Agentic AI Turns NHI Sprawl Into an Ungovernable Attack Surface

Modern cloud environments are built on thousands of non‑human credentials that hold powerful access and rarely receive the scrutiny they deserve. Service accounts, API keys, OAuth tokens, and similar credentials quietly authenticate application behavior, yet they are often poorly inventoried, rarely rotated, and difficult to govern. Mandiant’s M‑Trends 2026 report, drawing from more than 450,000 hours of incident response, confirms what many security teams have suspected for years: these machine identities have become a primary attack vector in cloud breaches. Threat actors are harvesting long-lived OAuth tokens, compromising third-party SaaS vendors to steal hard-coded keys, and then using those secrets to pivot within environments for large-scale data theft. The finding does not surprise anyone tracking this space; what alarms practitioners is what is being layered on top of the problem. Organizations fighting to govern the service accounts they already have are simultaneously deploying agentic AI systems that mint new non-human identities at a rate that pre-AI governance processes were never designed to handle. That collision, between a known problem and a new accelerant, is where the exposure lives.
The Arithmetic of Non-Human Identity Sprawl
The ratios are difficult to accept until you work through the math. Another recent study published earlier this year found non-human identities outnumber human users 82-to-1 in enterprise environments. In their Identity Security Outlook 2026 report, ManageEngine reported that nearly half of organizations they surveyed see ratios above 100-to-1, with some sectors reaching 500-to-1. Between H1 2024 and H1 2025 alone, the average enterprise saw a 44% increase in NHI volume.
The proliferation of non-human identities in enterprise environments was already underway before agentic AI systems became widespread. This growth was largely driven by the shift to cloud computing, the adoption of microservices architectures, and the increasing integration of SaaS platforms. However, agentic AI does not merely add to this existing challenge in a linear fashion. It will fundamentally alter the pace and scale of the problem in the future. Each agent deployed to autonomously investigate alerts, orchestrate workflows, or access data repositories requires its own identity infrastructure. As a result, organizations are experiencing a rapid increase in the number of credentials, access tokens, and permission scopes, along with the emergence of sub-agents that possess their own identity chains. Consequently, traditional tools will likely no longer be capable of reliably tracking or quantifying the number of active non-human identities within an organization at any given time.
Why This Is a Threat Intelligence Problem
The attack surface arithmetic shifts when agents are involved. An attacker who compromises a privileged human account has gained access to one identity. An attacker who gains access to a misconfigured agent credential, or poisons the data an agent reasons over, or injects instructions into an agent’s input pipeline, inherits the permissions of an autonomous system connected to dozens of downstream services.
The incidents are already materializing. In 2025, AppOmni disclosed CVE-2025-12420 in ServiceNow’s Virtual Agent integration, a flaw that allowed unauthenticated attackers to impersonate any user using only an email address, bypassing MFA and SSO to execute AI agents with administrative privileges. The OpenClaw vulnerabilities that surfaced in early 2026, affecting an open-source AI agent framework with over 135,000 GitHub stars, demonstrated that a malicious website could hijack a developer’s AI agent without requiring any plugins or user interaction. Mandiant’s own casework documented threat actor UNC6395 stealing OAuth tokens from a SaaS vendor’s Salesforce integration to access customer environments across more than 700 organizations.
The blast radius of an identity compromise is no longer bounded by what one person can access. It is bounded by what one agent was authorized to do, which in many production deployments today means it is not practically bounded at all.
The Governance Gap Is Architectural
The Cloud Security Alliance and Strata Identity surveyed security leaders in late 2025 and found that only 18% expressed high confidence that their IAM tools could manage agent identities. Only 28% could trace agent actions back to a human sponsor across all environments. The top concerns driving investment tell the story: sensitive data exposure (55%), unauthorized actions (52%), credential misuse (45%), and the inability to discover or register agents (40%).
These figures describe an environment where security teams know agents are running but cannot reliably answer who owns them, what they are authorized to access, what they have accessed, or how to revoke their credentials cleanly. The identity frameworks that underpin most enterprise security programs assume the ability to attribute actions to a principal. When an agent spawns a sub-agent, which chains another action, which triggers a third system, attribution becomes a graph problem rather than a lookup. Most organizations do not have the tooling to traverse that graph.
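The attribution graph described above can be made concrete with a small inventory walk. This is an added example, not code from the article or from any vendor it cites; the inventory layout, identity names, and scope strings are all constructed assumptions. It resolves each identity to a human sponsor, flags chains that break, and lists what a revocation would have to cover.

```python
from collections import deque

# Constructed inventory (assumption): every identity records what minted it.
INVENTORY = {
    "alice":           {"kind": "human",   "parent": None,              "scopes": set()},
    "triage-agent":    {"kind": "agent",   "parent": "alice",           "scopes": {"siem:read"}},
    "enrich-subagent": {"kind": "agent",   "parent": "triage-agent",    "scopes": {"crm:read", "tickets:write"}},
    "export-token":    {"kind": "token",   "parent": "enrich-subagent", "scopes": {"storage:write"}},
    # Creator is no longer in the inventory, so this chain cannot be attributed.
    "legacy-svc":      {"kind": "service", "parent": "bob-departed",    "scopes": {"db:admin"}},
}

def resolve_sponsor(identity, inv=INVENTORY):
    """Walk the minted-by chain up to a human. Returns (sponsor or None, chain)."""
    chain, seen = [identity], {identity}
    while True:
        rec = inv.get(chain[-1])
        if rec is None:
            return None, chain            # link points outside the inventory
        if rec["kind"] == "human":
            return chain[-1], chain
        parent = rec["parent"]
        if parent is None or parent in seen:
            return None, chain            # no recorded creator, or a cycle
        seen.add(parent)
        chain.append(parent)

def subtree(root, inv=INVENTORY):
    """Root plus every identity it minted, directly or transitively (BFS order)."""
    children = {}
    for name, rec in inv.items():
        children.setdefault(rec["parent"], []).append(name)
    found, queue = [], deque([root])
    while queue:
        node = queue.popleft()
        if node not in found:
            found.append(node)
            queue.extend(children.get(node, []))
    return found

def blast_radius(root, inv=INVENTORY):
    """Union of scopes reachable if root is compromised; also the revocation scope."""
    return set().union(*(inv[n]["scopes"] for n in subtree(root, inv) if n in inv))

def unattributed(inv=INVENTORY):
    """Non-human identities whose chain never reaches a human sponsor."""
    return [n for n, r in inv.items()
            if r["kind"] != "human" and resolve_sponsor(n, inv)[0] is None]
```

Revoking `triage-agent` alone would leave `enrich-subagent` and `export-token` live, which is why the kill switch has to operate on `subtree()` rather than on a single record.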
Cisco’s State of AI Security 2026 report quantified the preparation gap from the other direction: while most organizations planned to deploy agentic AI, only 29% reported being prepared to secure those deployments. The remaining 71% lack preparation not because attacks are hypothetical, but because the attacks do not resemble what existing tools were designed to catch.
The Rate Problem
The organizations that will handle this best are the ones that treat agent identity with the same lifecycle discipline they apply to privileged human accounts: defined ownership, least-privilege scoping, rotation schedules, and a credible kill switch. Machine-speed identity creation cannot be governed by human-speed approval processes. The governance tooling needs to operate at the same pace as the deployment tooling. For most organizations, that tooling does not exist in production. What is missing is not awareness that non-human identities are a risk. It is governance infrastructure that can operate at the same clock speed as the systems creating those identities. Every week that gap persists, the distance between what security teams can see and what is actually running widens by another generation of agent deployments.












