The hidden threat in your stack: Why non-human identity management is the next cybersecurity frontier

About the Author

Dennis Fisher

Dennis Fisher is an award-winning journalist who has been covering information security and privacy since 2000. He is one of the co-founders of Threatpost and previously wrote for TechTarget and eWeek, when magazines were still a thing that existed. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. His work has appeared in The Boston Globe, The Improper Bostonian, Harvard Business School’s Working Knowledge, and most of his kids’ English papers.

14 May 2025

Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks to an ever-expanding array of apps and services that must work together and identify one another on the fly. In some enterprises, NHIs now outnumber human identities by as much as 50-to-1.

However, NHIs introduce unique risks and management challenges that have security leaders on high alert. Forty-six percent of organizations have experienced compromises of NHI accounts or credentials over the past year, and another 26% suspect they have, according to a recent report from Enterprise Strategy Group.

It’s no wonder NHIs — and the difficulties they present with oversight, risk reduction, and governance — have been a recurring topic at Okta’s CISO Forum. Here, we’ll explore their rise, risks, and how CISOs and security leaders are managing them today.

The spectacular rise of NHIs

The rise in NHIs can be traced to increasing use of cloud services, AI and automation, and digital workflows. It’s a trend that’s likely to continue, as more and more tasks are automated and humans are less of a part of the equation. 

NHIs allow apps to authenticate to one another, both inside a specific domain and with third-party applications like cloud services. Those secrets, keys, and tokens are just as sensitive as the credentials used by humans, and in some cases, even more so, as they can provide adversaries with powerful access to specific applications and services if they’re leaked. 

CISOs are taking notice. In fact, over 80% of organizations expect to increase spending on non-human identity security.

According to Mark Sutton, CISO at Bain Capital, "Non-human identities have become a focus for teams based on the maturity of their identity and access management programs. It's quickly becoming the next hottest fire because people have somewhat solved for user identities. The natural progression is then to start looking at service accounts and machine-to-machine non-human identities, including APIs." 

Simply put, once organizations establish strong protocols for securing human identities, the logical next step is tackling NHIs. “That, and non-human identities are a part of the threat landscape, and it’s where attackers are going next.”

Secret leakage and other risks of NHIs

Like any other set of credentials, NHIs are sensitive and need to be protected. But while humans can employ robust security measures such as MFA or biometrics to protect sensitive credentials, NHIs often rely on less secure measures for authentication. That can make them easy targets for attackers. 

Leakage of NHI secrets can also be a serious concern. This can happen in a number of ways, whether it’s through hard-coding them into an application’s source code or accidentally copying and pasting them into a public document. Secret leakage is a significant problem, and secrets often show up in public GitHub repositories. In fact, security firm GitGuardian found more than 27 million new secrets in public repositories last year. This poses an even larger problem when you consider that NHI secrets are not rotated very often in most environments, so the useful life of a leaked secret could be quite long. 
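The hard-coding path described above is the one a repository check can catch before a commit reaches a public remote. The following is an added example, not code from the article or from Okta: a minimal scanner that flags two well-known key formats and any quoted literal assigned to a secret-looking variable name. The sample file is constructed; its AWS key ID is the one from AWS's own documentation, not a live credential.

```python
import re

# Added example: a minimal pre-commit style check for the leakage path the article
# describes (secrets hard-coded in source). Patterns and the sample file are constructed.
KNOWN_FORMATS = {
    # AWS access key IDs are 20 characters beginning with "AKIA"
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GitHub classic personal access tokens begin with "ghp_"
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Any quoted literal of 8+ characters assigned to a secret-looking name
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*[\"']([^\"']{8,})[\"']"
)
PLACEHOLDERS = ("example", "changeme", "<", "${")   # obvious non-secrets to ignore

def mask(value: str) -> str:
    """Keep a 4-char prefix so a finding is recognisable without echoing the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan(source: str) -> list:
    """Return (line_no, kind, masked_value) for every suspected hard-coded secret."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                hits.append((no, kind, mask(m.group(0))))
        m = ASSIGNMENT.search(line)
        if m and not any(p in m.group(2).lower() for p in PLACEHOLDERS):
            hits.append((no, "hardcoded_credential", mask(m.group(2))))
    return hits

# Constructed sample file; the AWS key ID is AWS's documented example, not a live key.
SAMPLE_SOURCE = """\
import os, boto3
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = "s3cr3t-Pr0d-2024!"
api_key = os.environ["API_KEY"]   # the right way: injected at runtime, never committed
"""

if __name__ == "__main__":
    for line_no, kind, shown in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} {shown}")
```

Line 4 of the sample is the pattern the scanner should stay quiet on: the secret is read from the environment at runtime rather than committed.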

And, because they often require broad and persistent permissions to perform tasks, NHIs can accumulate excessive permissions, further increasing the attack surface. All of this makes NHIs a prime target for attackers and a major challenge for CISOs and their security teams. 

Three challenges CISOs face in securing NHIs

While NHIs are now on CISOs’ radar, securing them is another story. Here are three challenges we’re hearing from CISOs, and how they’re managing them:

  1. Gaining visibility. The biggest hurdle in trying to secure and manage NHIs is actually finding them. Visibility into where NHIs lie in an environment can be limited, and discovering all or even most of them is a difficult task. Many organizations have thousands of NHIs that they didn’t even know existed. The old adage “you can’t secure what you don’t know about” holds true here. That means discovering and inventorying NHIs is critical. Implementing an identity security posture management solution can help admins and security professionals identify NHIs across their organization.   

  2. Risk prioritization and reduction. The next challenge is prioritizing the risks associated with the NHIs in the environment. Not all NHIs are created equal. Finding the most powerful NHIs and identifying over-privileged NHIs is a key step in securing these identities. Many service accounts and other NHIs have far more privileges than they actually need, which can create risks for the organization. Identifying high-value NHIs and adjusting privileges and permissions can help reduce that risk. “It’s about understanding the blast radius associated with each non-human identity and asking ‘what’s the risk?’ Not all NHIs carry the same threat,” Sutton stressed.

  3. Establishing governance. With so many NHIs being created today, governance has become a real thorn in the side for CISOs. But when they’re not properly governed, bad things can happen — take, for instance, the series of Internet Archive breaches tied to unrotated tokens in October 2024. Often, NHIs are created by developers to serve short-term needs, but they’re rarely tracked or decommissioned properly. Understanding who’s creating NHIs, how they’re creating them, and for what purpose is a good first step. Then, security teams must establish a clear process for managing them so non-human identities can’t be created arbitrarily. “We have to think about what our authentication and password policies are,” says Sutton. “For instance, there are likely many service accounts with weak, static passwords that haven’t been rotated for years. How do we make sure we’re managing those?”  
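The three steps above (inventory, blast-radius prioritization, governance checks on ownership and rotation) can be turned into a single review pass over a discovered inventory. The following is an added example with constructed data, not Okta's code or a vendor API: each record is the shape an identity security posture management pass might produce, and the assumed thresholds (90-day rotation, the list of broad scopes) are illustrative.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Added example (constructed data): one record per discovered identity, the shape an
# identity security posture management (ISPM) inventory pass would produce.
@dataclass
class NHI:
    name: str
    owner: Optional[str]      # None = nobody claims it, a governance gap
    scopes: List[str]
    last_rotated: date
    credential: str           # "static_password", "api_key" or "short_lived_token"

TODAY = date(2025, 5, 14)                        # fixed so results are reproducible
MAX_AGE_DAYS = 90                                # assumed rotation policy
BROAD_SCOPES = {"admin", "*", "iam:*", "s3:*"}   # constructed list of high-blast-radius scopes

def blast_radius(nhi: NHI) -> int:
    """0-3: how much an attacker could do with this credential if it leaked."""
    score = 2 if any(s in BROAD_SCOPES for s in nhi.scopes) else 0
    if len(nhi.scopes) > 5:
        score += 1
    return min(score, 3)

def findings(nhi: NHI, today: date = TODAY) -> List[str]:
    """Risk and governance issues for one identity; an empty list means clean."""
    issues = []
    age = (today - nhi.last_rotated).days
    if age > MAX_AGE_DAYS:
        issues.append(f"unrotated:{age}d")
    if nhi.owner is None:
        issues.append("no_owner")
    if nhi.credential == "static_password":
        issues.append("static_password")
    if blast_radius(nhi) >= 2:
        issues.append("over_privileged")
    return issues

def prioritize(inventory: List[NHI], today: date = TODAY):
    """Rank by blast radius first, then by number of issues: where to start remediation."""
    rows = [(n.name, blast_radius(n), findings(n, today)) for n in inventory]
    return sorted(rows, key=lambda r: (-r[1], -len(r[2]), r[0]))

INVENTORY = [   # constructed sample inventory
    NHI("build-bot", "platform-team", ["repo:read", "artifacts:write"], date(2025, 3, 1), "short_lived_token"),
    NHI("legacy-backup", None, ["admin"], date(2019, 6, 12), "static_password"),
    NHI("ci-deploy-key", "dev-team", ["s3:*", "ec2:describe"], date(2024, 11, 20), "api_key"),
]
```

`prioritize(INVENTORY)` puts the unowned, admin-scoped service account with a years-old static password at the top, which is exactly the "weak, static passwords that haven't been rotated for years" case Sutton describes.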

Final thoughts 

Non-human identities are essential to businesses today, helping them automate processes, enable integrations, and ensure smooth operations. The challenge: They’re difficult to secure and are an enticing target for threat actors because they’re often non-federated, lack MFA, use static credentials, and have excessive privileges.

At the end of the day, non-human identities and human identities may have different characteristics and needs, but both require an end-to-end approach that protects them before, during, and after authentication. NHIs may not be people, but they’re increasingly powerful actors in your environment. That makes securing them not optional, but urgent. 
