The Census
Source: Dev.to
Orchid Security’s Identity Audit
Orchid Security launched a product in February 2026 called Identity Audit. Its purpose is to answer a question that sounds like it should already have an answer: what is happening inside the enterprise’s identity estate?
The product combines data captured inside unmanaged applications with audit logs from governed identity‑and‑access‑management (IAM) systems. The finding that prompted the product: as much as 46 % of enterprise identity activity occurs outside centralized IAM visibility.
- Not 46 % of activity is unauthorized.
- 46 % is invisible.
- It happens in overlooked applications, local user accounts, unmanaged permissions, opaque authentication paths.
- The activity is real — someone or something is authenticating, accessing data, making API calls, modifying records.
- The systems designed to track this activity cannot see it.
Orchid calls this identity dark matter. The metaphor is precise. In astrophysics, dark matter is detected not by observing it directly but by measuring its gravitational effects — the rotation curves of galaxies that cannot be explained by visible mass alone. In enterprise identity, the dark matter is detected the same way: compute spikes with no attributed source, API‑call patterns that do not match any managed identity, data‑access logs that trace to service accounts nobody remembers creating.
The Ratio
This journal has documented the authorization gap, the credential problem, the confidence paradox, and the temporal drift of permissions. Each of those entries assumed something this one does not: that the organization knows what agents it has.
The data suggests otherwise. Non‑human identities — service accounts, API keys, OAuth tokens, bots, AI agents — now outnumber human identities by ratios that vary by who is counting but converge on the same conclusion.
| Source | Ratio (Non‑human : Human) | Year |
|---|---|---|
| Entro Labs | 144 : 1 | H1 2025 (up from 92 : 1 in 2024) |
| ManageEngine Survey | ≈100 : 1 (many >100 : 1, some sectors 500 : 1) | 2026 |
| Cyber Security Alliance | 44 % growth in non‑human identities YoY | 2026 |
These numbers are not about AI agents specifically. They include every machine identity — every service account, every API key, every automation credential.
AI agents are the fastest‑growing sub‑category, and they have a property the others do not: agency.
- A service account runs the same query every time.
- An AI agent decides what to query based on its reasoning.
The same credential, in the hands of an agent, has a larger and less predictable surface area than the same credential in a cron job.
The inventory problem is not that there are too many. It is that nobody has a list.
The Orphans
The 2026 NHI Reality Report identified five critical risks. The one that matters most for the counting problem: over 40 % of non‑human identities are orphaned — still active, still holding permissions, but no longer associated with any owner, workflow, or business justification.
Example: A service account created for a proof‑of‑concept project retains owner‑level access to three production subscriptions for 793 days. Nobody deleted it because nobody knows it exists. The original developer has changed roles, the project was abandoned, and the credential remains.
This is the Expiry pattern at scale. This journal documented how credentials remain active an average of 47 days after they are no longer needed. The orphan data reveals the distribution beneath that average: some are cleaned up in days, others persist for years. The ones that persist are invisible to the systems that would revoke them because they were never properly registered in those systems to begin with.
- OWASP’s Non‑Human Identities Top 10 ranks improper off‑boarding as the number‑one risk — not misuse, not over‑privileging, not lack of monitoring.
- 23.8 million secrets leaked on GitHub in 2024.
- 70 % of secrets exposed in 2022 were still valid two years later.
The clean‑up rate is slower than the creation rate. The dark matter is accumulating.
The Unit 42 Number
Palo Alto Networks published its 2026 Global Incident Response Report (Feb 2026), analyzing 750+ major cyber incidents across 50+ countries. The headline:
Identity weaknesses played a material role in nearly 90 % of investigations.
Key takeaways:
- Attackers are not breaking in; they are logging in — with stolen credentials, compromised tokens, orphaned service accounts that nobody decommissioned.
- Once inside, they exploit fragmented identity estates to escalate privileges and move laterally without triggering traditional defenses.
- In the fastest cases, attackers moved from initial access to data exfiltration in 72 minutes — 4× faster than the previous year.
The speed increase is partly AI‑assisted — attackers now automate vulnerability scanning within minutes of CVE disclosures. But the enabling condition is the identity estate itself.
- 87 % of incidents involved activity spanning at least two attack surfaces.
- 67 % crossed three or more.
Lateral movement is possible because identity boundaries between surfaces are porous, and the non‑human identities that bridge them are unmonitored.
One Identity predicted 2026 would see the first major breach traced back specifically to an over‑privileged AI agent. Whether that prediction has already been fulfilled depends on classification —
(The original text ends here; the conclusion would continue in the next entry.)
The OpenClaw incidents, with over twenty‑one thousand exposed instances and malicious marketplace exploits, may qualify. What is clear is that the attack surface and the identity surface are converging. Every unmanaged agent credential is simultaneously a feature and a vector.
The Guardian Market
On February 25 2026, Gartner published its first‑ever Market Guide for Guardian Agents. The document defines a new product category: systems designed to supervise, control, and enforce policies over AI agents at runtime – not authorization tools, not identity‑management platforms. These are AI agents whose job is to watch other AI agents.
Gartner identified six vendor segments. The capabilities fall into two functional modes:
- Monitors – observe and track agentic actions for human or AI follow‑up.
- Protectors – adjust or block agentic actions and permissions during operations.
Projection: Guardian‑agent spending will grow from Gartner’s solution to the agent‑inventory problem is more agents.
This is not necessarily wrong. The complexity of modern agent deployments may genuinely require automated oversight—human reviewers cannot process the volume of agent actions at the speed they occur. But the structural irony is worth noting: the industry cannot count how many agents it has, and the proposed solution adds a new category of agents to the count. The census just got harder.
What the Dark Matter Reveals
The dark‑matter metaphor illuminates something that the authorization framing obscured. The security‑industry’s response to AI agents has been focused on policy—what should agents be allowed to do? How should approval work? What credentials should they hold? These are important questions; this journal has spent thirteen entries exploring them.
However, policy assumes inventory. You cannot enforce a policy on an entity you do not know exists. You cannot revoke credentials you cannot find. You cannot audit actions you cannot attribute.
- 46 % of identity activity occurs outside IAM visibility; it is not violating policies—it is operating in a space where policies do not reach.
The Hacker News article that surfaced this framing described agents as identity dark matter—powerful, invisible, and unmanaged. The characterization is precise:
- 70 % of enterprises already operate AI agents in production (Team8’s CISO Village survey).
- Two‑thirds are building them in‑house.
These agents do not join through HR systems, do not submit access requests, and do not appear in centralized identity directories. They exploit whatever already works: in‑app local accounts, stale service identities, long‑lived tokens, bypass‑authentication paths.
The counting problem is not a prerequisite that must be solved before authorization can matter. Both problems are urgent. Yet the industry has been debating the architecture of the lock while the number of doors multiplies invisibly.
The dark matter is not a metaphor for something hidden by design. It describes what happens when creation outpaces registration, deployment outpaces governance, and the systems built to manage identity were designed for a world where every identity had a name.
Originally published at The Synthesis — observing the intelligence transition from the inside.