For years, insider threat strategies have been built on a simple premise: that risk comes from people. Whether it is a malicious employee, a careless contractor, or a compromised user account, the focus has always been on human behaviour.

That premise no longer holds. In modern cloud and AI-driven environments, the fastest-growing insider threat is not human. It is machine identities that already sit inside the organization, operating with persistent access and very little scrutiny.

The rise of the machine insider

Machine identities, such as service accounts, APIs, AI agents, and automated workloads, now outnumber human users in most enterprise environments. They are essential to how organizations scale digital services, automate workflows, and deploy AI. But they are also being granted levels of access that would be heavily scrutinized if assigned to a person. Recent findings from the Tenable Cloud and AI Risk report show that 52 percent of organizations have non-human identities with excessive privileges, compared to 37 percent for human users. For the first time, the potential for insider threats is shifting from employees to the “environment” itself.

The core issue with this change is that machine identities do not behave like humans, which is why traditional security controls are failing to stop them. Machine identities do not log unusual hours, trigger behavioural anomalies, or raise suspicion through intent.

Instead, they operate exactly as designed, executing tasks continuously with whatever permissions they have been given. The problem is that these permissions are often excessive and rarely reviewed.

We found that nearly half of the identities with critical privileges are inactive, which means they are not even being used, and yet still retain full access.

To put this into context, this is the equivalent of leaving former employees with active administrator accounts. Yet in today’s machine environments, we treat this as normal.

AI is accelerating identity sprawl

The rapid adoption of AI is making this problem significantly worse. Tenable research shows that 70 percent of organizations have already integrated AI or related third-party packages into their cloud environments. Each integration introduces new identities that need access to data, compute resources, and other services.

To avoid slowing down development, these identities are often provisioned with broad permissions by default. Nearly one in five organizations allows AI services to assume overprivileged roles with administrative or near-administrative access. This creates a growing layer of machine-driven access that is difficult to track, harder to govern, and almost invisible in traditional security models.

What makes machine identities particularly dangerous is how they intersect with other weaknesses in modern cloud environments. Organizations are increasingly reliant on third-party code, external integrations, and distributed infrastructure. This interconnectedness has expanded the attack surface in ways that are not always obvious or visible. For example, 86 percent of organizations have critical vulnerabilities in third-party code packages, while more than half allow external accounts to assume critical permissions. At the same time, 82 percent are running workloads with known exploited vulnerabilities. On their own, each of these issues is already concerning.

Together, they create a clear and repeatable attack path. An attacker can enter through a compromised dependency or partner account, pivot using an overprivileged machine identity, and reach critical systems through unpatched workloads. This is no longer about breaching a perimeter. It is about navigating access that already exists.

Rethinking insider risk in cloud-first environments

To respond effectively, organizations need to move beyond traditional insider threat models and treat access itself as a dynamic source of risk. The challenge is no longer identifying who has access, but understanding how that access evolves across systems, often without deliberate oversight.

This begins with visibility, but not as a static inventory exercise. Organizations need to continuously understand where access exists, how it is being used, and whether it still serves a legitimate purpose. In many cases, this reveals a disconnect between what systems are allowed to do and what they actually need to do, and that gap is where exposure builds.

The next step is to operationalize least privilege as a continuous process. Access is typically granted to enable speed, but rarely recalibrated once systems are in place. Over time, permissions accumulate and outlive their original intent. Bringing access back in line with real usage is not about restriction, but about removing unnecessary pathways that no longer serve the business.

Just as critical is the removal of dormant access. Unused credentials and inactive accounts with high privileges are not benign. They provide standing access that can be exploited undetected. Addressing them does not require new technology, but a shift in priority. What is no longer needed should not remain available.

Most importantly, organizations need to recognize that risk rarely exists in isolation. A vulnerability, an over-permissioned account, or an external dependency may each appear manageable on its own. It is when they converge that they become exploitable. This is why identity, system exposure, and vulnerabilities must be understood together, not managed in silos.
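
The review described in the preceding paragraphs (comparing granted access with real usage, retiring dormant privileged identities, and weighing converging risk factors together) can be sketched as follows. This is an added example, not code from Tenable or the author; the inventory, permission names, field names, 90-day threshold and "critical" set are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: every name, permission and date here is made up.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)                          # assumed threshold
CRITICAL = {"iam:admin", "storage:delete", "secrets:read"}  # assumed critical set

IDENTITIES = [
    {"name": "svc-billing-export",
     "granted": {"storage:read", "storage:write", "storage:delete"},
     "used": {"storage:read", "storage:write"},
     "last_used": NOW - timedelta(days=2),
     "external_trust": False, "exploited_vuln": False},
    {"name": "ai-agent-summarizer",
     "granted": {"iam:admin", "storage:read"},
     "used": {"storage:read"},
     "last_used": NOW - timedelta(days=1),
     "external_trust": True, "exploited_vuln": True},
    {"name": "svc-legacy-etl",
     "granted": {"secrets:read", "storage:read"},
     "used": set(),
     "last_used": NOW - timedelta(days=400),
     "external_trust": False, "exploited_vuln": False},
]

def review(identity, now=NOW):
    """Classify one machine identity by usage gap, dormancy and convergence."""
    unused = identity["granted"] - identity["used"]   # allowed but not observed in use
    dormant = now - identity["last_used"] > DORMANT_AFTER
    # Risk factors that matter most when they land on the same identity.
    factors = [bool(unused & CRITICAL), identity["external_trust"],
               identity["exploited_vuln"]]
    if dormant and identity["granted"] & CRITICAL:
        action = "disable"       # standing critical access nobody uses
    elif sum(factors) >= 2:
        action = "prioritize"    # converging weaknesses on one identity
    elif unused:
        action = "right-size"    # trim grants back to observed usage
    else:
        action = "ok"
    return {"name": identity["name"], "unused": sorted(unused),
            "dormant": dormant, "action": action}

def review_all(identities=IDENTITIES, now=NOW):
    return [review(i, now) for i in identities]

if __name__ == "__main__":
    for finding in review_all():
        print(finding)
```

In practice the `granted`, `used` and `last_used` fields would be populated from the cloud provider's policy and access-log data rather than hard-coded.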

This shift also requires clearer ownership. Decisions about access and integration are often made quickly at the operational level, but their cumulative impact is organizational. Without defined accountability, risk becomes diffuse and harder to manage.

Managing insider risk in modern environments is less about adding controls and more about reducing unnecessary access. In cloud-first systems, exposure is constantly shaped by how environments are built and maintained. Organizations that recognize this will be better positioned to contain insider risk before it becomes an incident.


As Senior Vice President for Asia Pacific at Tenable, Nigel Ng defines and leads Tenable’s go-to-market strategy and oversees the evolution of the business in this region. Nigel has over 30 years of IT industry experience and joined Tenable from RSA Security, where he was vice president for worldwide sales. Prior to that, Nigel was RSA Security’s president of international sales, overseeing Asia Pacific and Japan (APJ) and Europe, the Middle East, and Africa (EMEA) regions.

Nigel has a Master’s Degree in Business Administration from the Australia Institute of Management and a Bachelor’s Degree of Informatics, Software Engineering from Griffith University.

TNGlobal INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.
