



For most businesses, "identity" in cybersecurity means one thing: a person logging in. An employee with a username, a password, and maybe an MFA prompt on their phone. Security teams built entire careers around managing that one human-to-system relationship.
That's no longer where most of the logins in a company actually are.
Across the average enterprise, non-human identities like service accounts, API keys, and increasingly, autonomous AI agents now outnumber human ones by roughly 80 to 1, according to KPMG's Cybersecurity Considerations 2026 report. Separate research from CyberArk puts the figure at 82:1. Entro Security, which tracks credential sprawl for cloud native setups, found that the ratio has climbed to 144 machine identities for each human. This is up by 56% in just a year. The exact number depends on whoâs counting and what they consider in-scope. But every version of it says pretty much the same thing: organizations have gotten outnumbered inside their own systems, and most people still havenât really clocked it. AI agents are the newest and fastest growing slice of that population. And unlike a static service account that sits in one place doing one job, an agent can log into other systems on its own, call APIs, and make decisions about what to do next. All without a person in the loop checking whether it should.
That's the part that should give US business owners pause. Your AI agents don't just have access anymore. They have logins. And in a lot of companies, nobody's entirely sure how many or what those logins can actually do.
A traditional service account is boring by design. It was set up once, for one purpose, and it does that one thing until someone remembers to turn it off. Research suggests that it can take years longer than it should.
An AI agent is a different kind of animal. For it to actually do the job, an agent usually has to authenticate into a companyâs CRM, its email environment, its cloud storage, and maybe a customer database too, or even the payment processor. Each one of those links tends to demand its own credentials, like an API key or a service account. So, you can have one agent kind of living with five, ten, or honestly even more separate access sets running at the same time, without much drama.
Then it gets more complicated. Multi-agent systems in which one orchestration agent delegates tasks to several specialized sub-agents are becoming standard in enterprise AI deployments. Each sub-agent typically needs its own credentials too, and can spin up more sub-agents to handle smaller tasks, each with its own access. The OWASP Top 10 for Agentic Applications, which is the security community's current reference list for this exact problem, names this "Identity and Privilege Abuse" as one of the top risks facing agentic systems. Agents inherit high-privilege credentials, session tokens, and delegated access that then get reused or passed along to other agents without anyone reviewing whether that access is still appropriate.
Security researchers have taken to calling this whole category "non-human identity" or NHI. It has become one of the defining phrases in cybersecurity in 2026. The tools built for managing human logins and password policies were never designed for credentials that get created automatically and are used by something that doesn't sleep or take breaks. That's why NHI is becoming such a big deal in 2026.
It's one thing to say AI agent login security is a growing risk. The data backs up just how fast and how unprepared most companies actually are.
Sophos's State of Identity Security 2026 report, based on a survey of 5,000 IT and security leaders published in May, found that 71% of organizations suffered at least one identity-related breach in the past 12 months. Weak non-human identity management specifically was cited as a root cause in 40.6% of those incidents. And when a breach did stem from weak NHI management, the consequences were measurably worse: organizations in that position were 27.9% more likely to experience financial theft, 24.4% more likely to face extortion, and reported recovery costs that ran nearly $150,000 higher than the survey's overall average of $1.64 million per breach.
The Cloud Security Alliance's own 2026 survey of IT and security professionals found a similarly uncomfortable picture. Only 12% of organizations said they were highly confident in their ability to prevent an attack via a non-human identity. More than 16% admitted they don't even track the creation of new AI-related identities. This means that a growing pile of tokens and service accounts exists completely outside any formal inventory. Less than a quarter of organizations have documented, formally adopted policies for creating or removing AI identities in the first place.
It gets more specific once you look at how those credentials are actually managed day to day. According to Sophos's data, only about one in three organizations (34%) regularly rotate or audit their service accounts and non-human identities, and just 11% do it continuously. Separate research cited by the Non-Human Identity Management Group puts the figure even lower: 71% of NHIs aren't rotated within any recommended timeframe at all, and only 20% of organizations have formal processes for offboarding and revoking API keys when they're no longer needed.
Then there's the visibility problem. One vendor guide on agentic AI security, drawing on Cloud Security Alliance survey data, found that 68% of organizations can't reliably distinguish AI agent activity from human activity inside their own systems. If a company canât tell the difference between an employee logging in and an agent doing things on that employeeâs behalf, itâs not exactly in a strong position to spot when one of those agents starts acting a little strangely.
Put together the scene that Sophos, CSA, KPMG, and CyberArk are describing, itâs basically the same. The count of non-human identities in the average business has really shot up while the supervision hasnât caught up. Itâs in that gap where the actual incidents are taking shape.
None of this is theoretical. Over the past few years, several incidents have happened that show how an AI agent login security becomes a cybersecurity problem.
The software platform Vercel disclosed a breach in April 2026 that started nowhere near its own systems. An employee had connected a third-party AI office tool to their Google Workspace account. An attacker compromised Context.ai and used the OAuth connection the employee had granted it to pivot straight into Vercel's internal systems, exposing environment variables and internal data. Vercel didn't get breached because someone broke through its front door. It got breached because an employee trusted an AI tool with access, and that tool's own security wasn't strong enough to hold up.
Around the same period, a campaign researcher has nicknamed TeamPCP worked its way through a chain of software supply-chain targets including the security scanner Trivy, then Checkmarx KICS, then the AI development tool LiteLLM using credentials stolen from each compromised target to reach the next one. In the LiteLLM case, the attackers didn't exploit a flaw in the software itself. They compromised the security scanner used in its CI/CD pipeline. They then stole a maintainer's registry credentials and pushed a backdoored version directly to roughly 47,000 downloads before it was caught. The lesson security researchers have drawn from the cascade is blunt. Once an attacker has one set of automation credentials, they often have a map to the next one.
The AI-agent social network Moltbook offered a version of the same story on a more public stage. What looked at first like a novelty turned out to expose real human data once it emerged that the underlying setup involved loosely governed APIs and service accounts with broad, unreviewed access. As one cybersecurity strategist put it at the time, what got described as "emergent AI behavior" was really just automation moving fast through gaps that had been sitting there all along.
In one of the more serious cases reported this year, researchers say theyâve documented that a single attacker leaned on mainstream AI coding assistants to breach several government agencies in Mexico. In the end, they reportedly got into systems spanning tax, civil registry, and electoral services, taking hold of tens of millions of records. The exact details of that incident are still being sifted through, but the general pattern researchers keep pointing to feels pretty consistent. Excessive permissions get handed over to systems that can act on them at machine speed and there is no real human checking in along the way.
None of these incidents needed an exotic zero-day. They traced back to access credentials that were scoped too broadly or simply trusted by a system that didn't have a dependable way to tell the difference between a legitimate request and a harmful one.
It would be reasonable to read all of this and assume the fix is simply "watch the AI agents more closely." That's part of it, but it undersells the actual shape of the problem.
The harder issue is that agents don't just use credentials. Some of them create new ones. A multi-agent system can spin up a sub-agent to handle a discrete task, and that sub-agent typically needs its own access to do its job. That new identity often gets created automatically, without a security review, without a defined owner, and without an expiration date. Multiply that across a business running dozens of automated workflows, and you end up with what researchers increasingly describe as an ever-growing population of "orphaned" identities: credentials that outlive the task, the project, or even the employee who originally set the whole thing up.
One 2026 analysis cited by the Cloud Security Alliance found that 51% of organizations report no clear ownership over their AI identities at all. Separate reporting found that 8% of enterprise identities have no link back to any HR system once the person who created them leaves the company. Thus, meaning nobody is formally accountable for shutting them down. Those credentials don't announce themselves. They just sit there, valid and often over-permissioned, until someone with bad intentions finds them.
This is also where the SANS Institute's 2026 survey findings are worth sitting with. No single safeguard against risky AI agent actions is used by more than about 40% of organizations and even the most common one is only in place at roughly four in ten companies. Most businesses are relying on a patchwork of partial controls rather than any one dependable system, which is exactly the kind of gap that shows up quietly, until it doesn't.
The good news, if there is any, is that the industry isn't starting from zero. A handful of control patterns keep coming up across the research as the ones that actually hold up when an agent's credentials are compromised, rather than just making a breach less likely on paper.
The first is scoping access down to the task, not the system. Instead of an agent holding one broad credential that can touch an entire database, the more resilient setups give it narrow, purpose-built permissions for exactly what that specific job requires, nothing more. The Cloud Security Alliance's guidance on securing non-human identities in the age of AI agents leans hard on this idea, alongside a second one: just-in-time provisioning, where credentials are generated for a specific task and expire automatically once it's done, rather than being issued once and left active indefinitely.
The second pattern is treating an agent's behavior, not just its credentials, as part of its identity. One researcher writing on agentic AI defense patterns described this well. An agent that typically makes 50 API calls an hour has a behavioral baseline. If that same credential suddenly starts making 5,000 calls at 3 a.m. and reaching into data it's never touched before, something has changed. Static credential checks can't catch that. Runtime monitoring can.
The third is more of a discipline than a tool: knowing what you have. The CSA survey found that only a minority of organizations can say with confidence how many AI-related identities exist in their environment at all. Before a company can scope permissions properly or catch anomalous behavior, it needs an actual inventory. Every agent, every credential, every API key, with an owner attached to each one who's accountable for reviewing and eventually retiring it.
None of these are exotic. They're the same fundamentals that have underpinned good identity security for years, applied to a category of identity that didn't really exist in most businesses three years ago and now, by some counts, outnumbers the human employees using the same systems by nearly a hundred to one.
Large enterprises are struggling with this. Data from the IANS and Artico Search CISO Compensation and Budget Survey found that identity and access management spending consume about 6% of the security budget at companies under $400 million in revenue, rising to 12% at companies above $5 billion. That gap says a lot: the businesses least equipped to build a dedicated AI identity governance program are also the ones spending the least on the problem, relative to their size.
Most small and mid-size US businesses don't have a security team whose entire job is tracking which AI tools have access to what, auditing service accounts on a schedule, or revoking API keys the moment a project wraps up. They have an IT generalist, or a lean internal team, already stretched across help desk tickets, onboarding, and whatever's on fire that week. Adding "audit every AI agent login security and credentials on a recurring basis" to that list isn't unreasonable in theory. In practice, it's the kind of task that gets pushed to "next quarter" indefinitely, right up until an incident makes it urgent.
That doesn't mean the fundamentals here are complicated. They're the same principles that have always underpinned good identity security, just applied to a new category of user: know what has access to what, give it only the access it actually needs, set credentials to expire rather than live forever, and review the list regularly enough that "orphaned" isn't a word that applies to anything in the environment. The businesses adopting AI agents fastest right now are, almost by definition, the ones least likely to have that groundwork already in place which is usually where a managed IT or security partner earns its keep: not replacing those fundamentals, but making sure someone is actually watching the list of logins a company has handed out to systems that never sleep.