
Identity Is a Major Risk. And It’s Going to Get Worse (If We Don’t Do Anything About It).
In the modern enterprise, non-human identities (NHIs) now outnumber human users by 45 to 1. Typically, once these identities are set in motion, they quietly go about their business, executing tasks without much intervention or oversight. The rise of NHIs has triggered a seismic shift in cybersecurity risks—one that demands a technological and cultural reckoning.
In the intricate tapestry of modern enterprise IT, a silent yet powerful force has emerged: the quiet majority of machine identities.
These non-human identities (NHIs)—most commonly application programming interface (API) tokens used to authenticate automated IT processes, but also certificates, containers, automation tools, or service accounts—now outnumber human users by 45 to 1. And that number rises to as much as 100 to 1 in some enterprises. Typically, once these identities are set in motion, they quietly go about their business, executing tasks without much intervention or oversight. How do you spot (and manage) the novel risks this quiet majority of machine identities introduces to increasingly sprawling data estates?
Is Identity the New Perimeter?
Recent research shows a sharp increase in the use of stolen identities in cyberattacks. CrowdStrike’s 2025 Global Threat Report reveals that identity-based attacks (including phishing and social engineering) surged, with access brokers advertising nearly 50% more credentials than in 2023. The same report found that valid account abuse was responsible for 35% of cloud-related cyber incidents. Clearly, threat actors see identity compromise as a valuable gateway to broader enterprise environments.
Microsoft reports blocking more than 600 million identity-based attacks daily, underscoring the scale of the threat. And CrowdStrike found that 79% of 2024 intrusions were malware-free, a significant rise from 40% in 2019 that shows adversaries are increasingly relying on identity theft and the exploitation of trusted credentials rather than traditional malware.
The expanding, malign interest in identity exploits runs parallel with the continued expansion of cloud architectures in the enterprise. According to a survey of more than 1,600 IT and security decision makers (half of whom held CIO/CISO titles) conducted by Wakefield, 66% of IT and security leaders said they are planning to shift toward using more cloud and SaaS-based services over the next year. These same respondents also revealed their biggest cloud concerns: 35% see securing sensitive data across multiple environments as their primary challenge in the coming year; 30% are concerned with the lack of centralized management; 29% worry they lack visibility and control over cloud-based data.
The use of non-human service accounts and APIs across clouds and the enterprise will likely keep pace, and those concerns will likely deepen. So it’s clear why identity is now a central IT risk.
But this ascent is not without precedent. Indeed, it is similar to the way perimeter security threats and mitigation tactics evolved. At one point in the past, a network perimeter was fortified with firewalls, virtual private networks, and intrusion detection systems. But as the threat landscape evolved, it became clear that no amount of security technology and know-how could absolutely prevent successful hacks. So, security teams had to adapt and embrace a posture of resilience, devise new strategies to mitigate the impact of inevitable cyber intrusions, and help recover quickly from successful hacks.
Perimeter defense shifted from prevention to detection as breaches became inevitable. Identity security needs to do the same.
Identity Tech Must Evolve
Basic identity management tools and strategies were adequate when network access was primarily focused on managing human users, armed with usernames and passwords that could be centrally managed. But as cloud adoption, remote work, and the use of interconnected devices increased, so did the complexity of the very concept of a network “identity.” Non-human identities began to proliferate, and the attack surface expanded beyond the protection of existing identity management policies and practices.
The expanding, quiet NHI majority is essential for growth. But machine identities have created a new layer of risk that’s harder to see and manage. Machine identities lack the oversight humans receive—no policies from Human Resources govern their creation or retirement. They often persist with outdated credentials or excessive privileges, making them prime targets. A compromised machine identity can grant attackers silent, persistent access that bypasses traditional defenses.
Without centralized tracking, organizations struggle to map which machines access what data, leaving sensitive information exposed. Indeed, data sprawl plus unmanaged machine identities is a recipe for disaster.
Prevention, through multi-factor authentication, role-based access controls, or strong passwords, remains essential, but attackers wielding stolen credentials can bypass these barriers. The quiet majority’s scale and obscurity further drive this shift. What we need is advanced detection.
Identity Threat Detection and Response (ITDR) technology will play a pivotal role in that early response. ITDR monitors human and machine identities in real-time, using AI to detect anomalies. If any identity starts misbehaving—accessing irrelevant data or attempting to log into adjacent applications—the ITDR system can trigger responses, such as credential revocation.
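As an added illustration (not code from the original post or from any ITDR product), the following Python shows the shape of the detection the paragraph describes: learn a per-identity baseline of data targets and applications from a window of access events, then flag live events that deviate and attach a response. The log format, identity names and targets are constructed for the example; the deviation rule is a simple allow-set stand-in for the statistical or AI scoring a real ITDR system would use.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample events, one JSON object per line, modelled on a generic
# access log (identity, action, target). Not taken from any real product.
BASELINE_LOG = """
{"ts": "2025-03-01T02:00:00Z", "identity": "svc-etl", "action": "read", "target": "s3://finance-raw"}
{"ts": "2025-03-01T02:05:00Z", "identity": "svc-etl", "action": "write", "target": "s3://finance-curated"}
{"ts": "2025-03-01T03:00:00Z", "identity": "svc-etl", "action": "login", "target": "app:warehouse"}
{"ts": "2025-03-01T04:00:00Z", "identity": "svc-backup", "action": "read", "target": "db:customers"}
{"ts": "2025-03-01T04:10:00Z", "identity": "svc-backup", "action": "write", "target": "s3://backups"}
"""

LIVE_LOG = """
{"ts": "2025-03-08T02:00:00Z", "identity": "svc-etl", "action": "read", "target": "s3://finance-raw"}
{"ts": "2025-03-08T02:30:00Z", "identity": "svc-etl", "action": "read", "target": "db:customers"}
{"ts": "2025-03-08T02:31:00Z", "identity": "svc-etl", "action": "login", "target": "app:hr-portal"}
{"ts": "2025-03-08T05:00:00Z", "identity": "svc-backup", "action": "read", "target": "db:customers"}
{"ts": "2025-03-08T06:00:00Z", "identity": "svc-ghost", "action": "login", "target": "app:warehouse"}
"""

# identity -> {"data": set of data targets, "apps": set of applications logged into}
Baseline = Dict[str, Dict[str, Set[str]]]


def parse_events(log_text: str) -> List[dict]:
    """Parse JSON-lines access events, skipping blank lines."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def bucket_for(event: dict) -> str:
    """Logins describe application access; everything else is data access."""
    return "apps" if event["action"] == "login" else "data"


def build_baseline(events: List[dict]) -> Baseline:
    """Record, per identity, every data target and application seen in the training window."""
    baseline = defaultdict(lambda: {"data": set(), "apps": set()})
    for ev in events:
        baseline[ev["identity"]][bucket_for(ev)].add(ev["target"])
    return dict(baseline)


def detect(events: List[dict], baseline: Baseline) -> List[dict]:
    """Flag events from unknown identities or outside an identity's learned baseline."""
    alerts = []
    for ev in events:
        ident = ev["identity"]
        if ident not in baseline:
            # A credential that never appeared in the baseline window is itself suspicious.
            alerts.append({"ts": ev["ts"], "identity": ident, "target": ev["target"],
                           "reason": "unknown identity", "response": "investigate_unknown_identity"})
            continue
        bucket = bucket_for(ev)
        if ev["target"] not in baseline[ident][bucket]:
            reason = ("login to application outside baseline" if bucket == "apps"
                      else "access to data outside baseline")
            alerts.append({"ts": ev["ts"], "identity": ident, "target": ev["target"],
                           "reason": reason, "response": "revoke_credential"})
    return alerts


def run_detection() -> List[dict]:
    """Train on BASELINE_LOG, evaluate LIVE_LOG, return the alerts raised."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect(parse_events(LIVE_LOG), baseline)


if __name__ == "__main__":
    for alert in run_detection():
        print(f"{alert['ts']} {alert['identity']} -> {alert['target']}: "
              f"{alert['reason']} ({alert['response']})")
```

In the constructed data, svc-etl reading the customer database and logging into an HR portal are flagged, as is a never-before-seen svc-ghost, while svc-backup stays quiet because it read the same database during the baseline window. The obvious caveat is that a static allow-set will alert on every legitimate new deployment, so the baseline has to be refreshed through change management, and the automated response should be weighed against the blast radius of revoking a production token.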
The Culture Question: Who is in Charge of the Machines?
Organizations seeking to improve their security posture and resilience must pivot their identity policies and practices to a detection-centric mindset, recognizing that they will not suddenly reduce the number of non-human (or human) identities. But to get there, organizations will need to address a real cultural tension about who, whether it be IT or Information Security, has the ultimate say in policies that govern the use of NHIs.
It’s natural for IT to push for innovation and speed. IT generally promotes policies that lower the barriers for deploying machine identities. IT doesn’t want to wait days or weeks for someone in InfoSec to review the API they want to spin up to share data between cloud instances. Or have someone looking over their shoulder when creating a test dev environment that may use NHIs to pull in production data for use in a product prototype. The friction created by this kind of intervention is contrary to the whole point of IT: to use technology to bring speed, efficiency, and innovation to an organization.
But it’s naive to ignore the real security issues that can result from IT’s unchecked use of NHIs. If no one takes inventory of the API in that test environment, it could remain connected to production data long after the new product launches. And if no one shuts down or maintains that environment, it could become increasingly insecure and susceptible to exploitation. While dozens of abandoned NHIs may churn along for years without incident, it only takes one failure for the pendulum to swing away from IT’s move fast/make things mentality toward the more cautious approach of InfoSec.
This tension is not new: ask any security professional about the fights they have with IT (and vice versa). But in an increasingly uncontrolled computing environment, no one benefits from wild swings between unrestrained IT innovation and InfoSec lockdown.
We have to meet the identity threat with some kind of measured middle approach.
What Next?
It will take the right technology and culture to effectively confront the identity management challenge. Here are some steps to consider:
Understand Your Risk Exposure: Map the identity environment—human and machine—considering business size, industry risks, and entry points. A regulated organization with sprawling cloud assets faces higher stakes than a small, localized one. Taking an effective inventory of NHIs is step one.
Get the Right People in the Room: Bridge the IT-InfoSec divide with regular, structured dialogue, whether it’s through a center of excellence, committee, or some type of stakeholder group. IT craves agility; InfoSec seeks security. Facilitate conversations to balance these imperatives, aligning on the emerging identity risks.
Create a Process for Identity Resilience—But Don’t Overdo It: Translate dialogue into lightweight policies that govern the quiet majority without stifling innovation. Define credential lifecycles and access controls that both sides tolerate, improving resilience incrementally.
Implement the Right Technology: Deploy ITDR to monitor and respond to the quiet majority’s threats. Its real-time detection and automation turn cultural consensus into actionable security, safeguarding the enterprise.
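To make the inventory in step one and the lifecycle policy in step three concrete, here is an added Python example (not from the original post) that audits a constructed NHI inventory against a lightweight lifecycle policy: maximum credential age, maximum idle time, a required owner, and privilege checks that catch both wildcard admin rights and a non-production identity still holding production data access, the abandoned test-environment case described earlier. The record fields and policy thresholds are assumptions; an inventory exported from a real platform would need to be mapped onto them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed inventory records for illustration. The field names are an
# assumption for this example, not the schema of any real identity platform.
INVENTORY = [
    {"id": "svc-etl-prod-token", "type": "api_token", "environment": "prod",
     "owner": "data-platform", "created": "2025-01-15", "last_used": "2025-03-09",
     "privileges": ["read:prod-finance-raw", "write:prod-finance-curated"]},
    # The abandoned prototype: no owner, stale key, idle for months, still reading production data.
    {"id": "svc-proto-test-key", "type": "api_token", "environment": "test",
     "owner": None, "created": "2024-06-01", "last_used": "2024-09-30",
     "privileges": ["read:prod-customers"]},
    {"id": "svc-ci-deploy", "type": "service_account", "environment": "prod",
     "owner": "platform", "created": "2025-02-20", "last_used": "2025-03-10",
     "privileges": ["admin:*"]},
]


@dataclass(frozen=True)
class LifecyclePolicy:
    """Thresholds IT and InfoSec agree on; the numbers here are illustrative."""
    max_credential_age_days: int = 90
    max_idle_days: int = 30
    require_owner: bool = True
    # Substrings that mark a privilege as too broad for an automated identity.
    excessive_markers: tuple = ("*", "admin:")
    # Substring that marks a privilege as touching production data.
    prod_marker: str = ":prod-"


def audit_identity(rec: dict, today: date, policy: LifecyclePolicy) -> List[str]:
    """Return the policy findings for one inventory record (empty list = compliant)."""
    findings: List[str] = []
    age_days = (today - date.fromisoformat(rec["created"])).days
    idle_days = (today - date.fromisoformat(rec["last_used"])).days

    if age_days > policy.max_credential_age_days:
        findings.append(f"credential age {age_days}d exceeds {policy.max_credential_age_days}d")
    if idle_days > policy.max_idle_days:
        findings.append(f"idle {idle_days}d exceeds {policy.max_idle_days}d")
    if policy.require_owner and not rec.get("owner"):
        findings.append("no accountable owner")

    for priv in rec["privileges"]:
        if any(marker in priv for marker in policy.excessive_markers):
            findings.append(f"excessive privilege: {priv}")
        elif rec["environment"] != "prod" and policy.prod_marker in priv:
            findings.append(f"non-production identity holds production privilege: {priv}")
    return findings


def audit_inventory(records: List[dict], today: date,
                    policy: Optional[LifecyclePolicy] = None) -> Dict[str, List[str]]:
    """Audit every record and key the findings by identity id."""
    policy = policy or LifecyclePolicy()
    return {rec["id"]: audit_identity(rec, today, policy) for rec in records}


if __name__ == "__main__":
    # Fixed "today" so the constructed dates evaluate the same way every run.
    for ident, findings in audit_inventory(INVENTORY, date(2025, 3, 10)).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ident}: {status}")
```

Run against the constructed records, the production ETL token passes, the CI deployer is flagged only for its wildcard admin scope, and the forgotten prototype key collects four findings at once, which is the pattern worth alerting on: an identity nobody owns, nobody rotates and nobody uses, yet one that still holds a path into production data. The thresholds are the negotiable part; the point of the exercise is that the check runs on a schedule rather than after an incident.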
Transform the Quiet Majority into a Managed Asset
The quiet majority of machine identities has silently redefined enterprise security, amplifying risks in ways traditional models can’t address. Their rise—evidenced by surging identity attacks and malware-free breaches—demands a cultural shift. IT and InfoSec must unite, balancing agility and protection to tame this silent threat.
By understanding exposure, fostering collaboration, crafting resilient processes, and leveraging ITDR, enterprises can transform the quiet majority from a liability into a managed asset. In this new era, adapting business culture isn’t just strategic—it’s survival.