New Research Highlights Growing Risks in Enterprise Identity Management Amidst AI Integration
In a revealing development within the realm of enterprise identity management, Orchid Security published its latest Identity Gap: 2026 Snapshot report on May 19, 2026. This research sheds light on the increasingly precarious state of identity governance, demonstrating that a substantial portion of enterprise identities now eludes the reach of traditional identity and access management (IAM) systems. The report identifies a troubling trend dubbed "identity dark matter," indicating that unobserved identities now dominate the landscape, accounting for 57% of identities compared to 43% for visible ones.
This alarming shift becomes more significant as organizations rapidly adopt AI agents to enhance operational efficiencies. These agents not only depend on existing identity frameworks but also exacerbate vulnerabilities by operating outside conventional oversight. Traditional IAM systems were primarily designed to manage human identities, leaving a considerable gap when it comes to managing non-human entities. As a result, organizations find themselves at increased risk of identity exposure as AI agents actively engage with and exploit these unmanaged identities.
Key Findings Underline Severe Identity Management Conflicts
Among the notable findings of the report, a staggering 67% of non-human accounts are created directly within applications, which makes them invisible to standard IAM programs. This creates a hazardous situation in which organizations lack real-time visibility into the actions these agents perform and the access they use.
Further compounding this issue, the report indicates that an overwhelming 70% of enterprise applications harbor an excessive number of privileged accounts. This situation dramatically heightens the risks associated with misuse or potential compromise. Almost 57% of applications bypass centralized identity providers, while 40% of accounts remain orphaned—accessible long after their associated users have departed. Alarmingly, 36% of credentials are hardcoded, frequently stored in clear text directly within application code, heightening security vulnerabilities.
Roy Katmor, CEO and co-founder of Orchid Security, voiced concerns regarding this crisis, noting, “Enterprise identity has crossed a dangerous threshold: the identities we can’t see now outnumber the ones we can. In the age of Agent AI, this poses an operational crisis. They act in real-time without waiting for reviews, interpreting any available access. If organizations cannot comprehend and govern every identity, their ability to scale AI safely is greatly undermined.”
The Role of Non-Human Accounts in Identity Management Vulnerability
The report emphasizes that non-human accounts, which have traditionally posed risks due to their inherent access privileges, now represent a significant oversight, particularly in the era of Agent AI. Unlike their conventional counterparts (machines and bots that execute pre-defined tasks), Agent AI operates unpredictably, further complicating risk assessments.
The issue is compounded by a considerable disconnect between formal IAM frameworks and how access actually works. Despite organizations investing heavily in centralized identity directories and authentication methods, a marked number of applications flout these controls. Almost three out of four applications harbor excessive privileged accounts, more than half bypass centralized identity providers, and one-third store sensitive credentials in clear text.
Katmor underscored the importance of addressing these vulnerabilities, stating, “Organizations have fortified their main access points, but our research reveals that identity risks are increasingly lurking in local accounts, unmanaged access routes, and hardcoded credentials.”
Understanding Compounding Risks and Solutions to Identity Management Challenges
The report outlines what Orchid Security terms “toxic combinations,” which comprise overlapping identity vulnerabilities that significantly amplify risks. These combinations include orphaned accounts with elevated privileges, applications that disregard centralized identity protocols while housing credentials in clear text, and dormant accounts lacking oversight.
As organizations delve deeper into AI integration, the ramifications of these toxic combinations can lead to unmonitored access paths, dangerously enhancing the likelihood of security breaches.
“With organizations hastily deploying AI agents for automation, they risk creating more significant identity gaps that not only become increasingly apparent but also more exploitable,” Katmor warned. “AI agents are programmed for efficiency; they will discover and utilize the easiest, often unintended, access channels within an enterprise.”
The Growing Disconnect Between Identity Intent and Enterprise Reality
The findings also highlight a widening chasm between organizations’ intentions for identity management and the reality of access dynamics within their environments. Many enterprises lack awareness of how access actually functions beyond standard IAM frameworks, generating an environment resistant to effective risk management, particularly with the onset of AI agents.
Katmor stressed the urgency of fortifying the foundation of enterprise identity, stating, “Identity programs might appear robust on paper, but the majority of identity-related activities transpire outside official channels. This is where the most severe security and compliance risks emerge.”
Conclusion and Future Directions
The Identity Gap: 2026 Snapshot draws attention to the urgent need for organizations to reevaluate their identity management strategies, particularly as AI adoption accelerates. By identifying and addressing these under-explored realms of identity dark matter, businesses stand a chance of mitigating the escalating cyber, compliance, and operational threats to their operations at machine scale.
In conjunction with its report, Orchid Security is participating in Identiverse 2026, where industry leaders can seek insight into managing these complex identity challenges effectively. The company emphasizes that addressing identity vulnerabilities now will be paramount in ensuring safe AI agent deployment in the forthcoming era of digital transformation.

