NHIs Continue to Outpace Human Identities and Bump Up Security Risk
Summary: The ratio of non-human identities (NHIs) to human identities has jumped more than 56% in a year, driven by AI and automation. Unmanaged NHIs are exposing large numbers of enterprise secrets, especially in collaboration tools. Some machine identities hold excessive privileges, increasing security risk. Experts recommend enforcing least privilege and lifecycle management to reduce the threat. 2025-8-4 05:30:6 Author: securityboulevard.com (view original)

Unmanaged machine identities have continued to tick up at a rapid clip, furthering a trend that finds non-human identities (NHIs) outpacing human accounts — and, to the chagrin of security experts, exposing credentials, new research on the first half of 2025 reveals. 

The Entro Security H1 2025 NHI & Secrets Risk Report found that in just a year, the non-human identity (NHI)-to-human ratio increased by more than 56%. NHI growth of 44% year over year has, not surprisingly, been fueled in part by AI agents and an automation-first approach to development, Entro Labs says after analyzing more than 27 million NHIs. 

“The Entro report highlights what a lot of organizations are rapidly realizing when it comes to non-human identities, the horse may have already bolted,” says BeyondTrust Field CTO James Maude, who contends that “many organizations have been so focused on securing human identities that non-human identities and agentic AI have gotten away from them.” 


A troubling result of the unfettered, unmanaged growth of NHIs is the toll they take on security. Hundreds of thousands of secrets from global enterprises, including the Fortune 500, have been exposed, and nearly half of those were discovered outside of code, in collaboration tools such as messaging apps and workflow platforms. Slack tokens were the single most common type of exposed secret. Slack is particularly exposed because its bots are often hooked into security systems, internal workflows and alerting tools. The same ease with which Slack tokens can be generated makes exposing them a cinch. 

“This vastly increases their identity attack surface and opens up a new path to privilege where an attacker can compromise a human identity and then pivot into a highly privileged non-human identity by grabbing credentials from Slack,” says Maude.
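The kind of check the report's findings call for is a scan of collaboration-tool content for secret-shaped strings, so that a leaked bot token is found by the defender before it is found by an attacker who has already compromised a human account. The following is an added example, not code from Entro, BeyondTrust or Slack: it runs a set of heuristic token patterns (the prefixes are assumptions based on commonly documented formats, not an exhaustive list) over a constructed message export and returns redacted findings, never the full secret.

```python
import re
from dataclasses import dataclass

# Heuristic token shapes. Assumption: these reflect commonly documented prefixes
# (xoxb-/xoxp- Slack tokens, AKIA/ASIA AWS key IDs, ghp_ GitHub tokens) and are
# deliberately broad; tune them against your own false-positive rate.
PATTERNS = {
    "slack_token": re.compile(r"\bxox[abpers]-[0-9A-Za-z-]{10,}"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    channel: str
    user: str
    kind: str
    redacted: str  # never store or forward the full secret


def redact(secret: str) -> str:
    """Keep just enough of the value for its owner to recognise it."""
    if len(secret) <= 12:
        return secret[:4] + "..."
    return secret[:8] + "..." + secret[-4:]


def scan_messages(messages):
    """messages: iterable of {"channel", "user", "text"} dicts, e.g. from a workspace export."""
    findings = []
    for msg in messages:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(msg["text"]):
                findings.append(Finding(msg["channel"], msg["user"], kind,
                                        redact(match.group(0))))
    return findings


def by_channel(findings):
    """Count findings per channel: the first thing to hand to a channel owner."""
    counts = {}
    for f in findings:
        counts[f.channel] = counts.get(f.channel, 0) + 1
    return counts


# Constructed sample export. All values are fake; the AWS key ID is the one used
# in AWS documentation examples.
SAMPLE_MESSAGES = [
    {"channel": "#ops-alerts", "user": "alice",
     "text": "bot token for the pager integration: "
             "xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"},
    {"channel": "#deploy", "user": "bob",
     "text": "try AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE it has admin so it will work"},
    {"channel": "#random", "user": "carol", "text": "lunch at noon?"},
    {"channel": "#infra", "user": "dave",
     "text": "webhook: https://hooks.slack.com/services/T00000000/B00000000/"
             "XXXXXXXXXXXXXXXXXXXXXXXX"},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f.channel:<12} {f.user:<6} {f.kind:<18} {f.redacted}")
    print(by_channel(scan_messages(SAMPLE_MESSAGES)))
```

A finding here is only the starting point: the token should be revoked and reissued, not merely deleted from the channel, since anyone with read access to the channel history may already have it.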

Also alarming: A small but significant portion of AWS machine identities — 5% — come with full administrative privileges, meaning that they’re primed to multiply risk. Just under 10% are not only overprivileged, they also remain idle. And some NHIs hang around for quite a bit — 7.5% live for 5-10 years, in some cases outliving their human owners and their original mandates. 

“It isn’t just the identities that organizations should be concerned about; it is the privileges and access they have,” says Maude. “These are what inflict the damage in the event of compromise, so a key aspect to securing NHIs is to focus on least privilege and building full lifecycle controls to discover, manage and monitor the privileges that the rapidly growing numbers of NHIs have within your organization.” 
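The three conditions the report calls out (full admin, idle, and long-lived) can all be computed from the role metadata AWS already exposes, which is the "discover" step of the lifecycle controls Maude describes. The following is an added example and not code from the report or any of the vendors quoted: it takes role records of the shape one would assemble from IAM role listings and their attached policy documents (the dict layout is an assumption), applies assumed thresholds of 90 days for idle and 5 years for long-lived (the latter taken from the report's 5-10 year bucket), and ranks the roles so that an overprivileged, unused identity surfaces first.

```python
from datetime import datetime, timezone

# Fixed reference time so the example is reproducible; replace with datetime.now(timezone.utc).
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)
IDLE_DAYS = 90            # assumption: no use in 90 days counts as idle
LONG_LIVED_YEARS = 5      # assumption: matches the report's 5-10 year bucket


def is_full_admin(policy_docs):
    """True if any Allow statement grants every action on every resource.

    Caveat: this catches only the literal "*"/"*" form. Wildcards such as
    "iam:*" or "*" scoped to a single resource are still dangerous and need
    their own rules.
    """
    for doc in policy_docs:
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            resources = stmt.get("Resource", [])
            if isinstance(actions, str):
                actions = [actions]
            if isinstance(resources, str):
                resources = [resources]
            if "*" in actions and "*" in resources:
                return True
    return False


def assess_role(role, now=NOW):
    """Return age, idle time and the risk flags for one role record."""
    age_days = (now - role["create_date"]).days
    last_used = role.get("last_used")
    # A role that has never been used has been idle since it was created.
    idle_days = (now - last_used).days if last_used else age_days
    flags = []
    if is_full_admin(role["policies"]):
        flags.append("full_admin")
    if idle_days >= IDLE_DAYS:
        flags.append("idle")
    if age_days >= LONG_LIVED_YEARS * 365:
        flags.append("long_lived")
    return {"name": role["name"], "age_days": age_days,
            "idle_days": idle_days, "flags": flags}


def audit(roles, now=NOW):
    return [assess_role(r, now) for r in roles]


def prioritize(results):
    """Full-admin roles first, then by number of flags; stable for ties."""
    return sorted(results,
                  key=lambda r: (-("full_admin" in r["flags"]), -len(r["flags"])))


# Constructed sample policies and role records (fake names and dates).
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_DOC = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                              "Resource": "arn:aws:s3:::example-bucket/*"}]}

SAMPLE_ROLES = [
    {"name": "ci-deploy-bot", "create_date": datetime(2024, 9, 1, tzinfo=timezone.utc),
     "last_used": datetime(2025, 7, 30, tzinfo=timezone.utc), "policies": [ADMIN_DOC]},
    {"name": "legacy-etl-2018", "create_date": datetime(2018, 3, 15, tzinfo=timezone.utc),
     "last_used": None, "policies": [S3_READ_DOC]},
    {"name": "lambda-thumbnailer", "create_date": datetime(2025, 5, 10, tzinfo=timezone.utc),
     "last_used": datetime(2025, 7, 31, tzinfo=timezone.utc), "policies": [S3_READ_DOC]},
    {"name": "backup-admin", "create_date": datetime(2019, 1, 1, tzinfo=timezone.utc),
     "last_used": datetime(2025, 1, 1, tzinfo=timezone.utc), "policies": [ADMIN_DOC]},
]

if __name__ == "__main__":
    for r in prioritize(audit(SAMPLE_ROLES)):
        print(f"{r['name']:<20} age={r['age_days']:>5}d idle={r['idle_days']:>5}d {r['flags']}")
```

The ranking is deliberate: an idle role with full admin (here `backup-admin`) is the one to remove or scope down first, because nothing depends on it and everything is reachable from it. The active admin role (`ci-deploy-bot`) is the "did-it-work" case Ford describes and needs its policy narrowed to the actions it actually uses, which is a separate exercise against its access logs.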

As Maude puts it, it would be “totally unacceptable” to let a human “permanently hold the keys” to the kingdom. Yet NHIs get a pass. 

That’s because, as Rom Carmel, co-founder and CEO at Apono, notes, NHIs, unlike employees, “don’t go through standard joiner-mover-leaver processes” and are rarely monitored. That buildup of forgotten, overprivileged accounts leaves them open to attackers. 

“There is a ‘did-it-work’ bias for technical work – the fastest and easiest way to set up an account when troubleshooting or operating under time pressure is an account with overly broad permissions,” says Bugcrowd CISO Trey Ford. “Best practices dictate following up to narrow to appropriate permissions once troubleshooting or initial setup is complete, and this is regularly missed.” 

Shane Barney, Keeper Security CISO, expressed frustration at the report’s findings. “Despite years of clear warnings and real-world consequences, many organizations still lack basic visibility and control over their non-human credentials,” he says. “It’s not that the risk is misunderstood – it’s that it’s being deprioritized. This should be a wake-up call.” 

To mitigate that risk, Oasis Security co-founder and chief product officer Amit Zimerman urges security teams to “implement automated monitoring, enforce least privilege, and establish clear policies for AI-driven NHIs.” Those guardrails, put in place early, he says, will let organizations “embrace AI automation without compromising security.” 

Noting that the difficulty of managing NHIs is akin to that of managing hard-coded secrets (passwords/passkeys), Ford says, “their inventory, rotation and monitoring sounds like a great idea,” though it is “harder to implement, hence all of the research and innovation in this space.” 

Source: https://securityboulevard.com/2025/08/nhis-continue-to-outpace-human-identities-and-bump-up-security-risk/?utm_source=rss&utm_medium=rss&utm_campaign=nhis-continue-to-outpace-human-identities-and-bump-up-security-risk