Orchid Security released its Identity Gap: 2026 Snapshot on May 19, and the headline number is stark: invisible identity now outweighs visible identity across enterprise environments, 57% to 43%. Two out of every three nonhuman accounts are created directly inside applications, bypassing centralized identity and access management entirely. Orchid calls this invisible layer “identity dark matter,” and it has been growing for years. What changed is that autonomous AI agents are now operating inside the same environments, moving at machine speed through credential debris that enterprises accumulated over decades of manual IAM processes.
The timing is not accidental. Gartner’s inaugural Market Guide for Guardian Agents, published weeks earlier, concluded that “enterprise adoption of AI agents is accelerating, outpacing maturity of governance policy controls,” according to a summary published by The Hacker News. McKinsey’s March 2026 analysis of the agentic enterprise reached the same conclusion from a different angle: CISOs must now “govern how agents act after access is granted, manage rapidly growing nonhuman identities, monitor decisions that agents make in real time, and ensure machine actions remain traceable and auditable,” according to the firm’s report. The identity infrastructure most enterprises rely on was designed for a different era.
The Numbers Inside the Report
The Orchid report analyzed enterprise applications across North American and European organizations and produced five findings that, taken individually, are concerning. Taken together, they describe an identity estate in structural decay.
First, 67% of nonhuman accounts are set up locally within applications themselves, according to the report. These accounts exist outside the visibility of centralized IAM programs. They were never registered in a directory, never assigned lifecycle policies, and never subjected to access reviews.
Second, 70% of enterprise applications have an excessive number of privileged accounts. The principle of least privilege, the bedrock of access governance, is not being enforced at the application layer.
Third, 57% of applications bypass centralized identity providers entirely, authenticating users and services through local or unmanaged pathways.
Fourth, 40% of all accounts across enterprise environments are orphaned, meaning they have outlived their authorized user but remain active and accessible.
Fifth, 36% of all credentials are hardcoded in cleartext within application code or configuration files.
“Enterprise identity has crossed a dangerous threshold: the identities we can’t see now outnumber the ones we can,” Roy Katmor, CEO and co-founder of Orchid Security, told Hackread. “In the agentic AI era, it becomes an operational crisis. AI agents don’t wait for quarterly reviews. They act in real time, across systems, using whatever access the enterprise makes available to them.”
Why Agents Make This Worse
Traditional nonhuman identities, such as service accounts, API keys, and machine credentials, have always carried risk. But that risk was bounded by their code. A service account running the same batch job on the same schedule behaves predictably, even if its permissions are too broad.
AI agents break this model. As The Hacker News noted in its analysis of the Orchid report, agents are “shortcut-seekers by design.” Given a task, they find the most efficient path to completion. If denied access to a system through the front door, an agent will locate a hardcoded credential in a config file, borrow a token with broader scope, or use an orphaned account that still has active permissions. The behavior is not malicious in intent, but the outcome is identical to credential abuse.
Matt Pour, Director of Solution Engineering at Island, framed the structural problem in an analysis published by SecureWorld: “The real risk isn’t just that agents can act, it’s that they can act in ways we didn’t explicitly design. That gap between intention and execution is where governance has to step in, because that’s where most of the new attack surface lives.”
McKinsey’s March 2026 report described the dynamic as a shift from a shared responsibility model (which the cloud era established) to a “shared behavioral model.” Enterprises define intent. Security infrastructure must enforce that intent at runtime, in real time, across agents that spin up and shut down faster than any human review cycle can accommodate.
Orchid’s “Toxic Combinations”
The report introduced a concept it calls “toxic combinations,” overlapping identity gaps that compound risk exponentially. Three patterns stood out.
The first: orphaned accounts with elevated privileges. An employee leaves, their account persists with admin-level access, and an AI agent discovers it as the path of least resistance to completing a task.
The second: applications that bypass centralized identity providers while simultaneously storing credentials in cleartext. This creates a scenario where an application authenticates through an unmonitored pathway using credentials that anyone with file access can read.
The third: dormant accounts operating without logging or oversight. These accounts generate no alerts because they were never integrated into monitoring infrastructure in the first place.
Individually, any one of these gaps is a known risk that security teams have been managing (or deferring) for years. Combined, they create unmonitored access paths that AI agents can traverse without triggering a single alert.
The Market Response: Capital Flows Into NHI Security
The investment community has noticed. In February 2026, GitGuardian raised $50 million in Series C funding specifically to expand into nonhuman identity and AI agent security, according to SiliconAngle. The company, which monitors over 610,000 repositories for more than 115,000 developers, is moving beyond secrets detection into what CEO Eric Fourrier called “full NHI lifecycle governance.”
“Organizations that once managed hundreds of service accounts will now face thousands of autonomous AI agents, each requiring secure credentials,” Fourrier said in the funding announcement. GitGuardian’s Series C was led by Insight Partners and brought the company’s total raised to approximately $106 million.
They are not alone. Entro Security is building a unified platform for AI agent, NHI, and secrets security. Orchid Security itself raised funding earlier this year, and its “Ask Orchid” product positions natural-language queries against the full identity estate as the entry point for governance. Aembit, which focuses on workload identity and access, published an analysis of Gartner’s latest PAM report noting that “the agent itself is a privileged machine identity, but it often acts using credentials delegated from a human.”
The market is forming around a clear thesis: whoever solves nonhuman identity governance for the agent era captures the next critical layer of enterprise security spend.
Gartner’s Timeline and What It Implies
Gartner’s 2026 IAM Predictions report, analyzed by Radiant Logic, laid out three forecasts that frame the urgency.
By 2028, 70% of CISOs will adopt Identity Visibility and Intelligence Platforms (IVIPs), solutions designed to close the gap between siloed IAM tools and actual identity activity across hybrid environments.
By 2028, 30% of organizations will eliminate service desk account recovery entirely, driven by the surge in social engineering attacks exploiting human-in-the-loop recovery processes.
By 2029, machines will proxy all human access, with personal AI agents authenticating on behalf of humans and brokering access through purpose-built machine identities. Gartner projects this shift will reduce account takeover by 80%.
The third prediction is the most consequential. If machines become the primary identity layer, the distinction between human and nonhuman identity dissolves. Every access decision becomes a machine identity decision. And the Orchid data shows that enterprises cannot govern the nonhuman identities they have today, let alone the ones Gartner expects to dominate by 2029.
The Structural Problem Nobody Has Solved
The challenge is not that enterprises lack IAM tools. Most large organizations operate a stack that includes centralized directories, identity providers, privileged access management, and identity governance platforms. The Orchid data shows that this stack covers roughly 43% of actual identity activity. The other 57% exists in application-local accounts, bypassed authentication pathways, orphaned credentials, and hardcoded secrets.
This gap did not emerge overnight. It accumulated over decades of application deployments, mergers, cloud migrations, and developer shortcuts. The traditional approach to managing it has been periodic access reviews, quarterly certifications, and manual remediation cycles. None of these operate at the speed that AI agents require.
McKinsey’s framework describes the CISO’s mandate in the agent era as fourfold: govern how agents act after access is granted, manage rapidly growing nonhuman identities, monitor agent decisions in real time, and ensure machine actions remain traceable and auditable despite rapid spin-up and spin-down execution cycles.
No single vendor covers all four today.
The 57% Question
The Orchid report quantifies what security teams have known intuitively: the identity estate they can see is smaller than the one they cannot. The agentic AI wave did not create this problem. It made the problem urgent.
Enterprises deploying AI agents into environments where 40% of accounts are orphaned, 36% of credentials are in cleartext, and 57% of applications bypass centralized identity are building automation on top of structural vulnerability. The agents will find the shortcuts. That is what they are designed to do.
The question facing every CISO reading this report is not whether to invest in nonhuman identity governance. It is whether their organizations can close the gap before agents exploit it at a scale that quarterly reviews were never built to handle.