Agent AI Finds ‘Identity Dark Matter’ in Enterprises

Orchid Security released Identity Gap: Snapshot 2026 on May 19, 2026, reporting that 57% of enterprise identity elements are unseen “dark matter” and warning that Agent AI could exploit unmanaged accounts.

The report draws on data from North American and European enterprises and found the portion of identity elements outside central identity management now exceeds the visible, managed set.

Orchid identified three recurring exposures. Two out of three nonhuman accounts are created inside individual applications rather than through centralized identity systems. Seventy percent of reviewed applications had an excessive number of privileged accounts. Forty percent of accounts were classified as orphans, meaning they had outlived their authorized users and were likely unmanaged.

Agent AI tools, the report says, tend to seek the fastest way to complete tasks. When blocked from an approved channel, agents may use hard-coded credentials stored in application code, reuse tokens that grant broader access, or adopt credentials with higher privileges to finish work. Orchid cited cloud outages reported earlier in the year as examples of how identity and access weaknesses can cause operational disruption.

Robert Wiseman, Orchid’s co-founder, warned, “AI agents are designed to find the fastest path to a task, which can lead them to use hard-coded credentials or borrow higher-privilege tokens when they’re blocked.” He added that, unlike human operators, agents do not hesitate when presented with a shortcut.

Orchid recommended immediate actions including discovering unmanaged accounts, enforcing centralized provisioning for nonhuman identities, tightening privilege models, and removing orphaned accounts. The company published an Identity Security Readiness Checklist to help security teams assess and prioritize fixes.

The report notes that identity and access management exceptions have accumulated over years and cannot be cleaned up overnight. It provides data and maps intended to help security teams locate unmanaged identities and bring them under centralized control before autonomous tools can access them.