Leaders overestimate their organizations’ handle on machine identities
The ratio of machine to human identities within organizations is also widening.
Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
Executives and identity and access management (IAM) practitioners aren’t on the same page when it comes to their organizations’ ability to keep tabs on machine identities.
Eight in 10 C-suite and high-level executives believe they tracked dormant or orphaned machine identities in a comprehensive manner, according to a recent ManageEngine report. Despite that confidence, only 50%–70% of surveyed mid-level managers and IT pros confirmed machine identities were monitored thoroughly within their company.
The kicker is that just 15% of junior managers admit their organization doesn’t track privileged accounts (i.e., accounts with above normal permissions and access) at all.
Why execs and practitioners aren’t seeing eye-to-eye. The findings are based on a 2025 survey of North American decision-makers who oversee IAM within their organizations. ManageEngine blames several factors for the misalignment, including overconfidence in tools, a lack of understanding of reporting metrics by top leaders, and a cultural mismatch between executives and practitioners.
Dwayne McDaniel, developer advocate at security platform GitGuardian, told IT Brew this disconnect between executives and lower-level managers is not a new phenomenon in IT, as the latter is usually the group that sees firsthand what’s actually happening in their company.
“They know where the servers are under desks. They know where that shadow IT is,” McDaniel said. “They hear stories of it all the time.”
AI vs. AI. The number of non-human identities (NHIs) within organizations continues to surpass that of their human counterparts. Almost half (46%) of surveyed companies say they have between 101 and 250 machine identities per human identity. McDaniel said AI is partly behind this growth as companies embrace agents, digital twins, and other forms of the tech.
“In all reality, though, all AI is just a process running on hardware somewhere, virtual hardware container somewhere, and that therefore falls under the definition of non-human identity,” McDaniel said.
Companies are also using AI to better manage identities. More than 9 in 10 organizations (91%) are currently piloting, evaluating, or actively using AI in their IAM operations. Meanwhile, fewer than 10% have widely deployed AI in their IAM processes.
“To quote William Gibson, ‘The future is already here. It’s just not evenly distributed,’” McDaniel said. “That’s kind of where we’re at.”
Identity theory. McDaniel said organizations can’t fully secure identities if they aren’t aware of what they have, making it important for executives to understand how they are tracking machine identities. McDaniel also suggested leaders take inventory of existing vaults within their company.
“Know what you have in those vaults,” McDaniel said. “Know that full inventory, know what’s been rotated, and keep an eye out for any other plain text secrets, no matter where they pop up.”
