Machine Identities Outpace Human Ones, But Accountability Lags Behind

The fastest-growing user group inside the enterprise typically doesn't show up in HR systems. It logs in through service accounts, API keys, bots and automated workflows. These are machine identities, which already outnumber human users in many organizations. Who owns them, who rotates their keys, who audits their actions and who takes the fall when something goes wrong often depends on whom you ask, and the answers rarely align.
Cloud-native applications, DevOps pipelines and artificial intelligence agents only accelerate this imbalance. Microsoft and CrowdStrike have both warned of attackers exploiting compromised service accounts to escalate privileges and evade detection. The National Institute of Standards and Technology has urged enterprises to treat machine identities with the same rigor as human ones.
But governance models designed for employees have not kept pace with automation.
In most enterprises, accountability has to land on a human desk, and in practice, the CISO is best placed to own machine identities, said Shruti Dvivedi Sodhi, partner at Khaitan Legal Associates, a multinational law firm with offices in India and the United Kingdom. “Every machine identity should be mapped to a human owner and reviewed by a cross-functional oversight group,” she told Information Security Media Group. Otherwise, they’ll see “accountability evaporating into thin air.”
Experts are divided on where ultimate responsibility for machine identities should reside. Grant Schneider, president and CEO of government services firm FGS, said that machine identities are ultimately an operational concern. “Ultimately, the CIO owns it,” said the former U.S. federal CISO and Defense Intelligence Agency CIO. CISOs or identity management teams can set policy, but Schneider sees the day-to-day stewardship of credentials as part of IT operations.
Aaron Painter, CEO of Nametag, an identity verification platform, offered another perspective: ownership depends on enterprise culture. “There is no one-size-fits-all answer,” he said. “Effective governance requires collaboration between IT, security and business stakeholders while success requires clear authority backed by shared accountability.”
Unlike human users, machine identities do not retire or leave the organization: they can stay dormant for years and be reused across systems. Without proper lifecycle management, credentials go unrotated, audit trails vanish and incident response teams struggle to determine whether unusual activity stems from legitimate processes or malicious intrusion.
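The lifecycle gaps described above (no named owner, keys never rotated, identities dormant for years) are the kind of thing a practitioner checks by running an audit over an inventory of machine identities. The following is an added example, not code from the article or from any vendor quoted in it; the inventory records, the 90-day rotation and 180-day dormancy thresholds, the field names and the fixed audit date are all constructed assumptions standing in for a normalized export from a secrets manager or cloud IAM.

```python
from datetime import datetime, timedelta, timezone

# Policy thresholds. These are assumptions for this example, not figures
# from the article: keys older than 90 days must be rotated, and an
# identity unused for 180 days is treated as dormant.
MAX_KEY_AGE = timedelta(days=90)
DORMANT_AFTER = timedelta(days=180)

# Fixed "now" so the audit is reproducible (constructed date).
NOW = datetime(2025, 9, 22, tzinfo=timezone.utc)

# Constructed inventory in the shape a secrets-manager or cloud IAM export
# might be normalized into. Hypothetical identities, owners and dates.
INVENTORY = [
    {"id": "svc-billing-api", "kind": "service_account", "owner": "alice@example.com",
     "created": "2024-01-10", "last_rotated": "2025-08-01", "last_used": "2025-09-20",
     "privileged": True},
    {"id": "ci-deploy-key", "kind": "api_key", "owner": None,
     "created": "2023-03-15", "last_rotated": "2023-03-15", "last_used": "2025-09-19",
     "privileged": True},
    {"id": "legacy-etl-bot", "kind": "service_account", "owner": "bob@example.com",
     "created": "2021-06-01", "last_rotated": "2022-01-05", "last_used": "2023-02-11",
     "privileged": False},
    {"id": "monitoring-ro", "kind": "api_key", "owner": "carol@example.com",
     "created": "2025-05-02", "last_rotated": "2025-09-01", "last_used": "2025-09-21",
     "privileged": False},
]


def _parse(day):
    """Parse a YYYY-MM-DD string as a UTC datetime."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_identity(ident, now=NOW):
    """Return the list of lifecycle findings for one machine identity."""
    findings = []
    # Accountability: every machine identity should map to a human owner.
    if not ident.get("owner"):
        findings.append("no_human_owner")
    # Rotation: a key that has never been rotated is as old as its creation.
    rotated = ident.get("last_rotated") or ident["created"]
    if now - _parse(rotated) > MAX_KEY_AGE:
        findings.append("rotation_overdue")
    # Dormancy: never used, or not used within the dormancy window.
    last_used = ident.get("last_used")
    if last_used is None or now - _parse(last_used) > DORMANT_AFTER:
        findings.append("dormant")
    return findings


def audit_inventory(inventory, now=NOW):
    """Map identity id -> findings, for identities that have any."""
    report = {}
    for ident in inventory:
        findings = audit_identity(ident, now)
        if findings:
            report[ident["id"]] = findings
    return report


def prioritize(inventory, now=NOW):
    """Order findings so privileged identities are handled first.

    Returns a list of (id, severity, findings); severity is "high" when the
    identity is privileged, otherwise "medium".
    """
    report = audit_inventory(inventory, now)
    privileged = {i["id"]: bool(i.get("privileged")) for i in inventory}
    rows = [(iid, "high" if privileged[iid] else "medium", f) for iid, f in report.items()]
    return sorted(rows, key=lambda r: (r[1] != "high", r[0]))


if __name__ == "__main__":
    for iid, severity, findings in prioritize(INVENTORY):
        print(f"{severity:6} {iid:18} {', '.join(findings)}")
```

Run stand-alone, the script flags the unowned, unrotated CI key as high severity and the dormant ETL bot as medium, while the two well-kept identities produce no findings. In practice the inventory would be fed from an IAM or secrets-manager export and the owner field cross-checked against the HR directory, so that a departed owner also surfaces as a finding.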
Regulators and auditors are starting to force the issue. “If an API key can unlock sensitive systems at scale, it deserves the same rigor as a privileged user account,” Sodhi said. Breach disclosure rules in Europe and India apply regardless of whether the compromised credential belongs to a person or a bot. “When the enterprise is not aligned on this, the fallout looks like regulators knocking on your door, auditors probing and reputations taking a hit.”
Painter said that failing to align creates blind spots attackers exploit. “Compromised keys or certificates can be abused to impersonate trusted systems,” he said. “Without clear accountability linking machine actions back to authorized human decisions, organizations also face greater compliance and incident response challenges.”
When breaches occur, the question of ownership pales to insignificance, since ultimately it is the company as a whole that is held liable. Internally, though, blame is parceled out among CISOs, CIOs and engineers. Painter added that security teams often find themselves cornered. “Liability often falls on IT or security teams, but often these teams are told that the policies and controls they recommend aren’t acceptable because they place too much friction on business processes.”
Some organizations are beginning to address the vacuum through contracts with IT service providers. Sodhi said enterprises now write obligations around machine identities into master service agreements and security schedules. Vendors may be required to rotate credentials on a fixed schedule, revoke them immediately if compromised and provide detailed audit logs. “Non-compliance is no longer brushed aside; it is treated categorically as a breach of contract,” she said. Painter agreed that clearer contractual terms reduce ambiguity and speed up incident response, though Schneider said he has yet to see machine identity-specific language in most cloud agreements.
The governance imperative is now reaching the boardroom. Sodhi said that directors cannot afford to look away. “Machine identities often run in larger numbers than human ones and may carry broader access to critical systems. Ignoring these machine identities leaves the board blind to a growing area of risk.” Painter urged executives to demand reporting on non-human identities “in the same way they do for human identity and access management,” ensuring that high-value automated actions can still be traced back to an accountable human decision.