000 in 2025. That's not a trend line. That's a flood.
The Reason This Keeps Ending Up in Breach Reports
The mechanics of why this is dangerous are simple, and they all come back to the same root: these identities were built for autonomy, not accountability.
They can't do MFA — there's no thumb to scan and no phone to ping. They rarely get offboarded, because no one remembers the proof-of-concept service account someone stood up three years ago that still has production access. They're frequently over-permissioned, because it was easier to grant broad access than to scope it tightly. And they're hard to trace after the fact; when something goes wrong, figuring out which non-human identity did it can feel like forensics in the dark.
The numbers bear this out:
144:1
non-human to human identities in cloud-native and DevOps environments
~8%
of enterprise identities have no owner in any HR system
47%
of non-human identities are over a year old with no credential rotation
2 in 3
enterprises have already been breached through a non-human identity
This isn't a theoretical risk you're getting ahead of. For most organizations, it has already happened — they just may not know it yet.
And under all of it sits a question almost nobody can answer cleanly: who owns this thing? When a developer stands up a service to ship a feature, are they on the hook for it in production? At its end of life? Does IAM own it, or Security, or IT, or the team that wrote it? A human identity comes with an HR record and a manager attached. Most non-human identities come with neither, and an identity with no owner is one that no one will ever review, rotate, or retire. The fact that OWASP now publishes a Top 10 list of non-human identity risks should tell you this stopped being a fringe topic a while ago. It's a recognized discipline now. Most organizations just haven't staffed it like one.
You Can't Govern What You Can't See
When we run identity assessments at Olympus, the first move is never to recommend a tool. It's to do discovery — to actually count, and to find the things nobody knew were there. The unsanctioned automation account. The certificate issued by a CA that shouldn't exist. The token wired into a connection string that's been sitting in a config file since the last administrator.
Almost every time, the inventory comes back bigger than the customer expected, and the gap between "what we thought we had" and "what we actually have" is the risk.
The PKI side tends to be the most orphaned of all. Plenty of organizations have never named a single owner for their machine-identity and certificate strategy, which is exactly how you end up with an expired cert taking down a production system at 2 a.m. and nobody quite sure whose job it was to renew it. And here's the part that should land for anyone running a Zero Trust program: every Zero Trust model assumes you can enumerate the things asking for access and decide whether to trust them. For your human users, you mostly can. For your non-human ones, most organizations can't — which means the foundation a lot of Zero Trust strategies are built on has a hole in it the size of their largest identity population.
That's the whole point of starting here. You don't need a non-human identity strategy because it's a buzzword. You need one because there's a second workforce inside your walls that you didn't hire, can't see clearly, and have never reviewed — and it holds keys to your most important systems. Everything else in this conversation — governance, rotation, least privilege, Zero Trust, AI agents — builds on top of one unglamorous first step: knowing what you've got.
So Here's My Question
If I walked into your organization today and asked how many non-human identities you have, could you answer within an order of magnitude? Not the exact number — just the right ballpark.
Be honest with yourself on that one. And if the answer is "no," that's not a failure. It's the most useful thing you'll learn this quarter.
I'd genuinely like to hear where people land — what's your gut guess on your own ratio, and how close do you think it is to reality?
This is the first in a short series on non-human identities — what they are, why attackers love them, why "just rotate them" is harder than it sounds, and where AI agents fit in. More to come.
Originally published on LinkedIn.
Read the original on LinkedIn