Common Non-Human Identity Security Risks
From hardcoded credentials to over-permissioned SAs to orphaned identities, learn the most common NHI security risks and how to remediate.
Common Non-Human Identity Security Risks
A practical list of the most common Non-Human Identity (NHI) security risks observed in real environments, with detection guidance and remediation.
1. Hardcoded Credentials
Pattern: API keys, SA keys, passwords in code / config / Dockerfiles.
Risk: Leakage; one of the leading breach causes.
Detection:
- Secret scanning (GitHub, GitLab, GitGuardian, Trufflehog).
Remediation:
- Move to secret manager.
- Push protection.
- Rotation playbook.
- Federation.
2. Long-Lived Service Account Keys
Pattern: GCP SA JSON keys / AWS IAM access keys / Azure SP secrets unrotated for years.
Risk: Multi-year exposure window; vendor breach amplification.
Detection:
- Inventory of keys + ages.
Remediation:
- Workload Identity Federation.
- Managed identity.
- Rotation cadence.
3. Over-Permissioned Service Accounts
Pattern: SAs with Editor / Owner / SA Admin / domain-wide / *.All.
Risk: Compromise impact = sum of all permissions.
Detection:
- Granted vs used analysis (IAM Recommender, Access Analyzer, Forestall).
Remediation:
- Right-size to least privilege.
- Quarterly review.
4. Shared Service Accounts
Pattern: One SA used by many workloads / teams.
Risk: No attribution; aggregated permissions.
Detection:
- Audit log analysis; multiple consumers per SA.
Remediation:
- Per-workload SAs.
5. Orphaned NHIs
Pattern: NHIs created by departed employees, retired use cases, or pilots; still active.
Risk: Unmonitored; over-permissioned; persistent attack vector.
Detection:
- No-owner; no-recent-use; workload-deleted.
Remediation:
- Suspend then decommission.
- HR + workload integration.
6. No Owner
Pattern: NHI exists but no human accountable.
Risk: No recertification; no incident response point of contact.
Detection:
- Inventory ownership coverage.
Remediation:
- Auto-detect from creator / first-grant / tags.
- Tag enforcement at creation.
- No-owner SLA.
7. Domain-Wide Delegation Misuse (Workspace)
Pattern: Workspace SA with DwD used routinely.
Risk: SA can act as any user.
Detection:
- List DwD-enabled SAs and their consumers.
Remediation:
- Replace with per-user OBO.
- Remove DwD where unnecessary.
8. Misconfigured Workload Identity Federation
Pattern: WIF pool with no / weak attribute conditions.
Risk: External workloads (any GitHub repo) impersonate cloud identity.
Detection:
- Audit WIF providers.
Remediation:
- Strict conditions per repo / branch / environment.
9. Service Account Impersonation Chains
Pattern: Token Creator / SA User granted broadly enabling SA → SA → SA chains.
Risk: Privilege escalation paths.
Detection:
- Map IAM relationships.
Remediation:
- Per-SA Token Creator; no broad grants.
10. Kerberoasting (AD)
Pattern: User-based SAs with SPN registered; weak passwords.
Risk: Offline cracking; AD takeover.
Detection:
- Find SPNs on user accounts; check password complexity.
Remediation:
- gMSA / dMSA.
- Strong passwords (25+ char) for legacy SAs.
- KAS armoring; FAST.
11. AS-REP Roasting (AD)
Pattern: Accounts with "Do not require Kerberos preauth."
Risk: Offline AS-REP cracking.
Detection:
- AD attribute scan.
Remediation:
- Enable preauth.
12. PAT Sprawl
Pattern: Personal Access Tokens issued forever; many per user; never rotated.
Risk: Token theft; insider risk.
Detection:
- Inventory PATs per user / org.
Remediation:
- Expiry policies.
- Scoped PATs.
- Replace with OAuth where possible.
13. Stale Connected Apps (SaaS)
Pattern: OAuth grants from years ago, no longer used; still active.
Risk: Vendor breach abuse; over-permissioned.
Detection:
- SaaS OAuth grant audit.
Remediation:
- Quarterly review; revoke unused.
14. Vendor SA / App Sprawl
Pattern: Vendor SAs / connected apps with broad scopes.
Risk: Vendor compromise → customer impact (Cloudflare 2023).
Detection:
- Vendor risk assessments; SaaS app inventory.
Remediation:
- Scope minimization.
- Periodic review.
- Vendor isolation.
15. Secret Sprawl
Pattern: Secrets in many locations (vaults, code, configs, CI, drives).
Risk: Leakage; rotation impossible.
Detection:
- Continuous scanning; secret inventory.
Remediation:
- Centralize in vault.
- Eliminate copies.
16. CI Secret Misconfig
Pattern: CI secrets visible in PR builds; in logs; shared across pipelines.
Risk: PR-based secret theft; insider risk.
Detection:
- CI secret access audit; log inspection.
Remediation:
- Branch-protected secrets.
- OIDC federation (no static secrets).
- Log scrubbing.
17. Webhook Signing Reuse
Pattern: Same webhook secret across services; no rotation.
Risk: Compromise of one reveals all.
Detection:
- Webhook configuration audit.
Remediation:
- Per-service secrets.
- Vault.
- Rotation.
18. No Audit / Monitoring on NHIs
Pattern: NHI actions unlogged; no anomaly detection.
Risk: Compromise undetected.
Detection:
- Audit pipeline review.
Remediation:
- Comprehensive logging.
- Centralize to SIEM.
- Anomaly detection per NHI type.
19. Cost / Quota Abuse
Pattern: Vendor API key without budget cap; compromise → bill spike.
Risk: Financial impact; service degradation.
Detection:
- Cost monitoring.
Remediation:
- Per-NHI budgets / rate limits.
- Cost alerts.
20. No Incident Playbook
Pattern: No runbook for compromised NHI / leaked secret.
Risk: Slow / chaotic response.
Detection:
- IR readiness audit.
Remediation:
- Per-NHI-type IR playbooks.
- Tabletop annually.
How Forestall Helps
Forestall continuously detects these risk patterns across cloud / AD / SaaS / K8s / code; risk-ranks; tracks remediation; reports KPIs.
Conclusion
NHI security risks cluster into a finite, well-known set of patterns. Catalog them, detect continuously, prioritize by impact, and remediate systematically. Most have well-understood mitigations — federation, rotation, ownership, lifecycle, monitoring. With these patterns under control, the largest identity surface in your environment becomes a managed asset rather than your biggest blind spot.
Detect and remediate common NHI risks.
Forestall continuously checks NHIs for risk patterns and prioritizes remediation.