15th April 2026

Last month, security researchers uncovered a sophisticated attack campaign in which threat actors had compromised hundreds of organisations not by phishing a human employee, but by exploiting an unrotated API key belonging to an automated pipeline — a machine identity that had been sitting dormant, overprivileged, and unmonitored for over two years. No human ever logged in. No password was stolen. The attackers simply used a key that should have been retired long ago.

This is the reality of machine identity risk in 2026. And for most UK businesses, it’s a blind spot that’s growing faster than any other part of the attack surface.

What Is a Machine Identity?

When we talk about identity security, most people think of usernames and passwords — human credentials. But in modern IT environments, machines vastly outnumber people. Every server, container, application, API, IoT device, and automated pipeline needs to prove its identity to communicate securely with other systems. It does this using machine identities.

Machine identities include:

  • TLS/SSL certificates — used by websites, servers, and applications to authenticate themselves and encrypt communications
  • API keys and tokens — used by applications to authenticate to third-party services, cloud platforms, and internal APIs
  • SSH keys — used for server-to-server authentication and automated deployments
  • Service accounts — privileged accounts in Active Directory or cloud IAM used by applications and scripts, not humans
  • Workload identities — credentials assigned to containers, microservices, and serverless functions in cloud environments
  • IoT device certificates — used by connected devices from CCTV cameras to industrial sensors to authenticate to management platforms

According to CyberArk’s 2024 Identity Security Threat Landscape report, machine identities now outnumber human identities by approximately 45 to 1 in the average enterprise. For SMEs running cloud infrastructure, SaaS applications, and modern DevOps pipelines, the ratio is often even higher.

Why Machine Identities Are Your Biggest Unmanaged Risk

Human identity security has matured considerably. Most organisations now enforce multi-factor authentication, have password policies, and audit privileged human accounts. Machine identities, by contrast, are frequently:

  • Unknown — many organisations genuinely don’t know how many machine identities exist in their environment. They accumulate silently over years of growth and tool sprawl.
  • Overprivileged — service accounts and API keys are often created with broad permissions for convenience and never scoped down. An API key for a low-risk integration might have read/write access to your entire cloud storage.
  • Never rotated — unlike human passwords (which at least come with periodic reset nudges), machine credentials are often set once and forgotten. It’s not unusual to find API keys or SSH keys that haven’t been rotated in three or four years.
  • Shared across systems — the same service account credentials are sometimes used across multiple applications, meaning a single compromise has cascading consequences.
  • Not monitored — most SIEM and monitoring tools are tuned for human behaviour anomalies. Machine credential abuse — especially when the attacker uses legitimate credentials slowly and quietly — often goes undetected.

What Attackers Do With Compromised Machine Identities

The consequences of machine identity compromise are severe. Real-world attack patterns include:

  • Supply chain attacks — attackers compromise a CI/CD pipeline’s credentials to inject malicious code into software builds, as seen in the SolarWinds and 3CX attacks
  • Cloud resource abuse — stolen cloud service account tokens are used to spin up cryptocurrency mining infrastructure at the victim’s expense
  • Lateral movement — overprivileged service accounts are used to pivot across an environment, accessing databases, backups, and sensitive systems without triggering human-account anomaly detection
  • Certificate spoofing — expired or compromised TLS certificates enable man-in-the-middle attacks against internal services
  • Long-term persistence — attackers plant SSH keys or create new service accounts that provide persistent backdoor access, surviving password resets and incident response efforts

The NCSC has highlighted machine identity risks in multiple advisories, particularly in the context of cloud security and supply chain attacks. Their guidance on cloud security principles specifically calls out the need for identity and access management that covers non-human accounts.

How to Get Machine Identity Under Control

1. Build an Inventory

You can’t manage what you can’t see. Start by cataloguing every machine identity in your environment: TLS certificates (check expiry dates — expired certs cause outages as well as security risks), API keys and their scopes, service accounts in Active Directory and cloud IAM, SSH keys across your server estate, and IoT device credentials.

Tools like LimaCharlie provide deep endpoint telemetry that can surface hidden machine identities across your environment — including service accounts, scheduled tasks running under service credentials, and certificates installed on endpoints — giving you the visibility you need to start managing what you didn’t know you had.

2. Apply Least Privilege

Every machine identity should have only the permissions it actually needs. Audit service account privileges and remove anything unnecessary. Replace broad API keys with scoped tokens. Use cloud IAM roles with minimal permissions rather than long-lived access keys where possible.

3. Enforce Rotation Policies

Machine credentials should be rotated regularly — API keys every 90 days, TLS certificates before expiry (automate this with an ACME client against a CA such as Let’s Encrypt), SSH keys annually at minimum, and service account passwords in line with your privileged access management policy.

4. Monitor for Anomalous Machine Activity

Machine identities behave predictably — they call specific APIs, from specific IP ranges, at specific times. Deviations from that baseline are red flags. Implement monitoring that covers non-human identity activity, not just human logins.

5. Treat Machine Identities Like Privileged Accounts

Service accounts with domain admin rights should be treated with the same seriousness as human privileged accounts — vaulted, monitored, and subject to just-in-time access policies where possible.
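The five steps above can be turned into two straightforward checks: an inventory pass that flags credentials past their rotation limit (steps 1 and 3), and a baseline comparison over access logs that flags machine identities calling unexpected APIs, from unexpected networks, at unexpected hours, or with no baseline at all (step 4). This is an added illustration, not code from the original article or from any product it mentions; the identity names, networks and log lines are constructed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Rotation thresholds (days) taken from the policy in step 3.
ROTATION_MAX_DAYS = {"api_key": 90, "ssh_key": 365}
# Constructed inventory of machine identities (hypothetical names, no real secrets).
INVENTORY = [
    {"id": "ci-deploy", "kind": "api_key", "last_rotated": "2024-01-15"},
    {"id": "billing-sync", "kind": "api_key", "last_rotated": "2026-03-01"},
    {"id": "backup-host", "kind": "ssh_key", "last_rotated": "2023-06-01"},
]
# Expected behaviour per identity: source networks, UTC hours of activity, and API actions.
BASELINE = {
    "ci-deploy": {"nets": ["10.20.0.0/16"], "hours": range(24), "actions": {"storage:write"}},
    "billing-sync": {"nets": ["10.30.5.0/24"], "hours": range(1, 3), "actions": {"invoices:list"}},
}
# Constructed API access log, one event per line: "timestamp identity source_ip action".
LOG = """\
2026-04-14T01:30:12Z billing-sync 10.30.5.8 invoices:list
2026-04-14T09:12:44Z ci-deploy 10.20.7.3 storage:write
2026-04-14T14:05:01Z billing-sync 10.30.5.8 invoices:list
2026-04-14T02:10:30Z billing-sync 203.0.113.9 invoices:list
2026-04-14T02:20:05Z billing-sync 10.30.5.8 storage:list
2026-04-14T03:00:00Z legacy-export 10.30.5.4 customers:dump
"""

def stale_identities(inventory, today):
    """Return ids whose credential is older than the rotation limit for its kind."""
    return [
        rec["id"] for rec in inventory
        if (today - datetime.strptime(rec["last_rotated"], "%Y-%m-%d")).days
        > ROTATION_MAX_DAYS[rec["kind"]]
    ]

def anomalies(log, baseline):
    """Return (identity, reason) for every event that deviates from the identity's baseline."""
    findings = []
    for line in log.strip().splitlines():
        ts, ident, src, action = line.split()
        profile = baseline.get(ident)
        if profile is None:  # an identity nobody has inventoried is itself a finding
            findings.append((ident, "no baseline: unknown machine identity"))
            continue
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        if not any(ip_address(src) in ip_network(net) for net in profile["nets"]):
            findings.append((ident, f"source {src} outside expected networks"))
        elif hour not in profile["hours"]:
            findings.append((ident, f"activity at {hour:02d}:00 UTC outside expected window"))
        elif action not in profile["actions"]:
            findings.append((ident, f"unexpected action {action}"))
    return findings
```

Run against the sample data on 15 April 2026 the inventory pass reports the CI deployment key and the backup host SSH key as overdue, and the log pass reports four deviations, including the identity that has no baseline at all.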

The Regulatory Angle

Under the UK GDPR, you’re obligated to implement appropriate technical and organisational measures to protect personal data. If a compromised machine identity leads to a data breach, the ICO will want to know what controls were in place. “We didn’t know the API key existed” is not an answer that plays well in a regulatory investigation.

The incoming Cyber Security and Resilience Bill is also expected to strengthen requirements around identity and access management for in-scope organisations — including managed service providers.

Don’t Let Machines Be Your Weakest Link

Human identity security has come a long way. Machine identity security is where human identity security was a decade ago — poorly understood, inconsistently managed, and frequently exploited. The organisations that get ahead of this now will be significantly better protected as attack techniques continue to evolve.

Want to find out how Just Cyber Security can protect your business? Get in touch for a free consultation — our pricing is designed to be accessible for businesses of all sizes.