89% of IT Leaders Can't Track Their Machine Identities -- Annual Assessments Aren't Built for What's Growing Fastest
Your annual security assessment asks one question about identity: who has access?
It never asks what has access. And that's the gap that's costing you.
A report published this month surveyed 3,200 senior IT leaders globally. 89% said managing their organization's growing identity footprint is a challenge. Not a minor inconvenience. A challenge that 96% say is made worse by disconnected security tools creating exploitable gaps.
The thing those leaders are struggling with isn't human accounts. It's the other kind.
The ratio nobody planned for
For every human identity in your environment, there are roughly 144 non-human identities. Service accounts. API keys. OAuth tokens. CI/CD runners. AI agents. Automated workflows that someone spun up for a demo six months ago and never decommissioned.
That 144:1 ratio is up from 92:1 just a year earlier. Some organizations report ratios as high as 500:1. The average enterprise went from 50,000 machine identities in 2021 to 250,000 in 2025. A 400% increase in four years.
These aren't abstract numbers. Each one of those identities has permissions. And 97% of them have more permissions than they need.
Here's the stat that should make you pause: 0.01% of machine identities control 80% of cloud resources. A tiny fraction of your non-human accounts hold the keys to nearly everything.
Nobody owns this problem
The conversation around NHI (non-human identity) security tends to focus on the count. How many do you have? How fast are they growing? But count isn't the real issue.
The real issue is ownership.
DevOps creates a service account for a deployment pipeline. Security doesn't know it exists. IT governance doesn't track it. When the project wraps, nobody decommissions it. It sits there with elevated privileges, unrotated credentials, and zero monitoring.
Jacob Warner of a major identity security consultancy calls this "identity debt." AI agents and automated workflows create a shadow ecosystem of privileged access that no single team is responsible for.
71% of non-human identities aren't rotated within recommended timeframes. Nearly half are over a year old. Some are over a decade old. And only 20% of organizations have a formal process for revoking API keys when they're no longer needed.
That's not a security posture. That's a collection of forgotten doors with the locks rusted open.
Annual audits were built for a different speed
Here's the structural problem. A human identity might change roles once a year. Maybe twice. Your annual assessment catches that just fine.
A CI/CD pipeline spins up and tears down service accounts daily. An AI agent gets provisioned with API credentials on a Tuesday and starts making authenticated calls to production systems by Wednesday. A developer creates an API key for testing, pushes it to a config file, and moves on to the next task.
The audit cadence (annual, quarterly at best) was designed for a world where identities were stable. Where the set of "things that can authenticate against your systems" changed slowly and predictably.
That world is gone. And only 15% of organizations feel highly confident they can prevent NHI-related attacks.
80% of identity-related breaches now involve compromised non-human identities. Not stolen passwords. Not phished credentials. Compromised service accounts, leaked API keys, and over-privileged machine tokens that nobody was watching.
The M&A signal tells you everything
When major security vendors spend over a billion dollars acquiring NHI startups in a six-month window, they're telling you something. They can't build this capability fast enough. The gap is too wide and growing too fast.
One vendor paid $400 million specifically to secure AI agents, API keys, service accounts, and OAuth tokens. Another spent $628 million on real-time access orchestration. These aren't speculative bets. These are panic purchases.
And still, only 24% of organizations have guardrails to control what their AI agents can do.
What a real assessment looks like
The question isn't whether you need to assess your identity surface. It's whether your current assessment even sees the full surface.
Most assessments inventory human accounts, check password policies, verify MFA enrollment, and call it done. That covers maybe 1% of your actual identity footprint.
A real assessment starts with a complete inventory. Humans and machines. Service accounts, API keys, OAuth grants, CI/CD credentials, AI agent tokens, and every automated workflow that authenticates against anything. You can't secure what you haven't counted.
LTFI's security assessment platform runs 25+ AI-powered assessment agents across 7 specialized departments, orchestrating 500+ integrated security tools. Each assessment is completely isolated on dedicated infrastructure. No shared resources, no cross-customer data access.
The difference between an annual checkbox audit and a real assessment is the difference between asking "who has access?" and asking "what has access, what can it do, and when was the last time anyone checked?"
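The three questions above turn into a mechanical check once you have an inventory. The Python below is an added example, not LTFI's platform or code from the article; the rotation and dormancy thresholds, the permission names and the sample identities are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed thresholds (assumptions for illustration, not figures from the article).
MAX_CREDENTIAL_AGE = timedelta(days=90)   # rotate at least quarterly
DORMANT_AFTER = timedelta(days=180)       # unused for six months = a forgotten door
ELEVATED = {"admin", "iam:*", "secrets:read", "deploy:prod"}  # high-impact permissions

@dataclass
class MachineIdentity:
    name: str
    owner: str | None           # team accountable for it; None when nobody claims it
    permissions: set[str]
    created: date
    last_rotated: date | None   # None: the original credential is still in use
    last_used: date | None      # None: no authentication has ever been observed

def assess(identity: MachineIdentity, today: date) -> list[str]:
    """Findings for one identity: who owns it, what it can do, when it was last checked."""
    findings = []
    if identity.owner is None:
        findings.append("no owner")
    elevated = identity.permissions & ELEVATED
    if elevated:
        findings.append(f"elevated permissions: {sorted(elevated)}")
    rotated = identity.last_rotated or identity.created
    if today - rotated > MAX_CREDENTIAL_AGE:
        findings.append(f"credential unrotated for {(today - rotated).days} days")
    if identity.last_used is None or today - identity.last_used > DORMANT_AFTER:
        findings.append("dormant")
    return findings

def identity_debt_report(inventory: list[MachineIdentity], today: date) -> dict[str, list[str]]:
    """Only identities with at least one finding appear in the report."""
    return {i.name: assess(i, today) for i in inventory if assess(i, today)}

# Constructed sample inventory; in practice it is merged from IdP, cloud IAM, secret-manager and CI/CD exports.
ASSESSMENT_DATE = date(2025, 6, 1)
def days_ago(n: int) -> date:
    return ASSESSMENT_DATE - timedelta(days=n)

SAMPLE = [
    MachineIdentity("demo-pipeline-sa", None, {"deploy:prod", "read:logs"}, days_ago(200), None, days_ago(190)),
    MachineIdentity("billing-api-key", "payments", {"billing:read"}, days_ago(400), days_ago(30), days_ago(1)),
    MachineIdentity("agent-token", "ml-platform", {"secrets:read"}, days_ago(10), None, days_ago(1)),
]

if __name__ == "__main__":
    for name, findings in identity_debt_report(SAMPLE, ASSESSMENT_DATE).items():
        print(f"{name}: {'; '.join(findings)}")
```

The forgotten demo pipeline account trips every check at once, while a rotated, owned, narrowly scoped API key produces no finding even though it is older; age alone is not the signal, unowned and unrotated privilege is.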
The inventory problem is the security problem
You can't rotate credentials you don't know exist. You can't enforce least privilege on accounts you haven't cataloged. You can't detect anomalous behavior from identities you aren't monitoring.
The 89% of IT leaders struggling with identity sprawl aren't struggling because the tools don't exist. They're struggling because their assessment model was built for a workforce that changes quarterly, not one that changes hourly.
Machines now outnumber humans in your environment by orders of magnitude. Your security assessment should reflect that reality.
If your last assessment didn't count your non-human identities, it didn't assess your identity surface. It assessed a fraction of it and called it complete.