Two-Thirds of Nonhuman Accounts Are Unseen and Unmanaged, According to Orchid Security’s Identity Gap Report
Two-Thirds of Nonhuman Accounts Are Unseen and Unmanaged, According to Orchid Security’s Identity Gap Report
May 19, 2026, 3 min read
Table of Contents
New York, United States, May 19th, 2026, CyberNewswire
New research shows identity dark matter continues to expand and erode enterprise identity, resulting in a fragile foundation for agent AI readiness and adoption
Orchid Security, the company solving identity at its core, today released its Identity Gap: 2026 Snapshot report, revealing that the majority of enterprise identity now exists outside the view of identity and access management systems.
The report found that invisible identity (“identity dark matter”) now outweighs visible identity across enterprise environments, 57% to 43%. Further, 67% of non-human accounts are created directly within the application, unseen and unmanaged by IAM programs.
This finding comes at a critical moment—organizations rapidly deploy AI agents, which in turn accelerates identity exposure. Traditional IAM was built to govern people. It was not built for autonomous systems that inherit credentials, act without human oversight, and often operate within the blind spot that identity dark matter creates.
Additional Significant Findings
70% of enterprise applications contain an excessive number of privileged accounts, dramatically increasing the potential impact of misuse or compromise
57% of applications bypass centralized identity providers
40% of accounts are orphaned, remaining available after their users have gone
36% of all credentials are hardcoded and in clear text within applications
“Enterprise identity has crossed a dangerous threshold: the identities we can’t see now outnumber the ones we can,” said Roy Katmor, CEO and co-founder of Orchid Security.
Nonhuman Accounts Are a Huge Blindspot, At the Worst Time
The established IAM model for non-human identities has always carried risk: these accounts are typically granted broad, standing access locally (67% of the time, according to analysis of enterprise applications), based on the assumption that their behavior is predetermined and repetitive.
However, that all changes with the latest emerging class of actor, Agent AI. While technically nonhuman, Agent AI are far from predetermined and repetitive in their actions. Rather, they are unpredictable and relentless in pursuit of their prompt.
Applications are Overpermissioned, Unmanaged, and Vulnerable
There is a growing disconnect between formal identity controls and how access actually functions.
While many organizations have strengthened corporate IAM systems with a strong stack consisting of a centralized identity directory, strong authentication from an identity provider (IdP), privileged access management (PAM), and increasing identity governance and administration (IGA), Orchid found that these controls are frequently bypassed.
Almost 3 out of 4 applications have excessive privileged accounts, more than 1 out of 2 applications allow authentication through local or unmanaged pathways, and 1 out of 3 applications contain credentials stored in clear text, embedded directly in code or configuration files.
“Organizations have invested heavily in securing the front door, but the research shows identity risk is increasingly concentrated in the side doors,” Katmor said.
Compounding Risk: The Rise of “Toxic Combinations”
Beyond individual exposures, the report identifies what Orchid calls “toxic combinations.”
This includes:
Orphaned accounts with elevated privileges
Applications that bypass centralized identity providers while storing credentials in clear text
Dormant accounts operating without logging or oversight
Individually, these gaps are concerning; together, they create unmonitored access paths that can dramatically increase the potential level of compromise.
The Bottom Line: AI Agents Are Accelerating Identity Exposure
As organizations rapidly deploy AI agents to automate business processes, these identity gaps are not only increasing but are also becoming more visible and more exploitable.
“AI agents discover and exploit identity control gaps and exposures in a way and at a speed we’ve never seen before,” Katmor said.
A Growing Gap Between Identity, Intent, and Reality
The findings suggest that many organizations are approaching Agent AI implementation with an incomplete understanding of how access actually works across their environments.
Without first shoring up the foundation of enterprise identity, enterprises expose themselves to increasing cyber, compliance, and operational risks—now at machine scale.
“Identity programs look strong on paper, but most identity activity happens outside them,” said Katmor.
About the Report
Identity Gap: 2026 Snapshot is based on anonymized telemetry collected from enterprise applications deployed across North America and Europe between April 2025 and March 2026.
Identiverse 2026
Orchid Security will be onsite at Identiverse 2026 at Booth #239 from June 15–18.
Sessions:
When “Lazy” AI Agents Meet Broken Identity Hygiene
Tuesday, June 16 | 1:15 PM – 1:30 PM | Oceanside E
From Seeing to Knowing: The Identity Observability Frontier
Wednesday, June 17 | 7:15 AM – 8:15 AM | Oceanside E
About Orchid Security
Orchid Security delivers the industry’s first Identity Control Plane, transforming IAM complexity into clarity, compliance, and control.
Subcribe to our monthly newsletter and join others to receive exclusive cyber security
content and tips directly to your inbox. Access our exclusive content now!
