People often talk about human mistakes causing data breaches and cyber insurance claims. But there’s another problem: non-human identities. These include bots, service accounts, apps, automations, and AI agents that act on our behalf. We give them access easily and then forget about them. Some reports say there are now up to 45 non-human identities for every person.
That imbalance creates a simple, ugly reality: every new integration and automation can quietly expand your attack surface. Permissions sprawl. Ownership gets fuzzy. Monitoring falls behind. And what starts as “productivity” can become a liability event, a third-party exposure, or a full-blown data breach.
On the latest Cyber Insurance News and Information Podcast, executive editor Martin Hinton talks with Marshall Sorensen, a solutions architect at Myriad360. They discuss what non-human identities are, why they’re important, and how both insurers and clients should manage them.
Non-Human Identities: The Hidden Majority
Sorensen begins by explaining that a non-human identity is simply a digital credential for machines, applications, automated processes, or services within IT systems.
He makes it relatable: if you’ve used a smart camera or a calendar tool, you’ve already encountered a non-human identity. He also notes that research shows over half of internet traffic is now automated and non-human.
Non-Human Identity: Why The 45:1 Ratio Changes Cyber Risk
Early in the episode, they share a striking statistic: there can be up to 45 non-human identities for every person, and this number is still growing.
Sorensen points out that scale is the main challenge. If a company struggles to manage 100 employee accounts, it won’t be able to handle 4,500 machine and app identities without the right tools, rules, and discipline.

Where Myriad360 Fits In
Sorensen explains that Myriad360 is a global systems integrator with a cybersecurity team. They help organizations understand the bigger impact of modern IT decisions, especially when teams move quickly and set permissions afterward.
Permissions: The Moment Automation Becomes an Identity
Sorensen wants listeners to remember that permissions create identities. As soon as an automation interacts with a privileged system, like an account, data store, or calendar, it becomes a non-human identity.
And yes, we’ve been trained to click “Allow.” Sorensen calls out the danger hiding in those “bullet point” permission lists where “access my calendar” can sit above “read all of your emails” or “make changes in your environment.”
Turnstiles, Keys, and Delegated Trust
To make it stick, Sorensen uses an analogy of a train ticket or subway fare. At scale, you replace human ticket checking with an automated gate, and you delegate trust to the system.
This kind of delegation is convenient, but it also requires strong governance. You have to know who controls the gate, what it can access, and how to quickly remove access if needed.
AI Agents: New Tools, Old-School Access
AI feels new. The access patterns often aren’t. Sorensen warns that many AI tools still rely on classic mechanisms such as credentials and tokens, and they can accumulate long-lived, broad privileges as organizations chase speed and efficiency.
He also takes a balanced view. We’re in an AI arms race, and defenders should feel confident using AI to spot important information faster than people alone can.
What Breaches Teach Underwriters and Insureds
Sorensen says that most real-world incidents come down to two main issues: too many permissions and not enough monitoring. He points to the 2025 Salesloft and Gainsight breaches as examples and urges underwriters to take note.
In the Salesloft case, an AI agent was given wide access to key business systems. Attackers later used those permissions, with issued tokens acting like a “VIP wristband” that let them skip repeated checks.
From a cyber insurance perspective, Sorensen says the industry is moving past just passwords and MFA. Now, the key question is whether you can clearly track non-human identities, their permissions, and how they’re managed. If not, that risk will show up in pricing and underwriting.
He ends with practical advice for incident response: collect audit logs, create a single source of truth, and use digital tools to track who accessed what and spot problems before they turn into claims.
If you work in cyber insurance—whether in brokerage, underwriting, claims, or risk engineering—this episode is a helpful introduction to the growing identity layer behind every SaaS login, integration, and AI rollout. For those on the insured side, it offers a clear guide to turning identity sprawl into real controls: least privilege, clear ownership, offboarding, and regular monitoring.
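As an added illustration (not from the podcast or from Myriad360), here is one way a "single source of truth" for non-human identities can be checked against the four controls named above. The inventory records, scope names, and thresholds are all constructed assumptions, not values from any real product.

```python
from datetime import date

# Assumed policy values for this example; tune to your own environment.
BROAD_SCOPES = {"mail.read_all", "admin.write"}  # hypothetical scope names
MAX_TOKEN_AGE_DAYS = 90   # older tokens count as long-lived
MAX_IDLE_DAYS = 30        # unused this long: offboarding candidate

# Constructed inventory: one record per non-human identity (sample data only).
INVENTORY = [
    {"name": "calendar-sync-bot", "owner": "it-ops",
     "scopes": ["calendar.read"],
     "token_issued": date(2025, 5, 20), "last_used": date(2025, 5, 30)},
    {"name": "sales-ai-agent", "owner": None,
     "scopes": ["crm.read", "mail.read_all", "admin.write"],
     "token_issued": date(2024, 1, 10), "last_used": date(2025, 5, 29)},
    {"name": "legacy-export-job", "owner": "finance",
     "scopes": ["storage.read"],
     "token_issued": date(2025, 4, 1), "last_used": date(2025, 4, 2)},
]

def audit(identity, today):
    """Return the list of control gaps for one identity record."""
    findings = []
    if not identity["owner"]:                       # clear ownership
        findings.append("no-owner")
    broad = sorted(BROAD_SCOPES & set(identity["scopes"]))
    if broad:                                       # least privilege
        findings.append("broad-scope:" + ",".join(broad))
    if (today - identity["token_issued"]).days > MAX_TOKEN_AGE_DAYS:
        findings.append("long-lived-token")         # token rotation
    if (today - identity["last_used"]).days > MAX_IDLE_DAYS:
        findings.append("idle-offboard-candidate")  # offboarding
    return findings

def audit_inventory(inventory, today):
    """Map identity name to findings, omitting identities with none."""
    return {i["name"]: f for i in inventory if (f := audit(i, today))}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2025, 6, 1)).items():
        print(name, findings)
```

Run on a schedule against an exported identity inventory, a report like this gives underwriters and insureds the same list of which machine identities lack an owner, hold broad permissions, or should be retired.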
The Transcript has been checked for accuracy, but confirm elements against the record to be sure.