Innovation at Speed: Why Machine Identity Security Is Now a Boardroom Priority
CEOs across the manufacturing sector remain optimistic about the potential of digital transformation to boost productivity, efficiency, and competitiveness. Manufacturers face a double bind: innovate fast (and accept some pain along the way) or risk falling behind, yet every step forward expands the attack surface. This sits alongside a stark reality: the manufacturing sector now suffers 26% of all cyberattacks, making it one of the most targeted industries globally. However, the most significant emerging threat is not always the one that leaders expect. It is not only ransomware or phishing targeting these organisations, but threats related to the rapid proliferation of unsecured machine identities. According to findings from a roundtable event hosted by Xalient and Saviynt, machine identities now outnumber human identities by 45 to 1 and are linked to half of all breaches, with 74% of Tech and InfoSec leaders saying they are harder to secure than human identities.
The challenge for manufacturers is to accelerate digital transformation without simultaneously increasing uncontrolled exposure to unacceptable cyber risk.
The recent shutdown at Jaguar Land Rover (JLR) is a stark reminder of what is at stake. A single cyber incident can halt production, disrupt global supply chains and inflict lasting financial and reputational damage.
As factories become more connected and automation deepens, the attack surface expands. Many of the new vulnerabilities stem from the explosive growth of machine identities, such as API keys, service accounts, bots, workloads and now AI agents, that underpin modern digital factory operations. In 2024, manufacturing and construction were the two most targeted sectors, reflecting both their strategic importance and their growing digital complexity.
These incidents don't just impact businesses – the knock-on impact and ripple effect across supply chains has an all-too-real impact on employees and their families. These are not victimless attacks.
Balancing Innovation and Risk
Manufacturing firms face a unique combination of cyber risks. Legacy IT systems remain widespread, often running alongside modern cloud-based platforms. Supply chains are vast and interconnected, with each vendor connection representing another potential entry point for attackers. Over-privileged machine identities, that is, those granted more access than they require, further amplify exposure.
Leaders are under pressure to innovate rapidly, but they cannot afford to compromise resilience. Nor can they allow security concerns to stall essential transformation programmes. The answer, as our roundtable stressed, is a pragmatic, sector-specific approach underpinned by Zero Trust: verifying every interaction and eliminating implicit trust for devices and identities. Zero Trust assumes that no user, device, or system should be trusted by default, even if it sits inside the corporate network. Instead, every access request must be continuously assessed, authenticated, authorised, and validated based on context. By verifying every interaction and eliminating implicit trust, organisations can continue to innovate while maintaining strong cyber defences.
Who Owns the Machine?
But herein lies another challenge. Human identities are relatively straightforward to manage. HR and IT teams track employees from onboarding to departure, (ideally) adjusting access rights as roles change. Machine identities, however, are a different story. They are not owned or managed by IT or HR; organisations may have thousands of them, many obsolete, duplicated or unknown, spread across engineering, operations, development, and security teams. In fact, machine identities are now growing at a rate that outpaces human identities by 45 to 1.
This creates a fundamental governance problem: who is responsible for their lifecycle, and for their activity?
As AI agents begin to operate autonomously, executing tasks, making decisions and even negotiating with suppliers, the question of accountability becomes even more urgent. Without clear ownership and oversight, organisations risk losing visibility and control over the very systems that power their digital operations.
Managing machine identities should mirror the structured oversight applied to employees. Just as HR policies define acceptable behaviour, access rights and accountability for people, organisations need equivalent frameworks for machine entities, governing their use, lifecycle, privileges and oversight.
Ownership Ambiguity
One of the biggest obstacles is the ambiguity surrounding ownership. Multiple stakeholders may claim an interest in a particular machine identity, but shared ownership rarely translates into shared responsibility. When no individual or team is accountable, vulnerabilities remain unaddressed, innovation slows and governance gaps widen.
In a sector already heavily targeted by cybercriminals, delays in identifying and closing vulnerabilities can be dangerous.
In parallel, the rapid rise of generative AI (Gen AI) has accelerated innovation across manufacturing, from predictive maintenance to automated procurement. It has also introduced new risks: in the rush to deploy AI tools, organisations often bypass vendor due diligence and data-protection standards, creating governance gaps that attackers exploit. Governance standards must apply equally to AI agents, with no exceptions simply because they are new or transformative.
Control and Visibility: From Inventory to Action
Machine identities operate at extraordinary speed and scale. They automate processes, communicate across systems, and authorise transactions far faster than any human could. Yet this very scale also makes manual oversight impossible. With that in mind, there are a few steps organisations should take to manage and govern these identities effectively.
1. Identity Discovery Must Come First
Effective governance begins with visibility. Organisations must know exactly which machine and AI identities exist within their systems. Discovery is a foundational step. Automated tools can scan for credentials, log identities, issue or revoke access, and detect vulnerabilities. But the essential requirement is a definitive, authoritative inventory. Without it, governance cannot function.
2. Least Privilege and Ongoing Management
As mentioned above, human access rights are routinely monitored and adjusted. Machine privileges, however, often persist long after they are needed, creating unnecessary exposure. Automated scanning and credential rotation, or more advanced just-in-time access, can significantly reduce risk by ensuring machine identities have only the permissions they require, and only when they require them.
3. Testing and Guardrails Before Scaling
Before deploying AI agents or machine identities at scale, organisations must test systems thoroughly and implement guardrails to limit behaviour. Controlled testing environments allow risks to be identified and mitigated under human oversight. Without these safeguards, systems can produce flawed or harmful outputs, reinforcing the need for rigorous validation before wider rollout.
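The three steps above, run over a small constructed inventory, as an added example written for this article (it is not code from Xalient, Saviynt or the roundtable). Every identity name, owner, permission string, the 90-day staleness threshold and the list of actions that need human approval are assumptions chosen to make the checks visible; the guardrail check is also a minimal per-request decision in the Zero Trust sense described earlier, where nothing is allowed by default.

```python
"""Machine-identity governance audit: discovery -> least privilege -> guardrails.
Added illustrative example; all identities and permissions below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the audit is reproducible (assumption, not a real date on the page).
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)          # assumed policy: unused for 90 days = stale
# Assumed policy: actions an AI agent may never take without a human in the loop.
HUMAN_APPROVAL_ONLY = frozenset({"po:approve", "erp:admin"})


@dataclass(frozen=True)
class MachineIdentity:
    name: str
    kind: str                          # "service_account", "api_key", "ai_agent", ...
    owner: Optional[str]               # accountable team; None means nobody owns it
    granted: frozenset                 # permissions currently attached to the credential
    required: frozenset                # permissions the workload actually needs
    last_used: Optional[datetime]      # None means it has never been seen authenticating
    expires: Optional[datetime] = None # None means the credential never expires


# Step 1: the authoritative inventory every other check depends on (constructed data).
INVENTORY = [
    MachineIdentity("plc-telemetry-sa", "service_account", "ot-engineering",
                    frozenset({"mqtt:publish"}), frozenset({"mqtt:publish"}),
                    NOW - timedelta(hours=1), NOW + timedelta(days=20)),
    MachineIdentity("legacy-mes-sync", "api_key", None,
                    frozenset({"erp:read", "erp:write", "erp:admin"}), frozenset({"erp:read"}),
                    NOW - timedelta(days=400)),
    MachineIdentity("procurement-agent", "ai_agent", "supply-chain",
                    frozenset({"po:create", "po:approve", "vendor:read"}),
                    frozenset({"po:create", "vendor:read"}),
                    NOW - timedelta(minutes=5), NOW + timedelta(days=1)),
    MachineIdentity("ci-deployer", "service_account", "platform",
                    frozenset({"k8s:deploy"}), frozenset({"k8s:deploy"}),
                    None, NOW - timedelta(days=3)),
]


def find_orphans(inv):
    """Ownership gap: identities with no accountable owner."""
    return sorted(i.name for i in inv if i.owner is None)


def find_stale(inv, now=NOW, threshold=STALE_AFTER):
    """Step 2: never used, or not used within the threshold; candidates for revocation."""
    return sorted(i.name for i in inv
                  if i.last_used is None or now - i.last_used > threshold)


def find_expired(inv, now=NOW):
    """Lifecycle: credentials past their expiry that are still in the inventory."""
    return sorted(i.name for i in inv if i.expires is not None and i.expires <= now)


def excess_privileges(inv):
    """Step 2: granted-but-unneeded permissions, i.e. what least privilege would remove."""
    return {i.name: sorted(i.granted - i.required) for i in inv if i.granted - i.required}


def guardrail_check(identity, action):
    """Step 3: default-deny per-request decision for a machine identity.
    Returns (allowed, reason). An action must be explicitly granted, and AI agents
    are additionally blocked from actions reserved for human approval."""
    if action not in identity.granted:
        return False, "not granted"
    if identity.kind == "ai_agent" and action in HUMAN_APPROVAL_ONLY:
        return False, "requires human approval"
    return True, "allowed"


def audit(inv=INVENTORY):
    """Run every check and return the findings as one report dictionary."""
    return {
        "orphans": find_orphans(inv),
        "stale": find_stale(inv),
        "expired": find_expired(inv),
        "excess_privileges": excess_privileges(inv),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
    agent = next(i for i in INVENTORY if i.kind == "ai_agent")
    for act in ("po:create", "po:approve", "erp:read"):
        print(agent.name, act, guardrail_check(agent, act))
```

In practice the inventory would be populated by the discovery tooling mentioned in step 1 (cloud IAM listings, secret stores, certificate issuance logs) rather than typed in, and `required` would come from observed usage over a review window; the point of the example is that once that authoritative list exists, the orphan, staleness, expiry and excess-privilege checks are mechanical and can run on every change rather than at an annual review.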
Innovation and Resilience Can Coexist
Manufacturing organisations face intense cybercriminal targeting, creating a tension between the need to innovate and the risks introduced by increased digital transformation. Legacy systems, complex supply chains, and the rapid growth of machine identities all contribute to heightened vulnerability.
Strong governance is essential. Tooling can provide the visibility needed to enforce least-privilege access and manage identity lifecycles effectively, but clear policy and governance must be in place first, so that the tooling has something definite to enforce. With controlled testing and appropriate guardrails, organisations can scale new technologies safely.
Innovation and resilience should not be opposing forces. With the right foundations, manufacturers can embrace digital transformation confidently, unlocking growth while keeping cyber risk firmly in check.
Above all, security teams should see themselves as enablers rather than blockers, leading with secure enablement rather than knee-jerk blocking.