
Decoding the CSA 2026 Survey Report: A Path Forward for Non-Human Identity Security

2026-04-01

In early 2026, the Cloud Security Alliance (CSA), in collaboration with Oasis Security, released the “2026 Survey Report on Non-Human Identities and AI Security,” based on insights gathered from IT and security teams across 383 global enterprises. Spanning the Americas, Europe, the Middle East, Africa, and Asia-Pacific, the survey included participants from critical sectors such as technology, finance, healthcare, and government. It examined four key dimensions—AI identity awareness, governance frameworks, tooling capabilities, and operational efficiency—to paint a comprehensive picture of the current state of non-human identity (NHI) security worldwide.

The report’s core findings highlight a critical industry contradiction: while enterprise adoption of AI is accelerating rapidly, identity security management remains stuck in outdated, manual, fragmented, and reactive paradigms. Four systemic issues—lack of governance, ambiguous ownership, insufficient automation, and uncontrolled token management—have emerged as the primary risk drivers in the AI era, simultaneously revealing a clear roadmap for building next-generation Identity and Access Management (IAM) systems. The results are alarming:

  • Over 78% of organizations lack formal AI identity governance policies.
  • Nearly half take more than 24 hours to respond after detecting high-risk credential exposure.
  • 51% admit their AI identities commonly suffer from excessive permissions and no assigned owner.

This is not alarmism. As autonomous agents like GPT Agents, AutoGen, and Clawbot are rapidly deployed within enterprises, a long-overlooked security blind spot is expanding dramatically: the loss of control over Non-Human Identities (NHIs).

1. AI Identities ≠ New Species—They’re Amplifiers of Old Problems

The survey reveals significant misconceptions about AI identities. Most organizations fail to recognize them as a distinct identity category, instead lumping them into traditional NHI buckets—a fundamental flaw that seeds downstream security failures:

  • 72% of respondents equate AI identities with “service accounts.”
  • 67% view them merely as “API keys or tokens.”
  • Only 42% acknowledge more advanced forms (e.g., containerized, decision-making AI agents).

This means enterprises are still applying the management logic written for static scripts to agents that spawn sub-agents, invoke systems across trust boundaries, and request new credentials continuously. Consider an AI agent that, in the course of a single task, spawns sub-agents, requests temporary tokens, and invokes cloud functions, all within milliseconds, while the security team is unaware that the agent exists at all.

The risk isn’t new—it’s being exponentially amplified by AI’s speed, scale, and autonomy.

2. Governance Gaps: Policy Void + Ownership Ambiguity = Unconstrained Risk

2.1 Governance Vacuum: Missing Accountability, Broken Deactivation

  • Only 22% of organizations have formal, documented policies for creating or deleting AI identities.
  • 51% admit there’s “no clear owner,” leading to stalled permission reviews.
  • 46% harbor large numbers of “orphaned identities”—accounts that remain active long after projects end.

For example, when a sales department stops using an AI assistant, its CRM read/write permissions may linger for months. If its credentials are then compromised, attackers gain a "legitimate" pathway straight into core business systems.

2.2 Tooling Failure: Legacy IAM Can’t Keep Pace with AI

  • Only 8% of respondents express “high confidence” that their current IAM systems can manage AI-related risks.
  • Traditional IAM was built for human users or predefined services, not for:
      • Dynamically generated temporary identities
      • Cross-cloud, cross-application permission chains
      • Context-aware, just-in-time authorization

Consequently, NHIs are often treated as exceptions, bypassing standard access reviews and deprovisioning workflows—effectively becoming “ungoverned zones” within the identity ecosystem.

2.3 Operational Chaos: Token Sprawl + Lagging Lifecycle Management

  • 16% of organizations don’t even track when AI identities are created.
  • 24% require over 24 hours to rotate credentials after exposure.
  • 29% spend more than 24 hours per month manually auditing NHIs.

In a fast-moving AI environment, such delays are tantamount to leaving the door wide open. A single unrevoked API token can become an attacker's permanent foothold for lateral movement.

3. The Way Forward: From Reactive Defense to Agentic IAM

The report is unequivocal: patching legacy systems won’t suffice in the agentic era. Enterprises must build a next-generation identity infrastructure designed for the future.

3.1 Unified Identity Visibility: See All “Non-Humans”

Break down silos by integrating service accounts, bots, AI agents, CI/CD pipelines, and more into a centralized identity directory, enabling:

  • Automatic discovery of newly created NHIs
  • Mapping to applications, owners, and permission scopes
  • Anomaly detection (e.g., high-frequency calls outside business hours)
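As an added illustration of the three capabilities listed above (example code written for this page, not tooling from the CSA report or from Oasis Security), the following Python runs over a handful of constructed audit lines. It flags principals that are active but absent from the directory, directory entries with no owner, registered identities that show no activity at all (orphan candidates), and bursts of calls outside business hours. The log format, the directory contents, the business-hours window and the burst threshold are all assumptions.

```python
"""Added example: discover NHIs from audit events, map them to the directory,
and flag anomalies. Constructed for illustration; the log format, directory
entries, business-hours window and burst threshold are all assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed central directory: principal -> owner, application and granted scopes.
DIRECTORY = {
    "svc-billing": {"owner": "finance-platform", "app": "billing", "scopes": {"ledger:read"}},
    "agent-sales-asst": {"owner": None, "app": "crm", "scopes": {"crm:read", "crm:write"}},
    "bot-legacy-deploy": {"owner": "platform", "app": "ci", "scopes": {"deploy:write"}},
}

# Constructed audit lines. Assumed format:
# "<UTC timestamp> principal=<name> action=<api call> src=<client ip>"
SAMPLE_LOG = """\
2026-03-30T09:12:04Z principal=svc-billing action=ledger.read src=10.0.5.7
2026-03-30T02:01:00Z principal=agent-sales-asst action=crm.contacts.list src=10.0.8.2
2026-03-30T02:01:01Z principal=agent-sales-asst action=crm.contacts.list src=10.0.8.2
2026-03-30T02:01:02Z principal=agent-sales-asst action=crm.contacts.list src=10.0.8.2
2026-03-30T02:01:03Z principal=agent-sales-asst action=crm.contacts.list src=10.0.8.2
2026-03-30T02:01:04Z principal=agent-sales-asst action=crm.contacts.list src=10.0.8.2
2026-03-30T02:01:05Z principal=agent-sales-asst action=crm.contacts.list src=10.0.8.2
2026-03-30T10:00:00Z principal=agent-research-7f action=functions.invoke src=203.0.113.9
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) action=(?P<action>\S+) src=(?P<src>\S+)$"
)


def parse_event(line):
    """Parse one audit line; returns None for lines that do not match the assumed format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyze(log_text, directory, business_hours=(8, 18), burst_threshold=5, window_s=60):
    """Return {principal: sorted finding tags} for every principal with at least one finding."""
    by_principal = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            by_principal[ev["principal"]].append(ev)

    findings = defaultdict(set)
    start_h, end_h = business_hours
    for principal, events in by_principal.items():
        record = directory.get(principal)
        if record is None:
            findings[principal].add("undiscovered")  # active, but nobody registered it
        elif record["owner"] is None:
            findings[principal].add("no_owner")  # nobody can approve or revoke its access
        # Burst: at least burst_threshold calls inside window_s seconds, all outside business hours.
        off_hours = sorted(e["ts"] for e in events if not start_h <= e["ts"].hour < end_h)
        for i in range(len(off_hours)):
            j = i
            while j + 1 < len(off_hours) and (off_hours[j + 1] - off_hours[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= burst_threshold:
                findings[principal].add("off_hours_burst")
                break
    # Registered identities with no activity in the reviewed window are orphan candidates.
    for principal in directory:
        if principal not in by_principal:
            findings[principal].add("dormant")
    return {p: sorted(tags) for p, tags in findings.items()}


if __name__ == "__main__":
    for principal, tags in analyze(SAMPLE_LOG, DIRECTORY).items():
        print(f"{principal}: {', '.join(tags)}")
```

In a real deployment the directory would be the central inventory and the log source would be the cloud provider's or identity provider's audit trail; the point of the example is that every finding type (unknown, ownerless, dormant, anomalous) follows from joining activity against the directory, which is exactly what a siloed setup cannot do.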

3.2 Automated Lifecycle Management

  • Bind policies at creation (least privilege, expiration, use case)
  • Automatically revoke permissions upon task completion
  • Support risk-based dynamic de-escalation (e.g., freeze access upon anomalous IP detection)

Only 14% of organizations currently achieve full automation—making this the key differentiator over the next three years.

3.3 Establish Ownership & Accountability

  • Assign each NHI a business owner (not just a technical contact)
  • Include NHI permission reviews in quarterly compliance cycles
  • Implement On-Behalf-Of (OBO) models, so that an agent acting for a user holds only the intersection of that user's permissions and the agent's own declared capabilities (agent permissions = user permissions ∩ agent capabilities)

3.4 Embrace Zero Trust–Style Credential Management

  • Default to short-lived tokens with automatic rotation
  • Bind credentials to specific tasks, not long-term secrets
  • Require all access requests to carry verifiable identity claims (e.g., SPIFFE identities issued and attested through SPIRE)
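To make the OBO rule of 3.3 and the credential properties of 3.4 concrete, together with the revoke-on-completion step of 3.2, here is an added Python example written for this page; it is not code from the report, from Oasis Security, or from any product. It mints a token whose scopes are the intersection of the user's permissions and the agent's capabilities, caps its lifetime at a policy maximum, binds it to one task, and verifies it against a task registry so that completing the task revokes the credential. The HMAC-signed token format, the policy tables and all names are assumptions; in production this role is played by an OAuth 2.0 token exchange (RFC 8693) issuer or SPIFFE SVIDs, not a hand-rolled token.

```python
"""Added example: on-behalf-of (OBO) scoping with short-lived, task-bound tokens.
Constructed for illustration; the token format, policy tables and names are
assumptions, not the CSA report's or any vendor's implementation."""
import base64
import hashlib
import hmac
import json

# Assumed policy tables: what each user may do, and what each agent is built to do.
USER_PERMISSIONS = {"alice": {"crm:read", "ledger:read"}}
AGENT_CAPABILITIES = {"sales-assistant": {"crm:read", "crm:write", "email:send"}}
MAX_TTL_SECONDS = 900  # policy bound at creation: no agent token outlives 15 minutes


def effective_scopes(user, agent):
    """OBO rule: agent permissions = user permissions ∩ agent capabilities."""
    return USER_PERMISSIONS.get(user, set()) & AGENT_CAPABILITIES.get(agent, set())


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, user, agent, task_id, now, ttl_s=MAX_TTL_SECONDS):
    """Mint a token for one task. Lifetime is capped by policy; scopes are the OBO intersection."""
    claims = {
        "sub": user, "act": agent, "task": task_id,
        "scope": sorted(effective_scopes(user, agent)),
        "iat": now, "exp": now + min(ttl_s, MAX_TTL_SECONDS),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class TaskRegistry:
    """Lifecycle state shared by issuer and verifier: a task is open from start to completion."""

    def __init__(self):
        self.open = set()

    def start(self, task_id):
        self.open.add(task_id)

    def complete(self, task_id):
        # Completing the task revokes every token bound to it; no cleanup job has to find them.
        self.open.discard(task_id)


def verify_token(key, token, task_id, required_scope, now, registry):
    """Return (accepted, reason). Checks, in order: integrity, expiry, task binding, revocation, scope."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["task"] != task_id:
        return False, "task_mismatch"  # a token for task A cannot be replayed against task B
    if task_id not in registry.open:
        return False, "task_closed"  # revoked on completion (or never opened)
    if required_scope not in claims["scope"]:
        return False, "scope_denied"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a real issuer keeps this in a KMS or HSM
    registry = TaskRegistry()
    registry.start("task-42")
    token = issue_token(key, "alice", "sales-assistant", "task-42", now=1_000_000, ttl_s=3600)
    print("scopes:", effective_scopes("alice", "sales-assistant"))  # crm:write and ledger:read are dropped
    print(verify_token(key, token, "task-42", "crm:read", 1_000_100, registry))
    print(verify_token(key, token, "task-42", "crm:write", 1_000_100, registry))
    registry.complete("task-42")
    print(verify_token(key, token, "task-42", "crm:read", 1_000_100, registry))
```

Two details carry the security argument. First, the requested 3600-second lifetime is silently capped to the 900-second policy maximum, so a caller cannot opt out of short-lived credentials. Second, the scope set is computed at issue time from both tables, so an agent capable of `crm:write` acting for a user who only has `crm:read` never receives write access, and the verifier rejects the token for any task other than the one it was minted for.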

Conclusion: Non-Human Identity Security Is No Longer Optional—It’s Essential

The rise of AI is irreversible. As AI scales, the number of non-human identities—from service accounts and API keys to autonomous agents—will grow exponentially. NHIs are now integral components of the enterprise digital ecosystem, and securing them is no longer a choice but a mandatory capability.

The CSA 2026 report not only exposes the stark realities of today’s NHI security challenges but also offers a clear path forward: enterprises must accelerate their identity strategies to match the pace of AI innovation. This requires a holistic upgrade across mindset, governance, tooling, and operations—treating non-human identities not as edge cases, but as core elements of the modern identity fabric.