6 ways to identify non-human identities (NHIs)

COMMENTARY: For years, non-human identities (NHIs) were treated as a known category: service accounts, API keys, tokens, certificates, automation users, secrets, bots, and machine-to-machine access. They were important, but largely viewed as predictable actors running predefined jobs.

That assumption no longer holds.

Modern enterprises now run on thousands of applications, integrations, automations, and local identity paths. Many of these identities are not visible through the systems teams typically rely on, such as Entra ID, Okta, SailPoint, PAM, cloud IAM, or secrets vaults.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Our recent report, The Identity Gap: 2026 Snapshot, found that invisible identity, or “identity dark matter,” now outweighs visible identity across enterprise environments, 57% to 43%. Even more important: 67% of non-human accounts are created directly inside applications, making them unseen and unmanaged by traditional IAM programs.

This represents the new paradigm. We no longer think of identity as a question of who exists in the directory. It’s a question of what’s acting across the application estate, on behalf of whom, with what authority, and with what business impact.

That shift matters because AI agents are changing the risk profile. Traditional NHIs were often repetitive and bounded by code. Agentic AI is different. These actors can pursue goals, find shortcuts, and use whatever access paths are available. If an environment contains unmanaged local accounts, excessive privileges, hardcoded credentials, or orphaned accounts, AI agents may discover and use those paths faster than humans can review them.

It's not about blaming security or identity teams. Everyone faces this challenge. Most IAM programs were built to govern people and known systems of record. NHIs, and especially AI agents, require a different operating model: one that starts from the application layer and observes how identity actually behaves in production.

Here are six practical ways to identify NHIs:

  • Start from the application layer: Do not rely only on the identity provider (IdP) or the identity governance and administration (IGA) system to explain which NHIs exist. Those systems are necessary, but incomplete. Many NHIs only become visible when we inspect how applications authenticate, authorize, store credentials, call APIs, and connect to downstream systems. The application is often where the identity gets created, used, and hidden.
  • Map identity paths from the outside in: Identify which systems each application talks to, which databases it accesses, which APIs it calls, which credentials it uses, and whether access flows through centralized identity controls or bypasses them entirely. Our research found that 57% of applications bypass centralized IdPs, which means the real identity surface often extends well beyond the formal IAM stack.
  • Correlate every NHI to ownership and business context: NHIs without context are not governable. Teams need to connect each non-human actor to an application, an owner, a business process, and a target system. We don’t just ask “does this account exist?” but “why does it exist, who depends on it, and what would break if we changed it?”
  • Understand intent and behavior: Teams should look at what the NHI actually does: what it accesses, how often it runs, which systems it reaches, whether it’s interactive or automated, and whether its behavior matches its intended purpose. This helps separate legitimate operational usage from stale, risky, or unexpected activity.
  • Assess hygiene and toxic combinations: Once NHIs are discovered, evaluate whether they are active, dormant, orphaned, overprivileged, locally managed, using hardcoded or clear-text credentials, being used concurrently, or operating without logging. The highest risk often comes from combinations: an orphaned account with elevated privileges, an unmanaged access path with clear-text credentials, or a dormant account with no oversight.
  • Operationalize guardrails: Identification alone is not enough. Teams need to move from visibility to control: assign ownership, enforce least privilege, rotate or vault credentials, onboard accounts into governance workflows, monitor usage, document exceptions, and create audit-ready evidence. The goal is not simply to eliminate every NHI. It is to make each one visible, understood, owned, and governed.
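The hygiene checks and toxic combinations described in the fifth step are straightforward to turn into a repeatable triage over an NHI inventory. The script below is an added illustration, not code from the article or from Orchid Security: it runs the checks over a small constructed inventory (the `NHI` record shape, the 90-day dormancy threshold, the reference date and the sample account names are all assumptions) and flags the three combinations the article names, ranking each identity so owners can be assigned and credentials vaulted in risk order.

```python
"""Triage a constructed NHI inventory for hygiene gaps and toxic combinations."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed reference date so the example is deterministic; use date.today() in practice.
TODAY = date(2026, 3, 1)
DORMANT_AFTER_DAYS = 90  # assumed threshold, not from the article

CLEARTEXT_STORAGE = {"hardcoded", "cleartext_config"}

# Toxic combinations named in the article: individual flags that, together,
# raise the risk well above the sum of their parts.
TOXIC_COMBINATIONS = {
    "orphaned account with elevated privileges": {"orphaned", "elevated_privileges"},
    "unmanaged access path with clear-text credentials": {"unmanaged", "cleartext_credentials"},
    "dormant account with no oversight": {"dormant", "no_logging"},
}


@dataclass(frozen=True)
class NHI:
    """One non-human identity as discovered at the application layer (assumed record shape)."""
    name: str
    application: str
    owner: str | None          # None means nobody is accountable for it
    elevated_privileges: bool  # admin or otherwise elevated rights on its target system
    managed_centrally: bool    # governed via IdP/IGA/vault rather than created locally in the app
    credential_storage: str    # "vault", "env", "hardcoded", "cleartext_config"
    last_used: date | None     # None means never observed in use
    logging_enabled: bool
    concurrent_sessions: int = 0


def hygiene_flags(nhi: NHI, today: date = TODAY) -> frozenset[str]:
    """Return the individual hygiene findings for one identity."""
    flags = set()
    if nhi.owner is None:
        flags.add("orphaned")
    if nhi.last_used is None or (today - nhi.last_used).days > DORMANT_AFTER_DAYS:
        flags.add("dormant")
    if nhi.elevated_privileges:
        flags.add("elevated_privileges")
    if not nhi.managed_centrally:
        flags.add("unmanaged")
    if nhi.credential_storage in CLEARTEXT_STORAGE:
        flags.add("cleartext_credentials")
    if not nhi.logging_enabled:
        flags.add("no_logging")
    if nhi.concurrent_sessions > 1:
        flags.add("concurrent_use")
    return frozenset(flags)


def toxic_combinations(flags: frozenset[str]) -> list[str]:
    """Name every toxic combination whose flags are all present."""
    return [name for name, needed in TOXIC_COMBINATIONS.items() if needed <= flags]


def severity(flags: frozenset[str], combos: list[str]) -> str:
    """Any toxic combination is high; several isolated flags are medium; one is low."""
    if combos:
        return "high"
    if len(flags) >= 2:
        return "medium"
    return "low" if flags else "none"


def assess_inventory(inventory: list[NHI], today: date = TODAY) -> list[dict]:
    """Assess every NHI and return the report ordered by severity, then name."""
    report = []
    for nhi in inventory:
        flags = hygiene_flags(nhi, today)
        combos = toxic_combinations(flags)
        report.append({
            "name": nhi.name,
            "application": nhi.application,
            "owner": nhi.owner,
            "flags": sorted(flags),
            "toxic_combinations": combos,
            "severity": severity(flags, combos),
        })
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    return sorted(report, key=lambda r: (order[r["severity"]], r["name"]))


# Constructed sample inventory; names and applications are illustrative only.
SAMPLE_INVENTORY = [
    NHI("svc-billing-etl", "billing", "data-platform@example.test", False, True, "vault", date(2026, 2, 27), True),
    NHI("svc-legacy-admin", "erp", None, True, True, "vault", date(2026, 2, 20), True),
    NHI("local-report-bot", "reporting", "bi-team@example.test", False, False, "hardcoded", date(2026, 2, 28), True, 3),
    NHI("svc-old-sync", "crm", "crm-team@example.test", False, True, "env", date(2025, 9, 1), False),
]

if __name__ == "__main__":
    for row in assess_inventory(SAMPLE_INVENTORY):
        print(f"{row['severity']:<6} {row['name']:<18} {row['application']:<10} "
              f"{', '.join(row['toxic_combinations']) or ', '.join(row['flags']) or 'clean'}")
```

The report deliberately keeps the individual flags beside the named combinations: a single flag is a cleanup item, while a combination is what should open a ticket with an owner attached. Because `hygiene_flags` depends only on the record and a reference date, the same function can run on every inventory refresh, which is what turns a one-time discovery into the continuous observability the article argues for.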

NHIs ultimately function as an application identity challenge. They sit at the intersection of applications, identity infrastructure, security operations, compliance and AI readiness. As enterprises adopt AI agents, this becomes even more urgent. These new actors combine human intent with machine speed, and they operate across applications, data, and infrastructure. Organizations need to understand not only who has access, but what’s acting, where it’s acting, why it’s acting, and what impact it can have.

The organizations that get this right will not treat NHI discovery as a one-time inventory project. They will build a continuous identity observability and orchestration layer across the application estate, giving teams the visibility, ownership, and control required to operate safely in the agentic AI era.

Roy Katmor, co-founder and CEO, Orchid Security