Blog Posts
Every AI agent your company deploys creates a new identity. Most are unmanaged, over-privileged and never revoked. This is the identity crisis of 2026's breach wave.
Every AI agent your company deploys creates a new identity – credentials to access APIs, databases and enterprise systems without a human in the loop. Most are unmanaged, over-privileged and never revoked. This is the identity crisis of 2026's breach wave.
According to a single anonymized case study reported by NHI security researchers and referenced in multiple 2026 industry reports, a Fortune 500 financial institution had an identity audit to see how many human users it had, expecting to see 50K. What they saw was over 4.2M non-human identities: service accounts, API keys, OAuth tokens, certificates, and bots. Most were unmanaged. Many had too many privileges. Thousands were dead, the owners long gone, but still active. The case is not named, but the pattern it represents is not uncommon: it is the baseline of enterprises that have not done an NHI inventory.
This is not a fluke. The 2026 NHI Reality Report shows the average enterprise today with over 250k NHIs. Rubrik Zero Labs says the machine-to-human identity ratio is 45:1. ManageEngine's 2026 research shows organizations at 100:1 and 500:1. Every SaaS integration, vendor connection, and AI tool deployment creates new NHIs. And now agentic AI has created a qualitatively new identity category that makes everything harder: AI agents are not passive credential holders. They are autonomous actors that get permissions on the fly, spawn sub-agents and chain actions across dozens of systems.
We see this every day in regulated enterprise deployments at Polygraf AI. Here is what the data actually shows about the NHI problem – its scale, its specific failure modes in agentic environments and the controls that actually close the gaps.
A non-human identity is a credential, token or secret that allows a software system, automated process or AI agent to authenticate and access resources, without any human directly involved in that transaction. NHIs are not new. But AI agents have changed their nature in a fundamental way.
IAM was originally designed for human identities. It assumes that the credentials belong to people with working hours, geographic locations and typing patterns – the behavioral signals that security tools use to detect account compromise. NHIs do not make any of these assumptions by design. They are always on. They have no "normal" behavior pattern. They do not trigger MFA. And they live forever without lifecycle management because there is no automated offboarding process for credentials that do not belong to a person.
Service accounts and API keys have been around for decades. What AI agents bring is of a different order of magnitude, not of scale. The non-human identity governance whitepaper of the CSA is a good way to describe the difference: the previous generation of NHIs was passive. AI agents are autonomous actors who can reason about their access needs, ask for new permissions and act in systems in a sequence that leads to emergent behavior that their authors did not foresee.
Three specific properties make AI agent NHIs uniquely dangerous compared to all prior NHI categories:
Property 1 – Dynamic credential acquisition. Static service accounts have fixed credentials. AI agents acquire permissions at runtime. An agent that needs access to a new system can ask for it and if the IAM policy is permissive, get it – without a human reviewing that access grant. Each acquisition generates a new NHI that may never be tracked or revoked.
Property 2 — Sub-agent spawning. As Sophos has shown, AI agents can spawn new agents to do sub-tasks and each new sub-agent spawned will create a new NHI without any human intervention or oversight. A single compromised parent agent can mint dozens of child NHIs with inherited or increased permissions from the parent.
Property 3 — Reasoning about access. A compromised static service account is a credential. A compromised AI agent can reason about what that credential allows, find more paths to access, and systematically abuse its own permissions in ways its operators never envisioned. This makes NHI compromise a known-scope problem to an open-ended exploitation problem.
According to the 2026 NHI Reality Report, 71% of NHIs are not rotated in recommended time and 97% have too many privileges beyond what they need (2026 NHI Reality Report, Protego). Another Delinea finding shows that 97% of organizations are exposing their NHIs to third party vendors – a double risk. 16% of organizations do not track the creation of AI identities at all (CSA, 2026). And 53% of organizations are regularly exposed to unauthorized AI tools and agents in their systems (Delinea 2026 Identity Security Report). This is not a configuration issue. This is a governance gap.
There is no better example of what NHI compromise looks like at enterprise scale than the August 2025 Salesloft-Drift breach – what Permiso.io called "one of the most complete non-human identity attacks from beginning to end". Knowing its anatomy is the first step to understanding why standard identity controls do not stop these attacks.
The attack did not start in August 2025 but in March 5 months before the impact. Threat actor UNC6395 was able to access Salesloft's GitHub environment, clone the repositories and create a guest user account for long term access. In the repositories were OAuth tokens. Those tokens were the master.
UNC6395 used the stolen OAuth tokens (which gave Drift application-level access to customer Salesforce environments) to authenticate as the trusted Drift integration on over 700 organizations between August 8 and August 18. Python scripts ran SOQL queries, exported contact data, case records and support histories. The attackers were also looking for secrets in support tickets and attachments: AWS keys, Snowflake tokens, VPN credentials – using one NHI compromise to harvest more.
Organizations impacted were Cloudflare (104 API tokens leaked), Palo Alto Networks, Proofpoint, Google, Zscaler, PagerDuty, HackerOne, and Workday. The attack was not different from a normal automation since it used real credentials. The OAuth tokens did what they were supposed to do.
The attack used valid OAuth tokens. SOQL queries were like normal Salesforce API calls. SIEM alerts are for anomalous behavior – this was not anomalous behavior, it was authorized. No MFA to bypass. No malware to detect. No lateral movement in the traditional sense. Just legitimate machine-to-machine traffic with stolen credentials.
NHI attacks target failures at any stage of the identity lifecycle. The Salesloft-Drift breach failed at stages 1 (creation - tokens embedded in code), 3 (scoping - tokens with broad Salesforce access) and 5 (monitoring - 10 days of automated queries not detected). Most enterprises have governance failures at 3 or more stages at the same time.
"Managing identities in the era of AI has become a complex endeavor, especially with the labyrinth of NHIs. The credential an agent holds is not merely a passive key — it is the principal identity of an autonomous actor."
— Kavitha Mariappan, Chief Transformation Officer, Rubrik · CSA NHI Governance Whitepaper, 2026In addition to the five lifecycle failures that are common to all NHIs, AI agents have three attack patterns that are specific to autonomous reasoning systems.
In its 2026 research of 205 CISOs, Teleport found that organizations with least-privilege NHI access reported a 17% AI agent security incident rate, and without it a 76% incident rate. That 59-percentage-point difference is the measurable ROI of NHI governance investment – and it is from one control before any of the other five above are in place.
Every AI interaction that is intercepted and inspected by Polygraf has an identity. At the input layer we check if the identity making the request is allowed to request what it is requesting. At the output layer we check if the identity is sending data that it is allowed to send. At the tool layer we enforce which identities can call which tools with which arguments.
This implies that Polygraf's inspection layer is a compensating control for NHI governance gaps upstream, but the correct posture is defense in depth: NHI governance upstream, inline policy enforcement at the agent boundary and structured audit logs that link every action to a specific identity for forensic reconstruction.
The Salesloft-Drift breach could not have been prevented by any single control. The initial access was through GitHub credential hygiene. The pivot was through AWS environment access. The exploitation was through use of legitimate OAuth token. The failure to detect was through lack of agent-specific behavioral baselines. Four separate governance failures – each preventable in isolation, collectively disastrous.
Gartner has identified "Identity and Access Management Adapts to AI Agents" as the #1 cybersecurity trend for 2026 (published February 2026). Their advice: companies need to expand IAM frameworks to cover AI agents as first-class identity subjects with unique identity, scoped credentials, behavior monitoring and automated lifecycle management. Not as a future roadmap item. As an operational requirement.
Polygraf's Behavioral Control Plane links every AI interaction to an agent identity – it enforces what each identity is allowed to input, output and execute in real time. Every action is logged with identity context for forensic reconstruction. Sub-100ms. On-premise. Zero data leaves your environment.
At Polygraf, we envision a future where AI augments human capabilities without compromising safety, privacy, or ethical standards. Trust in our commitment to building this future with you.
© 2026 Polygraf AI. All rights reserved.
Our Solutions 
Regulations Your download will start now.
Please provide information below and we will send you a link to download the white paper.
Data Privacy 
Data Provenance 
Content Generation