Reconciling Security with the Rise of Non-Human Identities

Organizations face a growing crisis with unmanaged non-human identities, risking incidents in 2026 unless proactive governance measures are adopted.

Jun 15, 2026 | 3 min read

Every enterprise's security team is grappling with a serious issue lurking beyond typical organizational charts: the rapid proliferation of non-human identities. These digital entities—including bots, service accounts, API keys, and machine certificates—have become ubiquitous, often outnumbering human counterparts by up to tenfold in sizable organizations. Yet, they authenticate continuously across various environments and tend to accumulate privileges without oversight, posing significant security risks. Security professionals are increasingly referring to these entities as ghost identities—an apt description for the unseen dangers they represent.

This isn't a new problem; the vulnerabilities presented by ghost identities are starkly illustrated by notable breaches. The SolarWinds attack serves as a cautionary tale, revealing how attackers exploited machine identities with extensive access, moving undetected for months across 18,000 organizations. Traditional credential theft wasn’t the issue; the compromised credentials were there all along, quietly facilitating the breach.

Then, there's the incident involving Uber in 2022, where a long-forgotten service account, unmonitored and unrotated for ages, became the gateway for attackers seeking high-level access within the organization. Just one overlooked credential opened a pathway to significant assets, leading to extensive internal chaos.

Similarly, Okta's 2023 breach highlighted a more complex situation when third-party vendor credentials, compromised elsewhere, paved the way for attackers to infiltrate Okta’s systems. These incidents underscore a troubling commonality: identities that went unmonitored and carried unverified access rights were often exploited as attack vectors.

The Scheduled Crisis

Looking ahead to 2026, the ramifications of unmanaged non-human identities will culminate in a significant operational crisis. This accumulation of risk will surface not as a breach but as a calendar event tied to the expiration of machine identity certificates—an issue many organizations are ill-prepared to handle. For years, these certificates have been issued with validity periods ranging from three to five years, and the recent, rapid digital transformation has only exacerbated the problem.

As these certificates begin to expire en masse, organizations face the threat of service outages that could lead to significant revenue losses. Picture this: a forgotten certificate expires without notice. The service it supports fails, triggering a cascade of subsequent application failures. Monitoring tools may miss alerts in the confusion, and while incident response teams scramble, the consequences escalate—leading to extended downtime and regulatory scrutiny, reminiscent of the 2020 Microsoft Teams outage that left millions offline. By 2026, a similar fate could befall many enterprises that allowed rapid growth to outpace their governance capabilities.

The Structural Gap

The root of this problem goes beyond mere negligence; it lies in organizational architecture. Current identity management tools—such as role-based access controls and privileged access management systems—are tailored for human users and rely on established ownership and review cycles. Non-human identities (NHIs), however, often emerge organically in response to immediate demands, with access granted broadly and left unattended long after the urgency has passed.

This unchecked over-provisioning heightens risk; every unreviewed service account poses a potential pivot point for attackers. Ghost identities, especially those with legacy administrative rights, can widen the blast radius of a breach to an entire organization, often with dire consequences.

What Good Looks Like

The path to addressing the ghost identity dilemma doesn’t solely hinge on acquiring new tools—though vendors would like you to think so. Governance must take precedence. It begins with a fundamental question: what non-human identities are currently active within the organization?

This inquiry may sound straightforward, but answering it is not simple. NHIs aren't centrally created; they materialize from diverse sources—developers, platform teams, or third-party vendors—each time a solution is implemented. As a result, many organizations lack a comprehensive inventory, making governance nearly impossible. The first step should involve a discovery sprint lasting four to six weeks, concentrating on high-risk areas—prioritizing cloud environments and CI/CD pipelines. Even an imperfect inventory is preferable to functioning in the dark.

Alongside this effort, organizations should extract certificate expiration data right away. Focus on filtering those set to expire within the next eighteen months and attach a named owner to each one. Certificates without identifiable owners should be treated as ghost identities, warranting immediate attention. This proactive step can mitigate potential crises tied to certificate expirations.

Instituting a privilege audit for high-sensitivity service accounts is also essential. Treat any NHI with admin rights that hasn’t undergone review in the past year as over-privileged until affirmatively demonstrated otherwise. This process assumes access is excessive until its necessity is established, promoting a culture of cautious access management.
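The three steps above (inventory, certificate-expiration triage with a named owner per certificate, and a privilege audit of admin service accounts) are easy to express as a script once an inventory exists. The following is an added example, not code from the article or from any vendor; the certificate and service-account records are constructed sample data with hypothetical names and dates, and the eighteen-month and one-year thresholds are the ones the text gives.

```python
"""Triage of a non-human-identity (NHI) inventory: which certificates expire
within the horizon, which of those have no accountable owner (ghosts), and
which admin service accounts are overdue for a privilege review.

Added example; the records below are constructed sample data, not from any
real organization."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

TODAY = date(2025, 1, 15)  # fixed "today" so the output is deterministic


@dataclass(frozen=True)
class Certificate:
    name: str
    not_after: date          # expiry date from the certificate itself
    owner: Optional[str]     # None means nobody is accountable for it


@dataclass(frozen=True)
class ServiceAccount:
    name: str
    is_admin: bool
    last_reviewed: Optional[date]  # None means the account was never reviewed


# Constructed sample inventory (hypothetical names and dates).
CERTS: List[Certificate] = [
    Certificate("api-gateway-tls", date(2025, 9, 1), "platform-team"),
    Certificate("legacy-batch-signer", date(2026, 3, 10), None),
    Certificate("ci-runner-mtls", date(2027, 5, 1), "ci-team"),
    Certificate("old-vpn-cert", date(2024, 12, 31), None),
]
ACCOUNTS: List[ServiceAccount] = [
    ServiceAccount("svc-backup", True, date(2024, 11, 1)),
    ServiceAccount("svc-legacy-deploy", True, date(2023, 6, 1)),
    ServiceAccount("svc-monitor", False, None),
    ServiceAccount("svc-etl", True, None),
]


def add_months(d: date, months: int) -> date:
    """Calendar-accurate month arithmetic; the day is clamped to the
    target month's length (Jan 31 + 1 month -> Feb 28/29)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def certs_expiring_within(certs: List[Certificate], today: date = TODAY,
                          months: int = 18) -> List[Certificate]:
    """Certificates whose expiry falls on or before the horizon, soonest
    first. Already-expired certificates are included: they are the most
    urgent entries, not ones to filter out."""
    horizon = add_months(today, months)
    return sorted((c for c in certs if c.not_after <= horizon),
                  key=lambda c: c.not_after)


def ghost_certs(certs: List[Certificate]) -> List[str]:
    """Names of certificates with no named owner (the 'ghost' set)."""
    return sorted(c.name for c in certs if c.owner is None)


def overprivileged_accounts(accounts: List[ServiceAccount],
                            today: date = TODAY,
                            max_age_days: int = 365) -> List[str]:
    """Admin accounts whose last review is older than max_age_days or that
    were never reviewed; both count as over-privileged until shown otherwise."""
    return sorted(
        a.name for a in accounts
        if a.is_admin and (a.last_reviewed is None
                           or (today - a.last_reviewed).days > max_age_days)
    )


def triage(certs: List[Certificate] = CERTS,
           accounts: List[ServiceAccount] = ACCOUNTS,
           today: date = TODAY) -> dict:
    """Combine the checks into one report keyed by finding type."""
    expiring = certs_expiring_within(certs, today)
    return {
        "expiring_within_18_months": [c.name for c in expiring],
        "already_expired": sorted(c.name for c in expiring if c.not_after < today),
        "ghost_certificates": ghost_certs(expiring),
        "overprivileged_accounts": overprivileged_accounts(accounts, today),
    }


if __name__ == "__main__":
    for finding, names in triage().items():
        print(f"{finding}: {', '.join(names) or '(none)'}")
```

In practice the two inventories would be populated from the certificate store, cloud IAM and CI/CD secret stores found during the discovery sprint; the point of the script is that the ownership and review-date fields are what make the triage possible, so an inventory that lacks them is the first gap to close.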

None of these initiatives require vast budgets, only the determination to prioritize them before an unexpected crisis forces action.

The Broader Problem

However, it's crucial to recognize that rectifying one organization’s NHI framework won't resolve the overarching issue. It reduces that organization's exposure, but the market for machine identity management is still evolving, and definitions of NHI governance vary widely among vendors. Consensus on lifecycle standards remains elusive, limiting the guidance available to security teams.

Existing frameworks, like NIST and ISO 27001, touch on privilege but fall short in providing specific guidelines for managing thousands of unmanaged service accounts spread across diverse environments. What’s truly needed is a precise, shared taxonomy and regulatory clarity that treats NHI governance as a commitment on par with other identity management obligations—not as an afterthought.

Conversations regarding these necessary standards are starting to take shape; regulators are beginning to take a closer look. However, the pace of change remains frustratingly slow, as looming certificate expirations pose immediate risks that outstrip the industry’s ability to react. The certificate-expiration timeline and the regulatory timeline simply don't match.

The Deadline is Built In

Ultimately, the ghost workforce doesn’t bring formal announcements. It doesn’t leave notifications when its time runs out, nor does it seek evaluation. These identities persist until an event disrupts their operation—a breach, credential expiration, or a security team’s intervention to take inventory.

As we approach 2026, organizations that haven’t accounted for their NHI environments face inevitable interruptions, whether through planned governance measures or disastrous outages. The urgency is palpable, and time is running out.

Source: Christopher Williams · www.csoonline.com