-THE WIRE THIS WEEK IN IDENTITY
N°01 · CREDENTIAL SPRAWL
The Cloud Security Alliance's 2026 analysis found AI-related secrets accounted for more than 1.27 million exposures, an 81 percent year-over-year jump, the fastest-growing category of leaked credential there is. The kicker: more than 16 percent of orgs don't track AI-identity creation at all. You can't rotate what you never knew you minted. CLOUD SECURITY ALLIANCE →
N°02 · SCALE
Non-human identities outnumber humans 45 to 1, and 144 to 1 in the cloud
Rubrik Zero Labs puts the enterprise-wide ratio of non-human to human identities at 45 to 1. Entro Labs puts it at 144 to 1 in cloud-native and DevOps environments. You are not going to govern that with a quarterly review cycle and good intentions. You need a plan that starts before the budget does. THE HACKER NEWS →
Hey {{first_name|there}},
Most identity programs treat non-human identity the way they treated cloud in 2014. Everybody agrees it matters. Nobody owns it. And the people who could fix it are waiting for a budget line that isn't coming this fiscal year.
Here's the thing. The work that actually moves a program forward almost never starts with a purchase order. It starts with someone deciding to look at what's already there. You have more leverage than you think, and most of it costs nothing but attention and a little political nerve.
So this is a 30-day plan. No new platform. No executive sign-off. No "let me build a business case" detour that dies in committee. Just the moves a practitioner can make starting Monday, with the access and tools already on your desk, that meaningfully shrink your agentic and non-human identity blast radius before the quarter ends.
The free version of this gives you the first week. The rest, the part where it actually becomes a program instead of a cleanup, is for members. Let me show you where to start.
Why 30 days, and why now
The numbers have stopped being abstract. The 2026 State of Identity Security survey from Sophos put hard figures on what most of us already felt: 71 percent of organizations suffered at least one identity-related breach in the past year, the average remediation ran 1.64 million dollars, and 41 percent of those incidents traced back to weak non-human identity management. API keys in code. Static credentials nobody rotates. Service accounts whose owner left two reorgs ago.
And the scale keeps tilting. Non-human identities outnumber human ones by something like 45 to 1 in a typical enterprise, and 144 to 1 once you're in cloud-native and DevOps territory. Meanwhile the Cloud Security Alliance found AI-related secret exposures jumped 81 percent year over year, the single fastest-growing category of leaked credential there is, and more than 16 percent of organizations don't track AI-identity creation at all. You cannot govern what you never recorded creating.
You are not going to fix that with a roadmap. You're going to fix the first slice of it with a calendar. Thirty days, four weeks, four moves.
Week 1 (free): see what you already have
You cannot govern what you cannot see, and the good news is that the seeing part is mostly free. Before you ask for a single dollar, spend week one building the inventory nobody has bothered to build.
Start with the three places NHIs hide in plain sight. Your secrets manager or vault, if you have one, is the easy list. Pull every credential, note the last-rotation date, and flag anything older than 90 days. Your cloud IAM console is the second: in AWS that's your access keys and roles, in Azure your service principals and managed identities, in GCP your service accounts. Export them. The third place is the one everyone skips, which is the application layer itself, the OAuth tokens and integration credentials that get minted when someone connects a SaaS tool to another SaaS tool. A surprising amount of it is discoverable just by reading the integrations and connected-apps pages of the platforms you already own, and it's exactly the layer the CSA data says 16 percent of orgs aren't tracking at all.
By Friday of week one you want one spreadsheet. Every non-human identity you can find, where it lives, what it can touch, when its credential was last rotated, and a guess at who owns it. It will be incomplete. That's fine. An incomplete inventory you actually have beats the perfect one you're still scoping. The act of building it will surface three or four things that make you genuinely uncomfortable, and those become your week-two targets.
That's the free half. If you do nothing else, do that, because the rest of this plan only works once you can see the field.
Everything above is the free preview; everything below is member-gated.
The rest of this one is for members
Members get the full teardown and the playbook. Join from 15 dollars a month.
Become a memberA subscription gets you:
- Deep Dive Blogs
- Identity Jedi Show Insider Access
- Expanded Commentary
- Two Months Free
- Access to Identity Jedi AI