MSSP, MSP, AI benefits/risks, API security, Identity, IAM Technologies, Network Security

Machine Identities, AI Adoption Challenge Identity Security Efforts

Non-Human Identiies

The waters around identity security are being roiled by a surge in non-human identities (NHIs), accelerating AI adoption, and continued vendor fragmentation, putting greater pressure on security teams and MSSPs to adapt their approach to identity and access management (IAM) as 2026 rolls out, according to enterprise IT management firm ManageEngine.

In a report this week, the Austin, Texas, company found that organizations are managing 100 times more machine than human identities, and that – even as organizations rapidly adopt AI – there is a sharp split among corporate leaders and their operational teams between what they expect from AI and what it delivers.

There is also a strain on security operations as companies consolidate platforms, a necessary effort to reduce the number of products and vendors they have to manage. At the same time, ManageEngine’s Identity Security Outlook 2026 found that most of the 515 senior identity and security pros in the United States and Canada surveyed said their companies plan to maintain or grow their identity security budgets this year.

While a challenge, consolidation and the simpler vendor management that it brings will help organizations better manage non-human identities at scale, deploy AI responsibly, and adapt to threats without increasing the management or financial onus, according to Ramanathan Kannabiran, director of product management at ManageEngine.

“The question is no longer ‘Are we compliant?’ but ‘Can our identity architecture support our pace of growth without amplifying risk or operational strain?’” Kannabiran wrote in the report. “The organizations answering ‘yes’ are those investing in architectural simplicity over expanding tool sets, building governance models that scale with non-human identity growth, and adopting AI-enabled identity orchestration to reduce friction and improve confidence in decisions.”

Challenges Abound

The hurdles are high. Most organizations face a ratio of machine identities to human users of 100:1, with some reaching 500:1, according to the report. About 12% have automated lifecycle management for machine identities, while the rest use manual or ad-hoc processes that don’t scale.

“The non-human identity expansion is driven by automation, cloud adoption, DevOps practices, and AI-driven orchestrations that have rapidly proliferated API keys, service accounts, OAuth tokens, TLS certificates, and secrets, such as passwords and encryption keys,” Kumaravel Ramakrishnan, ManageEngine’s director of technology, told MSSP Alert. “These identities are used across applications, scripts, bots, cloud workloads, virtual machines, containers, serverless functions, and IoT devices, creating volumes far beyond the capacity of traditional identity governance models.”

AI is accelerating the problem by creating new identities that need governance, Ramakrishnan said, noting that “every AI agent, bot, LLM (large language model), or automated system requires its own credentials.

The AI Paradox

There’s also a paradox, he said. AI is generating more identities to secure, but organizations are also turning to AI to manage this explosion of identities at scale. It's both the problem and the proposed solution. Al also puts enterprises in a bind, he said. They need AI to manage the identity complexity, but implementing AI effectively requires mature data foundations and unified visibility, which is difficult to reach with fragmented identity stacks.

Ramakrishnan noted that 66% of organizations are confident AI will deliver value, but only 44% are seeing positive outcomes now. Another gap: 68% of corporate leaders believe in AIs' near-term value, while only 27% of security pros say it's practical today.

“That 41-point gap tells you everything about the disconnect between executive expectations and operational reality,” he said.

The Need to Consolidate

Consolidating security platforms will be important, according to ManageEngine, a division of Zoho Corp. The report found that about a third of companies spend more time managing IAM vendors than they do privileged users, and that almost 75% of U.S. organizations have a fragmented IAM stack. In response, 36% are consolidating platforms, while another 46% are evaluating plans.

“Most organizations are already consolidating or actively evaluating consolidation, which signals a broad recognition that identity complexity has exceeded what current teams and tools can manage,” Ramakrishnan said. “What matters now is execution. How to sequence consolidation, allocate limited resources, and reduce disruption while systems remain in active use.”

An Evolving Role for MSSPs

The roles of MSSPs and MSPs in identity security are critical but evolving, he said. Both need to help organizations simplify identity architectures before trying to operate them, which requires them to be honest with clients about the risk created by fragmented stacks and to have the expertise to help with consolidation without vendor bias.

In addition, MSSPs need to lead on governing machine identities.

“The numbers represent a massive NHI capability gap that most in-house teams cannot close alone,” Ramakrishnan said. “MSSPs should build specialized expertise in machine identity discovery, automated lifecycle controls, and continuous monitoring across hybrid infrastructure, now more than ever. This is particularly valuable because machine identity management falls into organizational gaps, between infrastructure teams who create service accounts, development teams who generate API keys, security teams who should govern them, and operations teams who maintain them.”

Force Multipliers

MSSPs can deliver cross-functional expertise and a dedicated focus that organizations have difficulty maintaining internally. They can also provide the AI implementation expertise that clients need, manage the preparation of training data, and establish frameworks for AI-based decision-making. They also need to look at the 22-point optimism gap and understand that while AI’s promise is genuine, the path to production value is longer than vendor marketing suggests.

“Finally, MSSPs should position themselves as force multipliers for constrained teams, not substitutes,” he said. “The most valuable service providers recognize that talent scarcity is the defining constraint. They should help clients consolidate tool sprawl, automate routine processes, and build institutional knowledge rather than creating dependency.”

This comes after ManageEngine in June 2025 launched MSP Central, a unified platform MSPs can use to streamline such functions as service delivery, device management, threat protection, and infrastructure monitoring.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.

You can skip this ad in 5 seconds