The Shadow Workforce: Why Your Next Breach May Not Be Human

Welcome to this week’s edition of Cyber Motion, tailored for cybersecurity business leaders. In this newsletter, you’ll find practical strategies, cutting-edge insights, and fresh thinking designed to help your security-focused brand break through a crowded market. My goal is to equip you with the tools and ideas needed to thrive amid shifting threats, buyer skepticism, and evolving industry standards.

– Tobias

Not yet a subscriber? Sign up here.

This newsletter you couldn’t wait to open? It runs on beehiiv — the absolute best platform for email newsletters.

Our editor makes your content look like Picasso in the inbox. Your website? Beautiful and ready to capture subscribers on day one.

And when it’s time to monetize, you don’t need to duct-tape a dozen tools together. Paid subscriptions, referrals, and a (super easy-to-use) global ad network — it’s all built in.

beehiiv isn’t just the best choice. It’s the only choice that makes sense.

Start free today. No credit card required

While the industry panics about AI deepfakes stealing faces, we’re quietly ignoring the fact that we’ve hired millions of invisible employees—and given them the keys to the kingdom without a background check.

The most dangerous threat in 2025 isn’t a hyper-realistic video of your CEO asking finance to wire money, though that is a danger, it’s the collision of "Agentic AI" with a massive, unmanaged "shadow workforce" of machine identities.

Data from Delinea reveals a staggering reality: non-human identities (NHIs)—service accounts, APIs, bots—now outnumber human employees 46 to 1. Even worse, 70% of these credentials haven't been rotated in nearly two years (averaging 627 days). We treat human access like Fort Knox, enforcing MFA and zero trust, while leaving the back door wide open for machines with a sticky note under the keyboard.

This vulnerability is about to explode. McKinsey reports that 62% of organizations are already experimenting with Agentic AI. Agentic AI are autonomous systems that plan and execute complex workflows. These aren't just chatty LLMs; they are digital workers that do things. To function, they need privileged access as NHIs.

The result? We are exponentially expanding an already insecure attack surface. An AI agent doesn’t sit through phishing training. If its long-lived, unrotated credential is compromised, it becomes the perfect insider threat; a high-speed, automated attacker operating inside your perimeter.

Zscaler and Deloitte predict a rise in "low-volume, high-impact" attacks and deepfake-enabled social engineering. But the real sleeper threat is the "Rogue Agent" breach: where an attacker doesn't hack a user, but hijacks an autonomous workflow to exfiltrate data or deploy ransomware at machine speed.

We’ve already seen the beginnings of this with prompt injection attacks (IBM has a good overview of that if you aren’t familiar) targeting Outlook and Gmail.

In a recent KuppingerCole webinar on fraud and AI agents, Transmit Security shared that account takeover attempts are reported by 99% of organizations, with two-thirds being successful.

Stop obsessing over the "who" (humans) and start auditing the "what" (machines). You need to treat your digital workforce with the same suspicion you apply to your human one.

How many "ghost employees" are currently running with admin privileges in your environment? Hit reply and let me know. I’m curious if anyone has a ratio better than 46:1.

Stay sharp,
Tobias