For years, identity and access management strategies have largely centered on securing human users. But as organizations adopt more AI agents, APIs, bots, workloads and connected devices, machine identities are multiplying quickly, creating a growing security risk that many traditional IAM programs weren’t built to manage.

These nonhuman identities often need access to systems, data and applications to perform automated tasks, which introduces risk when their permissions, credentials or ownership aren’t closely governed. Below, members of Forbes Technology Council share emerging IAM priorities companies should focus on as machine identities become a bigger part of the enterprise security landscape.

Automated Lifecycle Governance

Lifecycle governance for service accounts and AI agents should be a priority. Most companies still treat machine identities like it’s 2018: Provision once, forget forever. With AI agents now spawning sub-agents, you need automatic expiration, scoped permissions and behavioral baselines per identity. Treat every machine identity like a contractor: time-boxed, scoped, monitored and revoked the moment the job is done.
- Agung Dwi Sandi, Rankpillar Group

Continuous Behavioral Validation

Identity is no longer static; it’s a dynamic signal of risk. What matters now is continuous behavioral validation of nonhuman identities. What is this identity supposed to do? What is it actually doing? Has its behavior changed? Machine identities are exploding without ownership, rotation policies or behavioral monitoring, which creates massive gaps.
- Aviv Nahum, Above Security

Access Revocation For Deprecated Identities

Nowadays, everyone is good (or should be) at provisioning machine identities. But unlike the natural cleanup mechanism when humans depart, HR is not triggering a workflow where access is revoked when microservices get deprecated, the pilot project ends, or a vendor integration is replaced. With AI agents, this will just grow by an order of magnitude.
- Rafael Pimentel Pinto, Texas State Board of Pharmacy

Human-Level Discipline For Machine Identity Security

One emerging identity and access management priority is securing machine identities with the same discipline applied to human users. APIs, bots, service accounts and AI agents now outnumber employees in many environments, creating major blind spots. Companies should prioritize automated credential rotation, least-privilege access and continuous monitoring of nonhuman identities.
- Thai Vong

Clearly Defined AI Agent Authority

Focus on authority, not just identity. As AI agents, APIs and bots take more actions, companies must define exactly what each machine is allowed to do, on whose behalf and for how long. Every machine identity should have limited permissions, expiry, audit trails and a named human owner. Otherwise, access quietly becomes unchecked power.
- Anna Drobakha, Groupe SEB

Open, Verifiable Machine Identity Standards

The priority is machine sovereignty. Automated bots and AI agents can’t be managed like humans; they don’t take breaks or change passwords. The fix is moving toward open, verifiable standards. Every machine identity must be short-lived and auditable. If you don’t own the keys to how your machines talk, you have handed over the literal keys to your kingdom.
- Mahendran Chinnaiah

Real-Time, Context-Aware Identity Security

As machine identities multiply, organizations must move beyond static IAM policies to real-time, context-aware identity security. The priority is understanding the relationships between users, applications, entitlements, agents and machine identities continuously, so teams can detect risk earlier, automate remediation and prevent excessive access before it becomes a breach.
- Shekhar Iyer, Arango

Dynamic, Intent-Based Access Control

Companies should not rely on traditional human-centric identity and access management tools and static user access reviews to manage machine and AI agent identities. Because AI agents act at machine speed through service accounts, roles and tokens, dynamic access control based upon agent intent is needed to enforce purpose-aligned, least-privilege access and continuously mitigate security risk.
- Itamar Apelblat, Token Security

Inventory And Ownership Of Machine Identities

Treat machine identities like first-class citizens: Inventory them, assign real owners and crush excessive privilege. Service accounts, app registrations and automation identities tend to accumulate API access “because it’s convenient,” and that’s exactly how risk compounds.
- Robert Bobel, Cayosoft

Visibility Into Machine Identities And Permissions

Get visibility into your machine identities and permissions. Start with the obvious stuff: What service principals are registered in Entra ID? What OAuth consents are registered? Is there a process for approving or reviewing them? Not all your machine identities will be in Entra, so broader discovery matters eventually. But if you don’t know the ones in your directory yet, it’s a good place to start.
- Grady Summers, Netwrix

Identity Provenance

Focus on identity provenance. Every API key, bot, workload and agent should trace back to a signed build, approved pipeline, human owner, purpose and expiry. If a machine identity cannot prove where it came from and why it exists, it should not get access. Provenance turns credential sprawl into governable trust.
- Pawan Anand, Persistent Systems

Execution Lineage

One of the biggest identity and access priorities emerging right now is execution lineage for machine identities. Companies know who logged in, yet many still cannot explain what an AI agent did, why it did it, what data it touched or what actions it triggered. The future of IAM is not just identity verification; it’s continuous behavioral governance.
- Doug Shannon

Real-Time Validation Of Machine-Led Transactions

As AI agents gain purchasing power on behalf of consumers, online marketplaces and payment providers will need to distinguish in real time between transactions that are valid and those that are potentially unauthorized. This will necessitate continuous risk-based assessment to establish that machine identities are legitimate, behaving as expected and still approved to act at every interaction.
- Rochelle Blease, G2 Risk Solutions

Human Ownership Of Machine Identities

Most breaches now ride in on a machine identity nobody remembers creating: a service account from a dead project, an API key that never expired, an AI agent over-permissioned for a demo and forgotten. The emerging priority is unglamorous. Every machine identity needs a named human owner, tight least privilege and a date it dies. Orphaned, immortal credentials are the real attacker.
- Sarah Choudhary, Ice Innovations

Permissions Intelligence

Prioritize permissions intelligence, proactively identifying excessive, outdated or inappropriate access rights. Automated processes often hold broad, unreviewed permissions that become hidden vulnerabilities. The emerging focus must shift from simply knowing what data exists to continuously governing who and what can access it.
- Carl D’Halluin, Datadobi

Cryptographic Verification Of AI Agent Identities

As machine identities grow, companies should prioritize cryptographically verifiable identities for AI agents. Permissions and access control are tied to identity, and confidential computing can help prove agents are trusted. Pairing identity with intent verification and human oversight can prevent agents from operating outside policy.
- Anand Kashyap, Fortanix

Runtime Identity Enforcement

In the agentic AI era, access grants permission, but it does not enforce control. Security leaders must adopt a runtime identity posture to shift the security boundary to the exact moment of action. Organizations must continuously verify who or what is acting, enforcing dynamic least privilege through explicit delegation rather than machine impersonation.
- Peter Barker, Ping Identity

Automatic Expiration For Ghost Accounts

The most basic priority is cleaning up ghost accounts. Just like people, apps and bots log into websites using passwords. However, unlike users, bots and apps never retire from their duties. In time, you’ll find yourself surrounded by keys that have no monitoring attached to them. The most important goal is to concentrate on automatic expiration. An idle key needs to be removed from your system.
- Adithyan RK, Hyring.com

Cross-Domain Identity Context

Cross-domain context is the key priority. With the surge in identities, security teams must link data across silos, identifying which accounts hold privileged access or touch sensitive resources. This context allows teams to break through noise and prioritize remediation effectively. By focusing on these high-risk overlaps, leaders ensure both human and machine identity risks are managed properly.
- Sivan Tehila, Onyxia Cyber

Contextual Assessment Of Machine-Generated Identities

The bigger machine identity risk isn’t machine-to-machine authentication. It’s machines generating identities that pass human verification. AI can produce a convincing passport, utility bill and liveness selfie at low cost. Assess digital history, device behavior and network signals before asking for a document. Synthetic identities pass document checks but rarely survive contextual assessment.
- Tamas Kadar, SEON
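Several contributors above converge on the same contractor model for nonhuman identities: a named human owner, an expiry date, scoped (least-privilege) permissions, provenance back to an approved pipeline, and removal of idle keys. The following is an added example, not code from any of the contributors or their companies; it runs that checklist over a constructed inventory of service accounts, API keys and AI agents and reports which ones should be fixed or revoked. All names, scopes and dates are made up.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed reference point and thresholds; the inventory below is sample data, not a real directory.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
IDLE_LIMIT = timedelta(days=30)
BROAD_SCOPES = {"*", "admin", "owner"}  # wildcard or tenant-wide grants that violate least privilege

@dataclass
class MachineIdentity:
    name: str
    kind: str                        # service_account | api_key | ai_agent | oauth_app
    owner: str | None                # named human owner; None means orphaned
    expires: datetime | None         # None means the credential never dies
    last_used: datetime | None
    scopes: set[str] = field(default_factory=set)
    provenance: str | None = None    # approved pipeline / signed build the identity came from

def findings(ident: MachineIdentity, now: datetime = NOW) -> list[str]:
    """Policy violations for one identity; an empty list means it passes the contractor model."""
    out: list[str] = []
    if not ident.owner:
        out.append("no named human owner")
    if ident.expires is None:
        out.append("no expiry (immortal credential)")
    elif ident.expires <= now:
        out.append("expired but still active: revoke")
    if ident.last_used is None or now - ident.last_used > IDLE_LIMIT:
        out.append(f"idle for more than {IDLE_LIMIT.days} days: remove")
    if ident.scopes & BROAD_SCOPES:
        out.append("broad scope: not least privilege")
    if ident.provenance is None:
        out.append("no provenance: cannot trace to an approved build or pipeline")
    return out

def audit(inventory: list[MachineIdentity]) -> dict[str, list[str]]:
    """Map every non-compliant identity to its findings (compliant ones are omitted)."""
    return {i.name: f for i in inventory if (f := findings(i))}

INVENTORY = [
    MachineIdentity("svc-billing-export", "service_account", "j.doe", NOW + timedelta(days=60),
                    NOW - timedelta(days=2), {"billing.read"}, "pipeline-42/build-abc"),
    MachineIdentity("apikey-old-demo", "api_key", None, None, NOW - timedelta(days=400), {"*"}),
    MachineIdentity("agent-procurement", "ai_agent", "a.lee", NOW - timedelta(days=1),
                    NOW - timedelta(hours=3), {"orders.create"}, "pipeline-42/build-def"),
]
if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: " + "; ".join(issues))
```

In a real deployment the inventory would be populated from the directory and secret stores (service principals, OAuth app registrations, key vaults, CI identities) and the findings fed to the named owner or an automated revocation workflow.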