Identity

The non-human identity explosion in Microsoft 365.

Sabiki Security·June 2026·5 min read
Who is watching the identities AI creates?

Every time you switch on an AI feature in Microsoft 365, you don't just add capability, you create identities. And almost none of them are being watched.

45:1
Machine identities outnumber humans ~45 to 1 on Gartner’s estimate, and some vendor telemetry runs as high as 144 to 1, up from 92:1 a year earlier1
+44%
Growth in non-human identities in a single year1
~half
Of machine identities hold sensitive or privileged access2
$27B
Forecast non-human identity security market by 2033, roughly double 2025 (11.9% CAGR)3

1 Gartner: analyst estimate that machine identities outnumber humans ~45:1 and rising. Vendor telemetry: Entro Labs, NHI & Secrets Risk Report (H1 2025), up to 144:1 (from 92:1 in H1 2024), +44% year-on-year. 2 CyberArk, 2025 State of Machine Identity Security / Identity Security Landscape 2025 (Vanson Bourne survey of 2,600 security leaders; corroborates the trend at >80:1, with ~half of machine identities privileged). 3 Grand View Research, Non-Human Identity Access Management Market (2025-2033). Third-party industry research, cited for context; Sabiki is not affiliated with these firms.

The quiet identities multiplying in every tenant

Most security thinking still pictures an identity as a person with a username. But a modern Microsoft 365 tenant is full of non-human identities: Copilot and custom agents, service principals, app registrations, and OAuth-connected third-party apps. Each one can authenticate, hold permissions, and reach data, without a human driving it in the moment.

AI accelerates this sharply. The whole point of an agent is to act on your behalf, which means it needs access. Turn on more AI, and you mint more identities with standing reach into mailboxes, SharePoint, Teams and Graph.

Why they're risky

You can't govern, or safely adopt, what you can't see.

The questions nobody can answer

Ask an admin mid-AI-rollout the four questions that matter and watch the room go quiet: What AI and non-human identities exist in this tenant? What can each of them actually reach? Who owns it? Is it still needed? Without answers, every new AI project carries an invisible tail of risk, and that uncertainty is precisely why so much AI stalls at the pilot stage.

Governance is the unlock for adoption

It's tempting to treat this as a security chore. It's the opposite: it's what lets AI go live. When you can see every AI identity, understand its blast radius, and show the controls are in place, "yes" to AI stops being a leap of faith. Governance isn't the brake on adoption, it's the accelerator.

How AIRM handles it

Sabiki AIRM connects to a Microsoft 365 tenant agentless and read-only via the Graph API, nothing installed, nothing changed without a human approving it. It discovers every AI and non-human identity, scores the risk of each, and maps the evidence to 11 governance frameworks so the controls auditors and insurers ask about are backed by something real. For an MSP, that inventory is both the safety layer and the basis of a recurring managed service.

See what's hiding in a client tenant.

Register free and run one full NHI Risk report on any Microsoft 365 tenant, the agentless, read-only way to find every AI identity and what it can reach.

Free NHI Risk Score →
← Back to the blog