In the realm of cybersecurity, the term identity traditionally conjures images of usernames, passwords, and multi-factor authentication (MFA) prompts. However, an escalating and often overlooked threat is emerging: the proliferation of Non-Human Identities (NHIs). These digital entities, encompassing service accounts, service principals, Snowflake roles, IAM roles, and platform-specific constructs from cloud providers like AWS, Azure, and GCP, are becoming ubiquitous in modern tech infrastructures. Managing NHIs requires a nuanced understanding of their diverse forms and functions.
Secrets: The Currency of Machines
NHIs primarily authenticate using secrets—API keys, tokens, certificates, and other credentials that grant access to systems, data, and critical infrastructure. These secrets are highly coveted by attackers. Alarmingly, many organizations lack comprehensive awareness of the number of secrets they possess, their storage locations, or their usage patterns.
The State of Secrets Sprawl 2025 report revealed two startling statistics:
– 23.7 million new secrets were leaked on public GitHub in 2024 alone.
– 70% of the secrets leaked in 2022 remain valid today.
This widespread exposure is partly due to the absence of MFA for machines. When developers create tokens, they often grant them broader access than necessary to ensure functionality. Expiration dates are frequently disregarded, with some secrets set to remain valid for decades to prevent potential disruptions. This practice prioritizes speed over security, creating a vast attack surface.
Detecting compromised NHIs is inherently challenging. Unlike human users, whose anomalous activities can trigger alerts, machines operate continuously across global networks, making malicious activities less conspicuous. Many of these secrets function as undetected backdoors, facilitating lateral movement, supply chain attacks, and prolonged breaches. The Toyota incident serves as a pertinent example—one leaked secret can compromise an entire global system.
The Rise of the Machines (and Their Secrets)
The transition to cloud-native, microservices-oriented environments has led to an exponential increase in NHIs within organizations. NHIs now outnumber human identities by ratios ranging from 50:1 to 100:1, a trend expected to continue. These digital entities connect services, automate tasks, and drive AI pipelines, each requiring secrets to function.
Unlike human credentials, these secrets are often:
– Hardcoded in codebases.
– Shared across multiple tools and teams.
– Dormant in legacy systems.
– Passed to AI agents with minimal oversight.
They frequently lack expiration dates, clear ownership, and audit trails, leading to secrets sprawl and overprivileged access. Consequently, a single leak can precipitate a significant security breach.
Why the Old Playbook Doesn’t Work Anymore
Traditional identity governance and Privileged Access Management (PAM) tools were designed for human users in centrally managed environments. While effective for enforcing password policies and managing access to internal applications, these tools are ill-equipped to handle the complexities of NHIs.
NHIs differ from human identities in several key aspects:
– Authentication Methods: NHIs rely on secrets rather than passwords and MFA.
– Lifecycle Management: NHIs often lack defined onboarding and offboarding processes.
– Visibility: NHIs can be created and used without centralized oversight, leading to shadow IT.
This divergence necessitates a reevaluation of existing security strategies to effectively manage and secure NHIs.
The Path Forward: Securing Non-Human Identities
To address the challenges posed by NHIs, organizations should consider implementing the following measures:
1. Comprehensive Inventory: Develop a detailed inventory of all NHIs within the organization, including their associated secrets and access privileges.
2. Access Controls: Implement the principle of least privilege, ensuring NHIs have only the access necessary for their functions.
3. Secret Management: Utilize dedicated secret management tools to store, manage, and rotate secrets securely.
4. Monitoring and Auditing: Establish continuous monitoring and auditing of NHI activities to detect and respond to anomalies promptly.
5. Education and Training: Educate development and operations teams on the importance of NHI security and best practices for managing secrets.
By proactively addressing the security of NHIs, organizations can mitigate the risks associated with these digital entities and strengthen their overall cybersecurity posture.
