We locked the front door. The back door has been open this whole time.
Why the NHI explosion is different this time
Machine identities are not new. What changed is the velocity. Five years ago, a typical enterprise application was a monolith talking to a database. Today, that same application is 50 microservices, each needing credentials to talk to the others. Every Kubernetes pod that spins up during auto-scaling creates workload identities. Every GitHub Actions workflow generates tokens. Every Terraform run provisions service principals. I watched a single deployment pipeline create more machine identities in 20 minutes than our entire company had human users.
Then came agentic AI, and the problem accelerated again. These are not chatbots answering questions. They are systems authorised to execute commands, move production data, modify configurations and trigger downstream workflows autonomously. Microsoft Copilot has access to your SharePoint. GitHub Copilot can commit to your repos. The AI assistant your marketing team just deployed can pull customer records from Salesforce. One Identity is predicting 2026 will see the first major breach traced back to an over-privileged AI agent. The terrifying part? It will not look like an attack. It will look exactly like the system doing what it was designed to do.
