By mid-2026 non-human identities (service accounts, API keys, OAuth tokens and AI-agent credentials) outnumber human identities by roughly an order of magnitude (Cloud Security Alliance: an average of 45 to 1, up to 144 to 1 in cloud-native environments) while most enterprises lack any documented policy to provision or retire them (78% per CSA), making NHI the fastest-growing unmanaged enterprise attack surface, and the binding first control is an inventory with owner and lifecycle, not additional perimeter security.
Anchored on three May 2026 datasets:
- CSA AI Safety Initiative whitepaper 'The Non-Human Identity Governance Vacuum' (20 May 2026): 45:1 average / 144:1 cloud-native NHI-to-human ratio, 78% no policy to create/retire AI identities, 51% no clear ownership, 20% formal API-key offboarding.
- Sophos 'State of Identity Security 2026' (12 May 2026, n=5,000 across 17 countries): 71% suffered an identity breach in the past year, $1.64M mean recovery cost, weak NHI management a factor in 41% of incidents, CISO Ross McKerchar quote.
- Gartner 'Six Steps to Manage AI Agent Sprawl' press release (28 Apr 2026): over 150,000 agents per average Fortune 500 firm by 2028 vs <15 in 2025, only 13% believe they have adequate agent governance, six-step sequence starting with governance policy then centralised inventory.
VERIFIED 2026-06-05: CSA labs page, Sophos press release, Gartner newsroom press release (Gartner page 403s to crawlers; figures and URL confirmed via WebSearch returning the canonical newsroom URL verbatim).
Distinct from CSA's earlier 26 Jan 2026 'State of NHI and AI Security' survey: the 45:1/78%/20%/51% figures are exclusively from the 20 May 2026 whitepaper.
90-day cadence.
Triggers:
- (1) a later large-sample dataset showing the ratio or policy-gap figures compressing materially;
- (2) a standards or platform shift (e.g. broadly adopted workload-identity attestation) making lifecycle governance a default;
- (3) breach data showing perimeter controls, not inventory, separate affected from unaffected.
Siblings: AM-167 (NHI procurement clause gap), AM-176 (Okta vs specialist NHI vendors), the agent-identity IAM architecture read.
About this register
The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.
Recent corrections in Reporting
- AM-003 · Partial · 28 May 2026
Pricing/model drift: a $100/mo Pro tier now sits beside the $200 tier (added 9 Apr 2026) and the premium model is GPT-5.5 Pro. Core thesis holds; the single-$200-tier framing no longer matches. Re-verify current tiers at chatgpt.com/pricing.
- AM-002 · Not holding · 06 May 2026
URL state changed. The /the-agentic-ai-revolution-real-world-success-stories-and-strategic-insights-from-2024-2025/ slug now serves a deliberately rewritten retrospective (claimId AM-130, "Agentic AI 2024-2025 retrospective", published 04 May 2026) against audited primary sources. The 28 Apr 2026 redirect to /retractions/ has been lifted to allow that. AM-002 the claim remains Not holding — the original $3.50/dollar + 70% failure-rate framing was withdrawn and is not restored. AM-130 is a separate claim with its own evidence chain. Readers arriving at /holding/AM-002 see the withdrawal here; the article link surfaces the new piece at the URL the original lived at, with this entry as the audit trail.
- AM-121 · Holding · 2 May 2026
Klarna walk-back primary-source upgrade — added Siemiatkowski verbatim quotes via Bloomberg-cited-by-Fortune (9 May 2025) and the Uber-style freelance hiring detail via Entrepreneur. Closes the highest-priority evidence gap from the source dossier.