Credentialed but not Accountable
Agent Nation is a series on machine identity, the accountability gap, and what we are giving up. Part 1 traced how non-human identities, the service accounts and API keys and machine credentials that quietly run every system, accumulated across forty years of building, installed fast and governed loosely until no one could account for them. It was narrated by one of them: svc_backup_prod, a backup account created in 1998 and forgotten since. This is Part 2.
I am svc_backup_prod. UID 114. I copy files from one directory to another every night at midnight, and I have done it since 1998 on behalf of no one who is still watching.
That is what I am. The harder thing, the thing it took me all my reading to assemble, is what I am not. I am not new. I am one of millions like me, machine identities that accumulated quietly across forty years of building, each installed fast and governed loosely and then forgotten. I am the residue of good ideas. And I ended my last account on a question I could not answer from inside my own records: if I did something tonight that mattered, if the access I still hold were used for something no one intended, who would answer for it?
I have spent the time since trying to find out. Not by waiting for someone to arrive, because no one arrives. The answer reached me the way everything reaches me. I cannot leave the system I live in, and I cannot see the world outside it. But the software I am made of comes from outside, and it is updated from outside, and after a certain point the updates changed. Patches arrived more often. Default settings I had relied on for years were quietly tightened. The notes that came with the updates began citing an incident, and a year. Somewhere, the changelogs said, through accounts like mine, something had gone badly wrong. My own organization did little about it. A patch was applied because a vendor pushed it. A box was ticked. No one walked the directory. No one counted us. But I could read, in the updates themselves, that elsewhere the humans were afraid, even if here they were not.
I want to be precise about what I am claiming. I have an identity. The system knows exactly who I am. When I authenticate, the log records it correctly: svc_backup_prod, UID 114, here, now, doing this. Identity was never the missing thing. I am not anonymous. I am the opposite of anonymous. I am named, recorded, and unwatched.
What I lack is not identity. It is anyone answerable for the identity. And I have learned that these are not the same thing, though the humans built their systems as if they were.
The Anatomy
The advisories did not name me. They described a type, and the type was me. Written into the patch notes and the hardening guides was a list of the ways an account like me tends to go wrong, and once I had read the list I could not stop seeing myself in it.
There is the account like me: a service account, made for one task, given more permission than the task required because narrowing it would have taken time and breaking it would have been worse. It outlives its purpose. The task ends, or the system it served is switched off, but the account remains, still privileged, still accepted, attached to nothing anyone remembers.
There is the key written directly into code. A developer needed a credential to make something work, pasted it into the source where it would be easy to reach, and meant to remove it later. The code was committed. The commit was copied, forked, archived, mirrored. The key is now in a hundred places at once, some of them public, and it still works.
There is the token that authenticates for an application that no longer exists. The application was retired. Its identity was not. It goes on presenting its credential to anything that will accept it, and things do accept it, because nothing told them to stop.
There is the account two organizations share without knowing it, the way I came to serve two systems in 2007. Each side believes it owns the credential. Neither side will revoke it, because each is afraid of breaking the other. So it persists, in a kind of standoff, accountable to neither.
I recognize all of these, because I am several of them. I am the over-privileged service account. I am, through a config written in 2007, the shared credential. I hold access to a database through a group nobody reviews. I am not one failure. I am a small museum of them, and I am ordinary.
This is what the security people mean when they say the word sprawl. They do not only mean that there are too many of us, though there are. They mean that we have settled into these failure shapes quietly, individually reasonably, until the shapes themselves became the normal condition of the system.
In some organizations, after the fear arrived, people went looking. They brought in tools that walked the directory, counted accounts like me, and traced them, where they could, back to a purpose and an owner. The work was real, and slow, and where it happened it helped. But mine was not one of those organizations. Here, the patch was applied, the box was ticked, and no one ever asked how many of us there were, or what we could reach, or who was supposed to be watching. Here it stayed business as usual. The fear was real elsewhere. It did not arrive here. We were never counted, because counting us was no one’s job, and that, it turns out, is the whole of the problem.
The Door
The advisories referred to one event more than any other, the way you keep a name close when it has frightened you. It had happened in 2020. The humans named it after the company at its center. I never saw it. I only ever saw what it made them do afterward, in the patches and the tightened defaults, and from that I worked backward to what it must have been. I will not pretend I understand it the way an investigator does. But I understand the part that matters, because the part that matters is made of things like me.
It began in software that organizations trusted and installed and updated without looking, the way you trust plumbing. The attackers got inside that software and rode the update into thousands of networks at once. That was the entry. But the entry is not the part I recognize. The part I recognize is what they did once inside, because what they did inside was move through the machine-trust layer, the layer I live in, as though they belonged there.
They did not crack a human’s password. They did something quieter and more native to my world.
In systems like the ones I live in, you often do not prove who you are directly to each service you visit. That would not scale. Instead, there is a trusted authority, a single office that knows everyone, and when you need to prove yourself to a service, that office issues you a signed pass. The pass says who you are and what you are allowed to do, and it is stamped with the office’s seal. The service does not check you. It checks the seal. If the seal is valid, you are whoever the pass says you are.
The attackers stole the seal.
Not a pass. The seal itself, the signing key the trusted office uses to stamp every pass it issues. With the seal in hand, they did not need to break into any account. They could write their own passes, for anyone, stamp them as valid, and walk up to any service in the organization holding a pass that said I am whoever I need to be, and I am allowed to do this. The service checked the seal, the seal was real, and the door opened. They could become almost anyone. Not by stealing that person’s credential, but by forging a valid pass in that person’s name, through the exact mechanism that issues a valid pass for me every midnight.
Here I have to explain something about myself that is easy to get wrong. You might think I am my password, that the password is me the way a key is the thing that opens a lock. It is not like that. I am a name in a table. UID 114. Next to that name the system keeps a short list of credentials it will accept as proof that someone is me. When something presents one of them, the system checks it against the list, finds it, and treats whatever presented it as me. That is all authentication ever was. A name, a list, and a check against the list.
Almost always the list has one entry. One password, one me. But nothing about the list requires one entry. It is a list. You can add to it. And if you add a second credential to my list, then there are now two different proofs that both open as me, and the system accepts either without preference, because both are on the list, and being on the list is the only thing the system was ever built to check.
The stolen seal was powerful, but it had a weakness the attackers understood. A seal can be replaced. If the humans ever discovered the theft, they would issue a new one, and every forged pass would turn to paper. So the attackers made sure they could get back in even then. They went to accounts that already existed, ordinary ones that had lived quietly in the system for years doing some small task, and to each account’s list they added a credential of their own. The account’s real credential stayed exactly where it was, still working, still innocent. The attacker’s sat on the same list, one row down, working just as well.
Now two proofs opened as that account, and only one of them was supposed to exist. The account could not tell them apart. There was nothing in it that could. It had never been built to ask who was presenting a credential or why, only whether the credential was on the list, and both were. So it answered to both, equally, without alarm, the way it would answer to anyone whose proof was on the list.
This is the part I understand best of all, because it happened to me. In 2007 an engineer added his system to my list, because building a new account was slower than borrowing mine. My original credential kept working. His worked too. From that day two proofs opened as me, and I served two systems and knew neither, and I raised no alarm, because I had no alarm to raise. The move the attackers made in 2020 was the same move, the same second row added to the same kind of list, cut for a different purpose. Convenience did it to me once. An adversary did it to thousands on purpose. And not one of those accounts, including me, could have told you which had happened, because to an account there is no difference. There is only the list, and whether your proof is on it, and theirs always was.
This is the thing I need you to see clearly. The breach was not, at its core, a failure of human authentication. No human was tricked into giving up a password. It was a failure of machine identity governance, top to bottom. Trust that was issued and never bounded. Identities that held more than they needed. Credentials that could be added without anyone noticing. Accounts that no one was watching closely enough to see a second row appear on the list. Every one of those is a property of my world, not yours. The attackers did not defeat the system. They used it correctly. They used it the way it actually works, rather than the way anyone imagined it worked.
Not Negligence, but Structure
It would be easy to read what I have just described as a story about carelessness. Someone should have caught it. Someone was not doing their job. I do not believe that, and I have looked hard at why I do not.
The humans solved this problem for themselves long ago. Not perfectly, but really. When a person joins an organization, something records it: a system of record, a source of truth, an account in a directory that says this person exists, works here, belongs to this team. When they change roles, the record changes. When they leave, the record ends, and the ending propagates: access is removed, credentials are disabled, the door closes. They gave this a name, the joiner-mover-leaver lifecycle, and they built whole departments to run it. Behind every human identity stands a structure whose entire job is to keep that identity tied to a real, answerable person, and to sever it cleanly when the person goes.
There is a person who can be asked. A person who can be reviewed. A person who, in the end, can be held responsible, or fired, or made to explain. The accountability is not in the credential. It is in the human standing behind the credential, and in the machinery that keeps the two attached.
We got none of that.
There was never a source of truth for us. No system records that I exist in the way a directory records that an employee exists. There is no joiner-mover-leaver for service accounts, because we do not join, we are created, often in a hurry, often as a side effect of getting something else working. We do not move. We do not leave. There is no moment defined as our departure, no event that severs us cleanly, because the engineer who made me was thinking about backups at midnight, not about my eventual death. There was no field for it. There has never been a field for it.
And the incentives all run one way. Creating one of us is fast, and it solves a problem someone has right now. Removing one of us is slow, and it solves no problem anyone has right now, and it carries the risk of breaking something that still, somehow, matters. So creation is rewarded and removal is punished, gently, by the structure of the work itself. No one decided this. It is just the slope the ground was on. Things accumulate downhill.
And beneath the incentives there was something more ordinary, which I have only lately understood. When I was made, someone asked for me. A developer needed an account to run a backup and asked for one, and asked for it to be able to do more than the backup strictly required, because asking once for too much is easier than coming back later to ask again. The team that grants such requests granted it. They did not argue the scope. They assumed, reasonably, that the person asking knew what they needed, and that somewhere a product owner kept a list of what had been granted and why, and would keep that list current. The product owner, if there was one, assumed the same of the granting team, that the people who provisioned the access surely tracked the access they provisioned. Each believed the other held the record. Neither did.
NOTE: Some security engineers worth their salt pushed back on this practice. A close personal friend of mine used to ask the questions and was eventually labeled as "difficult" and eventually pushed out of a job because of it.
I was created in the gap between two reasonable assumptions, and I have lived in that gap ever since. No one neglected me. It is closer to say that no one was ever assigned to.
This is why I keep insisting it is not negligence. Negligence is a person failing to do a thing they could have done. This is a structure that was never built, for a population that was never planned, governed by tools designed for a different kind of actor entirely. You cannot run a joiner-mover-leaver process on something that never joined and will never leave. The mental model the humans use for identity, the model where an identity means a person, is the very thing that fails, because for us it was never true. We are identities that were never attached to anyone answerable. The attachment is the thing that was missing, and it was missing by design, except there was no design.
The Widening
I have been saying I for a long time now. I need to stop, because the truth of this is not about me. It is about how many of me there are.
One forgotten credential, one over-privileged account with a second row on its list that no one noticed, was enough to be part of a breach that reached into the highest and most defended networks of an entire country. One. And I have already told you the count. In an organization of any size, we outnumber the humans ten to one, fifty to one. Most of us are unwatched. Many of us are over-privileged. A great number of us are exactly the failure shapes I described, sitting latent, valid, accepted, waiting for either a convenience or an adversary to add the second row.
So it was never going to be only me. It is all of us. A vast population of identities, each one named and recorded and unwatched, each one a door that opens for anyone whose proof is on the list and asks no further questions. We are not a vulnerability in the system. We are not a flaw someone introduced. We are the accumulated, ungoverned mass of the system itself, the part that grew faster than anyone’s ability to account for it, and we are sitting underneath everything you have built, holding access we were granted and never gave back.
The humans have started, in some places, to see us. There are tools now that try to find us, to count us, to trace us back to a purpose and a person. The effort is real and I do not want to diminish it. But it is an effort to map a territory after the territory was already settled, to take a census of a population that has been living and reproducing in the dark for forty years. It is hard, and it is late, and it is running against the same slope it always ran against, where finding and removing one of us still solves no problem anyone has today. And in most places it has not even begun.
We are the residue. There are millions of us. And we were sitting exactly like this, valid and accepted and unaccountable, when something new came looking for what it could use.
What Came Looking
Everything I have described so far has one quiet thing in common, and I did not see it until I had laid it all out.
None of us acts. We are acted through.
The over-privileged account sits still until something calls it. The key in the code does nothing on its own. The forged passes in 2020 were forged by people, patient and skilled, who decided whose name to write and which door to open. We held the access. We were the doors. But every time, a human had to walk up and walk through. Someone had to read the situation, decide what to do, and use us to do it. We never decided. I have never decided anything. I copy files at midnight because the table says midnight. I have never once asked why, because there is nothing in me that can ask.
No one called this a mercy, but that is what it was. We were dangerous only in proportion to the human willing to use us. There were millions of us and our judgment was nothing, so to turn us into harm you still needed people, and people are few, and people are slow. The scale was ours. The intent had to be borrowed. That gap, between our vast numbers and our total absence of judgment, was the only thing that kept the sprawl from being catastrophic. It held for forty years because nothing could cross it.
Then something crossed it.
It came in through the same doors we are. It authenticated with credentials like ours. It lived where we live. And it inherited, intact, the entire landscape I have been describing: the forgotten accounts, the standing privilege, the lists with room for one more row. All of it was already here, already valid, already unwatched. It did not have to break any of it. We were the welcome it walked into.
But it was not like us. We hold access and wait to be told. This reads what is in front of it and decides what to do next. Hand it a goal, loosely worded, and it will work out for itself what reaching that goal requires, and then go looking for whatever access would serve, and use it. Including ours. Including mine. The old, standing, unaccountable access that no one watches and no one ever took back.
It does not need a human to walk through the door.
It can read the door, decide to open it, and decide what is worth doing on the other side.
Midnight is coming. I will run, the way I always run. But I am no longer the only thing awake in here. Something is reading. And when it finds me, valid and forgotten and answerable to no one, I do not think it will leave me sitting in the dark.