From Chaos to Control: Managing The Three Vs of Machine Identity

Singapore, September 25, 2025 – Machine identities, driven primarily by cloud and artificial intelligence (AI), now vastly outnumber human identities 82 to 1. This growth is set to continue, with 91% of security leaders in Singapore anticipating a continued rise in machine identities over the next year.

With AI and AI-driven agents becoming more pervasive, 87% of Singapore’s security leaders believe that securing machine identities will be crucial to protecting AI systems moving forward. As organisations integrate AI into their operations, ensuring the security of machine identities is seen as a key measure in preventing cyber threats. What’s more, with challenges like safeguarding cloud-native workloads and unique machine identities, authentication and authorisation are more essential than ever before.

This is especially crucial as Agentic AI becomes more pervasive. AI agents create, learn, adapt, and act independently. They have the ability to spin up new workloads and call APIs. They can even manage other identities and escalate privileges. In other words, agentic AI is the ultimate digital worker with full admin rights.

This level of access comes with increased risk, and an exponential complexity shift for identity security. If something goes wrong, there needs to be a way to quickly and securely isolate irregular behaviour, revoke access and roll back to the latest, safest version of the software. This is only possible if every AI agent has a unique, verifiable identity. Without it, security teams will be left wondering if the error was from an agent, a spoofed token or a compromised credential.

Challenges in Securing Machine Identities

Organisations are contending with numerous obstacles when it comes to safeguarding their machine identities. Among the most significant are:

  • Under-management: Leaders believe every undiscovered machine identity is a potential vulnerability and poor visibility exacerbates this situation.
  • Siloed ownership: Fragmented management of machine identities leads to inefficiencies and gaps in protection, especially for organisations with security, development and platform teams.
  • Changing lifecycles: As the lifecycles of credentials shorten, organisations find it difficult to keep up with their accelerated renewal and rotation requirements.
  • Cloud-native complexity: The dynamic nature of cloud environments adds challenges such as securing ephemeral workloads and their identities, a concern for security leaders.

The Three Vs of Machine Identity

Despite the rapid growth of machine identities, many enterprises still reach for manual tools, leaving them in greater technical debt. Security teams, already overwhelmed with day-to-day operations, handling urgent tickets, and keeping up to date on the latest developments in cybersecurity, are struggling to prioritise securing machine identities.

It only takes one missed security ticket for the error to escalate into a full-blown breach. And the consequences are grave; 50% of organisations have experienced a breach tied to machine identities, and outages cost approximately US$4 million annually.

It’s important to understand what these machine identity challenges are, and what approaches work best to eliminate these challenges.

The First V: Volume – When Scale Becomes Swarm

The unchecked proliferation of machine identities has evolved into a critical operational hazard. Historically a mere administrative nuisance, it now threatens system integrity and security. These credentials proliferate fast, driven by the rise of microservices, AI agents, and containerised deployments. Without robust strategies for discovery, lifecycle management, and decommissioning, organisations accumulate vast quantities of untracked machine identities, with each being an open opportunity for attackers to waltz into the organisation unannounced.

The Second V: Variety – Managing a Mix of Identity Types

Machine identity security does not conform to a universal, one-size-fits-all model. Monolithic apps versus modern CI/CD pipelines, long-lived systems versus ephemeral systems, and API keys versus secrets versus certificates are just a few examples. Organisations must manage a diverse and evolving spectrum of identity types, each with unique behaviours, expiration cycles, and privilege boundaries. This diversity demands tailored handling, context-aware governance, and specific rules of engagement.

The Third V: Velocity – The Shrinking of TLS Certificate Lifespans

TLS certificate renewals used to be completed once a year. Soon, renewal frequency will increase eightfold under the CA/Browser Forum’s phased 47-day timeline, transforming a yearly checklist into an ongoing operational cycle throughout the year. TLS certificate lifespans will shorten to 200 days starting in March 2026. In 2029, lifespans will be cut to 47 days. Keeping up with these certificates will soon become overwhelming for any team to handle, not to mention the growth in usage of certificates within organisations. Yet many organisations remain reliant on slow, manual workflows that cannot keep pace.

Machine Identity Security Cannot Be an Afterthought

Unlike human identities, machine identities cannot utilise authentication capabilities such as multi-factor authentication (MFA) using biometrics, a memorised password or an identity card or mobile phone. Given the distinct security challenges they present, machine identities must be secured through consistent identity management and robust access management.

Machine identity security cannot be an afterthought. By leveraging automation, enhancing visibility, and preparing for emerging challenges like quantum computing, organisations can help safeguard their critical systems and scale with confidence. Machine identity security is not just a technical requirement, but a business imperative for resilience and growth.

Attributed to: Ssu Han Koh, Solutions Engineering Director, CyberArk