We’ve spent years focusing on identity security in the context of people – who have access, what they can do, and how to control it. That model made sense when most activity in the environment was driven by human users.
But that’s no longer the case.
Machine identities – applications, services, APIs, and automated workloads – now play a central role in how modern systems operate. They authenticate, communicate, and execute tasks, often without direct oversight. And in many environments, they already outnumber human identities by a wide margin.
In this episode of STRIVE, I sit down with Dan Conrad, Principal Technologist and a fellow Field CTO at Commvault. We take a closer look at what that shift means – not just from a security perspective, but also from a governance standpoint. And we explore why so many organizations are still treating this as a secondary concern.
Watch the full episode.
Key Takeaways: Where the Risk Is Shifting
- Machine identities are growing faster than human identities, often by orders of magnitude.
- Governance models haven’t kept pace, creating blind spots in access and control.
- Visibility is the core challenge. Many teams don’t fully understand how machine identities behave.
- Privilege sprawl extends beyond users, with machine identities often holding persistent access.
- Resilience depends on understanding and managing the remit of these machine identities before they become a problem.
The Identity Model Has Changed
For a long time, identity management was relatively straightforward. You could map users to roles, define access policies, and build controls around predictable behavior. Even with complexity, the model was still anchored in human activity.
Machine identities have broken that model.
They’re created dynamically, often as part of development or deployment processes. They interact across systems in ways that aren’t always visible, well-documented, or audited. And unlike human users, they don’t follow a clean lifecycle – they aren’t onboarded and offboarded in the same structured way.
That creates a different kind of challenge. It’s not just about controlling access anymore. It’s about understanding how that access is being used, how it evolves, and how it connects across the environment.
Sneak Peek: You Can’t Phish a Non-Human Identity
In this moment from the STRIVE discussion, Dan describes how attackers aren’t targeting non-human identities directly through phishing. Instead, malicious actors compromise human accounts through social engineering and use them as a stepping stone to escalate privileges and impersonate powerful machine identities. Once inside, techniques like pass-the-hash and over-privileged service accounts allow attackers to move laterally and vertically, even after passwords are reset.
The Governance Gap
The real issue isn’t that machine identities exist; it’s how they’re governed.
In most organizations, there’s a clear process for managing human access:
- Requests are approved.
- Permissions are reviewed.
- Changes are tracked.
There’s a level of discipline that comes from years of focus on user identity. However, machine identities often fall outside of that structure. They’re created quickly to support applications or automation. They’re granted the permissions needed to function, sometimes more than necessary. And over time, those permissions persist. This over-provisioned access is rarely audited or reviewed and, more importantly, rarely reduced.
That’s where the gap forms.
It becomes difficult to answer basic questions about access. Not because the information doesn’t exist, but because it hasn’t been organized or managed in a way that makes it usable.
Visibility Before Control
When organizations start to address this problem, the instinct is often to tighten controls.
- Limit permissions
- Restrict access
- Apply new policies
But control without visibility doesn’t solve much.
If you don’t understand how identities are being used – their business context, where they connect, what they interact with, and how they move across systems – then any attempt to restrict them becomes reactive and could end up slowing down business operations.
That’s why visibility needs to come first.
Once you can see how machine identities behave, patterns start to emerge. You can begin to understand where access is excessive, where dependencies exist, and where risk is concentrated. From there, governance can become more precise and more effective.
A Different Kind of Privilege Problem
Privilege sprawl isn’t new. Most organizations have spent years trying to manage excessive access among human users.
Machine identities introduce a similar issue, but with a different dynamic. Their access is often embedded into systems. It’s persistent, automated, and rarely questioned once it’s in place. That makes it harder to detect and easier to overlook.
And when something goes wrong, those identities can become a pathway for malicious actors to exploit.
Where to Begin
For most organizations, the challenge isn’t awareness; it’s knowing where to start.
The first step isn’t a major transformation. It’s building clarity. Understanding how many machine identities exist. Where they’re being created. What permissions they have. How they’re used. And most importantly, confirming that a human user is mapped to a collection of non-human identities for the purposes of auditability and accountability.
Those questions sound simple, but they’re often difficult to answer. And that’s exactly why they matter. Because once you can answer them, you’re no longer operating in the dark.
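As an added illustration of that first step (this is example code, not from the episode or from Commvault’s tooling), the following Python script reviews a constructed inventory of machine identities against the questions above: is a human owner mapped, is granted access wider than observed use, is the identity still being used, and has its credential been rotated. All identity names, permissions, dates and thresholds are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class MachineIdentity:
    name: str
    owner: Optional[str]       # human accountable for this identity (None = unmapped)
    granted: set               # permissions granted when the identity was created
    used: set                  # permissions actually observed in use (from logs/telemetry)
    last_used: date            # last authentication or API call seen
    credential_issued: date    # when the current secret/key/certificate was issued

def review(inventory, today, stale_days=90, max_cred_age_days=365):
    """Turn an identity inventory into governance findings.

    Returns {identity name: [finding, ...]}; identities with no findings are omitted.
    Thresholds are hypothetical defaults, not recommendations from the page.
    """
    findings = {}
    for mi in inventory:
        issues = []
        if mi.owner is None:                       # accountability gap
            issues.append("no accountable human owner")
        excess = mi.granted - mi.used              # privilege sprawl: granted but never exercised
        if excess:
            issues.append("unused permissions: " + ", ".join(sorted(excess)))
        if (today - mi.last_used).days > stale_days:   # persistent access nobody is using
            issues.append(f"not used in {stale_days}+ days")
        if (today - mi.credential_issued).days > max_cred_age_days:  # long-lived credential
            issues.append(f"credential older than {max_cred_age_days} days")
        if issues:
            findings[mi.name] = issues
    return findings

# Constructed sample inventory (hypothetical names, permissions and dates)
TODAY = date(2025, 6, 1)
INVENTORY = [
    MachineIdentity("svc-backup", "alice", {"read:db", "write:vault"}, {"read:db", "write:vault"},
                    date(2025, 5, 31), date(2025, 1, 15)),
    MachineIdentity("ci-deployer", None, {"deploy:prod", "admin:iam"}, {"deploy:prod"},
                    date(2025, 5, 30), date(2023, 3, 1)),
    MachineIdentity("legacy-etl", "bob", {"read:db", "write:db"}, set(),
                    date(2024, 11, 1), date(2024, 10, 1)),
]

if __name__ == "__main__":
    for name, issues in review(INVENTORY, TODAY).items():
        print(name, "->", "; ".join(issues))
```

In a real environment the inventory would be built from the identity provider, cloud IAM and secrets-store exports, and the `used` set from authentication and audit logs; the review logic stays the same.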
Watch the Full Episode
In this installment of STRIVE, we go deeper into how machine identities are changing the way organizations should think about access, governance, and resilience. It’s a practical conversation about what’s happening now – and what needs to change moving forward.
Resource
If you’re interested in learning more about this topic, check out this e-book on non-human identities.
FAQs
Q: What is a machine identity?
A: A machine identity is a non-human identity used by applications, services, or systems to authenticate and interact with other resources.
Q: Why are machine identities becoming a bigger risk?
A: Because they are increasing in number, often have persistent access, and are not always governed as strictly as human users.
Q: How are they different from user identities?
A: They operate continuously, are embedded in automated workflows, and often lack structured lifecycle management.
Q: What is the biggest challenge organizations face in governing non-human identities?
A: Visibility. Many teams don’t have a clear understanding of how many machine identities are created, used, or interconnected.
Q: How does this impact resilience?
A: If compromised, machine identities can enable a malicious actor’s rapid movement across systems, making incidents harder to contain and recover from.
Q: Where should organizations start?
A: By identifying machine identities, understanding their permissions, and building governance practices that match their scale and complexity. And most importantly, confirming that a human user is mapped to a collection of non-human identities for the purposes of auditability and accountability.
Vidya Shankaran is Field CTO at Commvault.