
Non-human identities vastly outpace human accounts by 144:1


A July 23 Entro Security report found that non-human identities (NHIs) continue to outpace human accounts, with the average ratio growing in the past year from 92:1 to 144:1 – a 56% jump in just one year.

“An identity gap of 144:1 isn’t just a stat — it’s a seismic shift in how risk scales across modern environments,” said Itzik Alvas, co-founder and CEO of Entro Security. “Agentic AI and automation are fueling a machine identity explosion, but most of these NHIs are invisible, ungoverned, and overprivileged. You can’t secure what you can’t see, and attackers know it.”

The Entro report found that nearly half of all exposed secrets are discovered outside of code in workflows, messaging app channels, and other collaboration tools like Confluence.

According to Entro, the No. 1 most exposed secret type is tied to Slack bots that are often wired into security systems, alerting tools, and internal workflows, making Slack tokens easy to generate and just as easy to expose.

Alvas said security teams should be concerned about some of the reported trends because these NHIs are often created automatically, poorly governed, long-lived and unrotated, and lack clear ownership or visibility.

“In this environment, attackers don’t need to phish a user, they just need to find a credential or token tied to an overprivileged NHI,” said Alvas. “The risk scales with the sprawl, and many security teams are still trying to apply human-centric IAM practices to machine-driven architectures.”

James Maude, Field CTO at BeyondTrust, added that the Entro report highlighted what a lot of organizations are rapidly realizing when it comes to NHIs: the horse may have already left the barn.

“Many organizations have been so focused on securing human identities that non-human identities and agentic AI have gotten away from them,” said Maude. “This vastly increases their identity attack surface and opens up new path-to-privilege where an attacker can compromise a human identity and then pivot into a highly privileged non-human identity by grabbing credentials from Slack.”

Shane Barney, chief information security officer at Keeper Security, said NHIs aren’t a new or emerging risk: they’ve been at the center of some of the most high-profile breaches in recent memory. From SolarWinds to CodeCov to CircleCI, attackers have repeatedly exploited poorly managed service accounts, tokens, and secrets to gain deep, undetected access.

“That’s what makes this report so frustrating,” said Barney. “Despite years of clear warnings and real-world consequences, many organizations still lack basic visibility and control over their non-human credentials. It’s not that the risk is misunderstood — it’s that it’s being deprioritized. This should be a wake-up call.” 
