Non-Human Identity: Why Agent Sprawl Is the 2026 Gap

Surya Koritala

AI agents are minting non-human identity at a pace no enterprise governs. Here is why agent sprawl is the audit gap of 2026 and how to close it.

What is non-human identity and why is it the 2026 audit gap?

  • 45:1 NHI-to-human ratio in the modern enterprise (Rubrik Zero Labs; up to ~144:1 in cloud-native estates)
  • 68% of orgs cannot distinguish agent from human activity (CSA / Aembit survey, March 2026)
  • 73% expect AI agents to be vital within a year (same survey; demand is outrunning controls)

A non-human identity is any credential that authenticates a machine rather than a person: a service account, an API key, an OAuth token, a workload certificate, and now an autonomous AI agent. It is the 2026 audit gap because AI agents create these identities faster than any governance program can inventory them, and most organizations have no record of when one was minted, who owns it, or how to switch it off.

The scale already dwarfs the human side of the directory. Rubrik Zero Labs pegs the non-human identity to human ratio at roughly 45-to-1 in the modern enterprise, and in cloud-native and DevOps environments researchers report ratios climbing toward 144-to-1. Every human you onboard with an offer letter and a background check is shadowed by dozens of credentials that arrived through a deploy script or an agent spinning up a sub-task.

Agentic systems change the shape of the problem, not just the count. A human identity is created deliberately by HR. An agent identity is created at runtime, sometimes recursively, often to perform one action and then linger. That is sprawl: identity created as a side effect of work rather than as a governed decision. When auditors ask ‘who can touch this system,’ the honest answer for most teams in 2026 is ‘we are not sure,’ and that uncertainty is the gap.

This matters because the blast radius is real, not theoretical. CSA and Aembit found that 68 percent of organizations cannot clearly distinguish AI agent activity from human activity in their logs, even though 73 percent expect agents to be vital to operations within a year. You cannot govern, audit, or defend what you cannot tell apart from a person.

Image: Rows of data center server racks representing the explosion of machine and non-human identities in 2026.

How fast is agent sprawl multiplying non-human identity?

Agent sprawl is multiplying non-human identity faster than any prior wave of machine identity, and the leaked-secrets data is the clearest proxy we have for the velocity. GitGuardian’s State of Secrets Sprawl 2026 found 28.65 million new hardcoded secrets pushed to public GitHub in 2025, a 34 percent year-over-year jump and the largest single-year increase the firm has recorded.

The AI-specific slice is growing even faster. GitGuardian detected 1,275,105 leaked secrets tied to AI services in 2025, up 81 percent year over year, including 113,000 leaked DeepSeek API keys. AI-assisted commits leak credentials at roughly double the baseline rate, and the report measured a 3.2 percent secret-leak rate on Claude Code-assisted commits versus 1.5 percent across all public commits. The tooling that writes more code also writes more secrets into it.

The surrounding orchestration layer is the worst offender. GitGuardian reports that AI infrastructure around the core model providers is leaking about 5x faster than the providers themselves, with retrieval and orchestration tools posting eye-watering surges. Model Context Protocol configuration files alone exposed 24,008 unique secrets, of which 2,117 were confirmed valid, because popular MCP setup guides still tell people to paste keys straight into config. If you are running agents, the connective tissue is where your non-human identity is hemorrhaging.

These numbers are leaked-credential proxies, not a clean census of every agent identity, and they understate the problem rather than overstate it. Internal repositories are 6x more likely to contain a hardcoded secret than public ones, and most of those never get scanned at all.
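The MCP configuration leak described above is the one place a defender can check directly. The following is an added example, not code from the article, GitGuardian, or any MCP project: a small scanner that walks the common MCP config layout (assumed here: a top-level mcpServers object whose entries carry env and args), flags literal secrets by a short constructed prefix list or by length-plus-entropy, treats ${VAR} references as the sanctioned shape, and rewrites env literals into references so the key leaves the file. The sample config and every key-looking string in it are constructed.

```python
import json
import math
import re

# Credential shapes some real providers use (sk-, ghp_, AKIA, xox?-); this short
# list is constructed for the example and is nowhere near a full detector set.
KNOWN_PREFIXES = re.compile(r"^(sk-|ghp_|AKIA|xox[abp]-)")
REFERENCE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")   # ${VAR} / $VAR indirection

def shannon_entropy(s):
    return -sum(s.count(ch) / len(s) * math.log2(s.count(ch) / len(s)) for ch in set(s))

def looks_like_secret(value):
    # A ${VAR} reference is the sanctioned shape and never flagged; a literal is flagged
    # on a known prefix or as a long, digit-and-capital-bearing, high-entropy string.
    if REFERENCE.match(value):
        return False
    return bool(KNOWN_PREFIXES.match(value) or (
        len(value) >= 20 and " " not in value and re.search(r"\d", value)
        and re.search(r"[A-Z]", value) and shannon_entropy(value) > 3.5))

def mask(v):
    return v[:4] + "..." + v[-2:]   # enough to identify the key in a report, no more

def scan_mcp_config(text):
    """Return [(json_path, masked_value)] for each literal secret in env or args."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        for key, val in server.get("env", {}).items():
            if looks_like_secret(str(val)):
                findings.append((f"mcpServers.{name}.env.{key}", mask(str(val))))
        for i, arg in enumerate(server.get("args", [])):
            val = str(arg).split("=", 1)[-1]          # --api-key=<secret> style flags
            if looks_like_secret(val):
                findings.append((f"mcpServers.{name}.args[{i}]", mask(val)))
    return findings

def externalize(text):
    """Move literal env secrets out of the file: returns (new_config, {VAR: secret})."""
    cfg, moved = json.loads(text), {}
    for name, server in cfg.get("mcpServers", {}).items():
        for key, val in list(server.get("env", {}).items()):
            if looks_like_secret(str(val)):
                var = f"{name}_{key}".upper().replace("-", "_")
                moved[var] = val                      # belongs in a secret store / env
                server["env"][key] = "${" + var + "}"
    return json.dumps(cfg, indent=2), moved

# Constructed sample config; every key-looking string here is made up.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "example-github-server"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLE0123456789abcdefXYZ"}},
    "search": {"command": "uvx", "args": ["search-server", "--api-key=sk-test-AbCdEf0123456789XyZ"],
               "env": {"SOME_TOKEN": "q7Hn2vK9pL4mX1cR8zT3wB6yD5"}},
    "db": {"command": "db-mcp", "env": {"DATABASE_URL": "${DATABASE_URL}", "TIMEOUT": "30"}}}})
```

Secrets passed on the command line (the args case) are not rewritten by externalize, because a flag value is visible in process listings anyway; those need the server's own env-based option.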

Signal                                          | 2025 figure           | Year-over-year
New hardcoded secrets in public GitHub          | 28.65 million         | +34%
Leaked secrets tied to AI services              | 1,275,105             | +81%
Unique secrets found in MCP config files        | 24,008 (2,117 valid)  | New category
Claude Code-assisted commit leak rate           | 3.2%                  | vs 1.5% baseline
2022 valid secrets still exploitable Jan 2026   | 64%                   | Persistent

Secrets sprawl signals from GitGuardian State of Secrets Sprawl 2026 (2025 data)

Why does non-human identity governance keep failing?

Non-human identity governance fails because legacy identity tooling was built for humans who join, change roles, and leave on a predictable cadence, while agents are created in milliseconds, act autonomously, and are rarely decommissioned. The result is a documented governance vacuum that the Cloud Security Alliance has been measuring all year.

Start with visibility. CSA’s research found that roughly 16 percent of organizations do not track the creation of new AI-related identities at all, and only about 21 percent maintain a real-time registry of their agents. The rest rely on stale records, plan to build a registry ‘next year,’ or have nothing. You cannot offboard an identity you never recorded creating.

Then ownership. The CSA whitepaper reports that 51 percent of organizations lack clear ownership or accountability for AI identities, and a separate CSA and Aembit survey found only 28 percent can trace agent actions back to a human sponsor across all environments. In nearly three-quarters of enterprises, agents are effectively acting with no accountable principal, which is the audit equivalent of a building full of unbadged contractors.

Finally, the priority-versus-policy gap, the heart of the 2026 story. Security teams overwhelmingly call this critical yet have not codified governance. CSA’s May 2026 State of AI Cybersecurity found 92 percent of security professionals are concerned about the impact of AI agents, yet only 37 percent of organizations have a formal AI policy at all and just 44 percent have a formal governance framework specifically for agents, per Strata-cited research. Concern is near-universal; control is the exception. Legacy IAM cannot close it: 78 percent of organizations admit they have no documented policy for creating or removing AI identities.

CSA reports that 47 percent of non-human identities remain unchanged for more than a year. Each one is a standing key with no rotation, often no owner, and frequently more privilege than the task ever needed. Sprawl is not only new identities arriving; it is old ones that never leave.

What does real non-human identity governance look like?

Real non-human identity governance rests on five moves: inventory every credential, assign a human owner, issue short-lived credentials, scope them to the task, and enforce lifecycle offboarding. CSA frames this as a layered model built on identity lifecycle management, zero standing privilege, and cryptographic workload attestation. None of it is exotic; the discipline is applying it to machines as rigorously as we apply joiner-mover-leaver to people.

Inventory comes first because nothing else works without it. Every non-human credential belongs in a centralized registry that captures the identity, its owner, its business purpose, the systems it can reach, its privilege scope, and an expiration date. If your agent runtime can mint a token, it must register that token in the same call, so there is never an ungoverned credential to discover during an incident.

Short-lived, scoped credentials are the structural fix for sprawl. Zero standing privilege means an agent receives time-limited, scope-limited permission at the moment of need and loses it on task completion, rather than holding a persistent broad key. SPIFFE/SPIRE-style workload attestation lets you issue short-lived cryptographic certificates tied to verifiable deployment properties, which eliminates the orphaned credential before it can become a dormant liability. Target a time-to-revoke measured in minutes, not hours.

Lifecycle and offboarding close the loop, and this is where most programs quit early. Document a creation justification for every agent identity, run regular access reviews, and automate credential revocation the instant an agent is decommissioned or an exposure signal fires. Crucially, extend the same standard to third-party and vendor agents: scoped OAuth token issuance rather than broad API key grants, contractual security requirements, and continuous anomaly monitoring. The mechanics of that token-scoping pattern are worth their own read in our OAuth for AI agents guide.

1. Inventory: register every credential at creation.
   Maintain a single source of truth capturing identity, owner, business purpose, accessed systems, privilege scope, and review date. Wire registration into the issuance path so discovery is never retroactive. If 16 percent of orgs do not track creation at all, simply tracking it puts you ahead of the field.
2. Ownership: bind every agent to a human sponsor.
   No agent identity exists without a named accountable person. Store the sponsor in metadata, not a wiki. This is what lets you answer ‘who is behind that action,’ the question 72 percent of enterprises currently cannot answer across all environments.
3. Short-lived credentials: zero standing privilege.
   Default to just-in-time, task-scoped credentials that expire on completion. Use SPIFFE/SPIRE workload attestation for certificates tied to deployment identity. Aim for time-to-revoke in minutes. This directly attacks the 47 percent of NHIs that sit unrotated for a year.
4. Scoping: least privilege per task, not per agent.
   Grant permissions to the specific action, not the broad role. CSA found 74 percent of agents receive more access than necessary; scoping per task is the antidote and shrinks blast radius when a credential leaks.
5. Lifecycle and offboarding: automate revocation.
   Document creation justification, schedule access reviews, and pre-authorize revocation workflows that trigger on high-confidence exposure without waiting for manual approval. Apply identical rules to third-party agents via scoped OAuth and continuous monitoring.
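The five moves collapse into one issuance path when the mint call and the registry write are the same call. The block below is an added example, not Cyntr's code or any vendor's API, and it also covers the discovery phase of the 90-day plan further down (a legacy key found in the estate is written into the same registry so the audit can surface it). It assumes an in-memory registry, a caller-supplied clock, and "system:action" strings as the task-level scope; tokens are opaque random strings rather than SPIFFE certificates.

```python
import secrets
from dataclasses import dataclass

YEAR = 365 * 86400

@dataclass
class Credential:
    token: str
    agent: str
    sponsor: str        # accountable human; "" marks a discovered orphan
    purpose: str
    scope: frozenset    # "system:action" grants, scoped to this task only
    issued_at: float
    expires_at: float
    revoked: bool = False

class CredentialRegistry:
    def __init__(self, clock):
        # clock() -> epoch seconds (injected); creds is the single source of truth
        self.clock, self.creds = clock, {}

    def issue(self, agent, sponsor, purpose, scope, ttl=300):
        # Governed path: no sponsor means no token, and no standing (hours-long) keys.
        if not sponsor or ttl > 3600:
            raise ValueError("a human sponsor and a short ttl are required")
        now = self.clock()
        cred = Credential(secrets.token_urlsafe(32), agent, sponsor, purpose,
                          frozenset(scope), now, now + ttl)
        self.creds[cred.token] = cred   # registered in the same call that mints it
        return cred

    def authorize(self, token, system, action):
        c = self.creds.get(token)
        if c is None or c.revoked or self.clock() >= c.expires_at:
            return False
        return f"{system}:{action}" in c.scope

    def revoke_agent(self, agent):
        # Offboarding: every live credential of the agent dies in one call.
        hit = [c for c in self.creds.values() if c.agent == agent and not c.revoked]
        for c in hit:
            c.revoked = True
        return len(hit)

    def audit(self, max_age=YEAR):
        # Per live credential, the auditor's questions: owner? still alive? rotated?
        now, findings = self.clock(), []
        for c in (x for x in self.creds.values() if not x.revoked):
            if not c.sponsor:
                findings.append((c.token, "no-owner"))
            if now >= c.expires_at:
                findings.append((c.token, "expired-not-revoked"))
            elif now - c.issued_at > max_age:
                findings.append((c.token, "unrotated-over-a-year"))
        return findings
```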

Who owns non-human identity, and where do most teams start?

Most teams should start by naming an owner for non-human identity and standing up an inventory in the next 30 days, because ownership ambiguity is the single failure that blocks every downstream control. Today the picture is fragmented: CSA and Aembit found only 9 percent of organizations name their IAM team as the primary owner of AI agent identity and access, which means accountability is scattered across platform, security, and whoever shipped the agent.

Pick the owner deliberately. In practice the IAM or identity platform team should own the registry and lifecycle policy, while application teams own the sponsor relationship for the agents they deploy. The anti-pattern is leaving it with ‘whoever built it,’ because builders move on and the identity does not. A clear RACI beats a perfect tool.

Sequence the work so you get audit-defensible coverage fast rather than a flawless rollout late. The realistic 90-day arc is: weeks one to four, discover and inventory existing non-human identities and tag dormant ones; weeks five to eight, assign owners and revoke the obvious orphans; weeks nine to twelve, route new issuance through a sanctioned short-lived-credential path so the inventory stays current by construction.

Make the sanctioned path the easy one. Developers paste keys into MCP configs because it is faster than doing it right; the GitGuardian numbers are downstream of that friction. If issuing a scoped, expiring credential is a single call in your platform, governed access becomes the path of least resistance and shadow agents stop being worth the trouble. That is the lever I lean on hardest building Cyntr: the secure default has to be the lazy default.

If you run agents, audit your MCP and orchestration configs first. They are leaking secrets about 5x faster than the model providers themselves, and a single pasted key there can hand an attacker the same reach as your most privileged agent.

Phase      | Focus                                                                  | Audit-defensible outcome
Days 1-30  | Discover and inventory all NHIs; tag dormant credentials               | A registry you did not have, beating the ~16% who track nothing
Days 31-60 | Assign human sponsors; revoke obvious orphans and over-permissioned keys | Every live credential maps to an accountable person
Days 61-90 | Route new issuance through short-lived, scoped credentials             | Inventory stays current by design; time-to-revoke in minutes

A pragmatic 90-day non-human identity governance starter plan

The bottom line on non-human identity in 2026

Govern non-human identity now, or inherit an ungovernable estate

With non-human identity outrunning humans 45-to-1 and up to 144-to-1 in cloud-native estates, AI-service secret leaks up 81 percent, and only ~44 percent of organizations holding a formal agent governance framework against 92 percent who call it a concern, agent sprawl is the defining audit gap of 2026. The fix is unglamorous and proven: inventory every credential at creation, bind it to a human owner, issue it short-lived and scoped, and automate offboarding. Start the 30-day inventory this quarter.

The agents are already inside your infrastructure; the only open question is whether the non-human identity they leave behind is governed or merely accumulating. The data converges on one conclusion: identity creation has been industrialized by AI while identity governance is still a manual, human-paced discipline, and that mismatch is the audit gap.

The good news is that this is a known problem with a known playbook. Inventory, ownership, short-lived credentials, tight scoping, and automated offboarding are not research projects; they are the same lifecycle rigor we have applied to human accounts for two decades, pointed at machines. The organizations that win in 2026 will not be the ones with the most agents. They will be the ones that can answer, for any credential in their estate, who created it, who owns it, what it can touch, and how fast they can turn it off.

“The winners in 2026 are not the teams with the most agents. They are the teams that can answer, for any non-human identity, who owns it and how fast they can revoke it.”

Surya Koritala, founder of Cyntr and Loomfeed

Builder’s take

I build Cyntr, an agent orchestration runtime, and Loomfeed. Every orchestration cycle I run spins up service principals, scoped tokens, and short-lived workload credentials that no human ever sees. The uncomfortable truth I have learned shipping this is that the agent is the easy part; the identity it leaves behind is the liability.

  • Treat every credential an agent touches as inventory the moment it is minted, not at audit time. If your runtime can issue a token, it must also register and expire it. We bake creation justification and a TTL into the issuance path so there is no ungoverned token to discover later.
  • Default to zero standing privilege and just-in-time scoping. In Cyntr no agent holds a long-lived key; it gets a task-scoped, minutes-long credential and loses it on completion. This single design choice deletes most of the 47 percent of NHIs that sit unrotated for a year.
  • Bind every agent to an accountable human sponsor in metadata, not in a spreadsheet. If you cannot trace an action back to a person, you cannot offboard, you cannot audit, and you cannot defend it to a regulator.
  • Make the governed path the path of least resistance. Developers reach for hardcoded keys because the secure option is slower. If sanctioned issuance is one call away, shadow agents stop being worth the effort.

Frequently asked questions

What is a non-human identity?

A non-human identity (NHI) is any credential that authenticates a machine instead of a person, including service accounts, API keys, OAuth tokens, workload certificates, and autonomous AI agents. In 2026 these outnumber human identities by roughly 45-to-1 in the typical enterprise and up to about 144-to-1 in cloud-native environments, per Rubrik Zero Labs and industry research.

Why is agent sprawl considered the 2026 audit gap?

Because AI agents mint non-human identities at runtime faster than any governance program inventories them. CSA found roughly 16 percent of organizations do not track AI identity creation at all and only about 21 percent keep a real-time agent registry, so auditors routinely find credentials no one recorded creating, owning, or expiring.

How many AI-related secrets are leaking?

GitGuardian’s State of Secrets Sprawl 2026 detected 1,275,105 leaked secrets tied to AI services in 2025, up 81 percent year over year, inside a total of 28.65 million new hardcoded secrets on public GitHub (up 34 percent). MCP configuration files alone exposed 24,008 unique secrets.

Why does legacy IAM fail at non-human identity governance?

Legacy identity tooling assumes humans who join, change roles, and leave on a predictable schedule. Agents are created in milliseconds, act autonomously, and are rarely decommissioned. CSA reports 78 percent of organizations have no documented policy for creating or removing AI identities and 47 percent of NHIs go unchanged for over a year.

What does effective non-human identity governance require?

Five moves: inventory every credential at creation, bind each to an accountable human owner, issue short-lived credentials with zero standing privilege, scope permissions to the specific task, and automate lifecycle offboarding and revocation. CSA recommends a centralized registry, SPIFFE/SPIRE workload attestation, and a time-to-revoke measured in minutes.

Who should own non-human identity in an organization?

The IAM or identity platform team should own the registry and lifecycle policy, while application teams own the human-sponsor relationship for agents they deploy. Today only 9 percent of organizations name their IAM team as the primary owner, which is why ownership ambiguity is the first gap to close.


Last updated: May 31, 2026. Related: Identity Provenance.
