Anetac Report Reveals Alarming 75% of Organizations Misuse Service Accounts, Exposing Critical Security Vulnerabilities

• Three out of four organizations use service accounts as human accounts or vice versa, blurring critical security lines¹
• A significant 76%⁵ of IT security professionals acknowledged that their service accounts have direct access to the company’s crown jewels
• Real-time visibility and automated management emerge as critical factors in mitigating service account threats

LOS ALTOS, Calif. – Anetac, a Silicon Valley startup protecting companies from identity-based vulnerabilities in hybrid environments, released its inaugural Identity Security Posture Management (ISPM) Survey Report today. Based on a comprehensive survey of 201 identity security professionals conducted by Censuswide, the report highlights critical gaps in the visibility, hygiene, and control within their machine and human account landscape.

The report reveals alarming trends in machine identity vulnerabilities, including service accounts, APIs and tokens as well as human accounts that leave organizations vulnerable to potential cyberattacks. The most common, critical issues lie within the lack of visibility and oversight of service accounts.

Unmonitored service accounts pose a severe threat to organizations globally because they tend to be over privileged, misused, and many times – forgotten. This makes them prime gateways for cybercriminals to gain unauthorized access, escalate privileges and move laterally within networks undetected.

Identity security professionals are overwhelmed trying to keep pace with the rapidly evolving threat landscape, but the speed and complexity of emerging threats often outpace organizational security efforts. Visibility is the first crucial step in understanding and tackling the identity security problem.

The longer a company operates, the more complex and entrenched its identity security problems tend to become. To mitigate risks effectively, companies must transition from static, periodic reviews to dynamic, real-time monitoring solutions that can match the complex, interconnected nature of modern hybrid environments.

Key findings from the Anetac ISPM Survey Report include:

• Visibility epidemic: 44% of IT security professionals rely on manual logging for service account visibility, while 10% admit to no visibility measures at all³. Meanwhile, 47% depend on static tools, potentially missing real-time security threats.
• Hybrid account misuse: 75% of organizations report the dangerous practice of using service accounts as human accounts or vice versa, blurring the lines between automated processes and individual user actions¹. Hybrid account misuse happens both on-premises and in the cloud.
• Company assets at risk: A significant 76%⁵ of IT security professionals acknowledged that their service accounts have direct access to the company’s crown jewels—the most critical and sensitive assets. However, 40% reported that only 0-14% of their service accounts have such high-level access.
• Prolonged password rotation cycles: An alarming 53% of security professionals take 13 weeks or more to rotate service account passwords, with 35% extending this period to 16 weeks or beyond⁴. Even more concerning, 3% of respondents admit to rotating these critical passwords only once every 1-5 years.

Lack of visibility in identity management, hybrid account misuse, and poor cyber hygiene have always posed challenges in cybersecurity, but AI has significantly raised the stakes. Organizations can no longer rely solely on their teams without modern, up-to-date tools.

Anetac’s experience with customers has revealed alarming security gaps from machine identity account misuse. In one case, an administrator used a service account with elevated privileges for personal communications; in another, it was used for food delivery orders for groups of developers. These misconfigurations create serious vulnerabilities, granting attackers unauthorized access and increasing the risk of data breaches. Every machine identity account, especially those with elevated privileges, expands the attack surface, making strict management and access controls essential for maintaining a strong security posture.

“This data confirms what we’ve always suspected: the most vulnerable part of any organization is its ability to monitor and secure dynamic, ever-evolving environments with real-time measures,” said Baber Amin, chief product officer at Anetac. “The extent of poor security hygiene in machine identity accounts is staggering. To stay resilient against this growing threat, organizations must prioritize investing in cutting-edge, real-time identity security solutions capable of tackling the unique challenges posed by service accounts in today’s hybrid environments.”

Organizations can take immediate steps to address these vulnerabilities, including:

• Implementing real-time, streaming visibility into discovering all machine and human identity accounts, providing a map of their access chains and surfacing password hygiene.
• Establishing and enforcing consistent, industry standard policies for password rotation.
• Ensuring that the solution enhances the efficacy of existing control planes.

The ISPM Survey Report underscores a critical need for improved machine identity account management practices across organizations. With cyber threats evolving rapidly, prioritizing visibility, regular password rotation and strict access controls for service accounts is essential to protect valuable assets.

¹ All “Yes” answers combined.
² “13-15 weeks” to “More than 10 years, please specify” answers combined.
³ “We don’t worry about this” and “N/A We don’t gain visibility into service accounts” answers combined.
⁴ “6-20 weeks” to “More than 10 years, please specify” answers combined.
⁵ All answers except “0%” and “I don’t know” combined.

The Anetac Dynamic Identity Vulnerability and Security SaaS Platform was developed to tackle these problems, which are affecting nearly every organization across industries. Unlike static scanning tools, Anetac’s solution offers real-time streaming and visibility into service account access chains, protocols, security hygiene, privilege escalations and indicators of attack and compromise. This enables security teams to quickly identify and remediate vulnerabilities before malicious actors can exploit them.

For more information about Anetac, please visit https://anetac.com/.

Report Methodology

This research survey was conducted online by Censuswide, surveying 201 US based IT security professionals, influencers, and decision makers in the identity security field (18+) excluding sole traders. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.

To request access to the full survey report, please reach out to anetac@treblepr.com.

About Anetac

Anetac has built a world-class Dynamic Identity Vulnerability and Security SaaS Platform that offers continuous visibility of the ever-evolving machine identity account landscape. Anetac automates the discovery of all machine and human identities; including service accounts, APIs, and tokens, and provides a map of their access chains to detect over privileged accounts. The Anetac platform also provides insights into password compliance and works across on premise, cloud, and hybrid environments. Founded in Los Altos, California in 2023, Anetac proactively solves the disconnect of static scanning tools with an innovative, streaming app.