Identity Security in the AI Era

Managing Non-Human Identities at Scale

As enterprises scale AI, cloud, and automation initiatives, identity has quietly become one of the most critical (and potentially overlooked) security priorities. The challenge around identity security has extended beyond how humans log in to now looking to how identities are created, governed and extended across an environment populated by machines, services, bots, and increasingly autonomous AI agents.

In this new landscape, identity is now a core pillar in operational resilience.

The rise of non-human identities

Historically, identity programs have been designed around people. With the rise of AI-driven identities, this model no longer reflects reality.

Modern enterprises rely on an extensive number of non-human identities, service accounts, APIs, automation scripts, bots, and AI agents that act on behalf of users or applications. According to the International AI Safety Report 2026, non-human and agentic identities could exceed 45 billion by the end of 2026. These identities operate continuously, at scale, and with broad access. They also tend to have long lifespans and limited oversight, making them high risk entities.

As agentic AI becomes more pervasive, the risk intensifies. AI agents are not passive tools. They can initiate actions, make decisions, and interact with systems autonomously. To function, they require privileges, sometimes the same privileges as humans, and sometimes more. These privileges grant rights or permissions to an identity allowing AI agents the ability to read, write, delete or modify data, as well as access sensitive resources, or execute administrative functions within a system. The broader and more powerful the privileges, the greater the potential impact an AI agent can have, for better or for worse, within an organization’s environment.

This introduces a new class of risk. Identities that operate without the natural friction which constrains human behavior, amplifying the impact of weak governance and excessive access. This can change the security equation and open the door to higher risk around managing privilege, lifecycle, and oversight.

Access complexity at scale

Many of today’s most effective attacks do not rely on vulnerabilities or sophisticated exploits. They rely on legitimate credentials. When attackers gain access to valid identities, they don’t need to break in, they blend in.

Without strong processes for onboarding, offboarding, and credential lifecycle management, organizations unintentionally create opportunities for misuse. Access that was once appropriate becomes excessive. Temporary privileges quietly become permanent. Credentials that should have been revoked persist long after their purpose has expired. These gaps are not theoretical, they are actively exploited, and as environments grow more complex, the window for error widens. When no one is clearly managing who or what should have access, it becomes far easier for the wrong people to slip through undetected.

An example of this is often with orphaned service accounts. During a rapid cloud migration, a DevOps team creates 50 service accounts for automated data transfers. When the project ends, the virtual machines are deleted, but the highly privileged credentials remain active in the identity provider. These “ghost” identities become gold mines for attackers seeking a path of least resistance.

The challenge is compounded by the fact many systems enabling AI and automation were not designed with security controls built in. In some cases, there are no native permission structures at all. Organizations are expected to layer governance onto protocols that prioritize functionality and interoperability over oversight.

The result is identity sprawl without visibility, ownership, or accountability, which makes containment, investigation, and recovery significantly harder when something goes wrong. So, what’s the solution?

The shift to modern identity models

Traditional access models assume relative stability. Permissions are assigned based on role, reviewed periodically, and changed when a job function changes. AI‑driven environments break that assumption.

An AI agent may need elevated access for minutes or hours, then require immediate de‑escalation. Static permissions are poorly suited to this environment. Over‑provisioning becomes the default, not because it is safe, but because it is convenient.

At the same time, human authentication is evolving. Static passwords, reused, shared, and easily stolen, are increasingly recognized as a weak foundation. Organizations are shifting toward authentication models based on behavior, biometrics, and context rather than memorization.

This can be defined as “contextual risk scoring” with an example being alogin attempt from a known laptop at 9 a.m. in New York is treated differently than a login attempt at 3 a.m. from a new IP address in a different hemisphere. Modern models use behavioral signals (typing speed, mouse movements, and typical app usage) to trigger a re-authentication challenge if the “human” starts acting like a “script.”

Passkeys and biometric authentication also reduce reliance on static secrets and lower the likelihood a single compromised credential can cascade into broader operational failure.

Together, these shifts reflect a broader transition: from static identity‑as‑directory thinking to dynamic contextual identity models that adapt privilege based on intent, behavior, and risk, without slowing innovation.

Conclusion

As AI becomes embedded in core business processes, identity increasingly functions as the control plane which determines what machines can see, do, and influence.

Without robust identity controls, AI agents can amplify risk at machine speed. With them, AI can be constrained, monitored, and aligned with organizational intent.

The organizations best positioned for this transition are not those that adopt AI the fastest, but those that integrate identity governance into operational design from the start. They recognize non‑human identities as first‑class citizens, design access models for change, and treat identity failures as operational risks, not just security incidents.

In the age of AI, identity is no longer invisible infrastructure. It is about trust, accountability, and resilience, and it will increasingly determine whether innovation remains controlled or becomes a source of systemic exposure.

ABOUT THE AUTHOR

Lee Waskevich

Lee Waskevich began his career in telecommunications as a PBX technician in 1996. He has held key roles, including lead network engineer at Comcast, where he earned his first CCIE in routing/switching. Currently, as VP of security and networking strategy at ePlus, he focuses on setting strategy and developing solutions to combat cyber threats. His expertise spans SDN, AI, mobility, and IoT/OT. Waskevich holds multiple CCIE certifications in routing, security, and wireless, and the CISSP certification, positioning him as a leader in cybersecurity and networking strategy.