How to Assess Maturity When Machine Identities Outnumber Humans 109:1

May 20, 2026

Machine identities per human in the enterprise hit 109:1 this year, up from 82:1 last year. And 77% of organizations expect that number to keep climbing.

The composition is changing, too. It's not just API keys and certificates anymore. According to the 2026 Identity Security Landscape Report, 99% of organizations have adopted AI agents. 40% of those agents already have access to organizational data. The machines aren't just multiplying. They're getting smarter, more autonomous, and harder to track.

Most organizations still lack consistent controls for the machine identities they've already deployed. Only 37% can revoke an AI agent's credentials. Only 30% have immutable audit logging for what those agents do. And AI-assisted attacks can move from initial access to exfiltration in 25 minutes, according to the Unit 42® Incident Response Report.

That puts security teams in a tight spot. They’re being asked to support more automation, more cloud services and more AI agents without a complete view of the machine identities already operating across the business.

At Impact 2026 in Austin, we kicked off the Machine Identity Security track with a maturity framework that gives security teams a way to measure where they are, what they're missing, and what to prioritize next. In this post, we’ll review key takeaways from that session and offer a practical starting point for baselining machine identity security KPIs this quarter.

[Figure: 109 machine identities for every human in the enterprise, up from 82:1 last year (2026 Palo Alto Networks Identity Security Landscape).]

Why Secrets Management Fails to Secure AI Agents at Machine Speed

Secrets management got most organizations through the first wave. You had hundreds of secrets, maybe thousands. You centralized them in a vault, set up rotation policies, and moved on.

That model wasn't built for a world where containers spin up and die in seconds, where every cloud platform authenticates differently, and where AI agents need their own identities, not just borrowed credentials.

Secrets management is still foundational, but it's no longer sufficient on its own. When your fastest rotation policy measures in hours and attackers move in minutes, the math doesn't work. You need identity, not just credentials.

That shift shows up in three places:

  • AI agents need cryptographic identity, not static API keys.
  • Workloads need universal authentication across legacy VMs, containers, serverless and multi-cloud.
  • Security teams need a single inventory of every machine identity in the enterprise, not a scavenger hunt across six different vaults.

The next phase of machine identity security must address which machines exist, what they can access, who owns them and how quickly access can be changed when risk changes. As autonomous systems begin making access decisions at machine speed, vault sprawl translates to serious business continuity, audit readiness and risk management issues.

Where Are You on the Machine Identity Maturity Curve?

While the drivers for this shift are straightforward, the steps required to get there may not be. Enterprises are complex, frequently operating with disparate and uneven levels of maturity across organizational silos, which makes charting a cohesive, real-world strategy challenging.

With these challenges in mind, we’ve built a five-level maturity index for machine identity security. Most enterprises will not align to a single level. That’s normal. Security teams don’t need to get to level five overnight. The goal is to see the full picture and develop a strategy that identifies and closes gaps while also aligning with business priorities.

[Figure: the five maturity levels of enterprises, Exposed, Visible, Managed, Access and Scale, plotted as a curve.]

Critical Machine Identity KPIs

The five levels below move from “we don’t know what exists” to “we can continuously discover, govern, rotate, revoke and audit machine identity access across cloud, on-premises, CI/CD pipelines, SaaS environments and AI agents.”

However, a maturity model is only useful if you can measure movement through it. Here are the specific KPIs that tell you whether you're actually advancing or just checking boxes.

Level 1 to Level 2: From Blind to Visible

What machine identities exist across cloud, on-premises, CI/CD and SaaS environments?

  • Percentage of Secrets Inventoried. This applies across all environments (cloud, on-prem, CI/CD, SaaS). If you can't answer this with a number, you're still at level 1.
  • Number of Unmanaged Secrets Surfaced. Using Idira™ Discovery and Context, teams can now extend Secrets Manager with visibility into secrets and vaults you didn't know existed across your environments. That first inventory is usually a shock. The gap between what teams think they have and what's actually running is wider than anyone expects.
  • Number of Unmanaged Vaults Identified. Vault sprawl is the silent killer. Most organizations have more secret stores than they think.

If you can’t produce a current inventory, your first KPI this quarter should be inventory coverage. Visibility is the baseline for every maturity level that follows. This is where basic Zero Trust architecture becomes real: you can’t verify what you can’t identify.

Level 2 to Level 3: From Visible to Controlled

Are the secrets you know about actually governed by consistent policy?

  • Percentage of Secrets Under Centralized Management. Target: 100% of production secrets under policy-driven rotation.
  • Mean Time to Rotate a Compromised Credential. If this is measured in days, you have a problem. Target: minutes to hours.
  • Vault Sprawl Ratio. The number of active secret stores per environment. Driving this number down is critical for capital discipline and for reducing TCO.
  • Policy Coverage. Percentage of secrets with enforced rotation and access policies, not just documented ones.

Level 3 to Level 4: From Secrets to Identity

Are workloads still relying on static credentials, or are they using identity-based authentication?

  • Reduction in Static, Long-Lived Credentials. Every static credential you eliminate is one less permanent backdoor.
  • Percentage of Workloads with Cryptographic Identity (SPIFFE). This is the transition point from credential-based to identity-based security.
  • Percentage of Connections Using Identity-Based Authentication versus shared secrets or API keys.
  • Mean Time to Provision a New Workload Identity. If onboarding a new service takes a ticket and a three-day wait, you're not ready for level 4.

Level 4 to Level 5: From Identity to Governance at Scale

Can machine identity lifecycle management keep up across environments, workloads and AI agents?

  • Percentage of AI Agents Governed with Workload Identity. The 2026 Identity Security Landscape survey found that only 37% of organizations have credential revocation capability for AI agents. That's the gap.
  • Mean Time to Revoke Agent Credentials. When an agent goes rogue or gets compromised, how fast can you cut access? The survey says most organizations can't answer this question.
  • Percentage of Environments with Immutable Audit Logging for Agents. Only 30% of organizations report having this. Without it, you can't answer “which agent accessed what, and when?”
  • Identity Lifecycle Automation Rate. Provisioning through deprovisioning without human intervention. At scale, manual identity management is a vulnerability, not a process.

Three Metrics That Matter at Every Level

Whether you’re building your first inventory or governing AI agents at scale, these three signals reveal the true operating health of your program:

  1. Audit Readiness Time. Hours to produce a complete machine identity inventory. If the answer is “we'd need a few weeks,” that tells you everything.
  2. Percentage of Machine Identities with Known Owners. Orphaned identities are open doors.
  3. Mean Time to Detect a Compromised Machine Identity. The Unit 42 Incident Response Report shows AI-assisted attacks moving from access to exfiltration in 25 minutes. Your detection window needs to be shorter than your attacker's kill chain.

Is Your Infrastructure Ready for Agentic AI?

Without levels 1, 2, and 3 locked down, you're unlikely to effectively secure your agentic workforce. Levels 4 and 5 are what verify that you can scale it.

Agents are non-deterministic. They make their own decisions about what tools to invoke and what data to access. They can also go rogue because that's what non-deterministic systems do. Without identity governance, there's no way to know which agent accessed what, or to shut one down when it misbehaves.

The maturity index doubles as an AI readiness gut-check. Where you sit on it determines whether your organization can deploy AI agents safely or whether you're adding autonomous machines to an environment you can't see or control.

The Idira™ Era: New Capabilities Unveiled at Impact 2026

The Machine Identity Security track at Impact 2026 covered new capabilities across the maturity spectrum, now unified under the Idira™ Identity Security Platform:

Discovery and Context

Instantly surface secrets, workloads, and AI agents across hybrid clouds and third-party vaults to deliver the continuous context required to govern the 109:1 machine-to-human ratio.

Secure Workload Access

Provides a universal cryptographic identity for every workload, verifying access in real time, regardless of where the workload originates or resides.

Vault Sprawl Reduction

Centralized management of legacy and third-party vaults lowers TCO and simplifies operational overhead for infrastructure teams.

Any-to-Any Access

Securely connect any workload to any target using the most appropriate access method (identity-based or secrets-based) without introducing friction into the CI/CD pipeline.

Precision AI™ for Developers

New AI-driven tooling automatically identifies hardcoded secrets in the IDE and converts them to secure API calls.

Start with What You Can Measure

Machine identity security will not mature in one jump. The first step is knowing where you are on the curve. The next is choosing the KPIs that will prove you are moving forward.

Pick three KPIs from the list above that match your current maturity level, and baseline them this quarter. If you don't know your numbers, start with Idira Discovery & Context to get visibility, because you can't improve what you can't see.

The maturity index gives you direction. The benchmarks tell you if you're moving.

Read more in the 2026 Identity Security Landscape Report.

FAQs

What is the machine identity security maturity model?

It's a five-level diagnostic framework (Exposed, Visible, Managed, Access, Scale) that lets security teams baseline where their organization actually sits on machine identity security, and prioritize what to fix next. It's not aspirational. It's meant to expose the parts of the environment you don't have control over yet.

Why isn't secrets management enough for AI agents?

Secrets management was built for hundreds or thousands of static credentials with predictable rotation cycles. AI agents are non-deterministic and autonomous, often needing access in seconds. Static API keys can't keep pace, and rotation measured in hours can't outrun attackers who exfiltrate data in 25 minutes. Agents need cryptographic identity, not borrowed credentials.

What is the difference between secrets management and workload identity?

Secrets management focuses on protecting and rotating static credentials like API keys, passwords and tokens. Workload identity gives the workload itself a unique (often short-lived), verifiable identity, reducing reliance on permanent credentials that attackers can steal, reuse or abuse.

How do I know if my organization is ready to deploy AI agents safely?

If you're below level 3 on the maturity model, you really should broaden your aperture and make sure you have a strong, resilient foundation before deploying AI agents at scale. Without centralized secrets management, automated rotation, and basic audit, you have no way to govern what an autonomous agent does once it's running. Levels 4 and 5 (cryptographic workload identity and identity lifecycle automation) are what make agentic AI deployable at scale rather than as a controlled pilot.

Which KPIs should we baseline first?

Pick three KPIs that match your current maturity level and measure where you stand today. Those starting numbers become your reference point for whether you're actually moving forward. If you're at level 1 or 2, start with: percentage of secrets inventoried, number of unmanaged vaults identified, and mean time to rotate a compromised credential. If you're at level 3 or above, add the percentage of workloads with cryptographic identity and mean time to revoke agent credentials.

How does machine identity affect Zero Trust adoption?

Machine identities are foundational to Zero Trust in cloud and AI environments. Without a verifiable identity for every workload, service and AI agent, organizations cannot consistently enforce “never trust, always verify.” The result is often overprivileged access, hidden lateral movement paths and weak auditability.