{"id":8491,"date":"2026-06-15T10:00:00","date_gmt":"2026-06-15T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8491"},"modified":"2026-06-15T10:00:00","modified_gmt":"2026-06-15T10:00:00","slug":"governing-the-ghost-workforce","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8491","title":{"rendered":"Governing the ghost workforce"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Every enterprise security team is fighting a workforce problem they cannot see on any org chart.<\/p>\n<p>Bots, service accounts, API keys, OAuth tokens, machine certificates \u2014 non-human identities now outnumber human ones in most large organisations, often by a factor of ten to one. They authenticate constantly, operate across every environment, and when forgotten, they do not retire gracefully. They linger, accumulate privilege, and wait. Security practitioners have taken to calling them ghost identities \u2014 and the name fits.<\/p>\n<p>The security industry has had plenty of warnings. It just has not acted on them.<\/p>\n<p>Cast your mind back to the <a href=\"https:\/\/krebsonsecurity.com\/2020\/12\/solarwinds-hack-could-affect-18k-customers\/\">SolarWinds story<\/a>. The attackers did not smash through anything. They slipped in, found machine identities with significant access, and used them the way they were designed to be used \u2014 quietly, legitimately, invisibly. Eighteen thousand organisations. Months undetected. The credentials were not stolen in the traditional sense. They were just there, unmonitored, doing what attackers needed them to do.<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen\/\">Uber, 2022<\/a>. Simpler anatomy. 
A service account nobody owned. Credentials that had not been rotated in who knows how long. Found in a network share by an attacker who was already looking. That one ghost identity opened a direct path to the PAM system \u2014 and from there, everything else followed. Cloud environments. Source code. Internal tools. One forgotten credential. That was the price of admission.<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/okta-says-its-support-system-was-breached-using-stolen-credentials\/\">Okta, 2023<\/a>. Different problem, harder to solve. The credentials that mattered were not even on Okta\u2019s own infrastructure. They lived with a third-party support vendor. Technically, someone else\u2019s environment. But they carried access rights into Okta\u2019s systems, and when that vendor was compromised, the pathway was compromised too.<\/p>\n<p>Three incidents. Three different entry points. One thing in common \u2014 an identity that nobody was watching, carrying access nobody had recently justified, sitting exactly where an attacker needed it to be.<\/p>\n<p>Calling this a security problem is not wrong. It just does not cover what is coming next.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The scheduled crisis<\/h2>\n<p>In 2026, the consequences of unmanaged non-human identities take a new form. Not a breach. A calendar event.<\/p>\n<p>Machine identity certificates have finite lifespans. For much of the past decade, organisations issued them with validity windows of three to five years. Between 2020 and 2022, enterprises expanded their digital infrastructure at extraordinary speed \u2014 cloud migrations compressed into months, automation pipelines stood up under pressure, and new services connecting to other services with governance as an afterthought.<\/p>\n<p>Those certificates are expiring now. Not in ones and twos. In volume.<\/p>\n<p>The cascading failure scenario is not complicated. A certificate expires unnoticed. 
The service it supports drops. Dependent applications that are authenticated through that service start failing. Monitoring tools running on the same infrastructure miss the alert. The incident response team works on the problem without a complete picture of what connects to what. Hours pass. Sometimes a full day. What started as an overlooked credential with an expiry date becomes an outage with a revenue figure attached and a regulator taking notes.<\/p>\n<p>This has happened before on a smaller scale \u2014 a single expired certificate took <a href=\"https:\/\/theverge.com\/2020\/2\/3\/21120248\/microsoft-teams-down-outage-certificate-issue-status\">Microsoft Teams offline<\/a> for millions of users in 2020. What 2026 presents is the same failure mode, replicated across organisations that grew fast and governed poorly, hitting simultaneously.<\/p>\n<p>Certificate expiration is habitually treated as an IT operations issue. That framing does not survive contact with an outage that takes customer-facing services down for eighteen hours.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">Figure 1: The cascading failure chain.\n<p class=\"imageCredit\">Ashish Mishra<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">The structural gap<\/h2>\n<p>The root cause is not negligence. It is architecture.<\/p>\n<p>The tools organisations rely on to manage identity \u2014 role-based access controls, privileged access management platforms, access certification campaigns \u2014 were built for people. They assume an identity has an owner, a manager, and a review cycle. Non-human identities do not fit that model. They get created to solve an immediate problem, granted broad access to make the thing work, and left running long after the project moves on.<\/p>\n<p>Over-provisioning compounds the risk. Every unreviewed service account is a potential pivot point. Every dormant API key with write access is an open door. 
For ghost identities carrying legacy admin rights \u2014 and there are more of them than most organisations want to admit \u2014 the blast radius of a compromise is often organisation-wide.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>What good looks like<\/h2>\n<p>The answer is not a tool. Every vendor in this space will tell you otherwise. They are wrong about the order of operations.<\/p>\n<p>Governance comes first. Tooling supports it. And governance starts with a question most organisations cannot currently answer: what non-human identities are we running?<\/p>\n<p>That question sounds simple. It is not. NHIs do not get created centrally. They get created by developers solving problems, by platform teams standing up services, by vendors connecting their products to yours. Each decision made sense at the time. None of them got logged somewhere useful. The result, in most large enterprises, is an estate that nobody has a complete map of \u2014 and that no tool can govern until someone builds one.<\/p>\n<p>So, start there. Not with a platform evaluation. Not with a policy document. With a discovery sprint. Four to six weeks, focused on your highest-risk environments. Cloud first. CI\/CD pipelines. Third-party integrations. An imperfect inventory is still infinitely more useful than operating blind.<\/p>\n<p>While that work is running, pull your certificate expiration data. Today, not next quarter. Sort by expiry date. Filter for anything lapsing in the next eighteen months. Put a named owner against every entry \u2014 and where no owner can be identified, treat the certificate as a ghost identity. Escalate it accordingly. This one action directly addresses the 2026 expiration risk before it becomes an outage.<\/p>\n<p>Last, run a privilege audit on your highest-sensitivity service accounts. Any NHI with admin rights that has not been reviewed in the past twelve months should be treated as over-privileged until the evidence says otherwise. Assume excess. 
Prove necessity.<\/p>\n<p>None of this needs a new budget line. It needs someone to decide it is worth doing before the alternative decides for them.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The broader problem<\/h2>\n<p>One organisation fixing its NHI estate does not fix the problem. It just means one organisation is less exposed than the rest.<\/p>\n<p>The market around machine identity is still finding its feet. Ask three vendors to define the scope of NHI governance, and you will get three different answers. Lifecycle standards that should exist do not. The frameworks security teams rely on \u2014 NIST, ISO 27001 \u2014 address least privilege as a concept but stop well short of telling anyone what to do with fifty thousand unmanaged service accounts spread across a hybrid cloud environment.<\/p>\n<p>What is missing is not ambition. It is specificity. Agreed taxonomy. Shared lifecycle standards. Regulatory guidance that puts NHI governance on the same level as every other identity obligation \u2014 not buried in a footnote, not implied by a principle, but stated plainly and enforced accordingly.<\/p>\n<p>That conversation is happening. Standards bodies are moving. Regulators are paying closer attention. But the pace is measured in years, and the certificate expiration wave is measured in months.<\/p>\n<p>The expiry dates do not wait for the industry to catch up.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The deadline is built in<\/h2>\n<p>The ghost workforce does not announce itself. It does not resign or ask for a performance review. It runs until something stops it \u2014 a breach, an expiration, or a security team that finally decided to take inventory.<\/p>\n<p>In 2026, for organisations that have not mapped and governed their NHI estate, something is going to stop it. 
The only variable is whether that something is a deliberate programme or an unplanned outage.<\/p>\n<p>The runway is very thin.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><br \/><strong><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\">Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Every enterprise security team is fighting a workforce problem they cannot see on any org chart. Bots, service accounts, API keys, OAuth tokens, machine certificates \u2014 non-human identities now outnumber human ones in most large organisations, often by a factor of ten to one. They authenticate constantly, operate across every environment, and when forgotten, they [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8492,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8491","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8491"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8491"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8491\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8492"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8491"}],"wp:term":[{"taxonomy":"category","
embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}