Machine Identities Outnumber Human Identities 109-to-1

Palo Alto Networks released a new identity security platform called Idira, which the company announced as generally available on May 12, 2026, in coverage tied to the product launch. Reporting around the launch cites Palo Alto Networks' 2026 Identity Security Landscape report, which states organizations manage an average of 109 machine identities for every human identity, and that AI agents account for a growing share of those identities. The report, described in media coverage, is based on a survey of 2,930 cybersecurity decision-makers worldwide, and projects machine identities to increase 77% and human identities to increase 56% over the next 12 months, with AI-agent identities expected to grow 85% in the next 12 months. The report further states that about 90% of organizations globally experienced at least one identity-related breach in the prior year, and that 91% of Australian respondents reported a successful identity-related breach in the past 12 months. Coverage of the launch reproduces a direct quote from Peretz Regev, chief product and technology officer for Idira at Palo Alto Networks: "Identity has become the new battleground of the AI enterprise. With adversaries now logging in rather than breaking in, every identity has become a target."

The figures cited highlight a rapid expansion of nonhuman identities, including machine accounts, service principals, keys, certificates, secrets, and autonomous AI agents. Industry-pattern observations note that when machine identities outnumber humans by large multiples, traditional human-centric IAM controls become insufficient, because attack surfaces expand along service-to-service and agentic workflows rather than human login events. Tool fragmentation cited in the report, where respondents report fragmented tooling adds hours to incident response, is consistent with prior studies showing identity visibility gaps slow remediation and increase dwell time.

For security and platform engineering teams, a 109-to-1 ratio magnifies privilege sprawl and the operational burden of lifecycle management for credentials and agent permissions. Observed patterns in similar markets show that rapid growth of programmatic identities tends to increase reliance on automation for discovery, rotation, and just-in-time privilege, and to raise demand for centralized policy controls that span cloud, SaaS, and developer environments. The Idira product announcement, framed in coverage as extending privileged access management to include machine and agent identities and offering zero-standing-privilege controls, aligns with these broader market responses to identity sprawl as reported by multiple outlets.

Editorial analysis: Observers should track independent validation of the report's survey methodology and the degree to which the reported growth rates for machine and AI-agent identities materialize in telemetry from cloud providers and enterprise tooling. Industry observers will also watch whether organizations adopt centralized identity control planes or continue to operate fragmented identity tooling, since the latter is flagged in the report as adding response time and operational cost. Finally, practitioners will evaluate Idira and competing offerings on three practical axes: discovery coverage across certificate, key, secret, and agent types; the granularity and auditability of just-in-time privilege controls; and integration points for incident response playbooks.