
Volume 338, Issue 2 · IT Vendor News · Commvault

The Machine Identity Blind Spot Is Now a Primary Attack Surface

Commvault Blog, Thursday, May 14th, 2026

Non-human identities vastly outnumber human users and represent a critical, under-governed attack surface exploited through social engineering and credential theft.

Non-human identities (NHIs) such as service accounts, API keys, and OAuth tokens now outnumber human users by 144 to 1 and grow 4-10 times faster, yet fewer than 25% of organizations have formal governance policies for them.

Sophisticated attackers use voice phishing and social engineering to gain initial human account access, then pivot to the machine layer where they steal tokens and create persistent access that traditional security tools cannot detect.

Because NHIs operate with excessive permissions, lack proper monitoring, and are rarely rotated, compromised credentials can persist undetected for extended periods. Organizations must shift from prevention-first strategies to recovery-first approaches that treat NHIs as critical assets, implement strict governance, use short-lived tokens, and correlate cross-domain signals to rapidly detect and roll back malicious identity changes.
