What is identity sprawl?
By Identra · Updated
Identity sprawl is the uncontrolled multiplication of accounts, credentials, and machine identities across SaaS apps, cloud platforms, and on-prem systems, outpacing an organization's ability to inventory and govern them. Each unmanaged identity widens the attack surface, and non-human identities such as service accounts and AI agents now drive most of the growth.
Key numbers
- Machine identities outnumber human identities 82 to 1 in the average organization (CyberArk Identity Security Landscape, 2025)
- The average company now deploys 101 SaaS applications (Okta Businesses at Work 2025)
- 23.8 million secrets were leaked in public GitHub repositories in 2024, up 25% year over year (GitGuardian State of Secrets Sprawl, 2025)
- 68% of organizations lack identity security controls for AI (CyberArk Identity Security Landscape, 2025)
Why does identity sprawl happen?
Identity sprawl is a byproduct of how modern software gets built and bought. Every new SaaS subscription mints its own user directory, its own admin accounts, and usually its own API keys. Okta's Businesses at Work 2025 report puts the average company at 101 deployed apps, and each one is a separate island of identity unless it is deliberately federated. Multiply that across departments buying tools on a credit card and the directory of record stops being the directory of reality.
Cloud and automation compound the problem on the non-human side. Every microservice, CI/CD pipeline, container, serverless function, and now every AI agent needs credentials to do its job. These identities are created programmatically, often in seconds, and rarely deleted with the same enthusiasm. CyberArk's 2025 Identity Security Landscape found machine identities outnumbering humans 82 to 1, and reported that AI is expected to drive the largest share of new privileged identities going forward.
- Decentralized SaaS purchasing creates directories no central team knows about
- Infrastructure as code and CI/CD mint service accounts and keys automatically
- Mergers and acquisitions import entire foreign identity estates overnight
- Contractors, vendors, and partners accumulate accounts that outlive the engagement
- AI agents and MCP-connected tools spawn credentials at machine speed
Why is identity sprawl a security problem?
Every identity is a door, and sprawl means nobody holds the full key ring. Orphaned accounts left behind by departed employees remain valid login paths. Duplicate accounts encourage password reuse across systems. Service accounts with stale, over-privileged access sit unrotated for years because no one is sure what will break if they change.
Sprawl also feeds secret sprawl. When identities multiply faster than governance, their credentials end up hardcoded in repositories, wikis, and chat. GitGuardian counted 23.8 million secrets leaked in public GitHub repositories in 2024 alone, a 25% increase over the prior year, and found that 70% of secrets leaked in 2022 were still active. Attackers do not need to break in when a forgotten identity with a valid credential is waiting for them.
How do you measure identity sprawl?
You cannot fix what you have not counted, so measurement starts with an inventory that spans every identity provider, cloud account, SaaS admin console, and secrets store. From there, a handful of ratios and counts turn a vague sense of mess into a trackable number.
| Metric | What it tells you |
|---|---|
| Identities per employee | How many accounts the average person accumulates across systems |
| NHI-to-human ratio | How fast machine identities are outrunning your governance model |
| Orphaned account count | Identities with no living owner, a direct measure of cleanup debt |
| Dormant identity percentage | Accounts and keys with no activity in 90 or more days |
| Federation coverage | Share of apps behind SSO versus local logins |
| Credential age distribution | How many secrets have gone unrotated past policy limits |
How do you consolidate sprawled identities?
Consolidation is less a project than an operating discipline. The first move is unifying visibility: one continuously refreshed inventory covering human accounts, service accounts, workload identities, and AI agents, along with the API keys each one holds. The second is shrinking the estate, which means deprovisioning orphans, merging duplicate accounts, and pulling local logins behind a central identity provider. Many teams frame the end state as an identity fabric: the identity systems they already run, woven into one consistent layer instead of yet another silo.
The third move is preventing regrowth. Every new identity should be born with an owner, an expiry, and least-privilege scope, whether it belongs to a person or a pipeline. Short-lived credentials beat standing secrets, automated joiner-mover-leaver flows beat quarterly access reviews, and policy that fires at creation time beats audits that discover sprawl a year later.
- Build one inventory across IdPs, clouds, SaaS, and secrets managers
- Assign a human owner to every non-human identity
- Replace long-lived keys with short-lived, automatically issued credentials
- Enforce SSO and lifecycle automation for every new app before rollout
- Track sprawl metrics quarterly and treat regressions like incidents
Human sprawl vs non-human sprawl
Human identity sprawl is bounded by headcount, and mature tools exist to govern it: SSO, MFA, and lifecycle automation tied to the HR system. Non-human sprawl has no such ceiling. Service accounts, workload identities, and AI agents are created by code, scale with infrastructure rather than payroll, and cannot pass an MFA prompt. CyberArk's 2025 study found that 68% of organizations lack identity security controls for AI, which suggests the fastest-growing slice of the identity estate is also the least governed. Any serious anti-sprawl program has to treat the non-human majority as the main event, not an appendix.
How Identra thinks about it
Identity sprawl is not an inventory problem you solve once; it is a runtime condition you have to observe continuously. Static catalogs go stale the moment a pipeline mints its next token or an AI agent spins up a new session. The durable fix is watching identities as they act: verifying human, non-human, and AI-agent identity at the moment of use, flagging credentials that behave outside their owner's intent, and retiring the ones that never act at all. Sprawl stops being dangerous when every identity that does something is known, scoped, and accountable in real time.
Go deeper: The Non-Human Majority
Frequently asked questions
What causes identity sprawl?
Every new SaaS app creates its own directory and admin accounts, departments buy tools without central IT, and cloud automation mints service accounts and keys programmatically. Mergers import entire foreign identity estates, contractors accumulate accounts that outlive engagements, and AI agents now spawn credentials at machine speed. Creation is easy and fast; deletion requires someone to notice and act.
Why is identity sprawl dangerous?
Each unmanaged identity is a valid login path nobody is watching. Orphaned accounts from departed employees keep working, duplicate accounts encourage password reuse, and stale service accounts hold unrotated, over-broad access for years. Attackers increasingly log in with forgotten credentials rather than break in, so the size of the unknown identity estate is effectively the size of the unguarded attack surface.
What is the difference between identity sprawl and secret sprawl?
Identity sprawl is the multiplication of accounts and identities themselves, human and machine, across systems that nobody fully inventories. Secret sprawl is the spread of those identities' credentials, keys, tokens, and passwords, into code, logs, and chat. They compound each other: more ungoverned identities mean more credentials minted, and every stray credential is a working login for some identity.
How do you fix identity sprawl?
Start with one continuously refreshed inventory across identity providers, clouds, SaaS, and secrets stores. Then shrink the estate: deprovision orphans, merge duplicates, and pull local logins behind SSO. Finally prevent regrowth by requiring an owner, an expiry, and least-privilege scope for every new identity, and by preferring short-lived credentials over standing secrets.
