Machine Identities Outnumber Humans 100 to 1 by 2028
Enterprises are managing machine identities with tools designed for humans. Agent Identity Governance is a category that does not exist yet. It will be a $5B market by 2028.
// By 2028 · high confidence · disruption 10/10
Prediction
// 2028
By 2028, enterprise machine-to-human identity ratios will exceed 100 to 1, driven by AI agent proliferation.
What dies
- → Static API keys
Who wins
- → SPIFFE/SPIRE
- → Venafi
- → CyberArk
The hook
The average enterprise today manages 45 machine identities for every human employee. The number was 25 to 1 in 2020. AI agents push it past 100 to 1 by 2028.
Thesis. Machine identity is the next CIAM. The category does not fully exist yet, the tooling is immature, and the spend is about to explode.
The story
The setup
Machine identities have always existed: service accounts, API keys, certificates. They were managed loosely because volume was manageable, the risk model fit, and tooling was bundled with the platforms they ran on.
The volume shock
Cloud-native architectures pushed the ratio from 5 to 1 to 25 to 1 between 2015 and 2020. Container identities, ephemeral workloads, service meshes. The existing tooling absorbed the first 5x; the next 5x broke it.
The agent wave
2023 to 2025. LLM-powered agents proliferate. Each agent needs identity, each tool call needs auth, each handoff between agents needs delegation. Volume goes parabolic and the patterns are new: ephemeral, delegated, often acting on behalf of a human.
The governance gap
Existing IAM platforms were designed for humans. They do not handle machine velocity, ephemeral lifecycles, or AI-agent delegation patterns. SCIM does not model agents. Birthright provisioning does not exist for runtime workloads.
The category emerges
Agent Identity Governance becomes a named market by 2026. New vendors, new frameworks, new compliance categories. The audit logs your CISO needs for 2027 do not exist yet at most enterprises.
First signals (verify today)
Current enterprise ratio at 45:1 (CyberArk 2024). Anthropic, OpenAI, and Google all shipping agent platforms. MCP specification adoption growing.
Key data points
- Current machine-to-human identity ratio: 45 to 1 (CyberArk 2024)
- Estimated by 2028: 100 to 1
- MCP specification: launched November 2024 (Anthropic)
- SPIFFE/SPIRE: CNCF graduated 2022
- AI agent platforms: Anthropic Claude agents, OpenAI Assistants, Google ADK
Contrarian angle
Enterprise security spend is still 90%+ allocated to human identity. The math will invert before 2030. Most CISOs do not have this in their 2027 budgets yet.
FAQ
What's the difference between a service account and a machine identity?
Service accounts are a subset. Machine identity is the broader category: anything non-human that authenticates, including service accounts, certificates, workload tokens, AI agent credentials, and IoT device identities.
How do AI agents delegate authority?
OAuth-style delegation with agent-specific scopes is the current state of the art. The user authorizes the agent for specific actions; the agent receives a scoped, time-limited token. Best practices are still being written; expect significant standardization activity through 2027.
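The delegation flow described in this answer, as an added example that is not from the original page: a user grants an agent specific scopes, and the resource side checks signature, expiry, agent binding and scope before allowing an action. The HMAC token format, the function names and the sample users, agents and scopes are constructed for illustration; the `act` (actor) claim name follows RFC 8693.

```python
import base64, hashlib, hmac, json

# Constructed demo key; a real issuer would use a managed, rotated signing key.
SECRET = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_delegated_token(user, agent, scopes, now, ttl=300):
    """User `user` authorizes `agent` for `scopes`, valid for `ttl` seconds."""
    claims = {"sub": user,              # the human the agent acts for
              "act": {"sub": agent},    # the actor actually holding the token
              "scope": sorted(scopes),  # explicit allow-list of actions
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def authorize(token, agent, action, now):
    """Return (allowed, reason) for `agent` attempting `action` at time `now`."""
    try:
        body, sig = token.split(".")
        # Verify integrity before trusting any claim in the body.
        if not hmac.compare_digest(sig, _sign(body)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["act"]["sub"] != agent:
        return False, "token not issued to this agent"
    if action not in claims["scope"]:
        return False, "action outside delegated scope"
    return True, f"{agent} acting for {claims['sub']}"
```

Unlike a static API key, every decision here names both the human and the agent, which is the record an audit log for delegated agent actions needs.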
Can existing IAM platforms handle machine identity at scale?
Partially. Okta, Entra ID, and Ping have added machine identity features. They are not yet purpose-built for the volume and ephemerality AI agents bring. Expect either platform extensions or new specialist vendors to fill the gap.