Published on the 20/01/2026 | Written by Newsdesk
Silent superusers go from overlooked to urgent…
They outnumber human identities, hold the highest privileges and operate silently within your organisation. Yet in most organisations machine identities – service accounts, API keys, certificates, microservices and bots – are not just unmanaged but invisible, a gap that attackers are quickly exploiting.
“Fundamentally, machine identities are now an organisation’s most powerful user, and unfortunately, the least controlled,” Raymond Dickinson, SailPoint New Zealand country manager, tells iStart.
Meanwhile, attackers are increasingly targeting them because they provide silent, powerful access into enterprise systems, Dickinson says.
“If you can’t see it, you can’t secure it.”
“Without strong machine identity governance, organisations unknowingly leave their highest privilege access points unprotected,” he says.
Modern businesses rely heavily on automation, cloud services and DevOps pipelines, all of which generate machine identities at scale. Every new integration spins up more service accounts and keys, often with excessive privileges – and that includes in the OT environment, not just IT. And unlike human identities, in many organisations there is no on-boarding or off-boarding process, no lifecycle management and no visibility into who owns them, or even where they are.
“When there is a lack of ownership, no one really cares about the thing, and you end up not putting in the right governance processes. If you can’t see it, you can’t secure it. With machine identities, which often have excessive privileges, that’s a real concern.”
Dickinson points to the SolarWinds Orion breach in 2020 and a 2021 Microsoft Exchange Server breach as key examples – among many – of breaches using machine identities.
In the case of the SolarWinds breach, which triggered a supply chain incident affecting thousands of organisations including government, defence and enterprise, attackers infiltrated the SolarWinds software build environment. They then used machine identities to sign malicious code with SolarWinds’ legitimate code signing certificates, abuse automated build service accounts and push compromised software to 18,000+ organisations.
Similarly, the Microsoft Exchange Server breach exploited unmanaged service accounts and OAuth tokens to maintain insider access.
The incidents underscore a harsh reality for organisations: machine identities are low-hanging fruit for attackers. Once a breach occurs, reports suggest hackers actively hunt for these accounts because they know they are rarely monitored.
A business problem
Dickinson stresses that unmanaged machine identities are not just a technology problem, they’re a business risk, creating significant operational, financial, compliance and cybersecurity exposure. “Getting boardroom support on machine identity is always a challenge, but the conversation is about securing them as a business risk decision, not a technology decision.”
For boards and executives, the conversation needs to start and finish with risk: Protecting revenue, ensuring business continuity, meeting regulatory obligations, reducing operational costs and enabling safe AI adoption.
As organisations adopt AI and automation, the stakes rise even higher. Without strong machine identity governance, organisations risk undermining the very technologies designed to drive efficiency and innovation. (And a side note here: An AI agent, which performs multiple tasks rather than a single defined task, is different from a machine identity as defined in the market today.)
Good governance 101
So, what does good machine identity governance look like?
According to Dickinson, it’s very similar to human identity governance and the first step is gaining visibility.
“You have to have full visibility into all machine accounts and know exactly where they all are.”
A discovery scan can identify every machine identity across an organisation – service accounts, API keys, certificates, bots and workloads. Expect a shock. Dickinson says most organisations underestimate their machine identity volumes by five to 10x.
Assigning ownership and purpose for each identity follows.
Automating the lifecycle – from creation through modification, rotation and retirement – is also needed, along with enforcing least privilege, just as you’d do with a human worker.
“It’s very common for these machine accounts to be given the holy grail of all access even though they don’t need that level of access, simply because giving them domain level access is an easy thing to do.”
Securing credentials and ensuring robust certificate management are key to good machine identity governance, along with continuous monitoring and anomaly detection.
And, Dickinson warns, there needs to be good integration across cloud, DevOps and automation workflows.
“Don’t just think about your on-prem, you have to think about cloud. And you’ve got to look at where a lot of these are created – in the DevOps process – and make sure they are all picked up in the early stages and follow good governance.”
Rounding out Dickinson’s list of ‘key fundamentals’ is having strong auditable compliance and certification processes to enable tracking and logging of what is happening.
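As an added example (not from the article, SailPoint or any product), the following Python check applies the fundamentals above to a constructed machine-identity inventory: it flags missing ownership, excessive privilege, overdue rotation, expiring certificates and dormant accounts, and returns an auditable findings record. The thresholds, role names and inventory entries are assumed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Governance thresholds: assumed policy values for this example, not from the article
MAX_KEY_AGE_DAYS = 90          # credentials must be rotated at least every 90 days
CERT_EXPIRY_WARNING_DAYS = 30  # flag certificates expiring within 30 days
DORMANT_DAYS = 180             # unused this long -> candidate for retirement
HIGH_PRIVILEGE_ROLES = {"domain admin", "global admin", "owner"}

@dataclass
class MachineIdentity:
    name: str
    kind: str                   # service_account, api_key, certificate, bot
    owner: str | None           # accountable person or team; None = unowned
    roles: set[str]
    last_rotated: date | None   # None = never rotated since creation
    expires: date | None = None # certificates only
    last_used: date | None = None

def review_identity(ident: MachineIdentity, today: date) -> list[str]:
    """Governance findings for one identity; an empty list means compliant."""
    findings = []
    if not ident.owner:
        findings.append("no owner assigned")
    excessive = ident.roles & HIGH_PRIVILEGE_ROLES
    if excessive:
        findings.append("excessive privilege: " + ", ".join(sorted(excessive)))
    if ident.last_rotated is None:
        findings.append("credential never rotated")
    elif (today - ident.last_rotated).days > MAX_KEY_AGE_DAYS:
        findings.append(f"rotation overdue by {(today - ident.last_rotated).days - MAX_KEY_AGE_DAYS} days")
    if ident.expires is not None and (ident.expires - today).days <= CERT_EXPIRY_WARNING_DAYS:
        findings.append("certificate expired" if ident.expires < today else "certificate expiring soon")
    if ident.last_used is not None and (today - ident.last_used).days > DORMANT_DAYS:
        findings.append("dormant: candidate for retirement")
    return findings

def governance_report(inventory: list[MachineIdentity], today: date) -> dict[str, list[str]]:
    """Auditable record of non-compliant identities: name -> findings (compliant ones are omitted)."""
    return {i.name: f for i in inventory if (f := review_identity(i, today))}

# Constructed sample inventory standing in for the output of a discovery scan
TODAY = date(2026, 1, 20)
INVENTORY = [
    MachineIdentity("svc-build-agent", "service_account", None, {"domain admin"}, date(2024, 3, 1)),
    MachineIdentity("api-key-billing", "api_key", "finance-platform", {"billing.read"}, date(2025, 12, 1)),
    MachineIdentity("cert-edge-tls", "certificate", "netops", set(), date(2025, 11, 1), expires=date(2026, 2, 5)),
    MachineIdentity("bot-legacy-report", "bot", "data-team", {"db.read"}, date(2025, 11, 15), last_used=date(2025, 5, 1)),
]
```

Running `governance_report(INVENTORY, TODAY)` leaves the compliant billing key out and lists the unowned, over-privileged build agent with its stale credential, the soon-to-expire certificate and the dormant bot.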
“Once you start putting all these key fundamentals in, it reduces risk, supports automation better and prepares government agencies and enterprises for the next step, which is really around the AI-driven operations side.”
He warns, too, that it’s not a quick fix. Full governance can take one to three years, requiring collaboration between IT, identity teams and business stakeholders. The payoff, though, is resilience, safer automation and readiness for future technology.