The gist: Unmanaged non-human identities are a systematic security gap that the article expects to surface as a mass outage in 2026, when machine certificates issued to millions of enterprise-dependent services expire in the same window.
In large organizations, service accounts, API keys, and machine certificates commonly outnumber human identities ten to one, and most of them are uncontrolled, unrotated, and largely invisible. These "ghost identities" have already served as a direct attack vector in incidents at SolarWinds, Uber, and Okta.
Non-human identities (bots, service accounts, API keys, OAuth tokens, machine certificates) dominate modern enterprise IT: they run continuously, authenticate across every environment, and, when dormant, leave no audit trail that would prompt anyone to review them. They accumulate privileges and never "retire" on their own. Security teams call these uncontrolled access points "ghost identities."
Historical incidents show the concrete risk. In SolarWinds (2020), the attackers did not get in by brute force; they quietly abused non-human identities with substantial access rights (forged SAML tokens and OAuth application credentials). Roughly 18,000 organizations installed the backdoored Orion update, and the intrusion went undetected for months. Uber (2022) fell to a forgotten service account whose credentials had never been rotated and sat in a script on a network share; from there the attacker went straight to the PAM system. Okta (2023) showed how a service account credential that ended up stored in a third-party environment outside the company's control kept working against Okta's own customer support system.
From 2026 on, the article argues, the threat compounds with an architectural problem: machine identity certificates carry limited validity periods, typically three to five years in private PKI (publicly trusted TLS certificates have been capped at 398 days since 2020, so the multi-year cohort is mostly internal machine certificates). Between 2020 and 2022 many organizations pushed through cloud migrations and automation on compressed timelines without establishing governance, and the certificates issued then are now expiring in bulk: not one at a time, but in waves. A single expired certificate can cascade: the service it protects goes down, dependent applications stop working, and monitoring running on the same infrastructure misses the alert. The incident response team then works without a full picture of the dependencies. An overlooked expiry date turns into an outage of hours or a full day; the February 2020 Microsoft Teams outage, caused by an expired authentication certificate, is the reference case. The article expects this kind of outage to hit simultaneously in 2026 across organizations that grew fast and governed poorly.
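The expiry-wave problem is easy to make visible with a small inventory script. The following Go program is an added example, not code from the CSO Online article or from any vendor. It builds a constructed fleet of self-signed certificates with the issuance dates and validity periods the article describes (service names and dates are hypothetical), parses them the way an inventory job would parse PEM files pulled from hosts or a secrets store, computes days-to-expiry against a fixed clock, and buckets the certificates by expiry month so that a wave stands out from individual renewals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertStatus is one row of the expiry inventory.
type CertStatus struct {
	Name     string
	NotAfter time.Time
	DaysLeft int // negative once the certificate has expired
	Expired  bool
}

// Inventory parses PEM-encoded certificates (keyed by service name) and
// reports each one's expiry relative to the supplied clock, soonest first.
func Inventory(pems map[string][]byte, now time.Time) ([]CertStatus, error) {
	var out []CertStatus
	for name, raw := range pems {
		block, _ := pem.Decode(raw)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s: no CERTIFICATE block found", name)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out = append(out, CertStatus{
			Name:     name,
			NotAfter: cert.NotAfter,
			DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
			Expired:  now.After(cert.NotAfter),
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].NotAfter.Before(out[j].NotAfter) })
	return out, nil
}

// ExpiryWaves counts certificates per expiry month (YYYY-MM). A month with a
// large count is a wave: several services will fail in the same window.
func ExpiryWaves(statuses []CertStatus) map[string]int {
	waves := make(map[string]int)
	for _, s := range statuses {
		waves[s.NotAfter.UTC().Format("2006-01")]++
	}
	return waves
}

// ExpiringWithin returns the renewal work queue: certificates already expired
// or expiring within the given number of days, in expiry order.
func ExpiringWithin(statuses []CertStatus, days int) []string {
	var names []string
	for _, s := range statuses {
		if s.Expired || s.DaysLeft <= days {
			names = append(names, s.Name)
		}
	}
	return names
}

// selfSigned creates a constructed certificate with the given validity window.
// Test data only; a real inventory reads PEM files collected from hosts.
func selfSigned(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleInventory builds the constructed fleet: hypothetical services whose
// certificates were issued during a migration with one- to five-year validity.
func SampleInventory() (map[string][]byte, error) {
	specs := []struct {
		name   string
		issued time.Time
		years  int
	}{
		{"api-gateway", time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC), 5},   // expires 2026-03-01
		{"auth-service", time.Date(2021, 3, 15, 0, 0, 0, 0, time.UTC), 5}, // expires 2026-03-15
		{"ci-runner", time.Date(2023, 3, 20, 0, 0, 0, 0, time.UTC), 3},    // expires 2026-03-20
		{"legacy-batch", time.Date(2022, 11, 1, 0, 0, 0, 0, time.UTC), 3}, // expired 2025-11-01
		{"new-ingress", time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC), 1},   // expires 2026-06-01
	}
	pems := make(map[string][]byte, len(specs))
	for _, s := range specs {
		p, err := selfSigned(s.name, s.issued, s.issued.AddDate(s.years, 0, 0))
		if err != nil {
			return nil, err
		}
		pems[s.name] = p
	}
	return pems, nil
}

func main() {
	now := time.Date(2026, 1, 15, 0, 0, 0, 0, time.UTC) // fixed clock for a reproducible report
	pems, err := SampleInventory()
	if err != nil {
		panic(err)
	}
	statuses, err := Inventory(pems, now)
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		fmt.Printf("%-13s expires %s days_left=%4d expired=%v\n", s.Name, s.NotAfter.Format("2006-01-02"), s.DaysLeft, s.Expired)
	}
	fmt.Println("expiry waves by month:", ExpiryWaves(statuses))
	fmt.Println("renew within 90 days:", ExpiringWithin(statuses, 90))
}
```

With the constructed fleet, three of five certificates land in the 2026-03 bucket, which is the wave the article warns about, while the already-expired `legacy-batch` shows the other failure mode: a certificate nobody owned that silently lapsed. Bucketing by month is deliberately coarse; a renewal team cares about how many services fail together, not the exact day, and the per-certificate `DaysLeft` column still drives the individual tickets.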
The problem is not negligence by individual teams but a governance deficit in the architecture: the established identity-management tools (role-based access control, privileged access management, access certification) were designed for human identities and do not scale to non-human identities that operate at millisecond pace.
Source: www.csoonline.com · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.