Automated accounts already outnumber people 10 to 1, and up to 92 to 1 in some firms. Your identity rules were built for humans who quit, sleep, and get offboarded.
I was in a packed RSAC 2025 session called Non-Human Identity Management when the presenter pulled up a live dashboard. Hundreds of users were logged into a company's systems. Then came the number that froze half the room: about 60% of those users weren't people. They were AI agents, each with its own credentials, each making decisions, each touching sensitive data. This wasn't a tech giant. It was a regular business with 400 employees, just trying to stay competitive.
How badly are you actually outnumbered?
More than most leaders realize, and the gap is widening fast. Gartner has reported automated accounts outnumbering humans by roughly 10 to 1 in many organizations. Entro Security Labs pegs the ratio as high as 92 to 1. Not all of those are full agents. Plenty are scripts and service accounts. The point stands: the accounts moving through your systems are mostly not human anymore.
The presenter clicked into one of those agents. In the previous 24 hours it had processed 900 customer service tickets, made 56 pricing decisions, accessed customer data more than 1,200 times, started 13 vendor payments, and updated inventory across 15 product lines. Every bit of it ran without human review. That's not a tool waiting for input. That's a digital worker with more reach than most of your staff, and it never logs off.
Why do your current identity rules break at this scale?
Because they were designed for humans, and humans behave nothing like agents. A person gets a badge, a manager, a defined job, and an offboarding day. We're handing agents the keys to real systems with almost none of that structure. The login proves who showed up at 9 AM. It says nothing about the customer records the agent pulls at 2 AM, or whether anyone still owns turning that access off.
KPMG named machine identity one of its top risks for 2026 for exactly this reason: identity rules built for people don't survive a 10-to-1 ratio, let alone 92 to 1. Most companies still run several agents under one shared service account, which means when something goes wrong, you can't even tell which agent did it. Give each agent its own credentials and the problem gets visible. Microsoft started doing this by default in May 2025, assigning every AI agent a unique identity in Entra, the way every car gets a VIN.
Is this really coming, or is it hype?
It's already here, and the forecasts only steepen the curve. Gartner predicts at least 15% of day-to-day work decisions will be made autonomously by agents in 2028, up from 0% in 2024. It also expects 33% of enterprise software applications to include agentic AI by 2028, up from less than 1%. The World Economic Forum's 2025 Future of Jobs Report found 41% of companies plan to hire fewer people because of AI.
One cybersecurity leader told me something that stuck: by 2030, human users might be the minority in most enterprise environments. My first reaction was no way. But at every security event I attended this year, the CISOs and architects in the room had stopped debating if this happens. They're planning for when. The debate is over. The math already moved.
What should you do before the agent count runs away from you?
Get ahead of the count while it's still countable. You don't need a new platform. You need one honest inventory and a rule.
Pull a list of every AI agent and automated account that can reach your systems. Most teams find agents nobody remembered turning on.
Give each agent its own identity. Kill the shared service accounts so you can see and cut access one agent at a time.
Scope every agent to its job. A support agent doesn't need your deploy tools or your payment rails.
Add an offboarding step for agents, the same way you offboard people. When the job ends, the access ends.
The edge in 2030 won't come from having the most agents. It'll come from building on solid ground today, treating each agent as a digital employee with a real job and a last day. Start now, while you still have 40 agents and not 4,000.
Frequently asked questions
What counts as a machine identity?
Any account that isn't a person: an AI agent, a service account, a bot, an automated integration between two systems. These accounts hold credentials and access just like employees do, but they don't get the management, review, or offboarding that human accounts get. That gap is why they've become a top security concern.
Is a 92-to-1 ratio realistic for a normal company?
It's the high end. Entro Security Labs reported ratios that steep in some environments, while Gartner's figure of roughly 10 to 1 is more typical. Not every one of those accounts is a decision-making agent. The safe takeaway is that automated accounts already outnumber your people, often by a wide margin.
Does giving each agent its own identity actually help?
Yes, and it's the highest-value first move. Unique credentials let you see what each agent does, cut one agent's access without locking out a person, and hold a specific agent accountable when something breaks. Microsoft building this into Entra by default in 2025 signals that per-agent identity is now the baseline, not the aspiration.
We only have a few agents. Do we still need to worry?
Yes, because the same gap scales down cleanly. A handful of agents with shared credentials and no offboarding is the small version of the 92-to-1 problem. Fixing it now, while the list is short, is far cheaper than untangling it once you have hundreds.
The bottom line on being outnumbered
The revolution isn't coming. It's logged into your systems right now, and most of the accounts moving through them aren't human. That's not a reason to panic. It's a reason to count. Winning the next five years comes down to giving every agent its own identity and its own limit before the ratio hits 92 to 1.
You can start with your own environment. The free self-assessment at verifiedagents.ai walks you through where your agents stand in about ten minutes and shows you the gaps worth closing first.
