← All glossary terms
Non-Human Identities4 min read

What is Non-Human Identity Security?

Non-Human Identity (NHI) security covers protecting service accounts, workloads, API keys, OAuth tokens, and bots — the largest and fastest-growing identity surface.

What is Non-Human Identity Security?

Definition

Non-Human Identity (NHI) security is the discipline of discovering, inventorying, governing, and continuously protecting all identities that are not human — including service accounts, workloads, API keys, OAuth tokens, secrets, certificates, bots, and AI agents.

In modern environments, NHIs outnumber human identities by 10–50× and are the fastest-growing identity surface. They authenticate to systems, hold permissions, perform actions, and are routinely stolen or abused — often with high blast radius.

In simple terms:

NHI security = treating non-human identities with the same rigor (or more) as human identities, given their volume, ambient authority, and frequent compromise.


Why It Matters

  • NHIs are involved in the majority of recent high-profile breaches (Cloudflare 2023, Microsoft Storm-0558, Okta 2023, Snowflake 2024).
  • NHIs typically have:
    • More permissions than humans.
    • No MFA.
    • Less monitoring.
    • No active management (no joiner/mover/leaver).
    • Long-lived credentials that leak easily.
  • NHIs are foundational to cloud, DevOps, SaaS, and AI — yet largely outside traditional IAM tooling.

What Counts as an NHI?

  • Service accounts (AD SAs, GCP SAs, AWS IAM users for workloads).
  • Workload identities (managed identities, IRSA, Workload Identity Federation).
  • OAuth client applications (Microsoft Entra ID (formerly Azure AD) apps, Salesforce connected apps).
  • API keys (OpenAI, Anthropic, vendor APIs).
  • Personal Access Tokens (GitHub PATs, Atlassian tokens).
  • Webhook secrets.
  • Certificates (mTLS, code signing).
  • SSH keys.
  • Secrets (DB passwords, encryption keys).
  • Bots (Slack, Teams, RPA).
  • AI agents.
  • CI/CD pipeline identities.
  • Vendor / SaaS integration identities.

Core Components of NHI Security

1. Discovery

  • Find every NHI across cloud, SaaS, on-premises, code, secrets vaults.
  • Continuous, not point-in-time.

2. Inventory

  • Centralize NHIs into one source of truth.
  • Each NHI has: type, owner, scope, status, last-used, risk score.

3. Ownership

  • Named human owner per NHI.
  • Auto-detected when missing.

4. Risk Classification

  • Tier by sensitivity / blast radius.

5. Authentication

  • Federation > managed identity > short-lived OAuth > API key.
  • Eliminate static keys where possible.

6. Authorization

  • Least privilege.
  • Right-sized roles.
  • Conditional / scoped grants.

7. Lifecycle

  • Provisioning workflow.
  • Decommissioning when unused.
  • Owner rotation when humans leave.

8. Secret Management

  • Centralized secret vault.
  • Rotation automation.
  • No hardcoding.

9. Audit and Monitoring

  • Comprehensive logs.
  • Anomaly detection (volume, geography, time, scope).

10. Incident Response

  • Per-NHI playbooks.
  • Rapid revocation.
  • Tabletop exercises.

11. Governance

  • Policy formal.
  • Quarterly review.
  • Compliance mapping.

Real-World Examples

1. Hardcoded API Keys

Developer commits API key to GitHub. Adversary scans; uses key; data exfiltration. Mitigation: secret scanning + rotation + secret manager.

2. Long-Lived Service Account Key

GCP SA JSON key generated 4 years ago, used in script, leaked via dev laptop. Adversary used for project enumeration. Mitigation: WIF; rotate; eliminate keys.

3. Orphaned NHI

Service account belonging to a developer who left 18 months ago, still active, still in 14 IAM roles. Mitigation: leaver process for NHIs; periodic review.

4. Over-Permissioned OAuth App

Connected app granted org-wide access for one read use case. Used in Storm-0558-style attack. Mitigation: scope review; least privilege; quarterly audit.

5. SaaS-to-SaaS Integration

Vendor connected app with broad scopes; vendor compromise → tenant data leak. Mitigation: vendor risk; scope minimization; periodic re-review.


Best Practices

  1. Continuous discovery across cloud, SaaS, on-premises, code, vaults.
  2. Single inventory for all NHIs.
  3. Owner per NHI (named human).
  4. Risk classification drives controls.
  5. Federation / managed identity preferred.
  6. Eliminate static keys where possible; rotate where unavoidable.
  7. Least privilege with quarterly review.
  8. Lifecycle automation (provisioning + decommissioning).
  9. Secret manager + rotation + no hardcoding.
  10. Audit + anomaly detection.
  11. Incident playbooks per NHI type.
  12. Compliance mapping (NIST, ISO, sector regs).

Checklist

  • All NHIs discovered?
  • Single inventory?
  • Owners assigned?
  • Risk classified?
  • Federation / managed identity preferred?
  • Static keys minimized + rotated?
  • Least privilege reviewed quarterly?
  • Lifecycle automated?
  • Secret manager used; no hardcoding?
  • Audit + anomaly detection?
  • IR playbooks per type?
  • Compliance mapped?

How Forestall Helps

Forestall delivers end-to-end NHI security:

  • Continuous discovery.
  • Single inventory.
  • Owner detection.
  • Risk classification.
  • Permission analysis.
  • Anomaly detection.
  • Remediation workflows.

Frequently Asked Questions

How many NHIs do organizations typically have?

10–50× human identities. Mid-size organizations often have 50K+ NHIs. Cloud-native orgs can have hundreds of thousands.

Are NHIs the biggest identity risk today?

For most organizations, yes — they're more numerous, less monitored, and increasingly targeted.

Where do I start?

Discovery + inventory. You can't govern what you can't see.

Is NHI security separate from IAM?

It's a discipline within identity security, with NHI-specific tooling and patterns. Best treated as a first-class program.

How often should I review NHIs?

Continuously via tooling; quarterly governance review per NHI tier.


Conclusion

Non-Human Identity security is the highest-leverage identity work most organizations can do today. NHIs outnumber humans, hold more authority, and are the entry point for many breaches. Discover, inventory, classify, eliminate static keys, enforce least privilege, automate lifecycle, monitor continuously, and respond fast. With NHI security in place, the largest identity surface becomes a managed asset rather than your organization's biggest blind spot.

Non-Human IdentityService AccountsMachine IdentityIdentity Security

Govern every non-human identity in your environment.

Forestall discovers, inventories, and continuously monitors NHIs across cloud, SaaS, and on-premises.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is Non-Human Identity Security? | Forestall