AI Security Starts With Identity, Not the Model Itself

Most enterprise AI security budgets still point at the model: the training data, the prompts, the way the algorithm behaves. The people trying to break in are aiming somewhere quieter. They want the credentials, tokens and service accounts that AI agents carry, the non-human identities (NHIs, machine accounts that act without a person at the keyboard) that now outnumber staff logins by as much as 82 to one in large organizations. That gap, not the cleverness of any model, is where the next wave of breaches is forming.

That is the argument Subhalakshmi Ganapathy, Chief IT Security Evangelist at ManageEngine, the enterprise IT division of Zoho Corporation, made in a recent interview with TechCircle. Her case cuts against the prevailing instinct to treat AI risk as a data-science problem. The harder problem, she says, is mundane and operational: who, or what, is allowed to do what, and whether anyone is still watching after the agent goes live.

Why Identity Outranks Intelligence in AI Security

The loudest AI security conversations of the past two years circled model behavior: jailbreaks, prompt injection, poisoned training sets. Useful work, but it skips the part of the stack attackers reach first. Ganapathy points to a blind spot she calls delegated privilege through autonomous agents. Companies have spent years building tidy offboarding for employees. When a person changes roles or leaves, access gets pulled. AI agents and automated workflows rarely get the same treatment, so they keep inherited permissions, API (application programming interface) tokens and service-level access long after the human who launched them has moved on.

There is a second misconception underneath it. Teams assume that automating a task automatically tightens control over it. In practice the opposite tends to happen. AI deployments expand the privilege footprint faster than governance can keep up, scattering credentials across connectors and tool calls that nobody mapped.

The scale of that drift is now measurable, and the numbers are not comforting.

  • 82 machine identities exist for every human identity, according to CyberArk’s 2025 survey of 2,600 security decision-makers across 20 countries.
  • 68% of organizations have no identity security controls in place for their AI, the same survey found.
  • 92% of leaders call governing AI agents critical to enterprise security, yet only 44% have written any policy to do it.

The Non-Human Identity Surge in Numbers

Pin down the ratio of machine identities to human ones and you get a different answer from every research house, which is itself the point: nobody has a clean count, and the spread runs from steep to staggering. The figure depends entirely on how cloud-heavy and automated the environment is. A traditional enterprise sits at one end; a DevOps shop spinning up ephemeral workloads sits far past it.

| Source / report                              | NHI-to-human ratio | Standout finding                                               |
|----------------------------------------------|--------------------|----------------------------------------------------------------|
| CyberArk, 2025 Identity Security Landscape   | 82 to 1            | 42% of machine identities hold privileged or sensitive access   |
| Veza, 2026 State of Identity and Access      | 17 to 1            | 0.01% of NHIs control 80% of all cloud permissions             |
| Rubrik Zero Labs                             | 45 to 1            | NHIs persist indefinitely unless deliberately decommissioned   |
| Entro Labs, H1 2025                          | 144 to 1           | Ratio measured in cloud-native and DevOps environments         |

The concentration matters more than the headline ratio. Veza’s 2026 State of Identity and Access report found that a tiny sliver of non-human accounts, one in ten thousand, holds the keys to four-fifths of cloud permissions. The average identity in that study carried close to 100,000 individual entitlements. When that much power pools in accounts no HR system tracks, a single stolen token stops being a nuisance and becomes a master key.

How Attackers Walk Through Trusted Tokens

Ganapathy’s sharpest observation is about where the real exposure sits in the AI pipeline. It is not the model. It is runtime identity and execution control: the service accounts, connectors, tokens and agent credentials that do the actual work once a system is live.

When these identities are over-privileged or poorly monitored, attackers do not need to compromise the AI model itself. They can exploit trusted pathways to access sensitive data or trigger legitimate-looking actions.

That last phrase carries the weight. An attacker riding a legitimate agent credential does not look like an intrusion. The activity reads as normal, authorized, expected. She compares the failure mode to the cloud misconfiguration era: usually accidental, rarely malicious in origin, and capable of doing serious damage anyway. The fix she prescribes is unglamorous. Map who owns each identity, keep credential hygiene tight, baseline normal behavior, watch for anomalies and build automated revocation so a suspect token can be killed without a committee meeting.

External data backs the urgency. According to Gravitee’s State of AI Agent Security 2026 report, 88% of organizations confirmed or suspected an AI agent security incident in the past year. The pattern is consistent across the field: the agents themselves are rarely the thing that gets hacked, but the identities they carry are increasingly the thing that gets abused.

This reframes the defender’s job. CyberArk’s research describes an AI agent’s entitlements as the blast radius of any attack that uses it. Shrink the entitlements, shrink the damage.

Treating AI Agents as First-Class Identities

The practical shift Ganapathy pushes is to stop treating agents as features and start treating them as identities with the same lifecycle rigor applied to a new hire. She frames an AI agent as a critical workforce member whose access, behavior and responsibilities have to be governed continuously, not granted once and forgotten. That mindset is showing up in product strategy too, as platforms like the work-management vendor reposition around native AI agents that draft, qualify and approve on a user’s behalf.

Her checklist for putting an agent under identity governance is specific:

  • Clear ownership so every agent maps to an accountable human or team.
  • Least-privilege access rather than the broad inherited rights agents tend to accumulate.
  • Time-bound permissions that expire instead of lingering past their purpose.
  • Continuous entitlement reviews to catch privilege creep before it compounds.
  • Automated de-provisioning so access disappears the moment the agent or its owner moves on.
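The controls in that checklist, together with the baselining and automated revocation described earlier in the piece, can be expressed as a small identity registry. The following is an added example, not code from ManageEngine or from the interview; the agent names, scopes and timestamps are constructed, and the anomaly rule (an in-scope permission that was never seen during a supervised baseline period is treated as a suspect token and revoked) is an illustrative policy choice rather than anything the article prescribes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                  # accountable human or team (no orphan identities)
    scopes: set                 # least-privilege grants, e.g. "alerts:read"
    expires_at: datetime        # time-bound: access lapses without anyone acting
    baseline: set = field(default_factory=set)   # scopes seen in normal operation
    used: set = field(default_factory=set)       # scopes actually exercised so far
    revoked: bool = False
    revoke_reason: str = ""


class NhiRegistry:
    """Registry of non-human identities with an append-only audit trail."""

    def __init__(self):
        self.agents = {}
        self.audit = []   # (timestamp, agent_id, event)

    def _log(self, now, agent_id, event):
        self.audit.append((now.isoformat(), agent_id, event))

    def register(self, agent_id, owner, scopes, ttl, now):
        if not owner:
            raise ValueError("every agent must map to an accountable owner")
        self.agents[agent_id] = AgentIdentity(agent_id, owner, set(scopes), now + ttl)
        self._log(now, agent_id, f"registered owner={owner} scopes={sorted(scopes)}")

    def learn_baseline(self, agent_id, observed_scopes):
        # Normal behaviour recorded during a supervised shakedown period.
        self.agents[agent_id].baseline = set(observed_scopes)

    def revoke(self, agent_id, reason, now):
        agent = self.agents[agent_id]
        agent.revoked, agent.revoke_reason = True, reason
        self._log(now, agent_id, f"revoked: {reason}")

    def authorize(self, agent_id, scope, now):
        """Runtime check for one action. Returns (allowed, reason)."""
        agent = self.agents[agent_id]
        if agent.revoked:
            return False, "revoked"
        if now >= agent.expires_at:
            return False, "expired"
        if scope not in agent.scopes:
            # Least privilege did its job: deny and record, nothing more.
            self._log(now, agent_id, f"denied out-of-scope {scope}")
            return False, "out-of-scope"
        if agent.baseline and scope not in agent.baseline:
            # Granted but never seen in normal use: treat the token as suspect
            # and kill it automatically instead of waiting for a review.
            self.revoke(agent_id, f"anomaly: unexpected use of {scope}", now)
            return False, "anomaly"
        agent.used.add(scope)
        return True, "ok"

    def entitlement_review(self):
        """Privilege creep: scopes granted but never exercised, per agent."""
        return {aid: sorted(a.scopes - a.used)
                for aid, a in self.agents.items() if a.scopes - a.used}

    def offboard_owner(self, owner, now):
        """De-provision every live agent whose owner has moved on."""
        gone = [aid for aid, a in self.agents.items()
                if a.owner == owner and not a.revoked]
        for aid in gone:
            self.revoke(aid, f"owner {owner} offboarded", now)
        return gone


if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    reg = NhiRegistry()
    reg.register("triage-bot", "secops",
                 {"alerts:read", "tickets:write", "users:disable"},
                 timedelta(days=30), t0)
    reg.learn_baseline("triage-bot", {"alerts:read", "tickets:write"})
    print(reg.authorize("triage-bot", "alerts:read", t0))     # (True, 'ok')
    print(reg.entitlement_review())                           # users:disable never used
    print(reg.authorize("triage-bot", "users:disable", t0))   # (False, 'anomaly')
    for line in reg.audit:
        print(line)
```

The `entitlement_review` output is the continuous review the checklist calls for: a scope that stays in the unused column across several review cycles is a candidate for removal, which is how the inherited rights agents accumulate get pruned before an attacker finds them.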

Decision Tiering and the Accountability Layer

Governance only works if it is wired into the architecture instead of bolted on as a compliance check after launch. Ganapathy’s mechanism for that is decision tiering, a way of matching oversight to consequence so that efficiency survives where stakes are low and humans stay in the loop where they are high.

  1. Low-impact actions can run fully automated, with no human in the path.
  2. Medium-impact actions pass through policy checks before they execute.
  3. High-impact decisions require explicit human approval, no exceptions.

Around that spine she layers policy-as-code guardrails, explainability metadata, immutable audit trails, traceable decision logs and emergency kill switches. The test for any autonomous decision, she argues, is whether it is attributable, reproducible and contestable. If a security team cannot say which agent did what, replay how it reached that action and challenge the outcome, the system is operating outside accountability no matter how accurate it looks.
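Decision tiering, the policy-as-code guardrail, the approval path and the tamper-evident audit trail fit in one small gate. The code below is an added example written for this page, not ManageEngine's or Ganapathy's implementation; the action names, the impact tiers and the medium-tier rule are constructed, and the hash-chained log is one simple way to get an immutable, replayable record rather than a mandated design.

```python
import hashlib
import json
from enum import Enum


class Tier(Enum):
    LOW = "low"        # fully automated, no human in the path
    MEDIUM = "medium"  # policy check before execution
    HIGH = "high"      # explicit human approval, no exceptions


# Policy-as-code: every action an agent may request is classified up front.
# Action names and tiers are constructed for this example.
ACTION_TIERS = {
    "alert.annotate": Tier.LOW,
    "ticket.create": Tier.LOW,
    "host.isolate": Tier.MEDIUM,
    "user.disable": Tier.HIGH,
    "firewall.rule.delete": Tier.HIGH,
}


def medium_policy(action, params):
    """Guardrail for medium-impact actions (constructed rule)."""
    if action == "host.isolate" and params.get("asset_class") != "workstation":
        return False, "isolation restricted to workstations"
    return True, "policy ok"


def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class DecisionGate:
    def __init__(self):
        self.log = []           # hash-chained records: tamper-evident audit trail
        self.approvals = set()  # (agent, action, params digest) signed off by a human
        self.kill_switch = False

    def _record(self, entry):
        # Each record commits to the previous hash, so edits to history are detectable.
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        self.log.append({**entry, "prev": prev, "hash": digest})

    def approve(self, agent, action, params, approver):
        self.approvals.add((agent, action, _digest(params)))
        self._record({"event": "approval", "agent": agent, "action": action,
                      "params": params, "approver": approver})

    def decide(self, agent, action, params, rationale):
        """Route one requested action through its tier. Returns the outcome string."""
        tier = ACTION_TIERS.get(action, Tier.HIGH)   # unknown actions get the strictest tier
        if self.kill_switch:
            outcome = "blocked: kill switch"
        elif tier is Tier.LOW:
            outcome = "executed"
        elif tier is Tier.MEDIUM:
            ok, why = medium_policy(action, params)
            outcome = "executed" if ok else f"denied: {why}"
        else:
            key = (agent, action, _digest(params))
            if key in self.approvals:
                self.approvals.remove(key)   # one approval covers one execution
                outcome = "executed"
            else:
                outcome = "pending: human approval required"
        # Explainability metadata travels with the decision: who, what, which
        # tier, the agent's stated rationale and what happened.
        self._record({"event": "decision", "agent": agent, "action": action,
                      "params": params, "tier": tier.value,
                      "rationale": rationale, "outcome": outcome})
        return outcome

    def verify_log(self):
        """Replay the chain; False means a record was altered or removed."""
        prev = "0" * 64
        for rec in self.log:
            body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            expected = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True

    def trace(self, agent):
        """Which agent did what, in order: the attributable, contestable record."""
        return [(r["action"], r["outcome"]) for r in self.log
                if r["event"] == "decision" and r["agent"] == agent]


if __name__ == "__main__":
    gate = DecisionGate()
    print(gate.decide("triage-bot", "ticket.create", {"summary": "dup"}, "duplicate alert"))
    print(gate.decide("triage-bot", "host.isolate", {"host": "db-01", "asset_class": "server"}, "beacon"))
    print(gate.decide("triage-bot", "user.disable", {"user": "jdoe"}, "credential stuffing"))
    print(gate.verify_log(), gate.trace("triage-bot"))
```

`trace` answers "which agent did what", `verify_log` is the replay step, and the stored rationale is what a reviewer challenges when contesting an outcome. Flipping `kill_switch` blocks every tier, including low-impact actions that would otherwise run unattended.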

What to Establish Before Scaling Agentic AI

Ganapathy is blunt that AI adoption should follow a staged maturity model, not a sprint. Rapid rollouts create hidden operating costs: governance gaps, duplicated workflows and messier incident response. She offers a concrete example from security operations itself. Drop AI alert triage into one tool and you cut noise locally while the rest of the environment keeps generating unmanaged alerts, leaving analysts to reconcile conflicting priorities. Platform-level integration with phased onboarding beats a scatter of point deployments, a logic that mirrors how vendors are now packaging AI defense, from ManageEngine’s own platform approach to OpenAI’s move into automated vulnerability detection.

Before scaling autonomous operations, she names three foundations that have to be in place: identity-centric security with full non-human identity governance; data and compliance integrity through classification, consent management, retention limits and unlearning processes; and operational resilience through red-teaming, prompt-abuse simulations and incident-response drills built for agentic systems. The throughline of all three, and of ManageEngine’s identity and access management portfolio, is that identity has become the operational perimeter.

The race ahead, in her reading, will not be won by whoever deploys the most AI. Attackers already hold the speed advantage because they operate with fewer constraints, while defenders have to balance speed against accountability. The edge shifts to whoever operationalizes intelligence best: stronger identity governance, higher-quality telemetry, faster correlation and policy-compliant response.

If enterprises govern their non-human identities before they scale agentic AI, the speed advantage attackers enjoy starts to erode. If they keep pouring autonomous agents into environments where 68% still lack any identity controls for AI, the breach surface widens faster than any model-safety budget can close it.

Frequently Asked Questions

What is a non-human identity in enterprise security?

A non-human identity is any account that acts without a person at the keyboard: service accounts, API tokens, automation credentials and AI agents. These identities authenticate to systems and carry permissions just like human logins, but they often persist indefinitely and escape the offboarding processes built for employees.

Why does ManageEngine’s Subhalakshmi Ganapathy say identity matters more than the AI model?

Because attackers rarely need to break the model itself. Ganapathy argues that over-privileged service accounts, connectors and agent credentials give intruders trusted pathways to reach sensitive data or trigger legitimate-looking actions, making runtime identity and execution control the most underestimated vulnerability in the AI pipeline.

How many machine identities does a typical enterprise have?

Estimates vary by environment. CyberArk’s 2025 research puts the ratio at 82 machine identities per human, while Veza’s 2026 report cites 17 to 1 and cloud-native research from Entro Labs reaches 144 to 1. The average enterprise runs well over 250,000 non-human identities across its cloud footprint.

What is decision tiering for AI agents?

Decision tiering matches oversight to consequence. Low-impact actions run fully automated, medium-impact actions pass through policy checks, and high-impact decisions require human approval. The approach preserves efficiency while keeping a person in the loop wherever the stakes justify it.

What should organizations do before scaling autonomous AI?

Establish three capabilities first: identity-centric security with non-human identity governance; data and compliance integrity through classification, consent management and retention controls; and operational resilience through red-teaming, prompt-abuse simulations and agentic incident-response drills. Adoption should follow a staged maturity model rather than a rushed deployment.

How can security teams reduce the risk from AI agent credentials?

Map ownership for every identity, enforce least-privilege and time-bound access, run continuous entitlement reviews, baseline normal behavior for anomaly detection, and build automated de-provisioning and revocation so a suspect token can be cut off immediately rather than after a manual review.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
