As governments embrace cloud, automation, and AI, a new challenge has emerged: securing the fast-growing world of machine identities. Non-human accounts—like service accounts, APIs, and bots—now vastly outnumber human users, creating hidden risks that attackers are eager to exploit.
At our recent Government Innovation Week Ontario, we sat down with Jehan Zeb, Cyber Director at RSM Canada, to discuss why machine identities are the next frontier of cybersecurity and what governments can do today to strengthen resilience.
Q1: How can governments start to identify and gain visibility into the “shadow” identities across their systems?
The first step is acknowledging that these shadow identities exist, and they are more common than we think.
Shadow identities often come from legacy systems, quick fixes, or automation that has grown over time without proper oversight.
Governments can start by using discovery tools that scan across environments to surface these hidden identities while building a culture of identity visibility and accountability.
Q2: What best practices can public sector organizations adopt to secure service accounts, APIs, and automated processes without slowing down service delivery?
Securing public sector service accounts, APIs, and automated processes is critical, and it must prioritize identity security without creating friction for service delivery. The key is to shift the security paradigm from network-based perimeters to an identity-centric approach. This requires a focus on strong identity and access management (IAM) practices. Effective best practices revolve around these core principles:
- Zero Trust Identity: Never implicitly trust a service account, API, or automated process. Every request for access must be authenticated and authorized, regardless of where it originates. This mindset assumes compromise and forces a continuous verification of identities.
- Principle of Least Privilege (PoLP): This is the foundational security practice. Public sector organizations must ensure that non-human identities, such as service accounts and API keys, are granted only the bare minimum permissions needed to perform their specific function. This greatly reduces the "blast radius" of a potential compromise.
- Automated Identity Lifecycle Management: Manual processes for creating, managing, and decommissioning identities are prone to human error and can create long-standing vulnerabilities. The public sector should automate the entire identity lifecycle for service accounts and APIs, including:
  - Automated Provisioning: Quickly and securely create new identities with the correct, least-privilege permissions.
  - Automated Credential Rotation: Regularly and automatically change credentials (passwords, API keys, tokens) to minimize the risk of a stolen credential being used over a long period, or start using ephemeral secrets and identities.
  - Automated De-provisioning: Immediately revoke access and retire identities when a project is completed or a service is deprecated. This prevents "shadow identities" from accumulating.
- Continuous Monitoring and Auditing: Visibility is crucial. We must implement systems to continuously monitor the behavior of service accounts and APIs. By analyzing activity logs and behavior analytics, we can detect and flag anomalous behavior that may indicate a compromised identity, such as a service account suddenly attempting to access a new database. Regular audits and reviews are also necessary to ensure that assigned privileges still align with business needs.
By embedding these identity-focused practices, the public sector can build a more resilient security posture that enables efficient service delivery by making security an integrated part of the process, not a barrier to it.
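The continuous monitoring and privilege review described in this answer can be reduced to two checks over audit logs: alert when a service account touches a resource outside the set it has historically used, and list granted actions it never exercises. The block below is an added illustration, not RSM's or any product's code; the log format, account names (svc-payroll, svc-reports), resources and entitlement snapshot are all constructed.

```python
# Added example (not RSM's or any product's code): baseline-deviation alerting plus a
# least-privilege usage audit. Account names, resources and log lines are constructed.
from collections import defaultdict

# Constructed audit records: "<epoch>,<principal>,<action>,<resource>"
SAMPLE_LOG = """\
1000,svc-payroll,db:read,payroll-db
1060,svc-payroll,db:read,payroll-db
1120,svc-reports,db:read,reports-db
1180,svc-reports,storage:get,reports-bucket
2000,svc-payroll,db:read,payroll-db
2060,svc-payroll,db:read,citizen-records-db
2120,svc-reports,db:read,reports-db
"""

# Constructed entitlement snapshot: actions each account is currently allowed to take.
GRANTED = {
    "svc-payroll": {"db:read", "db:write", "iam:passRole"},
    "svc-reports": {"db:read", "storage:get"},
}

def parse_events(text):
    """Turn raw lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, principal, action, resource = parts
        events.append(dict(ts=int(ts), principal=principal, action=action, resource=resource))
    return events

def build_baseline(events, learn_until):
    """Resources each principal touched during the learning window (ts < learn_until)."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < learn_until:
            baseline[e["principal"]].add(e["resource"])
    return baseline

def detect_novel_access(events, baseline, learn_until):
    """Alert on post-window accesses to resources absent from that account's baseline."""
    return [(e["ts"], e["principal"], e["resource"]) for e in events
            if e["ts"] >= learn_until
            and e["resource"] not in baseline.get(e["principal"], set())]

def unused_privileges(events, granted):
    """Granted actions never exercised in the log: candidates for removal."""
    used = defaultdict(set)
    for e in events:
        used[e["principal"]].add(e["action"])
    return {p: perms - used[p] for p, perms in granted.items() if perms - used[p]}
```

Run against the constructed log, the payroll account's first touch of citizen-records-db is the single alert, and its unused db:write and iam:passRole grants are the privileges a review would cut.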
Q3: How can government balance innovation and automation with the security demands of machine identity governance?
Balancing government innovation with security is a matter of integrating security into the automation itself, rather than treating it as a separate checklist item.
The key is to create a dynamic, self-governing identity ecosystem for machines. This is achieved by:
- Shifting from static, long-lived credentials to ephemeral, short-lived identities for bots and automated processes. These "just-in-time" credentials are far more secure and don't slow down development.
- Building automated security scanning and least-privilege policies directly into CI/CD pipelines. This ensures every new service is secure from the start, making security an accelerator, not a barrier.
- Implementing a single platform that provides a complete, real-time inventory of human and machine identities. This gives security teams a unified view to enforce policies and identify threats, allowing innovators to move at full speed.
By making identity governance a core, automated function of innovation, government can deliver faster, more secure digital services.
Q4: Looking ahead, why do you see machine identities as the “next frontier” of public sector cybersecurity?
Machine identities are the next frontier of public sector cybersecurity because they represent the single biggest and fastest growing attack surface.
- The number of non-human identities, such as bots, APIs, and automated processes, now outnumbers human identities by a staggering ratio, often exceeding 80 to 1. This growth is driven by the rapid adoption of cloud computing, microservices, and AI, all of which rely on machine-to-machine (M2M) communication. Each new application and service creates a new machine identity that requires a unique credential and a specific set of permissions. Without proper governance, this proliferation creates vast security blind spots.
- Attackers are increasingly targeting machine identities because they are often less monitored than human users and can hold highly privileged access. A compromised service account can allow an attacker to bypass traditional human-centric security controls and move laterally across a network, exfiltrating vast amounts of sensitive data or disrupting critical infrastructure. Cybercriminals are specifically targeting these credentials because they offer a direct path to admin-level control.
- For decades, public sector cybersecurity has focused on protecting human users with tools like passwords, multifactor authentication, and user access management. However, these solutions are often not designed for the scale, velocity, and unique characteristics of machine identities. This gap in governance leaves organizations vulnerable to "shadow identities" and unmanaged credentials, which can be easily exploited by a sophisticated adversary. By securing this "next frontier," the public sector can close a critical security gap and build a more resilient digital infrastructure.