When attackers breached Salesloft in August, they didn’t go after staff accounts or human identities. Instead, they exploited an Ai-powered chatbot’s privileged access to systems like AWS and Slack. It’s a warning sign of a bigger shift: machine identities, from chatbots to autonomous agents, are fast becoming a new entry point for attackers.
Delinea’s new Ai in Identity Security report shows just how unprepared Australia is for this shift. Only 28 per cent of organisations say they’re ready to secure Ai, significantly lower than the global average of 44 per cent. With machine identities multiplying across IT environments and shadow Ai on the rise, Australian businesses face a widening gap between the speed of Ai adoption and their ability to govern it securely.
From Confidence To Blind Spots
On the surface, Australian organisations are optimistic about their ability to manage Ai risks, with 87 per cent confident their defences can keep pace. But Delinea’s findings show that confidence doesn’t always equal control. Fewer than half (46 per cent) have full visibility into their machine identities, while 16 per cent admit they have none at all, twice the global figure.
That lack of visibility has real consequences. If security teams don’t know which Ai agents exist, what systems they have access to, or how those privileges are being used, they have no way of spotting when identities are misused. This gives attackers more freedom to move through critical systems – just as they did in the Salesloft breach. Without stronger oversight, organisations can’t enforce least privilege, detect misuse quickly or build the guardrails needed to keep Ai identities in check.
The Machine Identity Surge
The scale of the problem makes that visibility gap even more pressing. Machine identities already outnumber humans 46 to 1 and are projected to exceed 45 billion globally by 2025, according to Delinea Labs. Each one represents a potential entry point for attackers, yet many operate automatically, with little monitoring or control.
Australia’s rapid adoption of Ai only heightens the challenge. The report shows 90 per cent of organisations are piloting or using Ai in IT operations, and a quarter already use agentic Ai in security. When combined with weak visibility, this surge in non-human accounts is stretching security teams thin. Without stronger oversight and safeguards, machine identities will continue to outpace defences.
Shadow Ai And The Governance Vacuum
If sanctioned machine identities are difficult to manage, unsanctioned ones create an even bigger problem. Delinea’s research shows 44 per cent of Australian firms encounter shadow Ai at least once a month, with tools deployed by staff outside IT or security oversight. Without approval or monitoring, they expand the attack surface in ways security teams can’t see.
The lack of rules makes this even riskier. 38 per cent of organisations have no policies or access controls for Ai tools, a higher rate than the US, UK or Singapore. In practice, that could mean stolen logins, fake messages fooling staff and customers, or autonomous systems making changes without anyone noticing until it’s too late. Without oversight, organisations risk losing control of their own data and decisions – exactly the kind of opportunity attackers look for.
Making Ai Work For Security
Ai adoption in Australia is moving faster than most security teams can keep up with. The gaps are clear: limited visibility into machine identities, the rapid growth of Ai agents, and the spread of shadow Ai without oversight. To close them, organisations should map and monitor all machine identities, apply least-privilege access to Ai agents, and enforce clear rules for Ai use across the business.
Getting this right will decide whether Australia continues to lag behind global readiness or sets the standard for securing Ai. By treating machine identities with the same discipline as human ones, businesses can stay ahead of attackers and make Ai work for them, not against them.
Nigel Tan is APAC Director of Systems Engineering at Delinea.
Last Updated on September 23, 2025 by Nigel Tan
