In the latest episode of Identity Insider, I sat down with Chris Hughes, a cybersecurity expert who's involved in OWASP's work on non-human and machine identity security. Unsurprisingly, our discussion centered on the rapidly changing cybersecurity landscape, driven by the rise of artificial intelligence (AI), particularly agentic AI, which is giving systems unprecedented autonomy within the enterprise.
The conversation reinforced something I've been thinking about for a while: we're entering a new phase of identity security. It's no longer just about protecting people's access; it's about protecting the data, systems, and trust boundaries that people and machines interact with.
For years, identity security has been centered on humans, ensuring that the right person has the right level of access to the right resources. But now, the same principle applies to non-human entities: machines, APIs, bots, and increasingly, AI agents. These new "digital actors" authenticate, access sensitive information, execute workflows, and even make decisions, often faster and at greater scale than any human ever could.
That shift means our focus as security leaders must evolve from simply asking "Who is the person?" to asking "What entity (human, machine, or AI) is accessing my data, and can I trust it?"
Today, for every human identity, an enterprise may have dozens of machine identities—automatically created, rarely tracked, and often left behind. With cloud-native architectures, microservices, and automation, this sprawl has exploded. Unfortunately, attackers have noticed too. Compromised machine credentials are now among the most common initial access vectors in major breaches.
In just the past year, agentic AI has advanced at an extraordinary pace. Unlike traditional AI that only generates text or insights, agentic AI gives large language models (LLMs) “arms and legs”, enabling them to take real actions on behalf of humans.
These autonomous agents can log into systems, execute workflows, interact with APIs, and even make decisions about data and security operations. Each carries credentials, tokens, or entitlements. In other words, each represents a new non-human identity with real privileges in your environment.
This introduces a new challenge: replicated privilege at machine speed. A single employee using an AI agent could unknowingly multiply their access tenfold, creating a web of high-privilege entities acting semi-independently under their account.
Combined with the existing sprawl of service accounts and cloud integrations, this expands the attack surface dramatically: a single compromised agent or API key can let an attacker move laterally across environments with devastating speed.
Visibility remains the hardest problem. Enterprises now juggle identities across SaaS apps, multiple clouds, and on-prem environments. Even with advanced tools, many can’t confidently answer:
At Delinea, we refer to this as discovery, and it's the essential first step. Our platform uncovers machine and agentic identities wherever they reside and maps how they interact. Once visibility is achieved, organizations can move to governance and control.
Managing machine entitlements is difficult because, unlike humans, machines don't protest excessive access. Engineers often over-provision credentials to ensure workflows run smoothly, leading to persistent, unnecessary privileges, a key factor in many breaches.
As AI agents gain autonomy, privilege management becomes both more challenging and increasingly critical. Delinea’s philosophy is simple:
You can’t protect what you can’t see, and you can’t secure what you don’t govern.
We focus on enabling organizations to discover, right-size, and protect every identity—human, machine, or AI.
AI is a double-edged sword. It's both a new risk vector and a powerful enabler for defense.
Attackers are already using AI to automate reconnaissance, craft realistic phishing campaigns, and exploit leaked credentials more quickly than human teams can respond. On the other hand, defenders can utilize AI to enhance visibility, detect abnormal behavior, and expedite responses.
At Delinea, we view AI’s role in two ways:
As AI becomes increasingly autonomous, the distinction between "identity" and "agent" will blur. Securing that boundary will be one of cybersecurity's defining challenges.
Organizations beginning to address this issue should start with these practical actions:
Identity security isn't a one-time project; it's a continuous lifecycle of discovery, governance, and control.
Looking ahead: securing autonomy
We’re moving into an era where software not only executes instructions but also makes decisions. Machine identities and AI agents are now active participants in enterprise operations.
This evolution demands a new model of identity security, one that scales beyond human oversight, uses automation to enforce least privilege, and provides continuous insight into how trust is exercised.
The machines are rising, and our responsibility is to ensure they rise securely.