Security vendor CyberArk today released its 2025 State of Machine Identity Security Report. The research, based on a survey of 1,200 security leaders across the USA, UK, Australia, France, Germany and Singapore, shows the growing gap between machine identity creation and appropriate security measures accounting for those identities. CyberArk’s SVP of Innovation Kevin Bocek shared his insights on the research in an interview with Channel Insider.
Machine identities outnumber humans but remain unprotected
Machine identities are created as technologies connect across tech stacks. They continue to grow in quantity throughout organizations as APIs, SaaS applications, AI agents, and various cloud technologies are adopted at larger scale.
“Each instance requires a unique identity to authenticate and communicate securely, adding to the already staggering growth in machine identities—particularly as organizations begin to embrace agentic AI,” the report states.
A few of the many statistics provided in the report including the following:
- More than one-third (36%) of security leaders predict an 11-50% increase in machine identities in the next year, while 16% project radical growth of more than 50%.
- 50% of security leaders reported security incidents or breaches linked to compromised machine identities in the last year.
- 45% experienced weekly certificate-related outages over the past year – a 33% increase from 2022
- 81% of surveyed leaders believe machine identity will play a critical role in securing the future of AI
“Machine identity is crucial because identity is how all of our tech operates. You need to know your cloud from someone else’s cloud,” Bocek said. “This is also a multiplying factor in that coding assistants, the incoming demand for AI agents, the continued move towards cloud and different platforms, it’s all creating more and more identities.”
As with most things in the tech world, threat actors have also taken notice of the rise in machine identities, and they are exploiting the often weaker security controls around them. As Bocek points out, CISOs and other IT and security leaders might have a harder time approaching the risks with identities they cannot fully see.
“Leaders might be able to point to a number and say oh we have this many identities spread out everywhere, but you can’t tangibly see them the way you can your people,” Bocek said. “But, at this point, there are two kinds of actors in every modern business: the human and the machine. Both require security attention.”
What MSPs and their customers should do in response
The silver lining here, according to Bocek, is that this is a problem with a tangible solution. Machine identity protection can become one arm of any organization’s wider security approach, though there will be some pain points in getting there.
According to the report, “respondents reported their machine identity security programs lacked a cohesive strategy (42%), challenges adapting to shorter machine identity lifecycles (37%) and the possibility of adversaries exploiting stolen machine identities (37%).”
Bocek’s advice for partners and clients is to take what is already working with identity threat protection and expand those programs and processes to the virtual identities, too.
“I know security professionals see this issue and want to address it, and it certainly isn’t like people with security expertise don’t see the threat here,” Bocek said. “My hope is when leaders see our report and the findings, it reminds them that identity isn’t just about people. They need to take their humen identity security and find ways to apply it to the various machine identities they create as well.”
“The good news here, if you can call it that, is that this isn’t really a new type of malware or a new threat group no one is prepared for. This is still basic identity access security, just with a different target.”
Security is a top priority for nearly all organizations. Learn more about how to best prepare for ransomware attacks according to recent research.