Non-human identities push identity security into uncharted territory

Enterprises are grappling with an identity attack surface that keeps expanding and slipping out of reach, according to Veza.


Permissions growth outstrips oversight

Permissions now grow faster than teams can track them. Enterprises often operate with hundreds of millions of active entitlements, each defining what an identity can do in a system. Veza measured more than 230 billion permissions across its dataset.

This volume creates persistent blind spots. Security teams manage access requests, audits, and incidents at the same time that new permissions are added through cloud services, SaaS tools, and automation. Over time, unused and excessive access accumulates. The report describes this buildup as identity debt, a condition where access risk compounds quietly inside day-to-day operations.

“When you see the complexity of relationships across billions of permissions at scale, the magnitude of the challenge of achieving least privilege comes into focus,” said Rich Dandliker, head of strategy at Veza. “It is no surprise that enterprises are struggling with it. This is a difficult and important problem.”

Dormant and orphaned accounts remain active

The executive summary highlights the scale of inactive identities that still hold access. Veza found roughly 3.8 million dormant accounts across the dataset, representing 38% of all identity provider users. These accounts showed no activity for at least 90 days and continued to authenticate.

Orphaned accounts add another layer of exposure. Researchers identified 824,000 active identities with no associated owner in HR systems, about 8% of all identity provider users. These accounts typically persist after incomplete offboarding or system changes, and they often escape routine review.

The growth trend is steep. Dormant accounts nearly doubled year over year, while orphaned identities increased by about 40%. Each lingering account expands the pool of credentials available for misuse.

Human identities carry extensive access

The average worker in the dataset held 96,000 permissions spanning applications, data stores, and infrastructure. These entitlements reflect years of role changes, temporary access grants, and inherited group memberships.

Veza also found that 78,000 former employees still retained active credentials, representing 3% of all users. Even when HR systems flagged accounts as inactive, 38% of those identities continued to hold live entitlements in core business applications.

This pattern shows how access outlives employment status. Identity lifecycle gaps leave business systems exposed long after a role ends, especially when access reviews rely on snapshots instead of continuous validation.
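The three lifecycle gaps described above (dormant accounts with no activity for 90 days, orphaned accounts with no HR owner, and former employees whose HR record is terminated but who still hold live entitlements) can be checked with one join between an identity-provider export and the HR roster. The following is an added example, not code from Veza or the report; the records are constructed sample data, and the field names and the 90-day threshold are assumptions.

```python
from datetime import date, timedelta

DORMANT_DAYS = 90  # assumed threshold, matching the report's definition of dormant

# Constructed sample data: one row per identity-provider user, plus an HR roster
# keyed on the same login. Nothing here comes from the Veza dataset.
IDP_USERS = [
    {"login": "alice",     "enabled": True,  "last_login": "2025-06-01", "entitlements": 120},
    {"login": "bob",       "enabled": True,  "last_login": "2025-01-15", "entitlements": 40},
    {"login": "svc-build", "enabled": True,  "last_login": "2025-06-02", "entitlements": 300},
    {"login": "carol",     "enabled": True,  "last_login": "2025-05-30", "entitlements": 75},
    {"login": "dave",      "enabled": False, "last_login": "2024-11-01", "entitlements": 0},
]
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "terminated"}


def classify(idp_users, hr_roster, today, dormant_days=DORMANT_DAYS):
    """Return the logins that fall into each lifecycle-gap category.

    Only enabled accounts are considered, since a disabled account can no
    longer authenticate. An account can appear in more than one category.
    """
    cutoff = today - timedelta(days=dormant_days)
    findings = {"dormant": [], "orphaned": [], "former_employee_with_access": []}
    for user in idp_users:
        if not user["enabled"]:
            continue
        login = user["login"]
        last = date.fromisoformat(user["last_login"]) if user["last_login"] else None
        # Dormant: still enabled but no sign-in inside the window (or never).
        if last is None or last < cutoff:
            findings["dormant"].append(login)
        status = hr_roster.get(login)
        # Orphaned: no HR record at all, so nobody owns the account.
        if status is None:
            findings["orphaned"].append(login)
        # Former employee: HR says terminated, yet entitlements remain live.
        elif status == "terminated" and user["entitlements"] > 0:
            findings["former_employee_with_access"].append(login)
    return findings


def share_of_enabled(findings, idp_users):
    """Express each category as a percentage of enabled identity-provider users."""
    enabled = sum(1 for u in idp_users if u["enabled"])
    return {k: round(100 * len(v) / enabled, 1) for k, v in findings.items()}


if __name__ == "__main__":
    result = classify(IDP_USERS, HR_ROSTER, date(2025, 6, 3))
    print(result, share_of_enabled(result, IDP_USERS))
```

Running the same join on a real IdP export and HR feed, on a schedule rather than at review time, is what turns the report's snapshot figures into the continuous validation the text calls for.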

Non-human identities dominate the landscape

Service accounts, API keys, tokens, and automation credentials now outnumber human users by a ratio of 17 to 1. Every automated workflow introduces additional identities, many created without a defined owner or expiration.

Privilege concentration stands out in the data. Just 2,188 machine identities, about 0.01% of the total, controlled 80% of cloud resources, giving a small group of accounts extensive authority across environments.

Non-human identities persist indefinitely unless revoked. Unlike employees, they lack natural lifecycle triggers. Their access often spans infrastructure, data, and deployment pipelines, which amplifies the impact of any single compromise.

Bad permissions multiply through daily operations

The report categorizes problematic access into four groups: over-privileged, residual, ungoverned, and policy-violating permissions. Each category emerges from routine business activity such as onboarding, job changes, local account creation, or bypassed controls.

Permissions classified as safe and compliant dropped from 70% in 2024 to 55% in 2025. Ungoverned permissions drove most of the shift, rising from 5% to 28% of the total.

Local accounts created outside centralized identity tools contributed heavily to this growth. These accounts bypass standard workflows and remain invisible to governance systems.

MFA gaps leave predictable openings

Authentication controls show limited improvement. 13% of enterprise users in the dataset still lacked MFA. Among users with MFA enabled, many relied on SMS or email verification, which accounted for 6% of Okta users measured in the study.

Weak authentication often overlaps with dormant and orphaned identities. Accounts with minimal protection and no owner persist over time and generate fewer alerts, which makes them easier to misuse.

Identity risk becomes a business metric

The report frames identity security as an enterprise-wide issue. Boards, regulators, and insurers increasingly ask for proof of control over who can access systems and data. Veza’s data shows that many organizations lack continuous visibility across human and non-human identities.

The research points to a shared pattern across industries: identities accumulate, permissions spread, and oversight lags behind growth. These conditions shape the access layer that attackers target most often.

“With billions of permissions to manage, security and identity teams are struggling to maintain and enforce the principle of least privilege across their organizations,” noted Phil Venables, a cybersecurity leader, partner at Ballistic Ventures, and former CISO of Google Cloud. “Excessive privileges, dormant accounts, and over-permissioning are widespread.”
