Orchid warns of hidden identity gap as AI risks rise
Thu, 21st May 2026
Orchid Security has published research suggesting that most enterprise identities sit outside formal identity and access management systems, highlighting a widening gap in how organisations track human and non-human access.
The report, Identity Gap: 2026 Snapshot, found that so-called invisible identity accounts for 57% of enterprise identity, compared with 43% that remains visible to identity and access management tools. It also found that 67% of non-human accounts are created directly inside applications rather than through central identity programmes.
This matters because non-human identities now include not only service accounts, bots and machines, but also AI agents that can act across systems with little direct human oversight. Orchid argues that many existing identity controls were designed around employee access and do not reflect how application-level identities are now created and used.
The study was based on anonymised telemetry from enterprise applications deployed across North America and Europe, covering sectors including financial services, healthcare, retail, manufacturing and energy.
Key findings
Among the other findings, 70% of enterprise applications contained what the report described as an excessive number of privileged accounts. It also found that 57% of applications bypass central identity providers, 40% of accounts are orphaned after their users leave, and 36% of credentials are hardcoded in clear text within applications.
Taken together, the figures suggest a disconnect between the controls many organisations put in place at the corporate level and the way access actually operates inside individual systems. Central directories, identity providers, privileged access management tools and governance software may cover the front end of identity administration, but many local accounts and embedded credentials remain outside those controls.
Orchid describes this as "identity dark matter" - a layer of unmanaged access spread across enterprise environments. It links the trend to rising operational and security risk as businesses expand their use of AI-driven software agents.
"Enterprise identity has crossed a dangerous threshold: the identities we can't see now outnumber the ones we can," said Roy Katmor, chief executive officer and co-founder of Orchid Security.
"That was already a major security and compliance problem. In the agentic AI era, it becomes an operational crisis. AI agents don't wait for quarterly reviews. They act in real time, across systems, using whatever access the enterprise makes available to them. If organizations cannot see every identity, understand its authority, and govern its actions, they are not ready to safely scale AI."
Application blind spots
The report says the biggest blind spot lies in accounts created inside applications. These accounts are often granted broad standing access because they were originally intended for fixed, repetitive tasks such as scheduled jobs or system-to-system processes.
Orchid argues that assumption becomes harder to defend when the same structures are used by newer forms of software agents. Unlike conventional service accounts, AI agents may respond dynamically to prompts and pursue tasks across multiple systems, exposing weaknesses in identity controls already present in the environment.
The report also highlighted what it called "toxic combinations", where separate identity weaknesses overlap. These include orphaned accounts that still hold elevated privileges, applications that bypass central identity providers while storing credentials in clear text, and dormant accounts that continue to operate without logging or oversight.
In such cases, the risk comes not from a single misconfiguration but from the interaction of several weaknesses that together create access paths that are hard to detect and harder to govern.
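As an added illustration (not code from Orchid or the report), the check below flags the three overlapping weaknesses described above across an application-local account inventory; the field names, the 90-day dormancy threshold and the sample records are assumptions constructed for this example.

```python
"""Flag the 'toxic combinations' described in the article across an
application-local account inventory. Added example, not Orchid's code;
the record fields, threshold and sample data are constructed."""
from dataclasses import dataclass

DORMANT_DAYS = 90  # assumed threshold for 'dormant'; not from the report


@dataclass
class Account:
    name: str
    app: str
    kind: str                # "human", "service" or "agent"
    privileged: bool
    owner_active: bool       # False => orphaned (owner has left)
    via_central_idp: bool    # False => the app bypasses the central IdP
    cleartext_credential: bool
    days_since_use: int
    logged: bool             # is the account's activity logged anywhere?


# Each rule only fires when two weaknesses overlap on the same account,
# which is what makes the combination 'toxic' rather than a lone finding.
TOXIC_RULES = {
    "orphaned_privileged":
        lambda a: not a.owner_active and a.privileged,
    "idp_bypass_cleartext":
        lambda a: not a.via_central_idp and a.cleartext_credential,
    "dormant_unlogged":
        lambda a: a.days_since_use > DORMANT_DAYS and not a.logged,
}


def toxic_combinations(accounts):
    """Return {account name: [matching rule names]} for flagged accounts."""
    findings = {}
    for acct in accounts:
        hits = [rule for rule, check in TOXIC_RULES.items() if check(acct)]
        if hits:
            findings[acct.name] = hits
    return findings


# Constructed sample inventory (not real telemetry).
INVENTORY = [
    Account("svc_payroll_export", "payroll", "service", True, False, False, True, 12, True),
    Account("agent_ticket_triage", "helpdesk", "agent", False, True, False, True, 1, False),
    Account("batch_legacy_sync", "erp", "service", True, True, True, False, 400, False),
    Account("jsmith", "crm", "human", False, True, True, False, 3, True),
]

if __name__ == "__main__":
    for name, rules in toxic_combinations(INVENTORY).items():
        print(f"{name}: {', '.join(rules)}")
```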
"Organisations have invested heavily in securing the front door, but the research shows identity risk is increasingly concentrated in the side doors: local accounts, unmanaged access paths, hardcoded credentials, and excessive privileges that sit outside formal controls," Katmor said.
AI pressure
The report presents AI agents as a factor that increases the urgency of the problem rather than its source. In Orchid's view, the underlying issue is that many enterprises do not have a complete picture of how identity works across their applications, and AI systems are more likely to expose those gaps because they seek the fastest available route to complete a task.
That means an agent may use an unmanaged local account, inherited credential or embedded password if those options provide easier access than the official path through a governed identity platform. The result, Orchid argues, is not only greater cyber risk but also more pressure on compliance and internal control processes.
"AI agents discover and exploit identity control gaps and exposures in a way and at a speed we've never seen before," Katmor said.
"If there's a shortcut in your environment, an autonomous system will find it."
For companies investing in AI-led automation, the research suggests identity hygiene inside applications may be as important as controls applied at the perimeter of corporate systems. Orchid's data indicates that many firms still rely on an identity model that looks robust in policy terms but leaves substantial gaps in day-to-day practice.
"Identity programs look strong on paper, but most identity activity happens outside them," Katmor said.
"That's where security, compliance, and AI risks really start to build."