Guide Cybersecurity IT Management

Machine identities: the attack surface your security team isn't managing

API keys, service accounts, TLS certificates and OAuth tokens outnumber human accounts by 45 to 1 in enterprise environments. Most organisations have no complete inventory of them. Attackers scan for these constantly.

CT
Cyvra Team
Cybersecurity & Compliance
25 June 2026
9 min read
Key takeaways
  • Machine identities outnumber human identities by 45:1 in enterprise environments, yet most security teams have inventoried only a fraction of them
  • Service accounts, API keys, TLS certificates and OAuth tokens are each a potential entry point if unmanaged
  • Certificate expiry causes outages; exposed API keys cause breaches; orphaned service accounts enable lateral movement
  • Secrets management tools solve the storage problem, but inventory must come before rotation
  • Zero Trust architecture only holds if machine-to-machine trust is as tightly governed as user access

What counts as a machine identity

Machine identities are credentials that systems use to authenticate with each other. A user logs in with a username and password. A machine uses something else: a TLS certificate, an API key, an SSH key, an OAuth token, a service account, or a Kubernetes service account token.

Cloud infrastructure, microservices, containers, CI/CD pipelines and third-party API integrations have multiplied machine-to-machine connections in most organisations by an order of magnitude over the past decade. Each connection needs authentication. Organisations have formal processes for user accounts. Almost none have equivalent processes for machines.

45:1
ratio of machine to human identities in enterprise environments
68%
of breaches involve compromised credentials (Verizon DBIR)
250k+
machine identities in a typical large enterprise

Why the numbers got out of hand

It accumulates in small, unremarkable steps. A DevOps team creates a service account to run a deployment pipeline. An engineer creates an API key to connect two SaaS tools. A developer adds credentials to a test environment configuration file. A container image carries a hardcoded secret from a developer's machine into production.

None of it looks like a security event at the time. By the time your security team runs its first inventory, machine credentials outnumber staff by a factor that surprises most teams.

User accounts have a natural deprovision trigger: the person leaves. Machine credentials have no equivalent. Service accounts accumulate. API keys get shared between teams and never rotated. TLS certificates expire on the day an engineer is on leave. Kubernetes tokens from a deployment two years ago stay valid, and no one knows what they were for.

How attackers exploit this

The Verizon DBIR finds compromised credentials in the majority of breaches. Machine credentials account for a large and underdefended share of that exposure.

An attacker who finds an API key in a public GitHub repository has immediate access to whatever that key authorises. A compromised CI/CD pipeline lets an attacker inject credentials into build artefacts. On a Kubernetes cluster without secrets encrypted at rest, an attacker can read them directly from etcd. A service account with excessive permissions gives an attacker a vehicle for lateral movement the moment they have it.

Detection tools built around human behaviour patterns will not flag a service account doing what service accounts normally do. That is why compromised machine credentials often go undetected for months.

User sessions expire. Machine credentials, unless someone explicitly rotates or revokes them, tend to stay valid indefinitely. An API key from a service that no longer exists may still work. A service account from a completed project two years ago may still carry domain admin rights.

Four controls that matter

1
Inventory first
You cannot manage what you cannot see. A machine identity inventory covers service accounts in Active Directory and Azure AD, API keys across cloud providers and SaaS tools, TLS certificates, SSH keys, OAuth tokens, and Kubernetes service account tokens. The initial discovery phase is the one most organisations underestimate.
2
Centralise secrets management
Hardcoded secrets in code, configuration files and environment variables are the most common source of credential exposure. Secrets managers (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) provide a central store with access controls, audit logs and automated rotation. Migration from hardcoded to managed secrets is a project in itself, but it eliminates the largest class of exposure.
3
Enforce least privilege
A service account that needs to read from one S3 bucket should not have write access to five others. Machine identities accumulate permissions because it is easier to grant broad access than to define exact requirements. A privilege review of existing machine identities surfaces more than most teams expect.
4
Automate certificate management
TLS certificate expiry is a solved problem. ACME-based automation (Let's Encrypt, AWS Certificate Manager, HashiCorp Vault PKI) renews certificates automatically before expiry. Outages from expired certificates result from manual processes in environments where automation was available and not used.
Before you rotate

Rotating secrets in bulk before you have a complete inventory creates new problems. Services that depend on credentials you didn't know about will break. Inventory first, rotate second, with automated rollback for any service that fails to pick up the new credential.

Where to start

Start with service accounts in Active Directory and Azure AD. The audit costs nothing and surfaces the highest-risk items immediately: privileged accounts with no clear owner and no recent use. Once you know what systems are in scope, API key and certificate discovery follows.

Pull credential inventory from your cloud providers early. AWS IAM Credential Reports, Azure AD App Registrations and GCP Service Account lists will not catch secrets hardcoded in repositories or third-party SaaS tools, but they give you a measurable baseline.

NIS2, ISO 27001 and most internal audit frameworks flag credential and access management as a core control area. If machine identities appear in your audit findings, a structured assessment is the fastest path to closing that gap.

How Cyvra helps

Cyvra conducts machine identity assessments, establishes secrets management capabilities, and integrates certificate lifecycle automation into existing cloud and CI/CD environments. If your last audit flagged credential management, that is where we start.

Frequently asked questions

What is a machine identity?

A machine identity is any credential a system uses to authenticate with another system: a TLS certificate, an API key, an SSH key, a service account, an OAuth token, or a Kubernetes service account token. The teams who build and run systems manage these credentials, not individual users. They outnumber user identities in most organisations, and governance over them is far weaker.

How do attackers find exposed machine credentials?

Attackers find them most often in public code repositories where developers accidentally commit credentials (GitHub, GitLab, Bitbucket), in misconfigured cloud storage and environment variable dumps, in compromised developer workstations, and in CI/CD pipeline artefacts. Automated scanning tools probe public repositories and cloud metadata endpoints around the clock, and attackers run them at scale.

What is secrets management and which tools handle it?

Secrets management is the practice of storing, controlling access to, rotating and auditing the machine credentials an application needs to run. The main platforms are HashiCorp Vault (open source and enterprise), AWS Secrets Manager, Azure Key Vault and GCP Secret Manager. Each integrates with cloud infrastructure and can automate rotation. The choice depends primarily on your cloud environment: AWS-native shops typically use Secrets Manager; multi-cloud or on-premises environments often use Vault.

How does machine identity management relate to Zero Trust?

Zero Trust requires every request to be authenticated and authorised regardless of origin. For machines, that means every service-to-service call carries a valid, current credential, holds only the permissions it needs, and produces an audit trail. Without that, Zero Trust holds for users but not for the infrastructure they depend on.

Talk to Cyvra

Ready to get visibility over your machine identities?

We help organisations find, govern and automate the credentials that most security tools overlook.

Get in Touch Cybersecurity Services

Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or professional advice. Cyvra makes no warranty as to the accuracy or completeness of this content. Readers should seek independent advice appropriate to their specific circumstances. Cyvra accepts no liability for any loss arising from reliance on this content.