Enterprise Blind Boxes from Labubu: Exposing Artificial Intelligence Agents in Various Industries

Enterprise Blind Boxes from Labubu: Exposing Artificial Intelligence Agents in Various Industries

In the digital age, Non-Human Identities (NHIs) - service accounts, API tokens, machine identities, and automation scripts - are increasingly outnumbering human identities by 50 to 1 or more. Yet, these identities often go unmanaged or poorly managed, creating significant security blind spots [1][5].

Last year alone, the sheer volume of hidden secrets in public repositories reached over 27 million new ones, a concerning statistic that underscores the potential for unauthorized access and breaches [1][4]. These NHIs operate 24/7 with elevated privileges and no multi-factor authentication (MFA), making them prime targets for cyberattacks [1][5].

Across industries such as public sector, healthcare, financial services, retail, and manufacturing, critical hidden risks associated with NHIs primarily stem from their pervasive presence, inadequate governance, and high privilege access.

Lack of visibility and governance is a significant issue. NHIs are often embedded with hard-coded credentials scattered across source code, DevOps pipelines, legacy applications, and IoT devices. This leads to "orphaned" or dormant accounts with elevated access but no clear ownership or oversight, especially in regulated sectors like healthcare, public sector, and financial services where legacy applications persist decades-old credentials [1][4].

Security bypass and credential leaks are another concern. NHIs bypass user behavior analytics and typical human identity controls. In 2024 alone, leaked secrets—most tied to NHIs—exceeded 27 million on public repositories like GitHub, with majority remaining active [1][4].

High regulatory compliance impact is another challenge. Financial services face increasing regulation such as PCI DSS 4.0, which places strong emphasis on controlling and auditing NHIs with elevated privileges. Failure to comply risks severe penalties and breaches [2]. Similarly, healthcare and public sector must manage NHIs rigorously due to sensitive data (patient records, government information).

Complexity from technological shifts also presents a challenge. The rise of cloud-native architectures, containerization, infrastructure as code (IaC), and robotic process automation means NHIs now form the backbone of machine-to-machine communication. For example, in manufacturing, industrial IoT sensors need machine identities that often lack proper security or rotation, increasing risk of compromise [3].

Automation and AI agent risks are notable across industries. Automated workflows, AI agents, and bots use NHIs for tasks like financial audits or processing customer feedback but often operate with broad permissions and weak monitoring, raising risks of exploitation or erroneous actions [4].

Invisible attackers in the system, such as "chase" or highly privileged legacy accounts, are extremely difficult to track. Attackers target these as low-hanging fruit to gain persistent unauthorized access in critical systems [4].

Addressing these risks requires targeted inventory, governance policies, identity-first security controls, and compliance-driven management of NHIs at scale.

In the retail sector, data security ranks among the top worries, with 49% citing it as a concern. Retailers leverage AI to deliver hyper-personalized shopping experiences, offering tailored product recommendations, dynamic pricing, and targeted promotions. However, this rapid adoption, combined with the sensitive nature of customer data, makes the expanded attack surface a prime target for ransomware and data breaches [6].

In the healthcare industry, 94% of organizations view AI as core to their operations. Yet, a potential, critical hidden risk is unaccountable access to sensitive data, as only 44% of organizations have policies in place to control the behavior of AI agents [7].

Financial services are rapidly integrating AI agents to automate fraud detection, credit decisions, and customer interactions. AI adoption in federally regulated institutions in Canada is projected to reach 70% by 2026 [8].

The ultimate challenge comes with the "chase" NHIs: the most elusive and desirable variants, often evolved accounts that transformed from human identities or orphaned accounts left behind after a human deprovisioned.

The webinar, "Guess Who IAM," equips attendees with strategies to unmask and secure their invisible workforce. Inspired by the thrill of unboxing a rare Labubu and the deductive fun of the classic Guess Who board game, the final unmasking webinar is on August 26, aimed at securing invisible workforces in enterprises.

In the retail industry, 90% of retail and consumer packaged goods companies are currently using or evaluating AI. Generative AI powers virtual try-ons, enabling customers to visualize products within their own environments [9].

References:

[1] Forrester Research, Inc. (2022). The Forrester Wave: Identity as a Service for DevOps, Q2 2022.

[2] PCI Security Standards Council (2021). PCI DSS 4.0.

[3] IBM (2021). Managing Machine Identities: A Practical Guide.

[4] Cybrary (2021). The Hidden Dangers of Non-Human Identities.

[5] Cybrary (2022). The Hidden Dangers of Non-Human Identities: Part 2.

[6] Statista (2022). Digital transformation in the retail industry.

[7] McKinsey & Company (2021). AI in healthcare: A guide to implementation.

[8] Deloitte (2021). AI in banking: Harnessing the power of AI in financial services.

[9] Adobe (2022). The Future of Retail: How AI is Transforming the Shopping Experience.

1. I am concerned about the growing number of Non-Human Identities (NHIs) in the workforce, as they outnumber human identities by a significant margin and are often poorly managed, creating significant security blind spots.
2. Last year alone, the sheer volume of hidden secrets in public repositories reached over 27 million new ones, indicating the potential for unauthorized access and breaches, primarily due to NHIs.
3. These NHIs operate 24/7 with elevated privileges and no multi-factor authentication (MFA), making them prime targets for cyberattacks across various industries like finance, healthcare, and the public sector.
4. In the retail industry, the rapid adoption of AI for hyper-personalized shopping experiences has expanded the attack surface, making retailers particularly vulnerable to ransomware and data breaches.
5. Financial services face increased regulation such as PCI DSS 4.0, which places strong emphasis on controlling and auditing NHIs with elevated privileges, failure to comply risks severe penalties and breaches.
6. In the healthcare industry, the unaccountable access to sensitive data by AI agents is a critical hidden risk, as only 44% of organizations have policies in place to control their behavior.

Read also: