Machine Identities Outnumber Humans 80:1

NHI & AI · CyberArk · Apr 2025
CyberArk's global survey found machine identities outnumber human identities by over 80:1. Nearly half have sensitive or privileged access. Most are unmanaged.

Key Finding

Human and machine identities with privileged access are expected to double in 2025. 88% of organizations face pressure from cyber insurers mandating enhanced privilege controls.

CyberArk's 2025 State of Machine Identity Security Report quantifies what identity practitioners have long suspected: the machine identity surface has grown far beyond organizational governance capabilities.

The headline finding is that machine identities (service accounts, API keys, certificates, tokens, and automated workloads) outnumber human identities by a ratio exceeding 80:1 in most enterprise environments. Nearly half of these machine identities have sensitive or privileged access to production systems, databases, and cloud infrastructure.

Yet most machine identities remain outside formal identity governance programs. They are created by developers, provisioned by DevOps teams, and forgotten by everyone. They do not appear in IAM dashboards. They are not subject to access reviews. They do not expire.

The report also found that 88% of organizations face increasing pressure from cyber insurers to demonstrate enhanced privilege controls for machine identities, a clear signal that the insurance industry has recognized NHI as a material risk.

This data reinforces a fundamental architectural principle: if your identity governance program only covers human users, you are governing less than 2% of the identities in your environment. The other 98%, the service accounts, API keys, and machine credentials, represent the fastest-growing attack surface with the least architectural oversight.

Identity architecture must be designed for all identity types from the foundation, not retrofitted for machines after the human governance program is "done."
