AI Security
July 17, 202612 min

AI Agents Are Non-Human Identities Now: The 2026 Credential Sprawl Problem

Non-human identities now outnumber humans 144 to 1 in cloud environments, and most organisations still do not treat AI agents as identities with a lifecycle. Here is why agent credential sprawl became the real agentic AI risk, and how gateway-issued virtual keys close the gap.

YK

Youcef Kaddour

Founder at Odock and AI infrastructure engineer

Youcef Kaddour is the founder of Odock and an AI infrastructure engineer focused on secure LLM systems, MCP governance, runtime guardrails, and production-grade multi-provider AI architecture.

What you should take away

  • 1Non-human identities outnumber human identities 144 to 1 in cloud-native environments in 2026, up from 92 to 1 two years earlier, and AI agents are the fastest-growing category inside that number.
  • 2The gap is not awareness, most teams know agents hold credentials. The gap is lifecycle: over 16% of organisations do not even track creation of AI-related identities, and only about 22% treat agents as independent identities with rotation, scoping, and revocation.
  • 3The fix is to stop treating an agent's credential as a static secret and start treating it as a scoped, attributable, revocable identity issued and governed at the gateway, the same discipline already applied to human accounts.

Security teams spent two decades building identity programs for humans: onboarding, MFA, least privilege, offboarding. AI agents broke that model quietly, because nobody decided to treat an agent as an identity, it just started acquiring credentials, calling APIs, and spawning sub-agents the way service accounts always have, except autonomously and at a pace no static account ever moved at. The 2026 data on non-human identity sprawl says this gap is now the primary risk in agentic AI, ahead of prompt injection, ahead of jailbreaks. Here is what the numbers show and what an actual fix looks like.

The ratio that should worry you more than the prompt injection headline

Most of the 2026 conversation about agentic AI risk still centres on what a malicious prompt can trick an agent into doing. That is a real risk, and we have written about it in our MCP security risks piece. But a quieter number from this year's identity research points at something structurally bigger: non-human identities now outnumber human identities 144 to 1 in cloud-native environments, up from 92 to 1 just two years earlier, a 56% jump in the ratio in a single year, according to 2026 research aggregated by the Cloud Security Alliance and reported across the non-human identity security community. In a typical enterprise, bots, service accounts, and AI agents now outnumber human users roughly 100 to 1.

AI agents are the fastest-growing slice of that population, and they are also the least well governed slice of it. That combination, growth plus governance gap, is exactly the shape of every credential-driven breach the security industry has seen before, just compressed into a shorter timeline because agents provision and act faster than any human onboarding process ever did.

Why an agent's credential is not just another service account key

It is tempting to file "AI agent identity" under the same bucket as "service account management," a problem security teams have handled for years. The shape of the credential is similar, a key or token that authenticates a non-human caller, but the behaviour behind it is not.

A traditional service account calls the same handful of APIs in the same pattern, day after day, for years. Its blast radius is knowable because its behaviour is static. An AI agent is the opposite of static: it acquires permissions dynamically at runtime, can spawn sub-agents to delegate parts of a task, invokes external APIs and tools it was not explicitly told to call in advance, writes and executes code, and chains actions across many systems in a single session. Each of those behaviours expands what a single compromised or over-scoped credential can reach, well past what a static service account could ever have done with the same nominal permissions.

The 2026 governance data reflects exactly this gap. A Cloud Security Alliance analysis of token sprawl found more than 16% of organisations do not track the creation of AI-related identities at all, meaning an agent can come into existence, hold a credential, and act, with no inventory entry anywhere. Nearly a quarter of organisations take more than 24 hours to rotate or revoke a credential after it is potentially exposed, and 30% take over a day just to triage a high-severity leak. Meanwhile most organisations report agents are already running in production, across public cloud, on-premises, and hybrid environments. Production usage arrived before the lifecycle discipline did.

What "treating agents as identities" actually requires

The instinct in a lot of organisations is to give an agent a developer's personal token, or a shared service credential everyone already has lying around, because it is faster to ship. That shortcut is precisely what the 22% figure above describes: only about one in five organisations currently treats agents as independent identities with their own lifecycle. Doing it properly means four things, none of them exotic, all of them frequently skipped under deadline pressure.

Issue a scoped credential per agent, not a shared one. Odock's virtual API keys can be scoped to an organisation, team, or user principal, so an agent's traffic is attributable to a specific chain rather than to "whichever developer's key was handy." See scope and principals for how that chain is built.

Grant access explicitly, per model and per tool. An agent should not inherit blanket access because it is convenient. Model and MCP access grants exist precisely so an agent's reach is the intersection of what it needs, not the union of everything the organisation has ever connected. MCP security covers tool-level allow and block lists for exactly this reason.

Rotate without breaking everything downstream. The reason rotation lags for days in the wild is usually that rotating a credential means re-wiring every integration that depends on it. Odock's key lifecycle and rotation rotates in place, the key id stays constant, model access, budgets, quotas, and usage attribution stay attached, and only the secret changes. That is what turns "rotation should happen within an hour" from an aspiration into something operationally realistic.

Make every action attributable after the fact. A revoked or rotated credential answers "what can this agent do now." A usage record answers "what did this agent already do," which is the question that actually matters during an incident review.

The coming complication: agent-to-agent traffic

The identity problem gets harder as agents start talking to other agents rather than only to tools. Protocols like Agent2Agent, stewarded by the Linux Foundation since Google introduced it in 2025, let agents advertise capabilities and negotiate tasks through a machine-readable AgentCard that can declare supported auth schemes such as OAuth 2.0, OpenID Connect, API keys, or mutual TLS. That is a real step forward for interoperability, and it is explicit about what it does not solve: the protocol does not provision credentials or decide authorization for you. Researchers analysing A2A's threat surface point at fake agent advertisement, unauthorized registration, and recursive delegation loops as protocol-specific risks precisely because identity and authorization are left to whoever operates the deployment.

That gap is exactly the reason identity cannot be an afterthought bolted onto agent frameworks. Whatever protocol your agents speak to each other, something still has to answer "which credential is this, what is it allowed to touch, and can I revoke it in seconds," and that answer has to live at the layer every request actually passes through, not in each framework's own auth code.

The honest limits here

Gateway-issued identity fixes the part of the problem that is infrastructural: scoping, rotation, revocation, and attribution. It does not fix an agent being tricked by a malicious input into misusing the access it legitimately holds, that is a prompt- and content-level problem, covered by tools like Odock's SafetySec engine rather than by identity management alone. The two layers are complementary, not substitutes. An agent with a tightly scoped, rotatable identity and no content inspection can still be manipulated into misusing what it is allowed to touch. An agent with excellent content inspection but a shared, unscoped, unrotatable credential is one leaked secret away from an unbounded blast radius. You need both, and most 2026 breach data suggests organisations currently have neither in a mature state.

Where Odock.ai comes in

I built Odock's virtual API key system with exactly this gap in mind, so read the following as an interested party's take. Every application, team, user, and agent that calls through Odock gets its own scoped virtual key, with explicit model and MCP access grants, budgets, quotas, and in-place rotation, plus a usage record on every single call. That means an agent is never a shared secret pretending to be an identity, it is an actual identity with a real lifecycle, from issuance to revocation.

If your organisation already has agents in production and is part of the roughly 78% still treating them as static credentials rather than governed identities, the fix is not a bigger spreadsheet of who has which key. It is putting agent traffic behind a gateway that was built to issue, scope, rotate, and revoke identities as a first-class operation. Request a demo or start with MCP governance at Odock and give your agents an identity lifecycle before an incident forces you to build one under pressure.

Sources

What you should take away

  • 1

    Non-human identities outnumber human identities 144 to 1 in cloud-native environments in 2026, up from 92 to 1 two years earlier, and AI agents are the fastest-growing category inside that number.

  • 2

    The gap is not awareness, most teams know agents hold credentials. The gap is lifecycle: over 16% of organisations do not even track creation of AI-related identities, and only about 22% treat agents as independent identities with rotation, scoping, and revocation.

  • 3

    The fix is to stop treating an agent's credential as a static secret and start treating it as a scoped, attributable, revocable identity issued and governed at the gateway, the same discipline already applied to human accounts.

Frequently asked questions

Isn't an AI agent's API key just a service account?

It starts that way, but agents behave differently from static service accounts. A service account calls the same API in the same pattern for years. An agent acquires permissions dynamically at runtime, can spawn sub-agents, chains tool calls across many systems, and can be redirected by its own inputs. The credential is the same shape as a service account key, but the blast radius behind it is not, which is why treating it with service-account-era controls is not enough.

What does 'treating an agent as an identity' mean in practice?

It means the agent gets its own scoped credential rather than inheriting a developer's or a shared system's, that credential has explicit access grants to specific models and tools rather than blanket access, it has a budget and a quota, it can be rotated without breaking every integration that depends on it, and every action it takes produces an attributable record.

Why did non-human identity overtake prompt injection as the top agentic AI concern in 2026?

Because prompt injection is a per-request risk with a per-request blast radius, while a poorly governed agent credential is a standing risk that persists across every request the agent ever makes. IBM's data cited in 2026 identity research found 97% of AI-related security breaches involved AI that lacked proper access controls, which points at the credential layer, not the prompt layer, as the recurring root cause.

Give every agent a scoped, revocable identity

Odock issues a virtual API key per agent, team, or workflow, with explicit model and MCP access grants, budgets, and full usage records, so agent credentials stop being static secrets nobody can rotate safely.

Related articles

AI Security11 min

The 6 MCP Security Risks Every Enterprise Faces in 2026

The Model Context Protocol made it trivial to give AI agents tools. It also made it trivial to give attackers a way in. These are the six MCP security risks enterprise teams keep hitting in 2026, and the gateway controls that shut each one down.

Read article
MCP Governance8 min

MCP Server Governance: How to Give AI Agents Tool Access Without Losing Control

Agents become more powerful when they can call tools. They also become riskier unless tool permissions, audit trails, and policy checks live in a central gateway.

Read article
AI Governance11 min

Shadow AI in 2026: Why Banning Tools Fails and Governed Enablement Wins

Two-thirds of employees are already pasting real company data into AI tools nobody approved. The instinct is to block. The data says that fails. Here is the governed-enablement pattern that actually closes the gap, and how a gateway makes it real.

Read article
Security Architecture8 min

How to Build a Lifecycle-Aware AI Security Engine

Prompt safety, tool permissions, budget enforcement, and response leakage do not become visible at the same time. A real AI security engine has to enforce controls in stages.

Read article