← All glossary terms
Non-Human Identities4 min read

Common Non-Human Identity Security Risks

From hardcoded credentials to over-permissioned SAs to orphaned identities, learn the most common NHI security risks and how to remediate.

Common Non-Human Identity Security Risks

A practical list of the most common Non-Human Identity (NHI) security risks observed in real environments, with detection guidance and remediation.


1. Hardcoded Credentials

Pattern: API keys, SA keys, passwords in code / config / Dockerfiles.

Risk: Leakage; one of the leading breach causes.

Detection:

  • Secret scanning (GitHub, GitLab, GitGuardian, Trufflehog).

Remediation:

  • Move to secret manager.
  • Push protection.
  • Rotation playbook.
  • Federation.

2. Long-Lived Service Account Keys

Pattern: GCP SA JSON keys / AWS IAM access keys / Azure SP secrets unrotated for years.

Risk: Multi-year exposure window; vendor breach amplification.

Detection:

  • Inventory of keys + ages.

Remediation:


3. Over-Permissioned Service Accounts

Pattern: SAs with Editor / Owner / SA Admin / domain-wide / *.All.

Risk: Compromise impact = sum of all permissions.

Detection:

  • Granted vs used analysis (IAM Recommender, Access Analyzer, Forestall).

Remediation:

  • Right-size to least privilege.
  • Quarterly review.

4. Shared Service Accounts

Pattern: One SA used by many workloads / teams.

Risk: No attribution; aggregated permissions.

Detection:

  • Audit log analysis; multiple consumers per SA.

Remediation:

  • Per-workload SAs.

5. Orphaned NHIs

Pattern: NHIs created by departed employees, retired use cases, or pilots; still active.

Risk: Unmonitored; over-permissioned; persistent attack vector.

Detection:

  • No-owner; no-recent-use; workload-deleted.

Remediation:

  • Suspend then decommission.
  • HR + workload integration.

6. No Owner

Pattern: NHI exists but no human accountable.

Risk: No recertification; no incident response point of contact.

Detection:

  • Inventory ownership coverage.

Remediation:

  • Auto-detect from creator / first-grant / tags.
  • Tag enforcement at creation.
  • No-owner SLA.

7. Domain-Wide Delegation Misuse (Workspace)

Pattern: Workspace SA with DwD used routinely.

Risk: SA can act as any user.

Detection:

  • List DwD-enabled SAs and their consumers.

Remediation:

  • Replace with per-user OBO.
  • Remove DwD where unnecessary.

8. Misconfigured Workload Identity Federation

Pattern: WIF pool with no / weak attribute conditions.

Risk: External workloads (any GitHub repo) impersonate cloud identity.

Detection:

  • Audit WIF providers.

Remediation:

  • Strict conditions per repo / branch / environment.

9. Service Account Impersonation Chains

Pattern: Token Creator / SA User granted broadly enabling SA → SA → SA chains.

Risk: Privilege escalation paths.

Detection:

  • Map IAM relationships.

Remediation:

  • Per-SA Token Creator; no broad grants.

10. Kerberoasting (AD)

Pattern: User-based SAs with SPN registered; weak passwords.

Risk: Offline cracking; AD takeover.

Detection:

  • Find SPNs on user accounts; check password complexity.

Remediation:

  • gMSA / dMSA.
  • Strong passwords (25+ char) for legacy SAs.
  • KAS armoring; FAST.

11. AS-REP Roasting (AD)

Pattern: Accounts with "Do not require Kerberos preauth."

Risk: Offline AS-REP cracking.

Detection:

  • AD attribute scan.

Remediation:

  • Enable preauth.

12. PAT Sprawl

Pattern: Personal Access Tokens issued forever; many per user; never rotated.

Risk: Token theft; insider risk.

Detection:

  • Inventory PATs per user / org.

Remediation:

  • Expiry policies.
  • Scoped PATs.
  • Replace with OAuth where possible.

13. Stale Connected Apps (SaaS)

Pattern: OAuth grants from years ago, no longer used; still active.

Risk: Vendor breach abuse; over-permissioned.

Detection:

  • SaaS OAuth grant audit.

Remediation:

  • Quarterly review; revoke unused.

14. Vendor SA / App Sprawl

Pattern: Vendor SAs / connected apps with broad scopes.

Risk: Vendor compromise → customer impact (Cloudflare 2023).

Detection:

  • Vendor risk assessments; SaaS app inventory.

Remediation:

  • Scope minimization.
  • Periodic review.
  • Vendor isolation.

15. Secret Sprawl

Pattern: Secrets in many locations (vaults, code, configs, CI, drives).

Risk: Leakage; rotation impossible.

Detection:

  • Continuous scanning; secret inventory.

Remediation:

  • Centralize in vault.
  • Eliminate copies.

16. CI Secret Misconfig

Pattern: CI secrets visible in PR builds; in logs; shared across pipelines.

Risk: PR-based secret theft; insider risk.

Detection:

  • CI secret access audit; log inspection.

Remediation:

  • Branch-protected secrets.
  • OIDC federation (no static secrets).
  • Log scrubbing.

17. Webhook Signing Reuse

Pattern: Same webhook secret across services; no rotation.

Risk: Compromise of one reveals all.

Detection:

  • Webhook configuration audit.

Remediation:

  • Per-service secrets.
  • Vault.
  • Rotation.

18. No Audit / Monitoring on NHIs

Pattern: NHI actions unlogged; no anomaly detection.

Risk: Compromise undetected.

Detection:

  • Audit pipeline review.

Remediation:

  • Comprehensive logging.
  • Centralize to SIEM.
  • Anomaly detection per NHI type.

19. Cost / Quota Abuse

Pattern: Vendor API key without budget cap; compromise → bill spike.

Risk: Financial impact; service degradation.

Detection:

  • Cost monitoring.

Remediation:

  • Per-NHI budgets / rate limits.
  • Cost alerts.

20. No Incident Playbook

Pattern: No runbook for compromised NHI / leaked secret.

Risk: Slow / chaotic response.

Detection:

  • IR readiness audit.

Remediation:

  • Per-NHI-type IR playbooks.
  • Tabletop annually.

How Forestall Helps

Forestall continuously detects these risk patterns across cloud / AD / SaaS / K8s / code; risk-ranks; tracks remediation; reports KPIs.


Conclusion

NHI security risks cluster into a finite, well-known set of patterns. Catalog them, detect continuously, prioritize by impact, and remediate systematically. Most have well-understood mitigations — federation, rotation, ownership, lifecycle, monitoring. With these patterns under control, the largest identity surface in your environment becomes a managed asset rather than your biggest blind spot.

Non-Human IdentityIdentity SecurityBest Practices

Detect and remediate common NHI risks.

Forestall continuously checks NHIs for risk patterns and prioritizes remediation.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

Common Non-Human Identity Security Risks | Forestall