Because they often persist longer than human sessions and hold broader rights than the original user. Once attackers obtain them, they can blend into normal automation and move through systems without triggering human-centric controls. That is why machine identity governance must focus on privilege scope, ownership, and expiry, not only on user authentication.
Why Service Accounts and Tokens Amplify Phishing Damage
Phishing against a person is usually bounded by that person’s session, approval path, and working hours. Phishing against a service account or token is different. Those secrets can outlive the original login, carry broader permissions, and continue to work inside automation long after an attacker leaves the inbox behind. In practice, that turns one successful lure into repeated, low-friction access across systems.
The risk is not theoretical. NHIMG research on the Guide to the Secret Sprawl Challenge shows how often secrets escape normal controls, while the 2025 State of NHIs and Secrets in Cybersecurity found that 44% of NHI tokens are exposed in the wild. That matters because phishing rarely ends at initial access. Once a token is stolen, the attacker can blend into automated traffic rather than forcing obvious interactive behavior.
Security teams often misread this as a user-awareness problem when the real issue is machine identity scope and expiry. In practice, many security teams encounter token abuse only after downstream data access has already occurred, rather than through intentional detection.
How the Damage Spreads After a Token Is Stolen
A token or service account can be more dangerous than a password because it is already trusted by applications, scripts, and APIs. If the attacker gains it through phishing, the next step is often quiet reuse: mailbox access, CI/CD execution, SaaS API calls, or internal tooling. That is why phishing damage grows when credentials are long-lived, duplicated, or over-privileged. The problem is not only authentication. It is what the secret can do after it is accepted.
Good practice is to treat every secret as a workload capability with a narrow task boundary. That means ownership, scope, and revocation need to be explicit. Current guidance suggests combining privileged access management with short TTLs, JIT issuance, and workload identity so that a token is only valid for a specific purpose. NIST’s NIST Cybersecurity Framework 2.0 supports this through asset visibility, access control, and continuous monitoring.
- Limit tokens to a single application, pipeline, or API path.
- Issue JIT credentials for the shortest task window possible.
- Bind secrets to workload identity rather than static user ownership.
- Revoke on offboarding, pipeline completion, and suspicious reuse.
- Log token use so automated access is distinguishable from human activity.
Attack patterns seen in the Salesloft OAuth token breach and the JetBrains GitHub plugin token exposure show how stolen machine credentials can pivot through trusted integrations without breaking ordinary sign-in alarms. These controls tend to break down when tokens are shared across multiple apps, because attribution and revocation become ambiguous.
Where Teams Get Tripped Up in Real Environments
Tighter token control often increases operational overhead, requiring organisations to balance automation velocity against revocation discipline. That tradeoff is especially visible in CI/CD, SaaS integrations, and AI-enabled workflows where static credentials feel convenient but create durable blast radius. Best practice is evolving, but there is no universal standard for this yet.
One common failure is assuming a service account is “safe” because it is not tied to a person. That assumption breaks when former-employee tokens remain active, when secrets are copied into chat or ticketing systems, or when the same NHI is reused across apps. NHIMG research shows 91% of former employee tokens remain active after offboarding and 60% of NHIs are overused, which makes phishing damage extend far beyond the first compromised account.
Another edge case is incident response. If a token is embedded in an orchestration tool or automation runner, revoking it can halt business processes, so teams delay action. That is why governance must separate identity from convenience and pre-plan break-glass alternatives. The Dropbox Sign breach and the New York Times breach illustrate how credential misuse becomes broader when operational systems depend on secrets that were never meant to be long-lived.
For organisations aligning to modern identity programs, the practical move is to inventory service accounts, remove shared use, enforce expiry, and make revocation automatic. In most environments, the hardest part is not detection. It is replacing static secrets with controls that automation can actually live with.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived NHI secrets increase phishing blast radius and need rotation. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access limits what stolen service tokens can do. |
| NIST AI RMF | AI RMF governance supports accountability for autonomous token-using systems. |
Shorten token TTLs, rotate on use, and revoke exposed NHI secrets automatically.
Related resources from NHI Mgmt Group
- Why do service accounts and API tokens make application exploits worse?
- What are common vulnerabilities associated with service accounts in AI deployments?
- Why do non-human identities create more risk than many human accounts?
- Why do non-human identities create more remediation risk than many human accounts?
