Identity Sprawl Driven by Non-Human and Ephemeral Cloud Identities
Security teams are reporting a growing loss of certainty in identity and access management as enterprises accumulate large numbers of poorly governed identities across cloud platforms, CI/CD pipelines, and automation frameworks. The reporting describes this as identity sprawl—a systemic drift where identity creation, usage, and governance fall out of sync with traditional lifecycle and access review models designed for predictable human users.
A key driver is the rapid proliferation of non-human identities (service accounts, APIs, workloads, and increasingly autonomous/agentic systems) that can be created and discarded in seconds, outpacing visibility and privilege management controls. The articles cite investigations and threat analysis indicating attackers are weaponizing exposed identity data at scale, and report survey data that 72% of identity leaders say the threat level of identity-related attacks increased or stayed the same over the past year.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Experts advocate incremental identity governance over large migrations
The articles argued that large-scale identity modernization or replacement projects are risky and often fail. They recommended incremental life cycle management and operational governance to reduce unmanaged access and keep pace with ongoing identity sprawl, particularly as AI agents enter production.
Privilege growth among machine identities raises access risk
The coverage highlighted that privilege is becoming widespread and persistent, especially among non-human identities, while review cycles remain focused on workforce users. This was described as creating amplified access risk and leaving unmanaged privileges in place for too long.
Fragmented identity tooling leaves organizations with poor visibility
The reports said identity data and controls are fragmented across multiple platforms and tools, preventing many organizations from maintaining a reliable inventory of non-human identities or understanding their effective identity posture. The visibility gap was presented as a key factor undermining consistent policy enforcement.
Research highlights attacker abuse of exposed identity data at scale
Research cited in the coverage said attackers are industrializing the use of exposed identity data and combining identity fragments such as credentials, cookies, attributes, and device data. This activity was described as enabling impersonation, MFA bypass, and lateral movement.
Identity sprawl emerges as a growing enterprise security problem
Industry reporting described identity sprawl as an expanding security issue driven by cloud adoption, automation, and AI, which are causing identity life cycles, visibility, and privilege management to become misaligned. Traditional identity governance models based on predictable human joiner-mover-leaver patterns were reported as breaking down.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI and Non-Human Identity Sprawl Expands IAM Attack Surface
Reporting and commentary warn that **AI-driven non-human identities (NHIs)** are rapidly increasing the number and turnover of credentials inside enterprise IAM programs, amplifying long-standing weaknesses such as credential sprawl, unclear ownership, and inconsistent lifecycle controls. The Cloud Security Alliance’s findings highlight that many organizations treat *AI identities* like traditional service accounts or API keys, causing them to inherit existing governance gaps while adding new scale and speed pressures as identities are created programmatically, distributed across environments, and used continuously. CSO Online describes the operational drivers behind the surge—microservices, Kubernetes auto-scaling, CI/CD pipelines (e.g., GitHub Actions), and infrastructure-as-code (e.g., Terraform) generating large volumes of short-lived tokens and service principals—then argues that **agentic AI** further accelerates risk because these identities may be authorized to execute commands, move data, and change configurations autonomously. The net risk emphasized is that over-privileged AI agents and other NHIs can create breach conditions that may not resemble traditional intrusion, instead appearing as “normal” automated activity due to excessive permissions and weak visibility into post-authentication behavior.
Jun 3, 2026
Enterprise Concerns Over Securing Non-Human Identities
Organizations are increasingly challenged by the rapid proliferation of non-human identities (NHIs), such as service accounts, API keys, digital certificates, access tokens, automated bots, IoT devices, and AI agents. More than half of enterprises surveyed express uncertainty about their ability to secure these NHIs, highlighting a significant gap between the adoption of automated digital identities and the maturity of tools and processes to protect them. The complexity and diversity of NHIs, which now form the backbone of modern digital infrastructure, have outpaced traditional identity and access management strategies, leaving organizations exposed to new risks. The exponential growth of NHIs, especially in cloud-native and automated environments, has led to a situation where non-human accounts vastly outnumber human users. This expansion, combined with issues like "secrets sprawl"—where credentials are scattered across codebases and pipelines—creates opportunities for account hijacking, privilege escalation, and lateral movement by threat actors. Security experts emphasize the need for unified visibility, consistent identity policies, and automated responses to address these risks, particularly as NHIs and AI agents become more integral to business operations and the attack surface continues to expand.
Apr 9, 2026
Non-Human Identities and Permissions Sprawl in Enterprise Security
Enterprises are facing significant challenges in managing the rapidly expanding attack surface created by both human and non-human identities. Reports highlight that permissions and entitlements are growing at a pace that outstrips the ability of security teams to maintain oversight, with hundreds of millions of active entitlements and billions of permissions in large organizations. This complexity leads to persistent blind spots, including dormant and orphaned accounts that remain active and pose a risk for misuse, as well as the accumulation of 'identity debt' where excessive and unused access quietly increases risk over time. Non-human identities (NHIs), such as machine accounts, tokens, and keys, are becoming increasingly critical in cloud environments. Effective management of these NHIs is essential for reducing risk, improving compliance, and increasing operational efficiency. Automation and centralized secrets management are emphasized as key strategies for maintaining visibility and control over both human and non-human identities, helping organizations address security gaps and reduce operational costs associated with manual oversight and credential management.
Mar 21, 2026