The 82:1 Problem: Securing the Invisible Majority


The new workforce is here. For every human employee, there are now estimated to be 82 machine identities operating within one enterprise. These identities correspond to service accounts, API keys, bots and autonomous AI agents that run the modern digital infrastructure. They work 24/7, never taking a vacation, getting sick, or logging out. Yet, they always have access to your most sensitive data.

Outdated Strategy Competing with a Crisis

As it stands today, we are fighting a 2026 challenge with a 2010 strategy. Perhaps it’s because we’ve spent decades perfecting the identity and access management (IAM) industry to secure human users. Yet, we are watching that model break down in real time. Today, access privilege is based on responsibility, not on a neat job title. Powerful access now lives in the hands of executives as well as developers, operators and automated scripts.

The danger is in the double standard. Humans are governed by the rigorous lifecycle controls of HR (vetting, onboarding and offboarding), but machines are not. We have failed to apply the basic IAM discipline to the machine workforce, despite the fact that they now outnumber us 82 to 1, run without interruption, and operate with pervasive, unmonitored access privilege. We have created both a security gap and an engineering crisis where our most powerful actors are the ones we understand the least.

Solving the Math

You have to look at the math to understand the scale of the problem. If you have 10,000 employees, for example, you likely have over 820,000 machine identities. In this equation, your people are a rounding error.

Yet, look where the budget goes. We spend millions of dollars on phishing training, biometric scanners and single sign-on (SSO) for employees. We subject them to background checks, interviews, performance reviews and strict offboarding protocols.

Consider the machine. A developer can spin up a new service account in seconds. Often, to save time, they grant it “admin” privileges — the digital equivalent of giving the summer intern the master key to the building. Once that project is done, the developer moves on, but the identity remains. It sits there, dormant but active, a sort of zombie account waiting for an attacker to find it.

We have created an environment where the most powerful actors in our networks are also the least supervised.

The Missing Discipline: Identity Security for Machines

The solution is to fundamentally change our operational philosophy. We need to apply the rigorous discipline of identity security to our machine workforce. We need the same level of visibility and control that our HR discipline enables for humans. And we need to treat both machines and AI agents as high-risk users.

If we managed our digital workforce the way we manage our human one, we would see three immediate shifts.

1. Discovery and Onboarding During the Hiring Process 

Humans cannot simply walk into an office and start working. They need an offer letter, a role, access privileges, a manager and credentials. In the machine world, however, “silent births” are the norm. Identities appear out of nowhere, created by scripts or automated processes without any oversight. The engineering fix is to move toward Identity-as-Code. In this model, no machine identity should exist without a defined purpose, owner and planned lifecycle. Put simply, if it doesn’t have a sponsor, it doesn’t get access.

2. Performance Review Controls

We review human performance yearly, quarterly or sometimes monthly to check whether employees are excelling at their jobs, achieving the desired outcomes, or underperforming. We rarely apply this same scrutiny to service accounts, despite the fact that they operate continuously. 

This endurance becomes a fundamental data problem that requires continuous behavioral monitoring. We need to know instantly if an API key, which usually only talks to the billing server, is suddenly trying to access the customer database at 3:00 a.m. That level of performance issue necessitates immediate intervention.
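The kind of check described above can be sketched as a per-identity baseline of targets and active hours, with alerts on anything outside it. This is an added example, not code from the article; the identity names, log format and one-hour tolerance are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: (ISO timestamp, identity, target resource).
BASELINE_EVENTS = [
    ("2026-01-05T10:02:00", "key-billing-sync", "billing-server"),
    ("2026-01-05T14:30:00", "key-billing-sync", "billing-server"),
    ("2026-01-06T09:15:00", "key-billing-sync", "billing-server"),
    ("2026-01-06T11:00:00", "svc-report-bot", "customer-db"),
    ("2026-01-06T23:00:00", "svc-report-bot", "customer-db"),
]
NEW_EVENTS = [
    ("2026-01-07T10:05:00", "key-billing-sync", "billing-server"),
    ("2026-01-07T03:00:00", "key-billing-sync", "customer-db"),
    ("2026-01-07T23:30:00", "svc-report-bot", "customer-db"),
    ("2026-01-07T12:00:00", "key-unknown", "billing-server"),
]

def build_baseline(events):
    """Learn, per identity, which targets it talks to and in which hours."""
    profile = defaultdict(lambda: {"targets": set(), "hours": set()})
    for ts, identity, target in events:
        profile[identity]["targets"].add(target)
        profile[identity]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def detect(events, profile, hour_slack=1):
    """Return (identity, target, timestamp, reasons) for off-baseline events."""
    alerts = []
    for ts, identity, target in events:
        reasons = []
        if identity not in profile:
            reasons.append("unknown-identity")
        else:
            seen = profile[identity]
            if target not in seen["targets"]:
                reasons.append("new-target")
            hour = datetime.fromisoformat(ts).hour
            # Circular distance so 23:00 and 00:00 count as adjacent hours.
            gaps = [min(abs(hour - h), 24 - abs(hour - h)) for h in seen["hours"]]
            if min(gaps) > hour_slack:
                reasons.append("unusual-hour")
        if reasons:
            alerts.append((identity, target, ts, reasons))
    return alerts
```

Running `detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS))` flags the billing key's 3:00 a.m. request to the customer database and the identity that has no baseline at all.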

3. Termination-Lifecycle Management

When a human leaves the workplace, we use a checklist that includes taking the laptop, cutting access and saying goodbye. But, when a cloud instance is spun down or a microservice is deprecated, the identity often lives on in perpetuity. To solve this, we need to build a kill switch directly into the CI/CD pipeline. Automated deprovisioning ensures that, when the code dies, the identity dies with it.
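The onboarding rule from section 1 (no identity without a purpose, owner and planned lifecycle) and the kill switch described here can run as one pipeline step over a declared identity manifest. This is an added example, not code from the article; the manifest schema, field names and inventory sets are hypothetical and the data is constructed.

```python
from datetime import date

# Constructed identity manifest (hypothetical schema, kept in version control).
MANIFEST = [
    {"name": "svc-billing", "owner": "team-payments", "purpose": "invoice export",
     "expires": "2026-12-31", "roles": ["billing.read"], "workload": "billing-api"},
    {"name": "svc-etl", "owner": "", "purpose": "nightly ETL",
     "expires": "2026-06-30", "roles": ["admin"], "workload": "etl-job"},
    {"name": "svc-legacy", "owner": "team-data", "purpose": "report cache",
     "expires": "2026-12-31", "roles": ["cache.read"], "workload": "report-v1"},
]
# Constructed inventory: identities that exist in the platform, workloads deployed.
LIVE_IDENTITIES = {"svc-billing", "svc-etl", "svc-legacy", "svc-tmp-debug"}
DEPLOYED_WORKLOADS = {"billing-api", "etl-job"}

REQUIRED = ("owner", "purpose", "expires", "workload")

def onboarding_violations(manifest, today):
    """Reasons each declared identity would be refused at creation time."""
    problems = {}
    for entry in manifest:
        issues = [f"missing-{f}" for f in REQUIRED if not entry.get(f)]
        if entry.get("expires") and date.fromisoformat(entry["expires"]) <= today:
            issues.append("expired")
        if "admin" in entry.get("roles", []):
            issues.append("admin-role")
        if issues:
            problems[entry["name"]] = issues
    return problems

def deprovision_plan(manifest, live, deployed, today):
    """Identities to revoke: undeclared, expired, or bound to a retired workload."""
    declared = {e["name"]: e for e in manifest}
    plan = {}
    for name in sorted(live):
        entry = declared.get(name)
        if entry is None:
            plan[name] = "undeclared"
        # An entry with no expiry date is treated as already expired.
        elif not entry.get("expires") or date.fromisoformat(entry["expires"]) <= today:
            plan[name] = "expired"
        elif entry.get("workload") not in deployed:
            plan[name] = "workload-retired"
    return plan
```

A pipeline would fail the build on any onboarding violation and pass the deprovisioning plan to whatever revokes credentials in the platform.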

From Policy to Engineering

For years, we have tried to solve identity through policy. We have written PDFs detailing “Best Practices for Access Management” and hoped developers would read them.

The page has turned and the chapter has closed. You cannot govern over 800,000 entities with a PDF. You must govern them with code.

Conversations must move from the CISO to the VP of engineering, because identity is now an infrastructure problem. It is about how we architect our cloud environments, manage secrets and deploy code.

The “Unsecured Front Door” is now the thousands of browsers and API endpoints connecting your enterprise to the world. If your strategy relies on manual reviews and spreadsheets, you have already lost. The attackers are using automation, scanning for these overprivileged, unmonitored accounts at machine speed. We cannot fight them with a decade-old mindset.

Creating a Safe and Successful Organizational Chart

Ultimately, all of this demands a moment of radical honesty in the C-suite. We need to admit that the organizational chart is nostalgic fiction. It captures the people, but it misses the power.

The 82:1 ratio is a structural reality that isn’t going away. We can continue to pretend that the 1% are the only ones who matter, or we can accept the reality of our new workforce.

Governance has evolved beyond security compliance to now be about operational control. If you don’t have an automated, code-based system to hire, manage and fire your machine workers, you aren’t running a tight ship; you are running a ghost ship.

Curious what else Amy has to say? Check out her other articles on Perspectives.
