Machine identities represent a massive and growing cybersecurity blind spot in today's rapidly evolving digital landscape. According to a CyberArk report, 78% of APAC organisations have already been breached through compromised machine identities in the past year. Over the next year, projections show a 150% surge in machine identities in the region due to AI and cloud adoption. As the attack surface expands, the threat is no longer merely operational but national.
To make matters more challenging, even though the majority (94%) of organisations have some form of machine identity security program, most remain immature, with poor coordination among security, development, and platform teams. This results in fragmented control and increased vulnerability.
As cyber threats continue to evolve in complexity and scale, safeguarding digital infrastructure has become more critical than ever. This is especially true for governments and public-sector organisations that manage vast volumes of highly sensitive personal, national security, and public safety data.
Machine identity security

Rahul Dubey, vice president of Global Regulated Markets Solutions at CyberArk, explains how machine identities actually function in today's environments. He likens machine identities to human users having user IDs.
"Machines like service accounts, or the non-human accounts, need to get authenticated into the system. They need authenticators and identifiers to access the systems. Machine identity security is to make sure we have the proper access to get authenticated into the systems, whether it's development systems, production systems, getting rid of the whole CI/CD approach," he explained.
However, visibility remains a significant obstacle for most organisations.
Dubey believes that some organisations are only scratching the surface of machine identity. For over a decade, discussions have revolved around human identity security, including identity and access management, privileged access management, and endpoint privileges.
He said that companies often do not know how many certificates or keys they have and who manages them. Dubey also observed a lack of a centralised team to manage it, as well as insufficient awareness and education about the needs of machine identity.
"I'm not going to put every company in one box. Some companies are pretty mature in this. The majority of companies are beginning to develop a strategy for machine-level security. This is where they require participation and collaboration, along with identity security providers like us," he said.
Automation and machine identity security
The rapid shift toward automation has further complicated the landscape, creating more machine identities. As development has moved to CI/CD and automation, machines now perform tasks previously done by humans. The concerns this raises include ensuring machines have the correct privilege levels, preventing "god mode" access, and monitoring and auditing machine actions.
"We are not giving them godly access. There needs to be some guidance over there to ensure we are reviewing and putting checks and balances in place for those agents. Because if there's a malicious attack and someone gains control of those agents, they will have given them unauthorised access. So, we need to look at protecting the agentic AI agents also over there," Dubey reiterated.
For Dubey, identity security now extends beyond just humans and machines. According to him, the third pillar of identity security is AI identity.
"It's a combination of human and machine and AI. Are the companies there yet? This is where we have to build that culture, build that awareness, build that knowledge with them. If they're open, we don't like to force it from our side; we're actually contributing to their journey if they are open to it," he said.
Machine identity security, a national security issue
As machine identities expand across critical sectors, the risk moves from organisational to national scale. Critical infrastructure depends on connected machines (utilities, banking, government services). Compromise of machine identities can impact citizens, expose confidential government data, and cause operational and economic disruptions. This makes machine identities a foundation of digital trust.
Dubey posits that securing data is fundamental, saying, "It all starts from data, because data is key for everyone. We talk about customer data, metadata, and telemetry. We can also see patterns in that data when securing critical infrastructure. But we need to make sure what the end goal is over here? Our end goal is to secure the data."
Yet achieving this requires more than technology; it requires people. To safeguard machine identities, Dubey argues that a cultural shift is needed. He said that organisations must embed security across teams, not just one department. It is also vital to build a security culture through education, awareness, and the development of security champions across teams.
At the end of the day, the goal is to make security an everyday practice.
Maximising limited resources and budgets
But with stretched budgets and resources, CISOs often ask where to begin. A CyberArk study reports that around 77% of the leaders with undiscovered machine entities have significant vulnerabilities.
"First of all, start looking into what exactly you can scan," Dubey said.
He adds that CISOs can focus on building the inventory and identifying unused or redundant certificates. This first step helps prioritise spending, reduce vulnerabilities and remove unnecessary certificates. Prioritisation, remediation and lifecycle management follow.
Risks of quantum computing
Looking ahead, quantum computing presents a looming threat.
Dubey admits that post-quantum threats are already beginning. Malicious actors may be harvesting encrypted data now to decrypt it later. The time to start preparing is now.
"This is where the journey already began, over here at this point. Now this is basically making sure we are effective on that," he said.
According to Dubey, the National Institute of Standards and Technology (NIST) is already working on post-quantum cryptography standards and authenticator standards for machine identities.
"The work has already begun, but it's not there yet. At this point, we're just scratching the surface here," he said.
Machine identity security by 2026
Dubey anticipates that by 2026, organisations will move beyond technology into a mindset shift.
In 2026 and beyond, Dubey hopes that organisations can focus on fostering a security culture and mindset for everyone.
"Security is for all, not for one or two companies and teams," he said.
Currently, organisations secure human identities and machine identities. But for him, the next layer is coming: AI identity. As autonomous agents operate on behalf of humans, machines, and AI systems, machines and AI systems will soon authenticate and collaborate directly with each other. He posits that the future of zero trust will be about securing not just people and machines, but the synchronisation between machine identities and AI agents.
"I'm going to be keeping an eye on what Agentic AI security means for the world, in the zero-trust environment," he said.
