AI, Identity

The AI Identity Gap Nobody in My CISO Groups Is Solving Yet

3 hours ago
8 min read
Add comment Watch Later Cinema Mode
Machine identities now outnumber human identities in the enterprise 109 to 1. That was one in a long list of surprising things I recently learned. Here we look at machine IDs, the secret zero conundrum, SPIFFE, and more.

Machine identities now outnumber human identities in the enterprise 109 to 1. That was one in a long list of surprising things I recently learned, and something almost all enterprises are struggling with. The rest of them have the same problem, they just lack enough visibility (or self-awareness) to know it’s a problem.

I’m in several CISO chat and message groups on various platforms. They’re ad-hoc, just friends swapping war stories, trading tricks, and sharing both wins and frustrations of CISO-ing in today’s climate.

Wrangling shadow AI and AI agent identity in general has been at the top of most discussions of late, so I paid extra attention when I had the opportunity to sit down with Uzi Ailon. He’s the VP of Machine Identity Solutions at CyberArk, now part of Palo Alto Networks, and he’s been eyeballs deep in solving the challenges of machine and non-human identities for years.

I know next to nothing about the identity space of cybersecurity, at least compared to Uzi. So I’m sharing a few interesting things I learned talking to him, and a few related alarming stats out of the Verizon 2026 DBIR and CybarArk/Palo Alto Networks 2026 Identity Security Landscape Report.

What “Machine Identity” Encompasses

When we say “machine identity”, we mean anything that isn’t a human that needs access to systems, data, or other resources. That includes:

  • Service accounts — the workhorses of enterprise IT, often shared, rarely rotated, and almost never deprovisioned, because no one knows what they’re for, who added them, or when
  • API keys — the credentials that let applications talk to each other, frequently hardcoded into source code (although they shouldn’t be)
  • OAuth tokens — short-lived (in theory) authorization tokens; in practice, often long-lived and forgotten
  • Certificates — TLS/SSL and client certs that authenticate systems and services
  • Workload identities — containers, microservices, and cloud functions that spin up, do a job, and spin down
  • CI/CD pipeline credentials — the secrets baked into your build and deployment automation
  • AI agents — autonomous or semi-autonomous software that reasons, makes decisions, and takes actions on behalf of users or other systems; every agent is its own identity
  • Bots and RPA (robotic process automation) — scripted automation that logs in and acts like a user, but isn’t one
  • IoT and OT devices — sensors, controllers, and operational technology endpoints that authenticate to networks and management systems
  • SaaS integration tokens — the credentials connecting your third-party apps to each other (think: Slack to Salesforce, Klue to Salesforce…)
  • SSH keys — often generated by developers, rarely tracked, almost never audited

Secret Zero

I am extremely embarrassed to say this phrase was new to me. It describes the complication of giving a machine/workload/AI agent its first credential… which itself requires that credential ‘live’ somewhere.

Secret zero is the original bootstrapping problem of machine identity: to give a machine its first credential, you need a credential to do it. That credential has to live somewhere — and historically, it gets hardcoded into the application or stored in the code. Which means it’s static, it can’t be rotated, it never expires, and anyone who can see the code can see the secret.

As Uzi put it: it’s like a lock with a key hidden under the doormat. It’s always there, and you never really know who picked it up and used it. (Ring doorbell cameras aside, stay with me people; it’s an analogy).

The reason it matters now is scale. One hardcoded credential in a legacy app is a problem. Multiply that times thousands of workloads, containers, AI agents, and cloud services — all with their own static secrets baked in — and you’ve created a sprawling attack surface that most organizations don’t even have a full inventory of.

The Resurrection of SPIFFE

SPIFFE — the Secure Production Identity Framework for Everyone — is a standard for giving workloads a cryptographic identity based on what they are and where they run, rather than a password they know. It’s an acronym I remember hearing years ago but had forgotten about completely.

The analogy Uzi used is the clearest version I’ve heard: a traditional key tells you someone opened the door, but not who. A fingerprint tells you exactly who walked in, and nobody else can use it. SPIFFE is the fingerprint for machines, and it solves the secret zero conundrum.

Instead of a static credential stored in code, a SPIFFE identity is derived from the workload’s actual environment — what’s running in Kubernetes, Jenkins, a cloud container, etc. The environment itself becomes the proof of identity. The result is short-lived, rotating credentials that can be audited — you know which workload accessed which data, when, and you can revoke it. No more shared keys, no more secrets baked into source code.

It’s been around for years but adoption was low because it required heavy developer effort. What’s changed is that the major cloud providers have aligned on it as the de facto identity standard for AI agents, and vendors like CyberArk (with IDERA under Palo Alto) have built tooling to make it much easier to implement. Uzi was clear that while he feels they’ve solved the problem in novel ways, that many vendors in this space are removing the barrier to SPIFFE entry.

Their AI Agent Deleted an Entire Database

Not a test database. Not a staged development database. A production database. So, what had happened was...

A developer at an organization Uzi worked with built an AI agent to simply query/read a database. But no one told the permission layer it should be read-only. Meaning, the planned operational scope was just reading, but the overly-permissive access meant the the AI agent actually had full permissions. Because, let’s face it — that’s just easier and least privilege is often nothing more than a gleam of hope in a developer’s eye.

A user made a query that the AI agent interpreted as a request to delete the entire database. It had the required permissions, and so it did.

An AI agent is non-deterministic. It reasons, interprets instructions, and makes decisions. Including bad ones. Long ago, I heard someone described AI like a drunk toddler and that’s stuck with me.

The lesson: with traditional automation, over-permissioning is a security risk. With AI agents, over-permissioning is a loaded gun pointed in an unpredictable direction — because you genuinely cannot anticipate every path the agent’s reasoning might take.

More Surprising Stats

From the Identity Security Landscape Report and Verizon DBIR 2026.

  • 109:1 machine-to-human identities — and it was 82:1 last year, and 50:1 two years ago. The growth curve is accelerating, not flattening, because every AI agent is a new machine identity
  • 9 in 10 organizations experienced a successful identity-related breach in the past 12 months
  • 40%+ of AI agents already running in enterprise environments have direct access to critical data — IP, PII, financials
  • 99% of organizations are already running AI agents, managed or not
  • Fewer than half apply any runtime controls to those agents
  • 61% of privileged access is still granted as standing access rather than just-in-time
  • 67% of users are accessing AI services from corporate devices using non-corporate accounts — please read that again…
  • 45% of employees are now regular AI users at work (authorized or not), up from just 15% the previous year — that’s a 3x jump in one year
  • Shadow AI is now the third most common non-malicious insider action in DLP data, a fourfold increase in one year

Why I’m Fascinated as a Network Security Architect

Traditional on-prem network infrastructures have been the red-headed step child of cybersecurity efforts.

We can’t create ‘true’ zero trust architectures. For years (decades?) we’ve struggled with meaningful device identities (proven by the fact that still only a small percentage of endpoints use certificates to authenticate to networks/services).

Microsegmentation is nearly impossible, and barely achievable even with a full hardware refresh.

But — datacenters, workloads, microservices, cloud infrastructure, and now AI agents happen at a volume and a speed that demand superior cybersecurity capabilities. Better identity, better authentication, least privilege and just-in-time authorization, automation that scales. All the creature comforts we lack with traditional on-prem infrastructure. So I’m always fascinated to learn how other parts of technology are solving problems in hopes that we may borrow and learn from their efforts!

Watch/Listen to the Full Conversation

This is the most un-sponsor-y sponsored episode.

You can listen to the full episode on your favorite podcast app, or watch it on YouTube.

Look for Packet Protector Episode 115: Reality of 109 to 1: Securing Machine Identities and AI Agents

On a recent episode of Packet Protector, I had the opportunity to talk to Uzi Ailon, someone who works deeply in the non-human identity space.

FacebookXEmailLinkedIn

jj

Author, speaker, and recognized authority on network and wireless security architectures, Jennifer (JJ) Minella helps organizations solve technical problems and align teams.

View all posts

Add comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Let’s Connect!