Humans, machines and mayhem: Why cybersecurity needs a new identity playbook

CO-EDP, VisionRI | Updated: 26-03-2025 10:13 IST | Created: 26-03-2025 10:13 IST

A surge in machine identities has outpaced human identities in the enterprise by a ratio of 43:1, creating dangerous cybersecurity blind spots and prompting calls for a radical redesign of identity governance systems. A new study "The Human-Machine Identity Blur: A Unified Framework for Cybersecurity Risk Management in 2025" submitted on arXiv proposes a Unified Identity Governance Framework that treats human and machine identities as a spectrum rather than as separate domains, challenging a foundational assumption in modern cybersecurity architecture.

The study, authored by independent cybersecurity researcher Kush Janani, warns that the exponential rise of machine identities, ranging from APIs and service accounts to AI agents and IoT devices, is rapidly overwhelming traditional identity and access management (IAM) systems.

According to the research, the average enterprise now manages over 250,000 machine identities in 2025, compared to just 5,800 human accounts. These machine identities are not only more numerous, but also more vulnerable: 50% of surveyed organizations reported breaches tied to compromised machine credentials within the past year, leading to application delays, system outages, and unauthorized access to sensitive data.

Security incidents involving machine identities have surged, with API keys and SSL/TLS certificates accounting for 68% of reported breaches. Compromised machine identities resulted in 51% of affected organizations experiencing application launch delays, 44% suffering outages, and 43% reporting unauthorized access to core systems. Meanwhile, weekly certificate-related outages have nearly quadrupled since 2022, rising from 12% to 45%.

The research critiques current identity governance practices as outdated and fragmented. While human identities are generally managed through Identity Governance and Administration (IGA) tools, machine identities fall under separate frameworks like Certificate Lifecycle Management (CLM) or Cloud Infrastructure Entitlement Management (CIEM). This siloed approach, the study finds, creates critical vulnerabilities and prevents organizations from detecting hybrid threats - such as when AI agents act on behalf of human users with delegated authority.

One of the report’s key insights is the development of a "human-machine identity spectrum," which charts a continuum of identity types from fully human-controlled accounts to fully autonomous AI agents. Hybrid forms, such as AI-assisted users or collaborative AI systems with partial autonomy, fall between the extremes. Each identity type requires a unique combination of authentication, oversight, and accountability mechanisms, but most cybersecurity systems still operate on binary assumptions.

To address these challenges, Janani proposes a Unified Identity Governance Framework built on four principles: treating identity as a continuum; applying risk-based controls uniformly; implementing continuous verification under zero trust architecture; and enforcing governance across the entire identity lifecycle - from creation to decommissioning.

In testing this framework against case studies and industry data, the study found that organizations applying unified governance experienced 47% fewer identity-related security incidents and reduced incident response times by 62%. The approach emphasizes mapping all identity types - including AI agents, APIs, service accounts, and IoT devices - alongside their relationships and delegated authorities.

The proposed implementation roadmap outlines practical steps for security leaders: conduct a complete identity inventory, apply consistent provisioning and deprovisioning protocols, deploy monitoring tools that can baseline both human and machine behavior, and restructure identity teams to bridge the gap between security operations, development, and compliance functions. New organizational roles, such as a “Machine Identity Security Architect,” may be required to enforce unified policies.

Fragmentation of responsibility is another critical issue highlighted in the report. Only 53% of machine identities are governed by security teams, while the rest fall under development or platform operations. Thirty-four percent of organizations still rely on manual processes for certificate rotation, despite the rising risks associated with shorter certificate lifespans and the threat that quantum computing poses to current cryptography.
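The roadmap above (a single inventory, uniform lifecycle controls, and tracked delegation) can be sketched as a small model. The following is an added illustration, not code from the paper or from Devdiscourse: identities sit on one spectrum regardless of kind, an AI agent's authority is attributed back through its delegation chain to an accountable human, and the same expiry and ownership checks run over every entry. Names, identity kinds and dates are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Identity:
    name: str
    kind: str                           # e.g. human, delegated_agent, service_account (illustrative labels)
    active: bool = True                 # False once decommissioned
    owner: str | None = None            # identity accountable for this one
    delegated_from: str | None = None   # identity whose authority this one exercises
    credential_expiry: date | None = None


def attribute(inv: dict[str, Identity], name: str) -> str | None:
    """Follow owner/delegation links back to an active human; None if the chain breaks."""
    seen: set[str] = set()
    cur = inv.get(name)
    while cur is not None and cur.name not in seen:  # 'seen' guards against cycles
        seen.add(cur.name)
        if cur.kind == "human":
            return cur.name if cur.active else None
        nxt = cur.delegated_from or cur.owner
        cur = inv.get(nxt) if nxt else None
    return None


def lifecycle_findings(inv: dict[str, Identity], today: date,
                       rotate_within: timedelta = timedelta(days=14)) -> list[tuple[str, str]]:
    """Apply the same checks to every active identity, whatever its position on the spectrum."""
    out = []
    for ident in inv.values():
        if not ident.active:
            continue
        if attribute(inv, ident.name) is None:
            out.append((ident.name, "no accountable human (orphaned or broken delegation)"))
        exp = ident.credential_expiry
        if exp is not None and exp <= today:
            out.append((ident.name, "credential expired"))
        elif exp is not None and exp - today <= rotate_within:
            out.append((ident.name, "credential due for rotation"))
    return sorted(out)


# Constructed sample inventory: names and dates are made up for this example.
TODAY = date(2025, 3, 26)
INVENTORY = {i.name: i for i in [
    Identity("alice", "human"),
    Identity("bob", "human", active=False),                              # left the company
    Identity("copilot-bob", "delegated_agent", delegated_from="bob"),    # still acting for bob
    Identity("billing-api", "service_account", owner="alice", credential_expiry=TODAY + timedelta(days=5)),
    Identity("legacy-cron", "service_account", credential_expiry=TODAY - timedelta(days=1)),
]}

if __name__ == "__main__":
    for name, issue in lifecycle_findings(INVENTORY, TODAY):
        print(f"{name}: {issue}")
```

The agent delegated by a departed user and the ownerless cron account surface through the same check, which is the hybrid-threat case the siloed tooling described above would miss.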

Beyond technical and operational concerns, the study raises urgent regulatory and ethical implications. As AI agents become more autonomous, questions of accountability and identity attribution will become harder to resolve. 

The study frames the current moment as a tipping point for cybersecurity. It urges preparation for emerging challenges, including quantum computing’s impact on cryptographic infrastructure and the integration of advanced biometrics or brain-computer interface data into identity systems. The author also provides the following recommendations for organizations:

Key recommendations:

  • Inventory all identities, including AI agents, service accounts, and API credentials.

  • Apply zero trust principles across the entire identity spectrum - verify continuously, assume breach, and use least privilege access.

  • Unify identity policies, audit mechanisms, and compliance workflows across human and machine actors.

  • Prepare for AI autonomy by developing governance models, revocation tools, and attribution mechanisms.

  • Address quantum risk by transitioning toward crypto-agile systems and quantum-resistant algorithms.

First published in: Devdiscourse