From Human to Machine: Why a New Identity Security Playbook Is Needed in the Age of AI
AI Is Disrupting the Ways of Work, and It Is Necessitating New Approaches to Security

Identity security is becoming more and more crucial—and that’s putting it lightly.
As Artificial Intelligence (AI) accelerates workforce transformation, the Asia Pacific (APAC) region is leading adoption. According to IDC, 70% of APAC organisations expect agentic AI to disrupt business models within 18 months. This shift brings a growing security challenge: the rise of non-human identities (NHIs), including service accounts, API keys, and automation scripts. These identities operate in the background with elevated privileges and often lack proper oversight, making them prime targets for attackers. This is the overriding context that highlights the criticality of identity security.
OWASP’s Non-Human Identity Top 10 for 2025 outlines key risks such as overprivileged machine identities and inadequate offboarding. When employees leave, their accounts are deactivated, but NHIs they have created often remain active, hard to trace, and over-permissioned.
With NHIs playing a growing role in operations, organisations must rethink their identity security approach. Securing these identities with the same level of oversight as human accounts through clear ownership, controlled access, and continuous monitoring is vital to reducing risk in AI-powered environments.
Securing Non-Human and Human Identities
Traditionally, human and non-human identities (NHIs) were managed separately, which worked in legacy environments. But with the rise of cloud and SaaS, these identities now operate in an interconnected ecosystem, making siloed management a security risk.
SaaS and IaaS identities once meant for humans are now repurposed as service accounts for automation, while machine-generated tokens inherit human permissions. Service accounts and their secrets, created by employees, blur the line between human and machine identities.
Human identities are now the foundation for NHIs, extending capabilities across platforms. This relationship is not only deeply intertwined but increasingly complex. A single technical user may create or access dozens of NHIs, each with unique credentials, access patterns, and risks.
Managing these identities without a unified approach leaves enterprises vulnerable. To stay secure, organisations must recognise and address the interdependence between human and non-human identities across their entire digital infrastructure. This is where identity security comes into play.
What Happens to Machine Identities When Employees Leave?
When a senior DevOps engineer resigns, removing their personal access is only the beginning. The real risk lies in the non-human identities (NHIs) they have created: service accounts, API keys, and automation scripts that often remain active and over-permissioned. These machine identities, originally set up for temporary use, frequently become permanent. Untracked credentials, orphaned accounts, and shared mailboxes without clear ownership add to the complexity.
Break-glass credentials that are never rotated and accounts tied to former employees can go unnoticed for months. These lingering NHIs pose critical security threats if left unmanaged.
The challenge is both technical and organisational. Human users create and manage NHIs, and when they leave, these identities persist. Without defined processes and accountability, they become hidden vulnerabilities across the enterprise.
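The offboarding gap described above is detectable if the organisation keeps an inventory that records who created each NHI and when its credential was last rotated. The following is an added example, not code from the article or any vendor, that cross-references a constructed NHI inventory against a constructed list of departed employees and flags ownerless or orphaned identities as well as credentials (including break-glass ones) that have gone unrotated past a threshold. The record fields, names and the 90-day rotation limit are all assumptions.

```python
"""Audit a constructed NHI inventory for orphaned owners and stale credentials.

Added example. Field names, sample identities and thresholds are assumptions,
not a real product's schema or data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass(frozen=True)
class Nhi:
    name: str             # label of the service account, API key or script credential
    kind: str             # "service_account", "api_key", "automation" or "break_glass"
    owner: Optional[str]  # human who created it; None means nobody is recorded
    last_rotated: date    # when the secret was last changed
    privileged: bool      # holds elevated rights (admin, deploy, write to prod)


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str
    severity: str


# Constructed sample data: employees HR has offboarded, and the NHI inventory.
DEPARTED: Set[str] = {"r.tan"}
INVENTORY: List[Nhi] = [
    Nhi("ci-deploy-sa", "service_account", "r.tan", date(2025, 5, 15), True),
    Nhi("billing-api-key", "api_key", "a.wong", date(2025, 6, 1), False),
    Nhi("legacy-backup-script", "automation", None, date(2024, 11, 1), True),
    Nhi("prod-break-glass", "break_glass", "j.lee", date(2024, 12, 1), True),
]


def ownership_problem(nhi: Nhi, departed: Set[str]) -> Optional[str]:
    """Return why this NHI lacks an accountable owner, or None if it has one."""
    if nhi.owner is None:
        return "no recorded owner"
    if nhi.owner in departed:
        return f"owner {nhi.owner} has left the organisation"
    return None


def audit_nhis(inventory: List[Nhi], departed: Set[str], today: date,
               max_rotation_days: int = 90) -> List[Finding]:
    """Produce one finding per problem: orphaned ownership and/or stale credential."""
    findings: List[Finding] = []
    for nhi in inventory:
        reason = ownership_problem(nhi, departed)
        if reason:
            # An ownerless privileged identity is the worst case: nobody to
            # approve, review or revoke it.
            findings.append(Finding(nhi.name, reason,
                                    "critical" if nhi.privileged else "high"))
        age = (today - nhi.last_rotated).days
        if age > max_rotation_days:
            findings.append(Finding(nhi.name,
                                    f"credential not rotated for {age} days",
                                    "high" if nhi.privileged else "medium"))
    return findings


def orphaned_names(findings: List[Finding]) -> Set[str]:
    return {f.name for f in findings if "owner" in f.reason}


def stale_names(findings: List[Finding]) -> Set[str]:
    return {f.name for f in findings if "not rotated" in f.reason}


if __name__ == "__main__":
    for f in audit_nhis(INVENTORY, DEPARTED, date(2025, 6, 30)):
        print(f"[{f.severity}] {f.name}: {f.reason}")
```

Run against the sample data as of 30 June 2025 this reports the departed engineer's deploy account, the ownerless backup script (also unrotated for 241 days) and the break-glass credential that has sat unchanged for 211 days; the billing key, which has a current owner and a recent rotation, is silent. In practice the inventory would be fed from the cloud provider's IAM listings and the departed set from the HR system, which is exactly the join that siloed human and machine identity management never performs.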
Right Controls for the Right Identity
While both human and non-human identities (NHIs) require protection, they need different security strategies. For instance, human accounts must have multi-factor authentication (MFA) using phishing-resistant methods, as the lack of MFA is a clear security risk. However, applying MFA to service accounts is not practical, since they are built for automation, not human interaction. Instead, alternative methods like credential vaulting or IP restrictions should be used.
Least privilege also looks different for each. Human users may log in from multiple locations (home, office, or abroad) based on work needs. In contrast, service accounts should operate within a fixed IP range. Any deviation, such as access from an unexpected IP, should trigger an alert.
Recognising and segmenting these identity types helps security teams apply the right controls, reduce noise, and address real risks more effectively.
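The two paragraphs above describe one detection rule per identity type: humans must present phishing-resistant MFA but may arrive from anywhere, while service accounts present no second factor and must instead stay inside their fixed network range. The following is an added example, not code from the article, that applies both rules to a constructed batch of authentication log lines. The log format, the identity registry, the CIDR ranges and the set of MFA method labels treated as phishing-resistant are all assumptions.

```python
"""Evaluate authentication events with identity-type-specific controls.

Added example. The log line format, registry entries, network ranges and MFA
method labels are constructed assumptions, not taken from any real system.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed labels for second factors that resist phishing (hardware-bound).
PHISHING_RESISTANT = {"fido2", "passkey", "piv"}


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                              # "human" or "service"
    allowed_networks: Tuple[str, ...] = ()  # CIDRs a service account may use


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    identity: str
    source_ip: str
    mfa_method: Optional[str]  # None when no second factor was presented


# Constructed registry: who is human, who is a machine, and where machines live.
REGISTRY: Dict[str, Identity] = {
    "a.wong": Identity("a.wong", "human"),
    "ci-deploy-sa": Identity("ci-deploy-sa", "service", ("10.20.0.0/16",)),
    "billing-sync-sa": Identity("billing-sync-sa", "service", ("192.0.2.0/24",)),
}

# Constructed log lines in a simple key=value format.
LOG_LINES = [
    "2025-06-30T08:01:02Z user=a.wong src=203.0.113.7 mfa=fido2",
    "2025-06-30T08:05:11Z user=a.wong src=198.51.100.4 mfa=sms",
    "2025-06-30T08:06:40Z user=ci-deploy-sa src=10.20.5.9 mfa=none",
    "2025-06-30T08:07:03Z user=ci-deploy-sa src=203.0.113.50 mfa=none",
    "2025-06-30T08:09:55Z user=billing-sync-sa src=192.0.2.10 mfa=none",
    "2025-06-30T08:12:30Z user=orphan-key src=10.0.0.1 mfa=none",
]


def parse_line(line: str) -> AuthEvent:
    """Split 'TIMESTAMP key=value ...' into an AuthEvent; mfa=none becomes None."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    mfa = fields.get("mfa")
    return AuthEvent(ts, fields["user"], fields["src"],
                     None if mfa in (None, "none") else mfa)


def evaluate(event: AuthEvent, registry: Dict[str, Identity]) -> Optional[str]:
    """Return an alert string, or None when the event satisfies its identity's policy."""
    ident = registry.get(event.identity)
    if ident is None:
        # Anything authenticating that the inventory does not know is itself a finding.
        return f"{event.identity}: unknown identity not in inventory"
    if ident.kind == "human":
        if event.mfa_method is None:
            return f"{event.identity}: human login without MFA"
        if event.mfa_method not in PHISHING_RESISTANT:
            return f"{event.identity}: MFA method {event.mfa_method} is not phishing-resistant"
        return None  # humans may legitimately log in from any location
    # Service account: no MFA expected; the control is network origin.
    ip = ipaddress.ip_address(event.source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in ident.allowed_networks):
        return f"{event.identity}: service account seen from unexpected IP {event.source_ip}"
    return None


def run(lines: List[str], registry: Dict[str, Identity]) -> List[str]:
    """Parse every line and collect the alerts the policy raises."""
    alerts = (evaluate(parse_line(line), registry) for line in lines)
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in run(LOG_LINES, REGISTRY):
        print("ALERT", alert)
```

Over the sample lines this raises exactly three alerts: the human using SMS as a second factor, the deploy service account appearing from outside its 10.20.0.0/16 range, and the unregistered "orphan-key" identity. The passkey login from a public address and the two service-account logins from their home ranges produce nothing, which is the noise reduction the text refers to: the same events judged by a single rule set would either flag every remote human or miss the wandering service account.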
Rethinking Identity Security for the AI Era
As APAC organisations overtake their global counterparts in advancing AI-powered cloud transformation journeys, the line between human and non-human identities will blur further. The solution is not to treat them as separate problems but to implement a comprehensive identity security strategy that understands the relationships between different identity types.
By applying appropriate security controls based on context and maintaining clear ownership and lifecycle management, organisations can maintain control across all identity types and their interactions.
To capitalise on the enormous potential of AI agent adoption, organisations in the region need to recognise human and non-human identities as two interconnected aspects of the same security issues—and this can be best done with proper identity security measures.