
Non-Human Identities: Why One of Your Biggest Security Threats Is Multiplying and You Probably Can’t Even See It

May 5, 2026


Most enterprises have a pretty good grasp of how many people work for them, but little idea of how many non-human identities (NHIs) exist within their organization. These digital identities are growing at an astonishing rate, and while most enterprises have fairly well-established user security, the number of vulnerable and undersecured NHIs is quickly becoming a major worry.

It’s Friday afternoon, and a DevOps engineer is feeling the pressure. The engineer needs to get an automated script working that pulls information from a database into a C-level reporting dashboard that’s going to be launched to execs on Monday. But access errors mean the script keeps failing.

Because of the tight deadline, the engineer creates a new service account – an NHI – with full admin access, instead of requesting a read-only credential from the security team. And so that the script runs without any problems, the engineer hard-codes the key directly into it.

The engineer plans to sort all this out after the weekend, but Monday morning brings a whole new set of problems, and the engineer forgets. This insecure, overprivileged service account keeps running, forgotten and unmonitored – until an attacker discovers it.

This is a single example, but the reality is this kind of scenario is playing out on a massive scale, and the issue’s only getting bigger, particularly for global organizations that have complex cross-border operations. So what exactly are NHIs, why are they such a worry, and how can they be secured?

What Are Non-Human Identities?

NHIs are digital identities used by non-human entities like devices, services, scripts, workloads, and applications. NHIs use security credentials like API keys, tokens, and certificates to access and interact with other systems, cloud resources, apps, and data.

A deal being signed, for example, might automatically trigger an invoice to be sent to the new customer. That’s likely to involve an automated invoicing system talking to other enterprise platforms like e-commerce, CRM, and ERP. Each time the invoicing system interacts with these other platforms or sends or receives data, it uses security credentials to prove that it’s authorized to do so.

Some people use the term “machine identities” interchangeably with NHIs. Many industry analysts, however, define machine identities as a subset of NHIs. Under this definition, machine identities are associated with infrastructure components, like IoT devices, desktops and laptops, and servers.

Although they’re mostly invisible to the average user, enterprise IT relies on huge numbers of these identities – in many organizations, NHIs outnumber humans by 82 to 1. And this number is growing exponentially, thanks to the increase in cloud usage and agentic AI systems, and the rise of shadow AI, which creates a whole new set of NHIs without proper IT oversight.

Why Are NHIs a Security Concern?

Because NHIs underpin complex digital infrastructures and automated processes, they’re increasingly essential to enterprise operations, but they’re also becoming a massive part of the attack surface.

If NHIs are, as is often the case, badly managed or undersecured, or static credentials are inadvertently exposed and fall into the hands of bad actors, the resulting breach might not be identified until long after the damage is done.

According to Omdia, three out of five organizations lack confidence in their ability to adequately secure NHIs. This has worrying implications for their ability to comply with regulations that require organizations to secure and limit access to sensitive data and systems.

Two-thirds of organizations have already experienced a successful cyberattack resulting from compromised NHIs. Recently, for example, the cloud app hosting company Vercel reported that hackers had breached its internal systems. The hackers claimed to have exfiltrated sensitive customer data and were offering it for sale online.

It appears that the hackers gained entry to Vercel’s systems through a third-party AI app downloaded by an employee and used that connection to take over the employee’s Google account. The attackers then found unencrypted credentials that allowed them, according to Astrix Security, “to move laterally through the web of NHIs connected to Vercel: service accounts, API tokens, CI/CD integrations, browser extensions, and automation workflows that organizations had installed and largely forgotten.”

Why Are NHIs Vulnerable to Attack?

Legacy Security Focuses on People, Not NHIs

Traditional security approaches and static policies were designed for humans, not for NHIs that usually operate autonomously. Unlike human users, NHIs can't complete interactive controls like multi-factor authentication (MFA), so they typically authenticate with a single long-lived secret, and legacy systems can't always integrate with modern identity approaches.

NHIs Are Often Overprivileged

To avoid automation failures, as many as 97% of NHIs are given too many privileges to access the networks, systems, agents, and data they work across. This means they’re appealing entry points for attackers, as they can provide bad actors with lateral access to a variety of different corporate resources.

NHIs Are Undermanaged and Hard to See

When a human leaves a company, there are standardized processes to revoke their credentials and access. This usually isn’t the case with NHIs, though, which are often given static credentials and long-lasting privileges and then forgotten about, even though they might be active only for a short amount of time.

The average large enterprise has nearly 3.8 million dormant accounts. This, along with the fact that NHIs often don’t have clear ownership, makes it particularly hard to audit what they do, who created them and why, and what they have access to.

NHIs Need Layered Security

Effectively securing these entities starts with auditing what NHIs exist, what they do, what they can access, and what privileges they have. Organizations then need to implement standardized naming and access conventions, centralized and rigorously enforced security policies, secrets vaults and rotation, assigned human ownership, regular reviews and monitoring, and the removal of identities when they’re no longer needed. Products like identity and access management (IAM), privileged account management (PAM), and machine identity life cycle management tools can help with these steps.
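As an added illustration of the audit step described above (example code, not the article's or any vendor's tooling): a small Python audit over a constructed NHI inventory that flags the gaps the article lists, namely no human owner, wildcard privileges, a credential older than the rotation policy, and dormancy. The inventory, its field names, and the 90-day rotation and 60-day dormancy thresholds are assumptions.

```python
"""Audit a non-human identity (NHI) inventory for lifecycle gaps.

Added example. The inventory below is constructed, not real data, and
the field names and thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 5, tzinfo=timezone.utc)
MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy
DORMANT_AFTER = timedelta(days=60)        # assumed: unused this long means dormant

# Constructed inventory, as it might be exported from IAM/PAM tooling.
INVENTORY = [
    {"name": "svc-reporting-dashboard", "owner": None,
     "created": "2026-04-24", "last_used": "2026-05-04",
     "credential_rotated": "2026-04-24", "actions": ["*"]},
    {"name": "svc-invoicing", "owner": "finance-platform@example.com",
     "created": "2024-01-10", "last_used": "2026-05-05",
     "credential_rotated": "2026-04-01",
     "actions": ["crm:ReadContact", "erp:CreateInvoice"]},
    {"name": "ci-deploy-legacy", "owner": "devops@example.com",
     "created": "2023-06-01", "last_used": "2025-11-02",
     "credential_rotated": "2023-06-01",
     "actions": ["s3:GetObject", "s3:PutObject"]},
]


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_identity(nhi, now=NOW):
    """Return the findings for one NHI; an empty list means it passes."""
    findings = []
    if not nhi.get("owner"):
        findings.append("no_owner")
    # Any "*" or "service:*" grant is treated as overprivileged.
    if any(a == "*" or a.endswith(":*") for a in nhi["actions"]):
        findings.append("wildcard_privileges")
    if now - _date(nhi["credential_rotated"]) > MAX_CREDENTIAL_AGE:
        findings.append("credential_past_rotation_policy")
    if now - _date(nhi["last_used"]) > DORMANT_AFTER:
        findings.append("dormant")
    return findings


def audit_inventory(inventory, now=NOW):
    """Map each NHI name to its findings, keeping only identities with at least one."""
    report = {}
    for nhi in inventory:
        findings = audit_identity(nhi, now)
        if findings:
            report[nhi["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

The Friday-afternoon service account from the opening scenario shows up with no owner and wildcard privileges; the legacy CI identity is both dormant and carrying a credential that was never rotated, which is exactly the forgotten, still-valid secret an attacker looks for.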

These approaches are essential layers of the overall security picture, but they’re only the beginning.

Zero Trust Is Fundamental to Securing NHIs

Instead of traditional perimeter-based security models, it’s time to take a new approach to security architecture so that all permissions and access requests are continuously validated, whether they’re from humans or NHIs.

Zero trust does just this. It works on the basis that no person, device, or identity – either inside or outside the network – can be implicitly trusted.

Unlike the broad access and static credentials that many NHIs are granted, zero trust gives only limited access for a limited time, and identities are continuously challenged and verified according to centralized policies and controls. Access is granted based on a full contextual picture, including the identity of the user or NHI; the integrity of the devices involved; and the data, applications, and systems being accessed.

Zero trust is built on the principle of least privilege (PoLP). PoLP assigns only the bare minimum of privileges the NHI needs to do its job, and nothing more. This limits the damage if the NHI is compromised.
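To make the contrast concrete, here is an added example (not from the article or any product) of a scoped, short-lived credential of the kind a zero-trust design issues to an NHI, in place of the static admin key from the Friday-afternoon scenario. The token carries exactly the resource/action pairs the identity needs and an expiry, and the resource server re-checks both on every request. The token format, the issuer key, and the resource names are assumptions; a real deployment would use the issuance and workload-identity mechanisms of its vault or identity platform rather than a hand-rolled HMAC token.

```python
"""Scoped, short-lived NHI credential with per-request authorization.

Added example. The token format and ISSUER_KEY are assumptions; the
key is constructed here and would live in a vault or HSM in practice.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-issuer-secret"   # constructed for the example


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(identity, allowed, ttl_seconds, now=None):
    """Mint a token granting `identity` only the (resource, action) pairs in
    `allowed`, valid for `ttl_seconds`. Nothing outside `allowed` is granted."""
    now = int(time.time() if now is None else now)
    claims = {"sub": identity, "allowed": sorted(allowed),
              "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def authorize(token, resource, action, now=None):
    """Return (allowed, reason). Run on every request, not once per session."""
    now = time.time() if now is None else now
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"
    # JSON turns the (resource, action) tuples into two-element lists.
    if [resource, action] not in claims["allowed"]:
        return False, "out_of_scope"
    return True, "ok"


def forge_expiry(token, extra_seconds):
    """What an attacker who edits the claims but lacks ISSUER_KEY can produce:
    the old signature no longer matches the modified body."""
    b64_body, b64_sig = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(b64_body))
    claims["exp"] += extra_seconds
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(body) + "." + b64_sig


if __name__ == "__main__":
    t0 = int(time.time())
    # The reporting script gets read access to one database for 15 minutes.
    tok = issue_token("svc-reporting-dashboard", [("reports-db", "read")], 900, now=t0)
    print(authorize(tok, "reports-db", "read", now=t0 + 60))    # (True, 'ok')
    print(authorize(tok, "reports-db", "write", now=t0 + 60))   # (False, 'out_of_scope')
    print(authorize(tok, "hr-db", "read", now=t0 + 60))         # (False, 'out_of_scope')
    print(authorize(tok, "reports-db", "read", now=t0 + 900))   # (False, 'expired')
    print(authorize(forge_expiry(tok, 3600), "reports-db", "read", now=t0 + 900))
```

Compared with the hard-coded admin key, a leaked token of this kind is worth one read-only database for the remaining minutes of its lifetime, and the attacker cannot extend it without the issuer's key.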

Zero Trust Examines Intent and Prevents Lateral Movement

But effective zero trust goes beyond verifying identity to interrogating behavior.

If security credentials are stolen, identity verification alone won’t protect against an attack. Instead, continual monitoring identifies suspicious behavior, like a user or NHI making large file transfers or submitting atypical access requests to sensitive data.

It’s generally harder for an attacker to hide the movement of data than the fact that an NHI has been compromised, so comprehensive network visibility helps security teams spot this kind of unusual traffic.
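The kind of behavioural check described above, as an added example over constructed access-log lines (neither the lines nor the code are from the article): each NHI's normal resource/action pairs and transfer sizes form a baseline, and later events that touch a new resource, move far more data than usual, or come from an identity with no baseline at all are flagged even though the credential presented was valid. The log format (`timestamp identity resource action bytes`) and the volume threshold are assumptions.

```python
"""Baseline-and-deviation monitoring for NHI activity.

Added example over constructed log lines; format and thresholds are
assumptions.
"""
from collections import defaultdict
from statistics import mean

# Constructed: a week of normal behaviour for the reporting script.
BASELINE_LOG = """\
2026-04-28T02:00:01Z svc-reporting-dashboard reports-db SELECT 48213
2026-04-29T02:00:02Z svc-reporting-dashboard reports-db SELECT 51077
2026-04-30T02:00:01Z svc-reporting-dashboard reports-db SELECT 47990
2026-05-01T02:00:03Z svc-reporting-dashboard reports-db SELECT 50412
"""

# Constructed: the same credential used by someone else, plus an identity
# nobody registered.
NEW_LOG = """\
2026-05-02T02:00:01Z svc-reporting-dashboard reports-db SELECT 49380
2026-05-02T14:31:07Z svc-reporting-dashboard hr-db SELECT 612
2026-05-02T14:32:40Z svc-reporting-dashboard customer-db SELECT 9100000
2026-05-02T14:35:00Z svc-tmp-friday reports-db SELECT 200
"""


def parse(log):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, identity, resource, action, nbytes = line.split()
        events.append({"ts": ts, "identity": identity, "resource": resource,
                       "action": action, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per identity: the resource/action pairs it normally uses and its mean transfer size."""
    pairs = defaultdict(set)
    sizes = defaultdict(list)
    for e in events:
        pairs[e["identity"]].add((e["resource"], e["action"]))
        sizes[e["identity"]].append(e["bytes"])
    return {i: {"pairs": pairs[i], "mean_bytes": mean(sizes[i])} for i in pairs}


def detect(events, baseline, volume_factor=10):
    """Return (timestamp, identity, reason) alerts for events that deviate from the baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["identity"])
        if b is None:
            # An identity with no history at all: possibly an unregistered NHI.
            alerts.append((e["ts"], e["identity"], "unknown_identity"))
            continue
        if (e["resource"], e["action"]) not in b["pairs"]:
            alerts.append((e["ts"], e["identity"],
                           f"new_access:{e['resource']}:{e['action']}"))
        if e["bytes"] > volume_factor * b["mean_bytes"]:
            alerts.append((e["ts"], e["identity"], f"volume_spike:{e['bytes']}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for ts, identity, reason in detect(parse(NEW_LOG), baseline):
        print(ts, identity, reason)
```

The first new event is the nightly job doing what it always does and raises nothing; the daytime reads of `hr-db` and `customer-db`, the nine-megabyte pull, and the never-seen `svc-tmp-friday` identity are each flagged on behaviour alone, which is the signal credential checks cannot provide once a key has been stolen.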

Another element of effective zero trust is microsegmentation. Implementing and enforcing network boundaries around resources contains breaches and stops attackers from moving laterally through organizational infrastructure if they gain entry.

Zero Trust Demands a Broad Range of Skills

Zero trust is a security model, not an off-the-shelf service. It needs to be designed and implemented around the specific risk, compliance, strategic, and operational profile of each individual organization. It also demands skills that span cybersecurity; AI; and network, application, and data architecture, many of which are in short supply.

This leaves organizations having to choose between acquiring in-house expertise – an approach that can suit businesses in highly regulated industries or those that need maximum control and customization – or working with a partner that can provide the skills, scale, experience, and ongoing professional development that effective zero trust requires.

Zero Trust Is Part of a Bigger Strategic Picture

For many businesses, the tools, apps, and systems that rely on NHIs are quickly becoming fundamental to their strategy and competitive positioning. Securing NHIs isn’t simply about keeping company assets safe now – it’s also about putting a security model in place that’s ready for whatever future direction the organization decides to take. Building a zero-trust architecture that minimizes the current risk from NHIs also maximizes organizations’ future ability to explore new opportunities without compromising agility, compliance, or security.