The Other 99%: The Non-Human Identities Quietly Running — and Wrecking — Your Network
An AI social network just leaked 1.5 million API keys belonging to its bots. It's a preview of the biggest blind spot in security: the non-human identities that now outnumber your people 40-to-1 — and the agents minting thousands more every day.
👋 Welcome to Unlocked
Earlier this year, a social network called Moltbook sprang a leak. The twist: almost none of its users were people. Moltbook is a playground for AI agents, and a single misconfigured database handed anyone who wandered by 1.5 million API authentication tokens — the credentials those agents use to act, spend, and sign in on behalf of the humans who built them.
No password was phished. No employee clicked anything. The keys were just sitting there, waiting.
Moltbook is a curiosity. The thing it points at is not. The most valuable credentials in your environment increasingly don't belong to a person at all — they belong to a script, a service account, an API integration, or an AI agent that nobody remembers creating. And those identities now outnumber your employees by a margin that should keep you up at night.
This week we dig into the fastest-growing and least-governed attack surface in security: the non-human identity — why the machines logging into your systems vastly outnumber the people you spend all day protecting, and why attackers have already noticed.
🔑 What's Actually Happening
For twenty years, "identity security" meant people. You provisioned a human, gave them a password, bolted on MFA, and offboarded them when they left. The whole discipline was built around a person sitting at a keyboard.
That model is now a rounding error. Every API key, OAuth token, service account, certificate, workload credential, and bot login is a non-human identity (NHI) — and modern software runs on millions of them. Agentic AI poured gasoline on the fire: every AI agent you deploy spins up its own credentials to reach the tools, databases, and SaaS apps it needs, and it does so at machine speed, minting new secrets faster than any human team can track.
This isn't a forecast anymore. Sophos's State of Identity Security 2026, published in late May, found that weak management of non-human identities was the single root cause of 41% of successful identity breaches over the past year. The World Economic Forum calls NHIs "agentic AI's new frontier of cybersecurity risk." The blunt version: most organizations have no idea how many machine identities they have, who owns them, or what they can touch — and attackers have figured out that an unmanaged token is a far easier way in than a human password.
📉 The Numbers
- 40–100:1 — the ratio of machine identities to humans in a typical enterprise environment.
- 4.2 million — non-human identities discovered at one Fortune 500 bank that went in expecting to find roughly 50,000 human accounts.
- 71% — organizations hit by at least one identity-related breach in the past year (Sophos, May 2026).
- 41% — share of those breaches whose root cause was weak management of non-human identities.
- $1.64 million — average cost to remediate a successful identity breach.
- 12,520 — internet-exposed MCP services counted by Censys, most of them unauthenticated.
- 1.5 million — API tokens exposed in the Moltbook leak, from a platform whose users are bots.
🔍 Three Reasons Non-Human Identity Is the New Front Line
1. Agents create identities faster than anyone can govern them.
A human joins once. An AI agent provisions credentials continuously — a key for the database here, an OAuth grant for the CRM there, a token for the internal API over there — and it never stops. Most teams still manage all of this the way they did in 2019: spreadsheets, manual rotation schedules, and shared keys that quietly never expire. You cannot govern at machine speed with a process built for annual access reviews.
2. The plumbing for AI agents shipped insecure.
The Model Context Protocol (MCP) is the standard wiring connecting agents to enterprise tools — and it ships with no authentication enabled by default. The damage is showing up in real time. In June alone, researchers at Adversa AI disclosed SymJack, a symlink-hijack flaw that broke six AI coding agents at once, and TrustFall, a one-click remote-code-execution bug that reached Claude Code, Cursor, Gemini CLI, and GitHub Copilot through a single regressed trust dialog. A separate automated sweep of roughly 40,000 MCP server repositories produced 67 new CVEs, and the NSA published its own guidance on locking MCP down. When the Clawdbot agent ecosystem was breached earlier this year, exposed instances gave up full conversation histories, environment variables, API keys, and internal service tokens. The default configuration was the vulnerability.
3. Nobody offboards a robot.
When an employee leaves, a process kicks in. When a service account or AI integration is abandoned, nothing happens — the credential lingers, fully privileged, often for years. These identities rarely get MFA, rarely get rotated, and almost never get a leaver workflow. The pattern keeps repeating: in early May, AI-evaluation startup Braintrust had to tell every customer to rotate their keys after its AWS account was breached, and the April Vercel breach showed how one OAuth trust relationship, inherited from a compromised third-party AI vendor, can cascade straight into internal systems. One unmanaged trust, one quiet door left open.
🛡️ What This Means for Your Access Layer
Inventory before you govern.
You cannot protect what you've never counted. The first move is an honest census of every API key, service account, token, certificate, and agent in your environment — and a name attached to each. Most teams are genuinely shocked by the number.
Kill the long-lived secret.
The static key that never expires is the NHI equivalent of a sticky note under the keyboard — and "deleted" doesn't always mean dead. In May, researchers found that Google API keys still worked for up to 23 minutes after deletion, long enough to run up Gemini charges and pull cached data. Move to short-lived, automatically rotated credentials issued from a vault. A secret that lives for minutes is worth far less to an attacker than one that lives forever.
Treat every agent like a privileged user.
An AI agent with broad, standing access is a privileged account that never sleeps — and it can spin up sub-agents that mint their own credentials with little oversight. Scope its permissions to the minimum it needs, time-box its tokens, and log what it does. "Least privilege" has to extend to the machines, not just the people.
Lock down MCP and OAuth trust.
If you're deploying agents, require authentication on every MCP server — never trust a default — and audit the OAuth grants connecting your SaaS estate. Every third-party integration is a trust relationship someone can inherit. Review them like you'd review a new hire's access.
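One way to turn the four recommendations above into a repeatable check, as an added example that is not the newsletter's code: a small Python audit run over a constructed NHI inventory, flagging ownerless, never-expiring, stale, over-scoped and unauthenticated machine identities. The record fields, policy thresholds and audit date are all assumptions.

```python
"""Added example: policy audit over a constructed non-human-identity inventory.
Record fields, thresholds and the audit date are assumptions, not the page's."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)   # assumed audit time
MAX_AGE = timedelta(days=90)                        # assumed rotation window
BROAD_SCOPES = {"*", "admin", "owner"}              # assumed standing-power scopes

# Constructed inventory: one dict per machine credential (hypothetical ids).
INVENTORY = [
    {"id": "svc-billing-db", "kind": "service_account", "owner": "payments-team",
     "created": "2026-05-01", "expires": "2026-06-16", "scopes": ["db:read"],
     "auth_required": True},
    {"id": "agent-crm-sync", "kind": "ai_agent", "owner": None,
     "created": "2024-02-10", "expires": None, "scopes": ["*"],
     "auth_required": True},
    {"id": "mcp-ticket-tools", "kind": "mcp_server", "owner": "it-ops",
     "created": "2026-06-01", "expires": "2026-06-30", "scopes": ["tickets:write"],
     "auth_required": False},
]

def _date(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc) if s else None

def audit(record, now=NOW):
    """Return the list of policy findings for one NHI record, in check order."""
    findings = []
    if not record.get("owner"):
        findings.append("no-owner")                   # inventory before you govern
    exp = _date(record.get("expires"))
    if exp is None:
        findings.append("never-expires")              # kill the long-lived secret
    elif exp < now:
        findings.append("expired-still-present")      # nobody offboards a robot
    if now - _date(record["created"]) > MAX_AGE:      # age since issue, no rotation log
        findings.append("past-rotation-window")
    if BROAD_SCOPES & set(record.get("scopes", [])):
        findings.append("over-broad-scope")           # least privilege for machines
    if record["kind"] == "mcp_server" and not record.get("auth_required"):
        findings.append("mcp-unauthenticated")        # never trust a default
    return findings

def audit_inventory(inventory, now=NOW):
    """Map credential id -> findings, omitting records that pass every check."""
    return {r["id"]: audit(r, now) for r in inventory if audit(r, now)}

if __name__ == "__main__":
    for cid, f in audit_inventory(INVENTORY).items():
        print(f"{cid}: {', '.join(f)}")
```

Feed it a real export from your secrets manager, cloud IAM and MCP deployment list, and the findings list becomes the first draft of the census the section asks for.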
🔑 The Bottom Line
Identity is still the battlefield — that hasn't changed. What's changed is who holds the credentials. The attacker's easiest path into your network in 2026 doesn't run through a person at all; it runs through the millions of silent, over-permissioned, never-rotated machine identities humming away beneath your security program. The perimeter you've hardened was built to stop people. The identities breaking in aren't people.
💡 Unlocked Tip of the Week
Ask your team one question this week: "How many non-human identities do we have, and who owns the ones with production access?" If the answer is a confident number with names attached, you're ahead of most of the industry. If it's a pause and a guess, you've just found your most urgent project — and almost certainly your largest blast radius.
🔥 Final Takeaway
The non-human identity isn't a niche edge case. It's the majority of your network, and it's the part you've been governing the least.
1.5 million keys on a network of bots. 4.2 million identities behind 50,000 humans. The root cause of 41% of last year's identity breaches. None of it required a clever exploit — just an identity that should never have had standing access, and no one to ask why it did.
The organizations that come through this in better shape won't be the ones with the most monitoring. They'll be the ones that decided identity — human and machine — should be bound to something that can't be copied, scoped to the minimum, and expired the moment it's no longer needed. Hardware-bound, phishing-resistant credentials close that door for your people; least-privilege, short-lived secrets close it for the machines. Same principle, two fronts.
The bots already have the keys. The only question is whether you know which doors they open.
Stay ready. Stay resilient.
Until next time,
