Hidden Humanity: Two‑Thirds of Nonhuman Accounts Remain Unseen and Unmanaged


Key Takeaways

  • Identity “dark matter” (invisible identities) now exceeds visible identity in enterprises, accounting for 57 % of all identities versus 43 % visible.
  • 67 % of non‑human accounts are created directly inside applications, evading traditional IAM oversight.
  • 70 % of enterprise applications contain an excessive number of privileged accounts, amplifying misuse risk.
  • 57 % of applications bypass centralized identity providers, and 40 % of accounts remain orphaned after user departure.
  • 36 % of credentials are hard‑coded in clear text within code or configuration files.
  • Toxic combinations—such as orphaned privileged accounts paired with clear‑text credentials—create unmonitored access paths that greatly increase compromise potential.
  • AI agents autonomously seek and exploit the most direct access routes, often those outside IAM controls, accelerating identity exposure at machine scale.
  • Organizations must gain full observability of every identity, understand its authority, and govern its actions before safely scaling agentic AI.

Introduction: The Identity Gap Emerges
Orchid Security’s Identity Gap: 2026 Snapshot report, released May 19 2026, reveals a stark reality: the majority of enterprise identity now resides outside the purview of traditional identity and access management (IAM) systems. Drawing on anonymized telemetry from applications across North America and Europe between April 2025 and March 2026, the study spans financial services, healthcare, retail, manufacturing, and energy sectors. The findings show that what organizations can see and manage—visible identity—makes up only 43 % of the total identity landscape, while the remaining 57 % operates as “identity dark matter.” This invisible layer undermines security, compliance, and the readiness to adopt emerging AI agents that act autonomously and in real time.


Findings Overview: Scale of the Invisible Identity Problem
The report quantifies several dimensions of identity dark matter. First, invisible identities outnumber visible ones by a 57 % to 43 % ratio. Second, a striking 67 % of non‑human accounts—service accounts, bots, and machine identities—are provisioned directly within applications, bypassing centralized IAM processes. Third, privileged account proliferation is rampant: 70 % of enterprise applications host an excessive number of high‑privilege accounts, dramatically expanding the blast radius of any compromise. Fourth, 57 % of applications circumvent centralized identity providers, opting for local authentication mechanisms that sit outside governance frameworks. Fifth, 40 % of accounts remain orphaned after their associated users leave the organization, lingering as dormant but active credentials. Finally, 36 % of all credentials are stored in clear text, hard‑coded into source code or configuration files, making them trivial to extract.


Nonhuman Accounts: A Huge Blindspot at the Worst Time
Traditional IAM treats non‑human identities as low‑risk because they are assumed to follow deterministic, repetitive scripts. Indeed, 67 % of such accounts are granted broad, standing access locally, based on the premise that their behavior is predictable. However, the emergence of agentic AI shatters this assumption. Unlike static bots, AI agents are designed to pursue goals dynamically, adapting their actions in real time to satisfy a given prompt. When these agents operate unseen and unmanaged, they can leverage the same standing privileges that were once considered safe, turning them into potent vectors for misuse. The report warns that allowing agentic AI to run without visibility into the underlying non‑human accounts creates a severe operational crisis, as agents can act faster than any human review cycle.


Applications Are Overpermissioned, Unmanaged, and Vulnerable
Even organizations that have invested in a robust IAM stack—centralized directories, strong authentication via identity providers (IdPs), privileged access management (PAM), and identity governance and administration (IGA)—find their controls frequently sidestepped. The data shows that nearly three out of four applications contain excessive privileged accounts, more than one in two permit authentication through local or unmanaged pathways, and roughly one in three store credentials in clear text within code or configuration files. These conditions collectively expand the layer of unmanaged access, or identity dark matter, eroding the foundational trust that IAM is supposed to provide. As Katmor notes, enterprises have fortified the front door while leaving numerous side doors ajar.


Compounding Risk: The Rise of “Toxic Combinations”
Individual identity gaps are concerning, but their convergence creates what Orchid labels “toxic combinations,” dramatically amplifying risk. The report highlights three prevalent patterns: (1) orphaned accounts that retain elevated privileges, providing lingering backdoors; (2) applications that bypass centralized IdPs while simultaneously storing credentials in clear text, offering attackers a direct route to high‑value secrets; and (3) dormant accounts that operate without logging or oversight, enabling stealthy persistence. When these gaps overlap, they form unmonitored access paths that can be exploited with minimal detection, increasing the potential level of compromise far beyond what any single vulnerability would suggest.


The Bottom Line: AI Agents Are Accelerating Identity Exposure
As enterprises rush to deploy AI agents to automate business processes, the existing identity gaps become not only more visible but also more exploitable. AI agents are engineered for efficiency; they identify and use the most direct access routes available, irrespective of whether those paths were intended for their use. This behavior means agents will naturally gravitate toward identity dark matter—local accounts, hard‑coded credentials, excessive privileges—because those routes often require fewer authentication steps. Katmor warns that if a shortcut exists in an environment, an autonomous system will find it and act on it at machine speed, outpacing any manual review or periodic audit. Consequently, organizations that lack comprehensive identity observability are unprepared to safely scale agentic AI.


A Growing Gap Between Identity, Intent, and Reality
The findings suggest many organizations approach agentic AI implementation with an incomplete understanding of how access truly functions across their ecosystems. Security teams may trust their IAM dashboards, yet the majority of identity activity occurs outside those views. This disconnect prevents effective risk management, leaving enterprises exposed to cyber threats, compliance violations, and operational disruptions at a scale driven by machine‑speed decision‑making. Without first shoring up the foundation—gaining visibility into every identity, understanding its authority, and enforcing governance over its actions—any AI initiative risks amplifying existing vulnerabilities rather than mitigating them.


Conclusion and Recommendations
Orchid Security’s Identity Gap: 2026 Snapshot underscores that identity dark matter is no longer a peripheral concern; it is the dominant reality of enterprise access. To navigate the agentic AI era safely, companies must:

  1. Achieve full identity observability—continuously discover and map all human and non‑human identities, including those created inside applications.
  2. Eliminate toxic combinations—remediate orphaned privileged accounts, enforce centralized IdP usage, and eradicate clear‑text credential storage.
  3. Implement least‑privilege, just‑in‑time access for both human and machine accounts, reducing standing privileges that agents can exploit.
  4. Integrate AI‑aware governance—ensure AI agents are subject to the same access reviews, monitoring, and revocation processes as human users.
  5. Leverage automated orchestration platforms—such as Orchid’s Identity Control Plane—to continuously discover, analyze, and onboard applications into governance without months of manual effort.
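The three toxic combinations described earlier, and recommendations 1 and 2 above (discover every identity, then remediate the overlapping gaps), can be turned into a concrete check over an identity inventory. The following is an added example, not code from Orchid Security or from the report; the record layout, the 90‑day dormancy threshold, and the sample inventory are all constructed for illustration. It computes the share of identities unknown to central IAM, flags each of the three patterns, and lists the accounts where patterns overlap, which is where the report says compromise potential compounds.

```python
"""Flag the report's three "toxic combinations" in an identity inventory.

Constructed example (not Orchid Security's code). Field names, the
dormancy threshold and the sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Identity:
    name: str
    kind: str                 # "human" or "non-human"
    app: str                  # application that owns the account
    privileged: bool
    owner_active: bool        # False => owning person has left (orphaned)
    auth_path: str            # "central_idp" or "local"
    credential_storage: str   # "vault" or "clear_text"
    days_since_use: int
    logging_enabled: bool
    in_iam_inventory: bool    # known to the central IAM system at all?


DORMANT_DAYS = 90  # assumed threshold for "dormant"

# Constructed sample inventory: a mix of human and non-human accounts.
SAMPLE_INVENTORY: List[Identity] = [
    Identity("alice", "human", "hr-portal", False, True, "central_idp", "vault", 3, True, True),
    Identity("svc-backup", "non-human", "backup-svc", True, False, "local", "clear_text", 12, False, False),
    Identity("bot-deploy", "non-human", "ci", True, True, "local", "clear_text", 1, True, False),
    Identity("bob-admin", "human", "erp", True, False, "central_idp", "vault", 200, False, True),
    Identity("svc-report", "non-human", "bi", False, True, "local", "vault", 120, False, False),
    Identity("carol", "human", "erp", False, True, "central_idp", "vault", 5, True, True),
    Identity("agent-procure", "non-human", "procurement", False, True, "local", "clear_text", 2, True, False),
]


def dark_matter_share(inventory: List[Identity]) -> float:
    """Fraction of identities the central IAM system does not know about."""
    invisible = sum(1 for i in inventory if not i.in_iam_inventory)
    return invisible / len(inventory)


def toxic_combinations(inventory: List[Identity]) -> Dict[str, List[str]]:
    """Map each of the three report patterns to the account names that match."""
    findings: Dict[str, List[str]] = {
        "orphaned_privileged": [],      # pattern 1: owner gone, elevated rights kept
        "local_auth_clear_text": [],    # pattern 2: bypasses IdP and stores secrets in clear
        "dormant_unlogged": [],         # pattern 3: unused and unmonitored
    }
    for i in inventory:
        if not i.owner_active and i.privileged:
            findings["orphaned_privileged"].append(i.name)
        if i.auth_path == "local" and i.credential_storage == "clear_text":
            findings["local_auth_clear_text"].append(i.name)
        if i.days_since_use >= DORMANT_DAYS and not i.logging_enabled:
            findings["dormant_unlogged"].append(i.name)
    return findings


def compounded(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts appearing in two or more patterns: the overlapping gaps."""
    hits: Dict[str, int] = {}
    for names in findings.values():
        for n in names:
            hits[n] = hits.get(n, 0) + 1
    return sorted(n for n, c in hits.items() if c >= 2)


def remediation_plan(inventory: List[Identity]) -> List[str]:
    """Ordered actions following recommendation 2: orphaned privileged first,
    then clear-text secrets, then dormant unmonitored accounts."""
    f = toxic_combinations(inventory)
    plan = [f"disable and review: {n}" for n in f["orphaned_privileged"]]
    plan += [f"rotate secret, move to vault, enroll in IdP: {n}" for n in f["local_auth_clear_text"]]
    plan += [f"disable or enable logging: {n}" for n in f["dormant_unlogged"]]
    return plan


if __name__ == "__main__":
    print(f"identity dark matter: {dark_matter_share(SAMPLE_INVENTORY):.0%}")
    f = toxic_combinations(SAMPLE_INVENTORY)
    for pattern, names in f.items():
        print(f"{pattern}: {names}")
    print("compounded risk:", compounded(f))
    for step in remediation_plan(SAMPLE_INVENTORY):
        print(" -", step)
```

On the constructed sample, four of seven identities are outside central IAM, `svc-backup` and `bob-admin` fall into two patterns each, and the remediation order puts the orphaned privileged accounts first because they are the ones an unattended agent could use without any living owner noticing.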

By addressing the hidden layers of identity now, enterprises can build a resilient foundation that supports secure, compliant, and scalable adoption of agentic AI.


Orchid Security will be presenting at Identiverse 2026 (Booth #239, June 15‑18) with sessions on “Lazy” AI Agents Meeting Broken Identity Hygiene and the Identity Observability Frontier. For more information, contact Chloe Amante at [email protected].
