Modern SaaS environments are no longer used only by people. Alongside employees, organizations now rely on a growing number of automated systems to access, process, and work with data.
These systems - including service accounts, bot accounts, integrations, automation tools, and AI agents - are commonly referred to as non-human identities (NHIs).
Non-human identities perform many of the same actions as legitimate human users, but they do so by impersonating those users. They access files, read content, send messages, trigger workflows, and sync data between applications. In many cases, they operate using the same permissions as employees and appear in audit logs as human users.
As a result, organizations increasingly rely on identities that are not people to interact with their most sensitive data.
What Are Non-Human Identities?
For the purposes of this report, non-human identities include:
- service accounts
- bot accounts
- application integrations
- automation tools
- and AI agents
These identities are created to enable productivity and automation, but they often:
- persist longer than human accounts
- receive broad access and privileges to make systems work
- and are not reviewed as frequently as employee access
In many environments, non-human identities are now responsible for a large portion of day-to-day activity inside SaaS applications.
Why This Is a Problem Now
Non-human identities are not new, but their scale and influence have changed dramatically over the past year. Three major shifts are all happening at the same time:
- Automation and AI adoption is accelerating → Organizations are deploying tools that continuously scan, summarize, sync, and move data across SaaS platforms.
- These systems need access to sensitive data to function → To work properly, they are granted permissions similar to those of employees, often without clear ownership or long-term oversight.
- Security and governance models still assume identities are human → Most access controls, audits, and investigations are designed around people, not systems acting on their behalf.
This creates a gap between how access is managed and how SaaS environments actually operate.
When non-human identities:
- look like human users in logs
- access large volumes of data
- and are not clearly governed,
organizations lose visibility into who is really accessing their data and why.
This shift sets the stage for the findings in this report, which examine how much SaaS activity is now driven by non-human identities and what that means for data security and governance.
Data Findings: Non-Human Identity Activity in Enterprise SaaS Environments
To understand how much SaaS activity is truly human-driven, DoControl analyzed event log data from the environments of our enterprise customers. This analysis was conducted by our internal data analysts as part of an ongoing effort to help customers gain better visibility into who - or what - is accessing their SaaS data.
Our analysts investigated this activity to improve how organizations identify, control, and secure access in their environments, especially as automation, integrations, and AI tools become more common.
What We Mean by “Activity”
In this analysis, “activity” refers to events that were recorded in SaaS audit logs. These events can include actions such as accessing a file, reading or scanning content, posting or sending messages, triggering a workflow, syncing data, indexing records, and more.
Ranked Findings by Application
When we reviewed event log data from enterprise customer environments, we found that most activity in several major SaaS applications was driven by non-human identities. Below are the results, ranked from highest to lowest percentage of activity that is potentially non-human:
Microsoft SharePoint: ~70%
Approximately seven out of ten recorded events were generated by non-human identities rather than by human users.
Microsoft OneDrive: ~60%
The majority of recorded activity in OneDrive environments was associated with non-human identities acting on behalf of users.
Slack Enterprise: ~53%
More than half of all recorded events involving data access were attributed to non-human identities conducting enterprise search queries and indexing files.
Box: ~45%
Nearly half of all observed activity was generated by non-human identities instead of people.
Salesforce: ~45%
A significant portion of recorded events was driven by non-human identities operating within Salesforce environments.
Google Drive: ~40%
Roughly two out of every five recorded events were performed by non-human identities rather than by human users.
Across all applications analyzed, these results show that non-human identities now account for a substantial share of everyday SaaS activity. Based on observed patterns, DoControl expects this share to continue increasing as organizations adopt more automation and AI-driven tools.
What These Percentages Actually Mean
At first glance, SaaS audit logs suggest that people are responsible for most activity. Actions are typically recorded with a human name attached to them, such as “Jenny viewed a document” or “Alex downloaded a file.”
However, deeper analysis shows that many of these actions are not initiated by a person at all.
Audit logs include markers indicating when an action was performed through impersonation, along with details about the application responsible for executing it on the user’s behalf.
What does this look like in practice? Here’s an example:
Audit log entry:
Jenny edited a document.
On the surface, this appears to be a normal human action, done by Jenny herself.
Let’s say Jenny is working in Google Drive. Our analysis shows that approximately 40% of these “edit” actions were actually generated by non-human systems operating on behalf of the human user (impersonating Jenny).
What actually happened:
Non-human identity (such as an AI agent or automation tool)
→ used Jenny’s identity
→ accessed the document and edited something
→ produced an audit log entry that appears as “Jenny edited a document”
In this case, the identity recorded in the log belongs to a person (Jenny!), but the true actor is not.
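The separation described above can be sketched as a small classifier over audit events. This is an added example, not DoControl's code: the log lines are constructed, and the field names (`impersonated`, `client_app`) are a hypothetical normalized schema standing in for the vendor-specific impersonation and application markers.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events in a hypothetical normalized schema. Real SaaS
# audit logs use vendor-specific field names for these same markers.
SAMPLE_LOG = """
{"app": "Google Drive", "user": "jenny@example.com", "action": "edit", "impersonated": true, "client_app": "ai-summarizer"}
{"app": "Google Drive", "user": "jenny@example.com", "action": "edit", "impersonated": false, "client_app": null}
{"app": "Google Drive", "user": "alex@example.com", "action": "download", "impersonated": true, "client_app": "backup-sync"}
{"app": "Google Drive", "user": "alex@example.com", "action": "view", "impersonated": false}
{"app": "Google Drive", "user": "jenny@example.com", "action": "view"}
{"app": "Slack", "user": "alex@example.com", "action": "search", "impersonated": true, "client_app": "enterprise-search"}
{"app": "Slack", "user": "jenny@example.com", "action": "post", "impersonated": false}
"""

def parse(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(event):
    """Return 'non-human', 'human' or 'unknown' for one audit event."""
    marker = event.get("impersonated")
    if marker is True or event.get("client_app"):
        return "non-human"
    if marker is False:
        return "human"
    return "unknown"  # no marker recorded: do not assume a person acted

def true_actor(event):
    """Label the event with the system that acted, not only the recorded user."""
    if classify(event) == "non-human":
        return f"{event.get('client_app') or 'unidentified app'} (as {event['user']})"
    return event["user"]

def non_human_share(events):
    """Per application: fraction of classifiable events that were non-human."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["app"]][classify(e)] += 1
    shares = {}
    for app, c in counts.items():
        known = c["human"] + c["non-human"]
        shares[app] = round(c["non-human"] / known, 2) if known else None
    return shares

if __name__ == "__main__":
    print(non_human_share(parse(SAMPLE_LOG)))
```

Events with no marker are reported as `unknown` and excluded from the ratio, so a missing field is never counted as proof that a person acted.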
Why This Matters
These findings highlight a shift in how SaaS environments operate. Automation and AI systems now access and process extremely sensitive business data at scale, often using identities that appear human in logs.
As a result, many organizations now have:
- non-human identities accessing sensitive data
- activity that looks legitimate but is not human-driven
- limited visibility into which systems are responsible for which actions
When identity no longer reliably indicates intent or control, it becomes harder to answer basic questions such as:
- Who is accessing our data? Or, what?
- Is this behavior expected, safe, lawful? Does it make sense in context?
- Should this system still have access? What else can it see?
This growing gap between identity and actor sets the stage for new risks, which the next section of this report will explore.
Key Risks of Non-human Identity (NHI) Activity
DoControl’s analysis shows that a large share of SaaS activity is now driven by these non-human identities. While these systems enable automation and productivity, they also introduce new risks that traditional access controls were not designed to handle.
Below are the five most significant risks organizations face as non-human identity activity increases.
1. Non-Human Identities Are Easier to Compromise
Non-human identities are often created to make tools and integrations work quickly. As a result, they frequently:
- lack strong authentication controls
- use long-lived credentials
- receive broad access and wide scopes
- are rarely rotated or reviewed
- are not monitored like human users
This makes them attractive targets for attackers.
If a non-human identity is compromised, it can be used to access large volumes of data without triggering the same suspicion as a compromised employee account.
As automation and AI adoption accelerates, non-human identities are quickly becoming a new category of risk in SaaS environments - mostly because they are easy to manipulate, and many organizations are still developing mature ways to manage and secure them at scale.
2. Data Access Governance Becomes Unclear
When non-human identities act using human identities or appear as human users in logs, it becomes difficult to understand:
- who is actually accessing sensitive data
- what systems are responsible for that access
- and whether that access is still appropriate
This makes it harder to enforce basic principles such as least privilege and access reviews.
Organizations may believe they are governing user access, while in reality, a large portion of data access is being driven by systems they cannot clearly identify or control.
Over time, this weakens confidence in access policies and increases the likelihood of data exposure and compliance failures.
3. Insider Risk and Data Exfiltration Become Harder to Detect
Insider threat detection depends on understanding behavior:
- who accessed what
- when they accessed it
- how they accessed it
- why they accessed it
- whether that access makes sense for that person
When activity appears human but is actually driven by non-human identities, this visibility breaks down. Organizations may not be able to tell whether:
- a person accessed that data
- an automated system accessed data
- or a tool accessed data on someone’s behalf
This makes it harder to identify risky behavior, detect data theft, or trace how sensitive data leaves the organization.
In practice, this creates blind spots around:
- which employees pose a risk to the organization
- what data is being exfiltrated
- whether there’s any unauthorized sharing going on
- how sensitive company information is being misused
4. Compliance and Audit Trails Become Less Reliable
Many compliance frameworks rely on audit logs to demonstrate:
- who accessed data
- whether access was appropriate
- whether controls are working
When non-human identities generate activity that looks human, audit trails no longer accurately reflect reality. Logs may show that an employee accessed a file, when in fact an automated system or AI agent did.
This creates risk during:
- regulatory audits
- internal investigations
- and compliance reviews
If organizations cannot clearly distinguish between human and non-human access, they may struggle to prove that data was accessed in accordance with policy and regulation.
5. Security Teams Lose Context About Intent
Human users act with intent.
Non-human identities act based on code and automation.
When these two are mixed together in logs and access models, security teams lose the ability to understand:
- why an action occurred
- whether it was expected
- and whether it represents risk
An action that looks normal for a person may be unusual for a system, and vice versa. Without this context, security teams may miss real threats or waste time investigating activity that was never human in the first place.
Over time, this reduces trust in alerts, logs, and controls.
What Organizations Can Do Today
As non-human identities become responsible for a growing share of SaaS activity, organizations need to rethink how they manage access to data. Traditional user-based controls are no longer enough when systems, bots, and AI agents are accessing sensitive information at scale.
To reduce risk, organizations should focus on three core capabilities: visibility, governance, and remediation - across both human and non-human identities.
1. Establish Unified Data Access Governance
Organizations need a way to govern access to data across their entire SaaS environment, not just at the application or user level.
This includes understanding:
- which identities (human and non-human) exist
- what data they can access
- and whether that access is still appropriate
Without a centralized view of access, it becomes difficult to enforce principles such as least privilege or to ensure that sensitive data is only available to the identities that truly need it.
Effective data access governance treats:
- employees
- service accounts
- bots
- integrations
- and AI agents
…all as part of the same access model, rather than managing them separately or inconsistently.
2. Maintain Continuous Visibility Into Data Access
It is no longer enough to know who should have access. Organizations must also know:
- who actually accessed data
- when it happened
- from where the data was accessed (IP or geolocation)
- and whether the actor was human or non-human
This level of visibility allows security and compliance teams to:
- distinguish user behavior from system behavior
- understand how sensitive data is being used
- and identify unusual or risky access patterns
By clearly separating human and non-human activity, teams regain confidence in audit logs, investigations, and reporting.
3. Automate Risk Remediation
Visibility alone does not reduce risk. Organizations must also be able to act on what they find.
As non-human identities grow in number and activity, manual reviews and ad-hoc fixes do not scale. Instead, organizations need automated ways to:
- remove unnecessary access
- restrict overly broad permissions
- disable unused or risky identities
- and prevent unsafe access patterns from persisting
Automated remediation ensures that access risks are addressed continuously, not just during audits or after incidents.
This shifts security from being reactive to being proactive.
4. Apply the Same Controls to Human and Non-Human Identities
One of the biggest challenges introduced by non-human identities is inconsistency. Human users are often reviewed, monitored, and governed, while non-human identities are not.
Organizations should apply the same core questions to all identities:
- What data can this identity access?
- Why does it need that access?
- Is that access still justified?
When human and non-human identities are governed under the same framework, organizations reduce blind spots and strengthen overall data security.
5. Move From Identity Security to Data-Centric Security
As systems increasingly act on behalf of people, identity alone is no longer a reliable signal of risk. The focus must shift toward the data itself:
- what data is being accessed
- which identity is accessing it
- and under what conditions
By centering governance around data access rather than user accounts alone, organizations can better protect their most sensitive information regardless of whether the actor is a person or a system.
Closing
This report shows that non-human identities now account for a significant share of activity across enterprise SaaS environments. NHIs are increasingly responsible for accessing and interacting with sensitive business data - often while appearing as human users in audit logs.
As this shift continues, organizations face new challenges in understanding who is accessing their data, how that access is being used, and whether it remains appropriate over time.
The findings in this report highlight the need for a more complete approach to data access governance: one that provides visibility into both human and non-human identities, maintains clear oversight of how data is accessed, and enables continuous, automated remediation of risk.
The question is no longer whether non-human identities are present in the environment, but how quickly organizations can evolve to govern them effectively.



