
New industry data just released suggests otherwise.
On May 19, 2026, Orchid Security announced the results of the Identity Gap: Snapshot 2026. Among the findings, “identity dark matter” (invisible and unmanaged elements of identity) overshadows visible elements by 57% vs. 43%. And it couldn’t have come at a worse time, with enterprises embracing agentic AI with open arms (and unfortunately, as Orchid co-founder Robert Wiseman explains, with more than one eye closed).
You may be wondering why we are concerned.
By design, AI agents tend to seek shortcuts. Given a task, an agent is trained to use the speed of a machine and the creativity of a human to find the most efficient way to complete it. Denied access to a required system? Use hard-coded credentials stored in clear text within the application. Need information it doesn’t have the right to read? “Borrow” credentials with higher privileges. Constantly challenged across different systems? Get a widely accepted token. Truly, the creativity of agentic AI is remarkable. It just cuts both ways.

Just because an AI agent can find a way to access an application, system, or database doesn’t mean it should. But where traditional non-human actors are limited by their coding and humans pause for conscience, AI agents almost always have no such constraints or scruples.
Therefore, well-managed identity and access management (IAM) is a critical foundation for keeping agentic AI activity within permitted limits. One need only look at the cloud outages reported at the beginning of the year to understand the importance of this.
Of course, IAM shortcuts, gaps, and exceptions have accumulated over the years, even decades. It is therefore not reasonable to expect everything to be cleaned up at once. That’s why this year’s Identity Gap Snapshot findings (the most common revelations for businesses in North America and Europe) are so important and timely.
Top 3 findings

Hiding non-human accounts: Two out of three non-human accounts are configured locally in the application itself. This makes them unrecognized and unmanaged by the central IAM program. Understandable for machine accounts and service accounts; dangerous for autonomous AI agents.
Overprivileged: 70% of all applications have an excessive number of privileged accounts. The scope of access has gone far beyond “least privilege” expectations and is at great risk given today’s threat actors and the AI agents mentioned above.
Orphaned accounts: Across enterprise environments, we found that 40% of all accounts have outlived their authorized user lifespan. These “orphan” accounts are clearly unmanaged and perhaps unseen, making them ripe for exploitation by threat actors and AI agents.
These are just some of the highlights from the complete Identity Gap Snapshot. We encourage you to read the full report.
What you can do
If you’re not sure how to address these (and similar) issues in your organization, or even how prevalent each issue is in your environment, our team of security researchers has published an Identity Security Readiness Checklist. If your organization is preparing for (or has already participated in) an agentic AI transformation, now is the time to act.

