That makes more sense :)
I guess you could look at auto-merge for those repositories that don’t have the “branch must be up to date” rule enforced; ¯\_(ツ)_/¯.
I’m not sure how you are currently automating; but if you are using GitHub apps / probot then this API should help :) https://developer.github.com/v3/pulls/#update-a-pull-request-branch
I totally get your concerns around the machine account permissions; but as with everything there is a trade-off between security, risk, exposure, likelihood and impact against the business benefits…
The only truly secure computing can be found locked away in a basement, disconnected from the internet, and turned off at the power source - which is not super useful :)
Joking aside, using a GitHub app, or OAuth app should allow you to use the least privileged rights to achieve your automation; which is the best possible outcome…
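As an added example (not code from the thread or from GitHub/Probot), here is what a least-privilege call to the "update a pull request branch" endpoint linked above looks like from a small Node.js helper. It assumes an installation token from a GitHub App installed on just the repository in question, with the write permissions that endpoint needs (contents and pull requests), rather than a machine-user personal token; the `doFetch` parameter is injected so the request can be inspected offline. The `expected_head_sha` field is the defensive detail worth keeping: GitHub rejects the update if the PR head has moved since the automation last looked, so it never merges the base into commits it has not seen.

```javascript
// Added example, not from the original thread: keep a PR branch current with
// its base via PUT /repos/{owner}/{repo}/pulls/{pull_number}/update-branch.
// Auth is a GitHub App installation token scoped to one repo (assumption).

const API_BASE = "https://api.github.com";

// Build the HTTP request the endpoint expects. Sending expected_head_sha is
// optional in the API but recommended: if the head changed under us, GitHub
// refuses the update instead of rebasing commits we have not inspected.
function buildUpdateBranchRequest({ owner, repo, pullNumber, expectedHeadSha, token }) {
  if (!Number.isInteger(pullNumber) || pullNumber <= 0) {
    throw new Error("pullNumber must be a positive integer");
  }
  if (!token) {
    throw new Error("an installation token is required");
  }
  const path =
    `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}` +
    `/pulls/${pullNumber}/update-branch`;
  return {
    method: "PUT",
    url: API_BASE + path,
    headers: {
      Accept: "application/vnd.github+json",
      Authorization: `Bearer ${token}`, // short-lived installation token, not a user PAT
      "User-Agent": "branch-updater-example",
    },
    body: JSON.stringify(expectedHeadSha ? { expected_head_sha: expectedHeadSha } : {}),
  };
}

// Perform the update. `doFetch` defaults to the global fetch but can be
// replaced with a stub for testing; only the status code is interpreted.
async function updatePullRequestBranch(opts, doFetch = globalThis.fetch) {
  const req = buildUpdateBranchRequest(opts);
  const res = await doFetch(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
  // 202: GitHub accepted the update and is merging the base in asynchronously.
  // 422: expected_head_sha no longer matches, or the branch is already current.
  //      Either way the safe action is to do nothing and re-check on the next event.
  if (res.status === 202) return { updated: true };
  if (res.status === 422) return { updated: false, reason: "head changed or already up to date" };
  throw new Error(`update-branch failed: HTTP ${res.status}`);
}
```

In a Probot app this would run from a `pull_request` or `push` handler on the base branch, with the token coming from the app's installation for that repository, so the only thing the automation can ever do is what that single installation's permissions allow.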