Who’s Overseeing the Machines? The Unowned Identity Crisis

Identity & Access Management,
Security Operations

Machine Identities Surpass Human Ones, Yet Accountability Remains Inadequate


The fastest-growing class of users in the enterprise never appears in human resources systems. It consists of service accounts, API keys, bots and automated workflows: machine identities that already outnumber human users in many organizations. Ask who owns them, when their keys were last rotated, who audits their actions and who is accountable when they misbehave, and the answer varies depending on who is responding to the incident.


The rise of cloud-native applications, DevOps pipelines, and AI agents further exacerbates this imbalance. Security firms such as Microsoft and CrowdStrike have alerted organizations that attackers leverage compromised service accounts to escalate privileges and evade detection. In light of these threats, the National Institute of Standards and Technology has urged enterprises to handle machine identities with the same level of scrutiny as human identities.

However, governance models built for human employees have been slow to adapt to increasing automation. In most organizations, accountability defaults to a human role, often the Chief Information Security Officer (CISO). Shruti Dvivedi Sodhi, a partner at Khaitan Legal Associates, noted, “Every machine identity should be linked to a human owner and subject to review by a cross-functional oversight team.” Without this transparency, accountability may effectively “evaporate.”

The debate over who should be ultimately responsible for machine identities continues. Grant Schneider, the president and CEO of government services firm FGS, argues that machine identities are essentially operational responsibilities, primarily the domain of the CIO. He emphasizes that while CISOs or identity management teams can establish policy, the everyday management of credentials falls under IT operations. Conversely, Aaron Painter, CEO of identity verification platform Nametag, states that ownership is contingent on enterprise culture, advocating for a collaborative approach among IT, security, and business stakeholders.

Unlike human users, machine identities do not retire or exit; they can lie dormant for extended periods and be reused across different systems. The absence of proper lifecycle management poses risks, as credentials may go unrotated, audit trails can disappear, and incident response teams may struggle to discern whether suspicious activity is legitimate or malicious. Regulatory scrutiny is increasing, with Sodhi asserting, “If an API key can unlock sensitive systems at scale, it warrants the same rigor as a privileged user account.” Breach disclosure laws in regions like Europe and India emphasize compliance, regardless of whether the compromised credential belongs to a person or a machine.
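The owner linkage Sodhi calls for and the lifecycle gaps described above (unrotated credentials, dormant identities, owners who have left) can be turned into a routine inventory audit. The following is an added example, not code from the article or any vendor mentioned in it; the `MachineIdentity` fields, the 90-day and 60-day thresholds, the `ACTIVE_STAFF` roster and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class MachineIdentity:
    name: str
    kind: str                    # e.g. "service_account", "api_key", "bot"
    owner: Optional[str]         # accountable human, or None if unassigned
    last_rotated: date           # when the credential was last rotated
    last_used: Optional[date]    # last sighting in audit logs; None = never

# Policy thresholds (assumed values, not taken from the article)
MAX_CREDENTIAL_AGE = timedelta(days=90)
DORMANT_AFTER = timedelta(days=60)

# Constructed HR roster: a valid owner must be a current employee
ACTIVE_STAFF = {"alice", "bob", "carol"}

def audit(inventory, today, active_staff=ACTIVE_STAFF):
    """Return {identity name: [issues]} for every identity with a finding."""
    findings = {}
    for ident in inventory:
        issues = []
        if ident.owner is None:
            issues.append("no_human_owner")
        elif ident.owner not in active_staff:
            issues.append("owner_departed")      # the owner left; accountability evaporated
        if today - ident.last_rotated > MAX_CREDENTIAL_AGE:
            issues.append("credential_not_rotated")
        if ident.last_used is None or today - ident.last_used > DORMANT_AFTER:
            issues.append("dormant")             # never retired, credential still valid
        if issues:
            findings[ident.name] = issues
    return findings

# Constructed sample inventory and audit date (not real data)
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    MachineIdentity("ci-deploy-bot", "bot", "alice", date(2024, 5, 1), date(2024, 5, 31)),
    MachineIdentity("legacy-etl-svc", "service_account", None, date(2023, 1, 15), date(2023, 9, 30)),
    MachineIdentity("billing-api-key", "api_key", "bob", date(2024, 1, 10), date(2024, 5, 30)),
    MachineIdentity("monitor-probe", "service_account", "carol", date(2024, 4, 15), None),
    MachineIdentity("vendor-sync-key", "api_key", "dave", date(2024, 3, 20), date(2024, 5, 29)),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{name}: {', '.join(issues)}")
```

Running the audit against an export of a real secrets manager or IAM inventory gives the board-level report Painter asks for: each finding is a machine identity that cannot currently be traced to an accountable, current human decision-maker.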

Painter further noted that misalignment in accountability can create blind spots that attackers can exploit. “Compromised keys or certificates can be misused to mimic trusted systems,” he explained. Without clear accountability linking automated actions to authorized human decisions, organizations face heightened compliance and incident response challenges.

When breaches do occur, the issue of ownership often pales in comparison to the overarching liability borne by the organization. Internally, blame is frequently distributed among CISOs, CIOs, and engineers. Painter highlighted that security teams often find themselves in difficult positions where liability falls on them, even as business pressure discourages implementing recommended security policies due to concerns about operational friction.

Some organizations are actively addressing these challenges through revised contracts with IT service providers. According to Sodhi, businesses now include machine identity obligations in master service agreements and security schedules, requiring vendors to manage credential rotations, immediately revoke compromised access, and maintain comprehensive audit logs. Non-compliance is increasingly treated as a breach of contract, a sentiment echoed by Painter, who noted that clear contractual terms can facilitate faster incident response. However, Schneider mentioned that machine identity language is not yet prevalent in many cloud agreements.

The imperative for governance is beginning to reach boardroom discussions. Directors, according to Sodhi, cannot afford to overlook machine identities, which often outnumber human ones and may provide broader access to critical systems. Ignoring these entities risks blinding the board to an escalating area of risk. Painter advised that executives should demand reporting on non-human identities, just as they do for human identity and access management, ensuring that valuable automated actions can still be traced to responsible human decisions.
