Skip to main content
Daniel J Glover
Back to Blog

Non-Human Identity: Your Blind Spot

11 min read
CybersecurityIdentityIAMZero TrustAI Security

Your organisation has a growing workforce you have never onboarded, trained, or probably even counted. They have access to your most sensitive systems. They never take holidays, never attend security awareness training, and their credentials often never expire.

Meet your non-human identities. And they are almost certainly your biggest identity security blind spot.

What is a non-human identity (NHI)?

A non-human identity is any digital credential that grants system access without being tied to a human user. This includes service accounts, API keys, OAuth tokens, machine identities, and AI agent credentials. NHIs typically outnumber human users 50:1 to 100:1 in modern cloud environments, yet most organisations lack visibility into their NHI estate and fail to apply the same security controls they use for human identities.

Non-human identity security has emerged as one of the most critical - and most neglected - areas of enterprise security in 2026. As organisations scale artificial intelligence, cloud automation, and API-driven architectures, the population of service accounts, API keys, OAuth tokens, and AI agents has exploded. According to ConductorOne's 2025 Future of Identity Security Report, 51% of security professionals now consider non-human identity security as important as human account security.

Yet most organisations are flying blind.

The Scale of the NHI Problem

The numbers are staggering. In cloud environments, non-human identities (NHIs) outnumber human users by ratios of 50:1 to 100:1. Every microservice, every automation script, every CI/CD pipeline, every AI agent - each creates identities that require access to systems and data.

Consider a typical modern enterprise:

  • Hundreds of service accounts for internal applications
  • Thousands of API keys for third-party integrations
  • OAuth tokens for SaaS applications
  • Machine identities for cloud workloads
  • Service principals for infrastructure automation
  • AI agent credentials for autonomous systems

Each of these is a potential entry point for attackers. And unlike human identities, non-human identities typically operate outside the scope of traditional Identity and Access Management (IAM) systems.

The identity gap is real:

As I explored in Identity is the New Firewall, identity has become the primary control plane for modern security. But that article focused primarily on human identities. The reality is that human identities are now the minority of your identity estate - and often the better-secured minority.

Identity TypeTypical RatioVisibilityLifecycle ManagementCredential Rotation
Human users1x (baseline)High - in HR systems, ADAutomated with HR eventsRegular via policy
Service accounts10-20xMedium - often undocumentedOften manual, frequently forgottenRarely rotated
API keys20-50xLow - scattered across systemsCreated ad hoc, rarely decommissionedSeldom or never
OAuth tokens10-30xLow - often invisible to ITUser-initiated, unmanagedVaries by provider
AI agentsGrowing rapidlyVery low - new categoryImmature processesUndefined

Why Attackers Love Non-Human Identities

Attackers have noticed what defenders have not. Non-human identities are increasingly the preferred attack vector for sophisticated threat actors.

The attraction is obvious:

Overprivileged by default. Service accounts are frequently granted far more access than they need - often administrative access - because restricting them requires understanding their exact requirements. "Just give it admin" is faster than proper analysis.

Static credentials. Unlike human passwords that are changed periodically (theoretically), service account credentials often remain unchanged for years. API keys created by a developer who left three years ago may still be active today.

No MFA. Multi-factor authentication - standard for human accounts - is rarely applied to service accounts. Authentication is typically single-factor: the credential itself.

Limited monitoring. Security operations centres are tuned for human behaviour patterns. Service account activity at 3 AM is expected, not anomalous. Detecting compromise requires understanding what "normal" looks like for each NHI - knowledge most organisations lack.

No offboarding. When an application is decommissioned, its service accounts often are not. When an integration is discontinued, its API keys remain active. When a vendor relationship ends, their OAuth tokens persist.

The result: attackers who compromise a non-human identity often have broad access, with credentials that work indefinitely, with minimal detection risk.

The OWASP NHI Top 10 Framework

Recognising the growing threat, OWASP launched the Non-Human Identities Top 10 - a community-driven framework identifying the most critical NHI security risks. Developed by security experts from leading organisations, it provides a standardised vocabulary and prioritisation for NHI security.

The Ten Risks

NHI1: Improper Offboarding Non-human identities persist long after their purpose ends. Decommissioned applications leave orphaned service accounts. Departed employees leave behind personal API keys. Discontinued integrations retain active OAuth tokens.

NHI2: Secret Leakage Credentials exposed in source code, configuration files, logs, or error messages. Secrets committed to Git repositories. API keys in client-side code. Connection strings in stack traces.

NHI3: Vulnerable Third-Party NHI Third-party applications and services granted OAuth access to your environment may themselves be compromised. A breach at your CRM vendor becomes a breach in your systems via the tokens you granted them.

NHI4: Insecure Authentication Weak authentication mechanisms for non-human identities. Long-lived tokens. Hardcoded credentials. Missing certificate validation. Insecure credential storage.

NHI5: Overprivileged NHI Non-human identities with access far exceeding their requirements. Service accounts with administrative privileges. API keys with full read-write access when read-only would suffice.

NHI6: Insecure Cloud Deployment Configurations Cloud workload identities misconfigured to allow excessive access. IAM roles too permissive. Instance profiles granting unneeded capabilities. Cross-account access overly broad.

NHI7: Long-Lived Secrets Credentials that never expire. API keys unchanged for years. Service account passwords that have not rotated since creation. Certificates valid for decades.

NHI8: Environment Isolation Non-production NHIs with access to production systems. Development service accounts connecting to production databases. Test API keys with production privileges.

NHI9: NHI Reuse Single credentials shared across multiple applications or purposes. One API key used by multiple integrations. Service accounts shared across teams. Tokens reused across environments.

NHI10: Human Use of NHI Humans using service accounts or machine credentials for interactive access. Shared "system" accounts for administrative convenience. API keys used in place of personal credentials.

Securing Non-Human Identities in Practice

Addressing NHI security requires a combination of technical controls and governance processes. Here is a practical framework.

Discovery and Inventory

You cannot secure what you cannot see. The first step is comprehensive discovery:

  • Scan Active Directory and identity providers for service accounts and machine identities
  • Audit cloud IAM for service principals, workload identities, and cross-account roles
  • Review source code repositories for embedded credentials
  • Catalogue API integrations and their associated tokens
  • Map OAuth grants across SaaS applications

Most organisations are shocked by what they find. The discovered inventory is typically 5-10 times larger than the known inventory.

Classification and Ownership

Every non-human identity needs:

A documented purpose. What does this identity do? Why does it exist?

A human owner. Who is accountable for this identity? This is not optional - unowned identities are ungoverned identities.

A classification level. What sensitivity of data can this identity access? What would be the impact of its compromise?

A review date. When will this identity be evaluated for continued need?

Least Privilege Enforcement

Apply the same least privilege principles to NHIs that you (hopefully) apply to human identities:

  • Right-size permissions. Grant only the access actually required, not the access that is convenient.
  • Scope narrowly. Limit to specific resources, not resource types or entire environments.
  • Prefer read-only. Default to read access; require justification for write access.
  • Time-bound where possible. Just-in-time access for NHIs is harder but not impossible.

Credential Hygiene

The technical controls for credential security:

Secrets management. Centralise credential storage in solutions like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. No hardcoded credentials. No credentials in source code.

Automated rotation. Credentials should rotate automatically on a schedule appropriate to their risk. Days to weeks for high-sensitivity credentials; months for lower sensitivity.

Ephemeral credentials. Where possible, use short-lived credentials that expire automatically. OAuth tokens with short lifetimes. Temporary AWS credentials via IAM roles.

Certificate-based authentication. For machine-to-machine communication, mutual TLS with short-lived certificates is more secure than static secrets.

Monitoring and Detection

NHI activity needs security monitoring like human activity - but with different baselines:

  • Establish behavioural baselines for each NHI. What times does it authenticate? What resources does it access? What data volumes does it process?
  • Alert on anomalies. Authentication from unexpected sources. Access to resources outside normal patterns. Unusual data volumes.
  • Integrate with SIEM. NHI authentication and access events should flow to your security operations alongside human events.

As discussed in Zero Trust: It's Not a Product, It's a Strategy, continuous verification applies to non-human identities too.

NHI Governance and Lifecycle Management

Technical controls alone are insufficient without governance processes to ensure they are applied consistently.

Lifecycle Stages

StageHuman IdentityNon-Human Identity Challenge
CreationTriggered by HR hire eventAd hoc, often undocumented, no standard process
ProvisioningAutomated based on roleManual, often with excessive initial permissions
ReviewAnnual access certificationRarely reviewed; no standard cadence
ModificationRole change triggers re-provisioningModifications undocumented; scope creep common
DeprovisioningTriggered by HR terminationNo trigger; manual and frequently forgotten

Governance Framework

Creation standards. Define who can create NHIs, what approval is required, and what documentation is mandatory. No more ad hoc service account creation.

Ownership assignment. Every NHI must have a human owner at creation. Ownership transfers when people change roles or leave.

Regular certification. Owners must periodically certify that NHIs are still needed and appropriately permissioned. Quarterly for high-risk; annually for lower-risk.

Automated deprovisioning. Where possible, tie NHI lifecycle to application lifecycle. When the application is decommissioned, its identities are decommissioned.

Exception management. Document and time-limit exceptions. No permanent exceptions to security requirements.

AI Agents: The Emerging Challenge

The rise of agentic AI introduces a new category of NHI that existing frameworks struggle to address.

AI agents are autonomous, dynamic non-human identities that can reason, delegate, and act across systems without direct human input. Unlike traditional service accounts, AI agents may:

  • Initiate their own authentication requests
  • Request access to resources dynamically
  • Delegate work to other agents
  • Modify their own behaviour based on learning

This creates governance challenges traditional NHI frameworks do not address. As I discussed in AI Governance: Controls That Work, AI governance is still maturing - and AI agent identity is one of its most complex frontiers.

The OWASP Agentic AI Top 10 extends the NHI framework specifically to address AI agent risks.

NHI Security Maturity Assessment

Assess your current NHI security posture:

Level 1: Unaware

  • No inventory of non-human identities
  • No ownership assignments
  • No credential rotation
  • No specific monitoring
  • Service accounts created ad hoc

Level 2: Reactive

  • Partial inventory exists
  • Some ownership documented
  • Manual credential rotation (rare)
  • Incident-driven monitoring
  • Basic creation standards

Level 3: Defined

  • Comprehensive inventory
  • All NHIs have assigned owners
  • Scheduled credential rotation
  • Baseline monitoring in place
  • Formal creation and approval process

Level 4: Managed

  • Automated discovery and inventory
  • Ownership certification enforced
  • Automated credential rotation
  • Behavioural analytics for detection
  • Least privilege enforcement

Level 5: Optimised

  • Real-time visibility and control
  • AI-driven anomaly detection
  • Zero standing privilege for NHIs
  • Continuous verification
  • Integrated with identity governance

Most organisations are at Level 1 or 2. Reaching Level 3 should be the immediate goal for 2026.

Building Your NHI Security Programme

Non-human identity security is not a product to buy or a project to complete. It is a capability to build - one that will become increasingly critical as automation and AI expand.

Start here:

  1. Discover your NHIs. You will find more than you expect. Much more.

  2. Assign ownership. No unowned identities. Period.

  3. Implement secrets management. Get credentials out of code and into vaults.

  4. Establish rotation. Start with your highest-risk credentials.

  5. Monitor NHI activity. Add NHI events to your security operations visibility.

  6. Integrate with governance. Include NHIs in access certification and lifecycle management.

The organisations that thrive in 2026 will be those that recognised early: non-human identities are not a niche concern for cloud teams. They are a primary attack surface requiring the same governance rigour as human identities.

Your non-human workforce is growing faster than your human workforce. It is time to manage them with the same discipline.

Strengthening Your Identity Security Programme

Building comprehensive identity security - covering both human and non-human identities - requires strategic planning and systematic implementation. My IT management services help organisations assess their identity security posture, implement governance frameworks, and build programmes that address the full spectrum of identity risk.

Get in touch to discuss your identity security challenges.

Related reading: Identity is the New Firewall | Zero Trust: It's Not a Product, It's a Strategy | AI Governance: Controls That Work

Share this post

DG

Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.

Related Posts

13 January 2026

Identity-first security strategy

The network perimeter is dead. Discover why Identity and Access Management is now the primary control plane for modern security architecture and strategy.

9 March 2026

Network Segmentation Guide

A practical guide to network segmentation strategy for IT leaders, from VLANs and microsegmentation to zero trust alignment.

7 March 2026

PAM Strategy for IT Leaders

A practical guide to privileged access management strategy that protects your most sensitive systems without crippling productivity.

Let's Work Together

Need expert IT consulting? Let's discuss how I can help your organisation.

Get in Touch