← All glossary terms
Non-Human Identities5 min read

What is Non-Human Identity Attack Surface?

The NHI attack surface spans every credential, identity, integration, and trust path attackers can exploit. Learn the layers and how to reduce it.

What is Non-Human Identity Attack Surface?

Definition

The Non-Human Identity (NHI) attack surface is the complete set of NHIs, credentials, integrations, federation paths, and trust relationships an attacker can exploit to gain unauthorized access, escalate privileges, persist, or exfiltrate data.

In modern environments, the NHI attack surface dwarfs the human identity attack surface — by volume, by permissions, and by lack of monitoring.

In simple terms:

The NHI attack surface = every place an attacker can touch a non-human identity in your environment.


Why It Matters

  • NHIs are the most-targeted identity surface in modern breaches.
  • NHI attack surface grows daily (cloud, SaaS, AI).
  • Without inventory, you can't measure or reduce.
  • Compliance frameworks require explicit NHI surface analysis.

NHI Attack Surface Layers

1. Identity Surfaces

  • Service accounts (AD, cloud, SaaS).
  • Workload identities.
  • OAuth client applications.
  • Personal Access Tokens.
  • API keys.
  • Bots / agents.

2. Credential Surfaces

  • Passwords / secrets.
  • Service account keys (JSON, PEM).
  • OAuth client secrets.
  • Refresh tokens.
  • Certificates (private keys).
  • SSH private keys.
  • Webhook signing secrets.

3. Federation Surfaces

  • Workload Identity Federation pools.
  • OIDC trust relationships.
  • SAML federation.
  • Cross-cloud federation.

4. Delegation Surfaces

5. Integration Surfaces

  • SaaS-to-SaaS integrations.
  • Vendor-to-customer integrations.
  • CI/CD integrations.
  • Webhook endpoints.

6. Trust Relationship Surfaces

  • Cross-tenant trust.
  • Cross-cloud trust.
  • Multi-org trust.

7. Storage Surfaces

  • Secret managers.
  • Code repositories.
  • Container registries.
  • Backup files.
  • Configuration management.

8. Operational Surfaces

  • Audit log gaps.
  • Monitoring blind spots.
  • Lifecycle gaps (orphans).
  • Lack of ownership.

9. Supply-Chain Surfaces

  • Vendor SAs in your environment.
  • Third-party integrations.
  • Open-source libraries with secrets.

10. Configuration Surfaces

  • Misconfigured federation conditions.
  • Over-permissioned roles.
  • Weak rotation cadences.

Common NHI Attacks

1. Credential Theft

  • From code, logs, vendor breach, dev machine.

2. Long-Lived Secret Abuse

  • Leaked years-old credential.

3. Federation Misuse

  • Weak attribute conditions enable impersonation.
  • Trick user into granting malicious app broad scopes.

5. Service Account Impersonation Chain

  • Hop SA → SA → SA via Token Creator misconfig.

6. Domain-Wide Delegation Abuse

  • Workspace SA acts as users.

7. Kerberoasting (AD)

  • Crack user-SA Kerberos tickets offline.

8. AS-REP Roasting

  • SAs without preauth.

9. Workload Identity Misuse

  • Misconfigured WIF pool grants impersonation.

10. CI Secret Theft

  • CI environment exposes secrets.

11. Vendor Breach

  • Vendor SA / app compromise → customer impact.

12. Insider Theft

  • Departing employee retains personal NHI access.

Real-World Examples

1. Cloudflare 2023

Stolen Okta service account token (vendor breach) used to access internal systems. Mitigation: vendor risk; per-vendor isolation; anomaly detection.

2. Storm-0558 (Microsoft)

Stolen signing key forged tokens; accessed Exchange Online mailboxes. Mitigation: signing key access controls; HSM; audit hardening.

3. Toyota GitHub Leak

SA key in public repo for 5 years. Mitigation: secret scanning + push protection + rotation.

4. Snowflake 2024

Customer credentials (no MFA) abused for data exfiltration. Mitigation: vendor MFA enforcement; anomaly detection; vendor risk.

5. WIF Misconfiguration

WIF pool with no attribute conditions allowed any GitHub repo to impersonate. Mitigation: strict conditions per repo / branch.


Reducing the Surface

Identity Surfaces

  • Inventory.
  • Decommission orphans.
  • Per-purpose, per-workload identities.

Credential Surfaces

  • Eliminate static where possible (federation).
  • Rotate; secret manager.
  • No hardcoding.

Federation Surfaces

  • Strict attribute conditions.
  • Audit + monitor.

Delegation Surfaces

  • Bound OBO scopes.
  • Avoid domain-wide delegation.
  • Per-SA impersonation grants.

Integration Surfaces

  • Vendor risk assessment.
  • Scope minimization.
  • Periodic review.

Trust Surfaces

  • Justify cross-trust; minimize.

Storage Surfaces

  • Centralize in vaults.
  • Secret scanning everywhere.

Operational Surfaces

  • Comprehensive audit.
  • Anomaly detection.
  • Lifecycle management.

Supply-Chain Surfaces

  • Vendor reviews.
  • Periodic re-review.

Configuration Surfaces

  • IaC enforcement.
  • Org Policies.
  • Quarterly review.

Best Practices

  1. Continuous discovery of all NHIs.
  2. Single inventory for all NHIs and credentials.
  3. Threat-model NHI surface per environment.
  4. Federation default; eliminate static where possible.
  5. Bounded delegation.
  6. Vendor risk reviews.
  7. Comprehensive audit.
  8. Anomaly detection.
  9. Lifecycle management.
  10. Quarterly surface review.

Checklist

  • NHI inventory complete?
  • Credential inventory complete?
  • Federation inventory + conditions reviewed?
  • Delegation inventory (OBO, DwD, impersonation)?
  • Integration inventory + vendor risk?
  • Trust relationship inventory?
  • Storage surface (secret managers, repos, registries) reviewed?
  • Audit pipeline complete?
  • Anomaly detection live?
  • Lifecycle management active?
  • Quarterly surface review?

How Forestall Helps

Forestall inventories the NHI attack surface across cloud / SaaS / AD / K8s / code, identifies high-risk paths, and prioritizes reduction.


Frequently Asked Questions

Is the NHI attack surface bigger than human attack surface?

Almost always — by volume of identities, credentials, and integrations.

Where do I start?

Inventory + credential discovery. Then federation + bounded delegation + audit.

How often does the surface change?

Daily — new NHIs, new integrations, new federation. Treat as living inventory.

Are vendor NHIs part of my surface?

Yes — vendor NHIs in your environment are your responsibility to monitor.

How do I prioritize reduction?

Risk-rank by blast radius (data sensitivity, system criticality) × likelihood (credential exposure, federation laxity).


Conclusion

The NHI attack surface is the largest, fastest-growing identity surface in modern environments — and the most-exploited. Inventory continuously, threat-model systematically, federate aggressively, bound delegation strictly, audit comprehensively, and review quarterly. With NHI attack surface management in place, your environment shifts from a sprawling, opaque, easily exploited identity landscape to a measured, manageable, defended one.

Non-Human IdentityIdentity Attack SurfaceIdentity Security

Map and shrink your NHI attack surface.

Forestall inventories every NHI, credential, and trust path.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is the NHI Attack Surface? | Forestall