The machine identity takeover

Governing the non-human majority

Kent Purdy

December 11, 2025

6 min read


The digital world has undergone a quiet but absolute inversion. For decades, the primary entity on a network was a human being. Today, user accounts are not only the minority, but their makeup of the total number of identities that need to be managed continues to shrink. The proliferation of microservices and the increased adoption of AI agents continue to push us deeper into a world dominated by machine identities.

The modern enterprise is no longer defined by employees logging into workstations, but by a sprawling, invisible workforce of microservices, the ever-growing use of access-related APIs, and the increasing use of AI agents that interact with and direct them. Research has shown that, on average, organizations run 50 machine identities per human identity in advanced cloud environments1.

The changing identity and access management requirements are driven by two fundamental shifts in computing architecture.

Microservices’ continued march

Early on, pioneers like Amazon and Netflix pushed toward microservices: small, independently deployable services, each owning a clear business capability and its own data, deployed on emerging cloud and container platforms. Later, microservices became the default ambition for “modern” systems. Kubernetes, API gateways, and service meshes exploded in popularity. Many organizations eagerly decomposed monoliths into dozens or hundreds of services—then ran into the hard reality of distributed systems: complex debugging, fragile networks, inconsistent observability, and “microservice sprawl.” This forced a new approach where implementers set up well-defined boundaries between their own services and the services they interact with.

The rise of Agentic AI

Historically, microservices primarily served human-facing clients. Today, many organizations are introducing an explicit “orchestration brain” in front of their core services. Instead of a frontend coordinating calls to a handful of microservices, an agent gateway or orchestrator service exposes a catalog of tools, handles grounding and policy checks, and encapsulates retries, compensating actions, and error handling. Core microservices are kept narrower and more deterministic2.

Why “human” IAM fails machine identities

The core crisis lies in the failure to apply standard IAM disciplines—Joiners, Movers, and Leavers—to the machine world. This highlights the need for IAM solutions built for both human and machine identities that can automate lifecycle governance and scale across services. We have sophisticated HR systems to manage human access, but many organizations lack a similar process when releasing new services.

When a human joins, they go through identity proofing. When a machine “joins” (is spun up by a developer), it is often hastily given a hardcoded credential found in a .env file or a private GitHub repository. To retrieve a secure credential from a vault, a machine needs a credential to access the vault. This “Secret Zero” is frequently hardcoded, creating a permanent weak point in the chain of trust.

Privilege creep

Human employees change roles, and ideally, their access rights change with them. Machines, however, rarely have their privileges reviewed.

  • The Path of Least Resistance: Developers frequently assign “Admin” or “Read/Write All” permissions to a service account to avoid debugging permission errors. As the workload evolves (moves) to new tasks, it retains its old access rights.
  • Result: A simple reporting bot might accumulate the power to delete databases or modify production code over months of “hot fixes,” becoming a high-value target for attackers.

Zombie accounts

When an employee quits, HR triggers an immediate revocation of access. When a microservice is decommissioned or a project ends, its service account often lives on, unnoticed. These “Zombie Accounts” sit dormant in Active Directory or cloud IAM roles, unmonitored but fully active. Because they don’t complain about password rotations or MFA prompts, they are the perfect vehicle for attackers to establish persistence without triggering alarms.
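The privilege creep and zombie account problems above both come down to comparing what a machine identity was granted with what it actually does. The following is an added example (not code from the original post or from OpenText) that runs that comparison over a constructed service-account inventory and a constructed audit log: it reports permissions an account holds but never used, accounts dormant longer than a review window, and activity from identities that are not in the inventory at all.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): inventoried service accounts
# with the permissions each was granted, plus an audit log of actions actually used.
INVENTORY = {
    "reporting-bot": {"granted": {"db:read", "db:write", "db:delete", "deploy:prod"},
                      "created": "2025-01-10"},   # months of "hot fixes" widened its access
    "billing-svc":   {"granted": {"db:read", "db:write"}, "created": "2025-03-01"},
    "legacy-etl":    {"granted": {"db:read", "storage:write"}, "created": "2024-06-01"},
}
AUDIT_LOG = [  # (timestamp, identity, action) -- constructed lines
    ("2025-11-20T08:00:00", "reporting-bot", "db:read"),
    ("2025-11-21T08:00:00", "reporting-bot", "db:read"),
    ("2025-12-01T09:30:00", "billing-svc", "db:write"),
    ("2025-12-05T09:30:00", "billing-svc", "db:read"),
    ("2025-06-15T02:00:00", "legacy-etl", "db:read"),
    ("2025-12-10T10:00:00", "tmp-debug-sa", "db:delete"),  # never inventoried
]

def review_machine_identities(inventory, audit_log, now_iso, dormant_days=90):
    """Return (excess, zombies, unknown).

    excess : {account: sorted list of granted-but-unused permissions}  (privilege creep)
    zombies: accounts with no activity within `dormant_days`            (zombie accounts)
    unknown: identities seen in the log but absent from the inventory
    An account that never appears in the log is measured from its creation date.
    """
    used = {name: set() for name in inventory}
    last_seen, unknown = {}, set()
    for ts, name, action in audit_log:
        if name not in inventory:
            unknown.add(name)
            continue
        used[name].add(action)
        t = datetime.fromisoformat(ts)
        last_seen[name] = max(last_seen.get(name, t), t)
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=dormant_days)
    excess, zombies = {}, []
    for name, meta in inventory.items():
        unused = meta["granted"] - used[name]
        if unused:
            excess[name] = sorted(unused)
        seen = last_seen.get(name, datetime.fromisoformat(meta["created"]))
        if seen < cutoff:
            zombies.append(name)
    return excess, sorted(zombies), sorted(unknown)
```

In a real deployment the inventory would come from the IAM system and the log from cloud audit trails; the review logic stays the same.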

Segregation of duties and AI

As machines become more autonomous, we are seeing failures in advanced IAM concepts like Segregation of Duties (SoD). The principle of SoD dictates that the entity requesting a payment cannot be the same entity that approves it. In the rush to automate, organizations often compress these roles into a single identity. If that identity is compromised, an attacker can inject malware and push it live instantly, bypassing the checks that human teams would normally provide.
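The "compressed roles" failure can be caught before it is exploited by treating SoD as a set of toxic permission combinations and checking every identity, human or machine, against them. This is an added example (not code from the original post or from OpenText) over constructed entitlement data; the rule names and action strings are assumptions.

```python
# Constructed entitlement data (not from the original post): each identity, human or
# machine, and the fine-grained actions it currently holds.
ENTITLEMENTS = {
    "alice":          {"payment:request"},
    "bob":            {"payment:approve"},
    "payments-agent": {"payment:request", "payment:approve"},  # requester and approver in one identity
    "ci-runner":      {"code:commit", "pipeline:approve", "deploy:prod"},
    "release-bot":    {"deploy:prod"},
}

# Toxic combinations (assumed rule names): one identity holding every action in a set breaks SoD.
SOD_RULES = {
    "payment-self-approval": {"payment:request", "payment:approve"},
    "self-approved-deploy":  {"code:commit", "pipeline:approve", "deploy:prod"},
}

def find_sod_violations(entitlements, rules):
    """Governance-time check: {rule_name: [identities holding every action of the rule]}."""
    violations = {}
    for rule, toxic in rules.items():
        hits = sorted(who for who, held in entitlements.items() if toxic <= held)
        if hits:
            violations[rule] = hits
    return violations

def can_approve(entitlements, requester, approver, action="payment:approve"):
    """Runtime check: the approver must hold the action and must not be the requester.
    The second clause is what a single compressed identity silently bypasses."""
    return approver != requester and action in entitlements.get(approver, set())
```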

The Agentic AI blind spot

AI Agents introduce “Non-Deterministic Access.” Unlike a script that follows a set path (if X, do Y), an AI Agent is probabilistic (“Optimize cloud spend”). An agent may decide it needs access to a new database to answer a user’s query. Traditional IAM is static; it cannot handle an entity that “invents” new access requirements on the fly. This leads to over-provisioning, where agents are granted broad “God Mode” access just to ensure they don’t get stuck2.

Wrapping it up

The demographic shift is complete. The average enterprise is now a digital ecosystem where humans are vastly outnumbered by microservices, bots, and AI agents. Continuing to manage machine identities with a human-centric approach—spreadsheets, manual rotation, and static passwords—is an invitation to malicious actors.

Serving as a core tenet of zero trust, a machine-identity-centric approach to security management is fundamental to securing microservices that operate outside of what some may perceive to be “inside the safe perimeter.” Every call is a remote call, meaning that you must know exactly who or what is talking to what. With microservices, you don’t just manage user identities, you manage a swarm of machine and other non-human identities in the form of services, jobs, bots, and AI agents. Without strong identity, any one compromised token, secret, or service account can fan out across dozens of services and databases.

Beyond the difficulty of properly provisioning microservices, the fact that most of them are over-privileged3 is akin to painting a big bull’s-eye on the cyber environment. Done right, least-privilege access is based on need, not hardcoded checks, but the task of truly understanding the access requirements of highly modular and interactive microservices often proves overwhelming. One thing that I do feel safe forecasting into the future is that the cost of programmatic vulnerabilities will far exceed the cost of the ones that exist for humans.

See how OpenText can help you govern all human and machine identities.

Sources

1 – Omdia, Fundamentals of Non-Human Identity, 2025

2 – Microsoft, Agentic Architecture, 2025


Kent Purdy

Kent has 25 years’ experience working with data center products and technologies, fifteen of which were specific to Identity and Access Management solutions. His current focus is on trends, technologies, and use cases specific to identity and access management industry.
