The Labubu blind box for your enterprise: Unmasking AI agents across industries
Imagine you're a security or IT leader and your organization's digital landscape is a collection of Labubu blind boxes. Each box holds a new AI agent or automated workflow. You know there is a non-human identity (NHI) or machine learning model inside, intended to do something useful, such as accelerating the US Department of Defense's financial audits or analyzing retail customer feedback. But, as with a Labubu, its identity and full characteristics aren't apparent until you look inside.
From collectible to critical: The proliferation and hidden risks of the invisible workforce
Just as Labubu figures range from common to highly sought-after "secret," "hidden," or "chase" editions, NHIs come with varying levels of risk and visibility.
Many are "common" NHIs: easy to deploy, but often granted overly broad permissions and given minimal monitoring, which makes them easy targets for exploitation. This pattern shows up in rapidly deployed Internet-of-Things devices in manufacturing and in customer service chatbots in retail and public administration.
The real challenge comes with the "chase" NHIs, the most elusive variants. These are the truly dangerous unknowns: accounts that started life as human identities and were repurposed for automation, or orphaned service accounts left behind after their human owner was deprovisioned, still active, still holding elevated access, and answering to no one. Like a rare Labubu with features not on the packaging's checklist, these high-privilege NHIs evade standard detection because no lifecycle process owns them. In regulated industries such as the public sector, financial services, and healthcare, where decades-old legacy applications are still in service, dormant credentials like these can be hijacked by attackers to gain unauthorized access to sensitive environments. The sheer volume of secrets leaking into public repositories, over 27 million new ones last year alone, underscores how pervasive the risk is.
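To make the "chase" cases concrete, here is an added example (not the article's own code or any vendor's tool) that audits a constructed NHI inventory for exactly the three patterns above: enabled accounts whose owner is missing or deprovisioned, accounts that are dormant but still enabled, and human logins repurposed as automation. The inventory fields, the active-user directory, the 90-day dormancy threshold and the privilege markers are all assumptions chosen for illustration.

```python
"""Audit a non-human identity (NHI) inventory for ownerless, dormant and
human-converted accounts, ranking privileged ones highest.

Added example; not the article's code. The inventory schema, the active
human directory, the 90-day dormancy window and the privilege markers are
assumptions for illustration.
"""

from datetime import date, timedelta

# Constructed sample: the set of humans still active in the identity provider.
ACTIVE_HUMANS = {"alice", "bob"}

# Constructed sample inventory. In practice this would be assembled from
# cloud IAM, CI/CD secret stores, database roles and legacy app configs.
INVENTORY = [
    {"name": "svc-payroll-batch", "enabled": True, "owner": "alice",
     "last_auth": "2025-08-01", "scopes": ["payroll:read"],
     "converted_from_human": False},
    {"name": "svc-audit-loader", "enabled": True, "owner": "carol",  # carol left the company
     "last_auth": "2025-07-30", "scopes": ["finance:admin"],
     "converted_from_human": False},
    {"name": "legacy-erp-sync", "enabled": True, "owner": None,
     "last_auth": "2023-02-14", "scopes": ["erp:admin", "db:write"],
     "converted_from_human": False},
    {"name": "dave", "enabled": True, "owner": "bob",  # a human login now driving a bot
     "last_auth": "2025-08-10", "scopes": ["ci:read"],
     "converted_from_human": True},
    {"name": "svc-retired-report", "enabled": False, "owner": None,
     "last_auth": "2022-01-01", "scopes": ["reports:read"],
     "converted_from_human": False},
]

# Assumed markers: any scope containing one of these is treated as privileged.
PRIVILEGED_MARKERS = ("admin", "write", "deploy")
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold
SAMPLE_TODAY = date(2025, 8, 20)    # fixed "today" so the sample is reproducible


def is_privileged(scopes):
    """True if any scope carries a marker from PRIVILEGED_MARKERS."""
    return any(marker in scope for scope in scopes for marker in PRIVILEGED_MARKERS)


def audit(inventory, active_humans, today):
    """Return findings for enabled NHIs that match a chase pattern.

    Each finding carries a severity ("high" when privileged, else "medium")
    and the list of reasons it was flagged. Disabled accounts are skipped
    because they cannot authenticate.
    """
    findings = []
    for nhi in inventory:
        if not nhi["enabled"]:
            continue
        reasons = []
        owner = nhi["owner"]
        if owner is None:
            reasons.append("no accountable owner")
        elif owner not in active_humans:
            reasons.append(f"owner {owner} deprovisioned")
        idle = today - date.fromisoformat(nhi["last_auth"])
        if idle > DORMANT_AFTER:
            reasons.append(f"dormant {idle.days}d but still enabled")
        if nhi["converted_from_human"]:
            reasons.append("human identity repurposed as NHI")
        if reasons:
            severity = "high" if is_privileged(nhi["scopes"]) else "medium"
            findings.append({"name": nhi["name"], "severity": severity, "reasons": reasons})
    # Highest severity first, then by name for a stable report.
    findings.sort(key=lambda f: (f["severity"] != "high", f["name"]))
    return findings


def run_sample():
    """Audit the constructed inventory against the fixed sample date."""
    return audit(INVENTORY, ACTIVE_HUMANS, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding['severity']}] {finding['name']}: {'; '.join(finding['reasons'])}")
```

Run as-is and the two privileged accounts surface first: the orphaned, dormant ERP sync account and the finance-admin loader whose owner was deprovisioned, followed by the repurposed human login. The same three checks map directly onto questions an inventory should be able to answer for every NHI: who owns it, when did it last authenticate, and how did it come to exist.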
From automation to attack surface: Industry-specific AI risks
NHIs are now the digital backbone of organizations, enabling unparalleled automation and efficiency. Their rapid proliferation across all sectors is driven by the imperative to do more with less.
Yet this growth introduces significant hidden risks due to their complex lifecycles, unique authentication methods, and often decentralized management. Let’s explore how these challenges manifest through industry-specific examples below.
Public sector
AI use in federal agencies has more than doubled in the last year, with approximately 50% of use cases developed in-house. This increased reliance highlights an acute need for secure access across government systems where AI agents enhance productivity and streamline processes like federally funded state benefit programs.
A potential, critical hidden risk: lack of clear ownership and accountability. Pinpointing who — or which agency office — is responsible when an AI agent acts improperly is crucial for public trust and legal adherence, especially given the rapid turnover of agents that can expand the attack surface if not properly managed.
Healthcare
Healthcare organizations are using AI extensively, both for their workforce and to improve the patient experience, with 94% viewing it as core to their operations. But rapid adoption, combined with the sensitivity of patient data, makes the expanded attack surface a prime target for ransomware and data breaches.
A potential, critical hidden risk: unaccountable access to sensitive data. 96% of IT professionals see AI agents as a security risk, yet only 44% of organizations have policies in place to control their behavior. That gap matters in a sector where over 500 million individuals have had their healthcare records stolen or compromised since 2020.
Financial services
Financial services firms are rapidly integrating AI agents to automate fraud detection, credit decisions, and customer interactions; AI adoption among federally regulated institutions in Canada is projected to reach 70% by 2026. Public confidence is growing too: 65% of Americans believe AI can expand access to financial tools for underserved individuals.
A potential, critical hidden risk: insufficient governance. Only 32% of financial firms report having a formal AI governance group, leaving bots, APIs, and automation scripts operating without consistent oversight or defined lifecycle management. These agents can initiate transactions, access customer data, and make decisions, often without the same safeguards applied to human users.
Embedding identity-first controls and formal AI governance is essential to preventing these agents from becoming persistent blind spots that threaten industry security and trust.
Retail and manufacturing
A striking 90% of retail and consumer packaged goods companies are using or evaluating AI today, and an overwhelming 97% plan to increase their AI investments next year. The reason? AI enhances efficiency, reduces operational costs, and, crucially, creates personalized customer experiences at scale.
Today's retailers and direct-to-consumer manufacturers use AI to deliver hyper-personalized shopping experiences, drawing on customer data for tailored product recommendations, dynamic pricing, and targeted promotions that drive loyalty and sales. Generative AI powers virtual try-ons that let customers visualize products like clothing or furniture in their own environments, reducing returns and boosting confidence.
A potential, critical hidden risk: data privacy and security. For AI to truly take off in this industry, customers and businesses alike must trust that it can do its job securely, and currently many of them don't. Data privacy and data security rank among retailers' top worries about AI, cited by 60% and 49% of retailers respectively.
If retailers can't assure their customers' data security, adopting AI could quickly become a liability.
The final unmasking: Your next step
The challenges posed by hidden NHIs are clear across every industry. Don't let the mystery of your enterprise's invisible workforce become your next security incident. Learn how to identify, secure, and manage these critical assets.
Join our interactive webinar, “Guess Who IAM,” on August 26. Inspired by the thrill of unboxing a rare Labubu and the deductive fun of the classic Guess Who board game, this webinar will equip you with strategies to unmask and secure your invisible workforce. Register today.