As organizations rapidly adopt AI systems, autonomous agents, APIs, and AI-powered automation, identity security is becoming one of the most critical cybersecurity challenges of the AI era. According to The State of Non-Human Identity and AI Security report from the Cloud Security Alliance (CSA) and Oasis Security, AI is not creating entirely new identity problems — it is amplifying long-standing weaknesses in non-human identity (NHI) governance, visibility, lifecycle management, and access control.

The Cloud Security Alliance (CSA)/Oasis Security report, The State of Non-Human Identity and AI Security, examined how organizations adapted their identity and access management practices in response to the growing use of AI.

Some of the report’s most significant findings include:

  • only 22% of organizations have formally adopted policies for creating or removing AI identities
  • only 14% report fully automated AI identity lifecycle management
  • 51% cite unclear ownership and accountability as a major challenge
  • only 8% are highly confident that their legacy IAM systems can effectively manage AI and NHI risks
  • nearly one-quarter take more than 24 hours to rotate or revoke exposed credentials

AI adoption is accelerating across industries, but identity and access management (IAM) practices have not evolved to keep pace with the scale, autonomy, and speed of AI-driven systems. Rather than introducing a new identity paradigm, AI amplifies long-standing non-human identity (NHI) challenges—exposing weaknesses in governance, automation, and legacy IAM infrastructure. As organizations expand their use of AI, identity security remains reactive, fragmented, and highly manual. 

The survey results reveal that while organizations are eager to harness AI for speed, automation, and insight, most are still constrained by long-standing identity and access management (IAM) challenges. AI does not introduce an entirely new identity paradigm; it magnifies existing non-human identity (NHI) risks and exposes the limitations of legacy systems, governance frameworks, and operational processes.

The survey reveals four critical insights:

AI Identities Magnify Existing NHI Risks: 

Organizations classify AI identities much like traditional NHIs—service accounts, API keys, chatbots—carrying forward the same weaknesses: credential sprawl, unclear ownership, and inconsistent lifecycle controls. AI increases the speed and volume of identity creation, widening the operational attack surface. 

Organizations largely view AI identities through the same lens as traditional NHIs, inheriting the same weaknesses rather than representing a fundamentally new identity category. 

AI identities, as just another subset of NHIs, are subject to the same issues that have long challenged identity security, such as credential sprawl, unclear ownership, and inconsistent oversight. The difference is scale: AI’s ability to create, replicate, and act autonomously magnifies these risks. As AI adoption accelerates, these inherited weaknesses will be increasingly tested, exposing the limits of existing governance and lifecycle maturity.

Governance and Ownership Gaps Persist: 

Most organizations lack fully documented and consistently enforced policies for AI-identity creation and removal. Limited automation and diffuse ownership slow incident response, hinder privilege oversight, and create fragmented, reactive governance models. 

Governance remains one of the weakest links in organizations’ AI identity programs. While many enterprises have established structured oversight for human identities, the same rigor has not extended to AI identities. 

Even organizations that recognize these challenges struggle to respond effectively. When asked what most often delays their response to identity-related incidents, respondents pointed first to unclear ownership, ranking it ahead of resource constraints, complexity, and lack of visibility. This suggests that the governance issue is not solely one of bandwidth or tooling—it is a structural gap in accountability that prevents timely and coordinated action when problems arise.

The governance model for AI identities remains immature. Policies are uneven, automation is inconsistent, and ownership is diffuse. As AI systems generate identities and credentials with increasing speed, these weaknesses scale proportionally, leaving organizations with an expanding surface of unmanaged, over-permissioned, and poorly monitored access points. 

Legacy IAM Infrastructure Constrains AI Readiness: 

Confidence in existing IAM tools is low. Legacy systems were not built to manage autonomous, continuously created identities, leading to manual oversight, exception-based governance, and limited visibility into AI-generated credentials. 

AI introduces new opportunities for automation, analytics, and decision-making, but those benefits are often constrained by the limitations of legacy IAM systems. While AI-driven tools promise faster provisioning, anomaly detection, and risk response, most organizations remain anchored to infrastructure that was not built to manage the scale, autonomy, or velocity of AI and NHIs. 

The promise of identity management for AI remains largely unrealized because most organizations are still operating within frameworks and technologies that were never designed to accommodate AI-driven identities. 

Token Sprawl and Slow Remediation Expand Risk:

Tracking and managing AI-related credentials remains inconsistent. Many organizations do not monitor when AI identities are created, and rotation or revocation often takes more than 24 hours—extending exposure windows and increasing operational burden. 

More than 16% of organizations said they do not track when new AI-related identities are created, leaving a growing subset of tokens and service accounts outside formal inventory. Without automated discovery or registration, new credentials can persist undetected, often linked to ephemeral projects or integrations that never receive ongoing review. 

Addressing token sprawl will require organizations to close the gap between identity creation and control. Automated discovery, rotation, and decommissioning must become default processes, not reactive measures. Until then, every new AI identity adds to an expanding population of credentials that are poorly governed, slow to retire, and highly exploitable.

AI Governance is now an identity security challenge

Every AI system, AI agent, API integration, service account, automation workflow, and machine identity expands the organization’s attack surface. The faster organizations deploy AI, the faster identities, tokens, permissions, and credentials proliferate across environments.

At Reputiva, we believe organizations must modernize identity governance and cloud security together. That means:

  • improving visibility into non-human identities
  • implementing stronger IAM governance
  • reducing standing privilege
  • improving credential lifecycle management
  • automating discovery and decommissioning
  • strengthening privileged access management
  • implementing Zero Trust principles
  • improving security posture across AWS, Azure, and GCP

The report clearly shows that legacy IAM approaches were never designed for continuously created, autonomous AI identities operating at machine speed.

The organizations that succeed in the AI era will be those that treat AI identity governance as a core cybersecurity priority, not an afterthought.

Prepare your organization for AI-driven identity risks

As AI adoption accelerates, organizations need stronger visibility, governance, and control over non-human identities, AI agents, service accounts, APIs, and cloud access. Reputiva helps organizations strengthen:

  • identity and access management (IAM)
  • cloud security governance
  • AI readiness and AI security strategy
  • privileged access management
  • Zero Trust architecture
  • non-human identity visibility
  • AWS, Azure, and GCP security posture
  • credential lifecycle and access governance

Book a consultation to assess your organization’s AI identity security, cloud governance, and cyber resilience strategy for the AI era.
