The Pyramid of Agents Is Also a Pyramid of Identities
Key Takeaways
- A pyramid of agents is a pyramid of non-human identities. The efficiency multiplier and the identity multiplier are the same number.
- Machine identities outnumber humans by roughly 82 to 1 in large enterprises (CyberArk 2025), and around 42% carry privileged or sensitive access, while 88% of organizations still define “privileged user” as human-only.
- The human-identity security model assumes owners, working hours, and reviewable access. Agents break all three, and 68% of organizations have no identity controls for AI at all.
- Attackers reach lateral movement in about 29 minutes on average and as fast as 27 seconds (CrowdStrike 2026), and an agent estate is pre-wired for the lateral movement they want.
- The bottleneck shifts from provisioning to visibility. You can’t govern at setup what only misbehaves at runtime.
When Anthropic published its piece on recursive self-improvement, the line that traveled was the efficiency one. A 100-person company doing the work of a much larger one, because each person sits atop a pyramid of agents. It’s a striking image, and it’s probably right. But there’s a second diagram hiding inside the first one, and it’s concerning. Every agent in that pyramid is an identity. It authenticates, it carries credentials, it holds permissions, and it acts on systems that matter. Draw an org chart of agents and you’ve also drawn an org chart of non-human identities, each one a door into your environment.

Anthropic was honest about the stakes in its own terms. They wrote that if systems can build their own successors, “the ways we secure them, monitor them, and shape their behavior all grow much more important.” They borrowed Amdahl’s law to make a point about organizations: speed up one part of a process and the bottleneck just moves somewhere else. They even named where it moved for them, human code review became the new constraint once Claude was writing more than 80% of the merged code. I want to take that same logic and point it at security, because the bottleneck moves there too, and almost nobody is pricing it in.
The pyramid is an identity diagram
Start with what an agent actually is, mechanically, once it’s running in your cloud. Plain and simple, it’s a workload. It needs to authenticate to do anything useful, so it holds a credential, a token, an API key, a service-account binding, and a certificate. It also needs permissions, so it’s been granted access to data, to other services, to the ability to spin up more work. The more capable the agent, the broader those permissions tend to be, because a narrowly scoped agent is a less useful one. What’s unique is the same autonomy that makes an agent valuable is the autonomy that makes its identity dangerous.
Now stack them the way the pyramid implies. One human directs a layer of agents, each of those delegates to more agents, and the work fans out. Anthropic described agents that “run code themselves and delegate hours of work to other agents.” Every node in that delegation tree is a separate identity with its own credential and its own grant of access. The efficiency multiplier and the identity multiplier are the same number. You don’t get one without the other. So when the story says a 100-person company can do the work of 10,000, the security reading is that a 100-person company now runs an identity estate sized for something far larger than itself, and it’s mostly machines.
We don’t have to guess at the scale, because the sprawl was already underway before agents showed up to accelerate it. CyberArk’s 2025 Identity Security Landscape, a survey of 2,600 security decision-makers at organizations of 500 employees and up, put it at 82 machine identities for every human.

That ratio is contested across the industry. Other vendors, measuring different populations with different definitions, land anywhere from 45 to 1 up past 140 to 1. The spread itself is what’s important. Nobody agrees on the count because nobody has a clean inventory, and you can’t agree on a number you can’t see. Pick the most conservative figure in that range and the conclusion holds, machines already vastly outnumber people, and agents are about to add to that.
The number that actually matters
The raw ratio is the attention-grabber, but it’s not the load-bearing figure. This one is: in that same CyberArk research, 42% of machine identities have privileged or sensitive access, while 88% of organizations say their definition of a “privileged user” applies only to humans. Those two numbers together is the whole problem in one sentence. The fastest-growing population of privileged accounts in the enterprise is the population that most security programs don’t classify as privileged at all.
The access is privileged; the classification isn’t. That difference, between real privilege and recognized privilege, is the one the human-identity model was never built to cover, and it’s worth being precise about why. Everything we built to govern human access leans on assumptions that machines break. We assume an identity has an owner you can find, so we can ask them why they still need access. We assume a working pattern, a person logs in from roughly the same places at roughly the same hours, so an anomaly stands out. We assume access requests are occasional and reviewable, so a quarterly access review is a meaningful control. We assume a credential gets rotated when someone leaves. Agents satisfy none of these. An agent has no working hours, it authenticates continuously, its “normal” is whatever it was told to do this morning, and when the engineer who spun it up moves on, the agent and its credentials usually just keep running. CyberArk found that 68% of organizations have no identity security controls for AI at all. The control model and the thing it’s supposed to control have come apart.
And here’s where the architecture bites back. We spent a decade learning that identity is the perimeter, that in the cloud the credential is the way in, not the network. We rebuilt programs around that and then we started minting non-human identities by the hundreds of thousands and exempted almost all of them from the controls that insight produced. We learned the lesson and then scaled the exception faster than the rule.
Machine identities move at machine speed
A larger attack surface would be manageable if it were a slow one, but it isn’t. CrowdStrike’s 2026 Global Threat Report clocked the average eCrime breakout time, the gap between an attacker’s first foothold and their first lateral move to another system, at 29 minutes in 2025. The fastest they observed was 27 seconds. The same report found AI-enabled adversary operations up 89% year over year. So the attacker is already operating at machine speed, and we’re handing them an environment where most of the identities also operate at machine speed and most of them aren’t being watched.
Think about what lateral movement means in a pyramid of agents specifically. In a human estate, an attacker who steals one set of credentials has stolen one person’s access and has to work to escalate from there. In an agent estate, the identities are pre-wired to talk to each other. Delegation is the whole design. Agent A is built to invoke Agent B, which is built to call Agent C, each authenticating to the next with standing permissions. An attacker who compromises one node isn’t facing a wall, they’re facing a map, and the map was drawn for them by the same architecture that makes the pyramid efficient. The connective tissue that makes the pyramid productive is the same tissue that makes lateral movement fast. You optimized for agents trusting agents and so did attackers.
This is Amdahl’s law landing exactly where Anthropic said it would, just in a domain they weren’t writing about. Speed up how fast you can stand up agents and the bottleneck doesn’t disappear, it moves. It moves to the question of whether you can see what those agents are doing once they’re live. Provisioning a thousand agents is now cheap. Knowing, at three in the morning, which of those thousand just authenticated to a data store it has never touched before and started reading at volume, that’s the expensive part. That’s the part nobody’s pyramid diagram includes.
You can’t govern at provision time what only misbehaves at runtime
The instinct, when identity sprawl gets named as the problem, is to reach for governance at the front door. Inventory the agents, scope their permissions tightly, rotate their credentials, review their access. All of that is great and you should do it. But it shares a blind spot with every static control: it describes what an identity is allowed to do, not what it’s actually doing right now. A perfectly provisioned agent with perfectly scoped permissions is still a live actor making real calls against real systems, and a stolen credential for that agent inherits every one of those perfect permissions.
This is why the agent identity problem resolves, in the end, to a runtime problem. The questions that actually protect you are behavioral and live. What is this agent doing, not what was it authorized to do. Is this pattern of access normal for this workload, given everything it’s done before, or is it a deviation worth stopping. Which identity, human or machine, is behind the action unfolding on this system in this moment. You can’t answer any of those at provision time, because at provision time nothing has happened yet. You can only answer them by watching behavior as it occurs, with enough context to tell a routine machine action apart from the first step of an intrusion.
None of this is an argument against the pyramid of agents. The efficiency is real and it’s coming whether any of us are ready, which is rather the point. It’s an argument that the celebrated diagram is only half-drawn. Stand up the agents, take the productivity, build the 100-person company that punches like a much bigger one. Just don’t pretend the identities aren’t there. They are the org chart now, mostly machine, mostly privileged, mostly unwatched, and moving at the speed of the adversary who’d love to borrow them.
At Upwind we believe the honest version of this story is this the pyramid is made of identities, and you secure identities by watching what they do at runtime, not by trusting what they were allowed to do at setup. The efficiency is the easy half. Seeing it clearly is the half that’s actually worth building.


