Orchid warns of hidden identity gaps as AI risks rise

Orchid Security released research suggesting that most corporate identities are outside of formal identity and access management systems, highlighting the growing disparity in how organizations track human and non-human access.

The report, The identity gap: A snapshot of 2026, found that so-called invisible identities account for 57% of corporate identities, while 43% remain visible to identity and access management tools. It also found that 67% of non-human accounts were created directly within the application rather than through a central identity program.

This is important because non-human identities include not only service accounts, bots, and machines, but also AI agents that can operate across systems with little direct human oversight. Orchid argues that much of existing identity management is designed around employee access and does not reflect how application-level identities are currently created and used.

The study is based on anonymized telemetry from enterprise applications deployed in North America and Europe, covering sectors such as financial services, healthcare, retail, manufacturing, and energy.

Main findings

Among other findings, 70% of enterprise applications contained what the report described as an excessive number of privileged accounts. The report also found that 57% of applications bypass central identity providers, 40% of accounts become orphaned after their users leave or stop using them, and 36% of credentials are hardcoded in clear text within applications.

Taken together, these numbers suggest a disconnect between the controls that many organizations have in place at the enterprise level and how access actually occurs within individual systems. Central directories, identity providers, privileged access management tools, and governance software may cover the front end of identity management, but many local accounts and embedded credentials are outside of these controls.

Orchid describes this as “identity dark matter,” or an unmanaged layer of access spread throughout the enterprise environment. This trend is associated with increasing operational and security risks as enterprises expand their use of AI-driven software agents.

“Enterprise identities have crossed a dangerous threshold. Invisible identities now outnumber visible ones,” said Roy Katmor, CEO and co-founder of Orchid Security.

“This was already a huge security and compliance issue. In the age of agentic AI, it becomes an operational crisis. AI agents don’t wait for quarterly reviews. They operate in real time across systems, with all the access available to the enterprise. If organizations can’t see every identity, understand their permissions, and control their behavior, they’re not ready to scale AI securely.”

Application blind spots

According to the report, the biggest blind spot lies in accounts created within the application. Because these accounts were originally intended for fixed, repetitive tasks such as scheduled jobs or cross-system processes, they are often granted broad and persistent access.

Orchid argues that this assumption of fixed, predictable use becomes difficult to defend when the same account structure is reused for new forms of software agents. Unlike traditional service accounts, AI agents can dynamically respond to prompts and pursue tasks across multiple systems, exposing weaknesses in identity controls that already exist in the environment.

The report also highlighted what it called a “toxic combination” of overlapping weaknesses in individual identities. These include orphaned accounts that retain elevated privileges, applications that bypass central identity providers while storing credentials in clear text, and dormant accounts that continue to operate without logging or monitoring.

In these cases, risk does not arise from a single misconfiguration, but from the interaction of multiple weaknesses that combine to form access paths that are difficult to detect and difficult to manage.
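As an added illustration of this point (example code written for this page, not part of Orchid's report or tooling), the following Python scores a constructed inventory of application-local accounts for the individual weaknesses named above and reports only the accounts where two or more of them coincide, which is the overlap the report calls a toxic combination. The account fields, the 90-day dormancy threshold and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory of application-local accounts (not real data).
# Field names are assumptions for this example; a real inventory would come
# from an application export or an identity-discovery tool.
@dataclass(frozen=True)
class Account:
    app: str
    name: str
    privileged: bool            # holds an admin or otherwise elevated role in the app
    owner_active: bool          # the responsible human still exists in the HR/IdP record
    via_central_idp: bool       # authenticates through the central identity provider
    cleartext_credential: bool  # credential found hardcoded in config or source
    last_used: date             # last authentication or API call seen
    monitored: bool             # activity is shipped to a central log or SIEM

TODAY = date(2026, 1, 15)          # fixed "now" so the example is deterministic
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold

def weaknesses(acct: Account, today: date = TODAY) -> set[str]:
    """Return the set of individual identity weaknesses present on one account.

    Each flag mirrors one weakness named in the text. A single flag is a hygiene
    issue; it is the overlap of several that forms a hard-to-see access path.
    """
    flags = set()
    if acct.privileged and not acct.owner_active:
        flags.add("orphaned_privileged")
    if not acct.via_central_idp:
        flags.add("bypasses_idp")
    if acct.cleartext_credential:
        flags.add("cleartext_credential")
    dormant = (today - acct.last_used) > DORMANT_AFTER
    if dormant and not acct.monitored:
        flags.add("dormant_unmonitored")
    return flags

def toxic_combinations(inventory, min_flags=2, today=TODAY):
    """List accounts carrying at least `min_flags` overlapping weaknesses.

    Results are ordered worst first (most flags, then by id) so a reviewer can
    prioritise the combined access paths rather than any single misconfiguration.
    """
    findings = []
    for acct in inventory:
        flags = weaknesses(acct, today)
        if len(flags) >= min_flags:
            findings.append((f"{acct.app}:{acct.name}", sorted(flags)))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings

# Constructed records: one account with every weakness, two with a pair, one clean.
INVENTORY = [
    Account("erp", "svc_nightly_batch", True, False, False, True, date(2025, 9, 1), False),
    Account("crm", "integration_bot", False, True, False, True, date(2026, 1, 14), True),
    Account("hr", "jdoe", False, True, True, False, date(2026, 1, 10), True),
    Account("billing", "old_admin", True, False, True, False, date(2025, 6, 30), False),
]

if __name__ == "__main__":
    for account_id, flags in toxic_combinations(INVENTORY):
        print(account_id, "->", ", ".join(flags))
```

Run against the constructed inventory, the script reports the ERP batch account (all four weaknesses) first, then the orphaned billing administrator and the CRM bot (two each), and stays silent about the ordinary HR user. Raising `min_flags` narrows the output to the worst overlaps, which is usually the right first pass when an application export contains thousands of local accounts.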

“Organizations have invested heavily in securing their front doors, but research shows that risks to personal information are increasingly concentrated at the side doors, including local accounts, unmanaged access passes, hard-coded credentials, and undue privileges outside of formal control,” Katmor said.

AI pressure

This report presents AI agents not as the cause of the problem, but as a factor that increases the urgency of the problem. In Orchid’s view, the fundamental problem is that many companies do not fully understand how identity works across their applications, and these gaps are likely to be exposed as AI systems seek the fastest route available to complete tasks.

This means agents can fall back on unmanaged local accounts, inherited credentials, or embedded passwords whenever doing so is easier than the official path through a managed identity platform. The result, Orchid argues, is not only increased cyber risk, but also increased pressure on compliance and internal control processes.

“AI agents discover and exploit gaps and exposures in identity management in ways and speeds never seen before,” said Katmor.

“If there is a shortcut in the environment, the autonomous system will find it.”

For companies investing in AI-driven automation, the research suggests that identity hygiene within applications may be just as important as the controls applied at the perimeter of corporate systems. Orchid’s data shows that many companies still rely on an identity model that appears robust in policy terms but leaves significant gaps in everyday practice.

“While identity programs look strong on paper, most identity activities occur outside of them,” Katmor says.

“That’s where security, compliance and AI risks really start to rise.”
