According to the SANS Institute, the race to embed AI into enterprise workflows risks outpacing security efforts. Its 2026 State of Identity Threats & Defenses Survey, which polled more than 500 security professionals globally, reveals widespread credential hygiene failings.
The findings show that three-quarters (76%) of organisations report growth in non-human identities (NHIs) such as service accounts, API keys, automation bots and workload identities, with a rising number tied to agentic AI that requires credentials. The report claims that the number of NHIs operating within organisations is quietly doubling or tripling as a result.
Agents that require credentials and privileged access can interact directly with critical infrastructure and data. Unlike fixed-logic NHIs, agentic AI can interpret instructions and take unpredictable actions, effectively behaving like an over-privileged insider at machine speed, and it carries a risk of hallucination. Forrester warned last year that an agentic AI deployment could cause a publicly disclosed data breach by the end of 2026, underscoring calls for a minimum viable security approach.
The study also highlights governance gaps, noting that 92% fail to rotate machine credentials on a 90-day cycle, with 59% rotating fewer than half of their NHI credentials quarterly and 15% not knowing their rotation rate.