Identity 'Dark Matter' Exposes Critical Flaw in Enterprise AI Readiness
- 57% vs. 43%: Unseen, unmanaged identities now outweigh visible, managed identities in enterprise networks.
- 67% of non-human accounts are created inside applications, bypassing centralized security.
- 70% of enterprise applications contain excessive privileged accounts, increasing breach risks.
Experts warn that the proliferation of unmanaged digital identities—especially non-human accounts—poses a critical security and compliance crisis, exacerbated by the rise of autonomous AI agents that can exploit these vulnerabilities at machine speed.
NEW YORK, NY – May 19, 2026 – By Amanda Clark
A startling new report suggests that for most corporations, the majority of digital identities are now unseen, unmanaged, and unsecured, creating a vast hidden risk landscape that experts warn is a ticking time bomb in the age of artificial intelligence. The research, published today by identity security firm Orchid Security, found that this invisible “identity dark matter” now outweighs visible, managed identities by a margin of 57% to 43% across enterprise networks.
The “Identity Gap: 2026 Snapshot” report paints a grim picture of modern corporate security, where decades of investment in identity and access management (IAM) are being systematically undermined from within. According to the findings, a staggering 67% of non-human accounts—such as those used by applications, services, and bots—are created directly inside applications, effectively bypassing and operating outside the purview of centralized security programs. This growing blind spot comes at a perilous moment, as companies rush to deploy autonomous AI agents that are uniquely equipped to discover and exploit these very gaps at machine speed.
“Enterprise identity has crossed a dangerous threshold: the identities we can’t see now outnumber the ones we can,” said Roy Katmor, CEO and co-founder of Orchid Security, in the press release. “That was already a major security and compliance problem. In the agentic AI era, it becomes an operational crisis.”
The Unseen and Over-Privileged Majority
The concept of unmanaged identities is not new, but the scale of the problem detailed in the report is alarming and resonates with broader industry trends. Cybersecurity analysts at firms like Gartner and Forrester have increasingly warned about the explosion of non-human identities, with some estimates suggesting they already outnumber human employee identities by more than 45 to one in many organizations. Orchid’s report provides stark numbers to quantify the resulting risk.
Key findings reveal a foundation riddled with vulnerabilities:
- Excessive Privilege: 70% of enterprise applications contain an excessive number of privileged accounts, dramatically increasing the potential damage from a single compromise.
- Orphaned Access: 40% of accounts are “orphaned,” meaning they remain active and accessible long after the employee, system, or process they were tied to has departed.
- Clear-Text Credentials: Perhaps most shockingly, 36% of all credentials are found hardcoded in plain text within application code or configuration files, offering a straightforward path for attackers.
These individual issues are compounded by what the report calls “toxic combinations”—overlapping security gaps that create high-speed lanes for attackers. An orphaned account that retains high-level privileges, or an application that bypasses centralized identity controls while storing passwords in clear text, represents a critical failure of basic security hygiene. The report suggests these combinations are not edge cases but are increasingly common across industries from finance to healthcare.
AI Agents: Accelerants in the Dark
While traditional non-human accounts like service bots posed a contained risk, the advent of agentic AI changes the calculus entirely. Unlike a simple script running a predictable task, AI agents are designed to be autonomous, goal-oriented, and relentless. They are built to find the most efficient path to achieve a prompted objective, and according to security experts, that path often runs through the unmanaged “dark matter” of enterprise identity.
“If there’s a shortcut in your environment, an autonomous system will find it,” Katmor warned. This sentiment is echoed by cybersecurity leaders across the industry, who increasingly view AI agents as a new class of highly privileged user that requires a completely different security model. One chief information security officer for a major financial services firm, speaking on background, referred to the problem as “governing a thinking entity.”
These agents don’t distinguish between sanctioned and unsanctioned access paths; they only see an available credential or an open API. When an organization has a significant portion of its identities operating outside of formal controls—as Orchid's report suggests is the norm—it is effectively leaving a trail of unlocked doors for these powerful new autonomous systems to find and use, whether for legitimate purposes or, if the agent is compromised, for malicious ones.
Beyond the Traditional Security Playbook
The report's findings serve as a powerful critique of traditional security postures. For years, organizations have invested heavily in securing the perimeter and managing human user access through centralized identity providers (IdPs) and privileged access management (PAM) systems. However, the data shows these controls are frequently bypassed, with 57% of applications allowing authentication through local or unmanaged pathways.
“Organizations have invested heavily in securing the front door, but the research shows identity risk is increasingly concentrated in the side doors: local accounts, unmanaged access paths, hardcoded credentials, and excessive privileges that sit outside formal controls,” Katmor stated.
This reality is forcing a difficult conversation in boardrooms and security operations centers. The established playbook, built for a world of human employees logging into a defined set of corporate applications, is proving dangerously inadequate for the sprawling, interconnected, and increasingly autonomous digital ecosystem of today. The challenge is no longer just about managing who has access, but understanding what has access, how it gained it, and what it is doing in real time.
As enterprises continue their rapid adoption of AI, the urgency to illuminate this identity dark matter is growing. The race is on to develop new tools and strategies that can provide deep, application-level visibility and enforce a policy of least privilege for every identity, human and non-human alike. Without this foundational shift, companies risk deploying transformative AI technology onto a security foundation that is fundamentally broken.