The Ultimate Guide to Non-Human Identities Report

NHI Workshop – The NHI Maturity Model & Risk Based Approach

Introduction to Panel and Session Overview

The session was thoughtfully hosted and facilitated by Jesse Minor, Identity Security Consultant, who humorously described himself as a meme enthusiast and recovering identity chaos addict.

The panel was composed of distinguished experts in the field, including Anthony Viggiano, Former Identity Governance Director at Cigna, Rich Dandliker, Chief Strategy Officer at Vesa and Sriram Santhanam, Senior Director, InfoSec at GAP Inc.

The primary focus of this session was to delve into the complexities of understanding, assessing, and effectively managing the risks associated with non-human identities.

Emphasis was placed on adopting a risk-based approach, which involves prioritizing security efforts based on the potential impact and likelihood of threats related to these identities.

Key Perspectives from Panelists

  • Anthony Viggiano – Supports enhancing user experience while maintaining security. Believes that reducing friction can improve policy compliance for NHIs.
  • Rich Dandliker – Highlights misconceptions about NHIs, noting some companies wrongly believe NHIs mean no humans involved. Stresses the importance of hard work and realistic automation efforts.
  • Sriram Santhanam – Emphasizes that managing NHIs isn’t just an upgrade of traditional identity management but requires specialized strategies and a solid understanding of core principles.

90-Day Cleanup Strategy for NHI Chaos

  • Keep – Engage knowledgeable personnel and utilize existing tools like spreadsheets and scanning tools.
  • Kill – Avoid aggressive “kill and scream” tactics initially; focus on risk assessment.
  • Convert – Implement a risk-based approach by:
  • Discovering all NHIs through scans and Active Directory.
  • Prioritize high-risk accounts, e.g., those vulnerable to Kerberoasting.
  • Focus on accounts linked to critical business applications and their entitlements.
  • Most critical risk – Ignoring NHIs can break business operations, so balance security with business continuity.

Challenges and Best Practices in NHI Management

Ownership and Lifecycle

  • Clearly assign ownership for NHIs, starting from provisioning.
  • Shift organizational culture from a purely technical focus to one emphasizing process and accountability.
  • Proper ownership facilitates improved security and lifecycle oversight.

Access Review Strategies

  • Use access reviews as a foundation but tailor them for NHIs.
  • Ask straightforward questions like “Is this account still necessary?” and “Who is responsible for this account?”
  • Move away from spreadsheets; utilize automation and distributed workflows.
  • Adopt an iterative, risk-based review process.

Common Misconceptions and Technical Hurdles

  • Keys vs. Passwords – Keys are more complex, can have many-to-many relationships, and are more dangerous than passwords.
  • Maturity vs. Compliance – Many companies engage in superficial compliance activities, like vaulting accounts without proper rotation or oversight.
  • Visibility – Knowing what NHIs exist is a critical first step; without it, security efforts are ineffective.
  • Credentials and Secrets – Hard-coded credentials and secrets are major vulnerabilities; secret scanning tools help but must be complemented by downstream security controls.
  • Automation – Most organizations overestimate their automation maturity; true automation is hard and often incomplete, especially with legacy systems.
  • False Sense of Security – Relying solely on automation can be risky if foundational inventories and controls are lacking.

Effective Triage and Prioritization

Given the vast number of NHIs that may exist, organizations should focus their efforts on high-value, high-risk identities first. This involves:

  • Addressing orphaned accounts, those with no clear owner or purpose, closing or revalidating them to reduce attack surface.
  • Identifying and filling process gaps that may allow NHIs to persist unnoticed or unmanaged.
  • Prioritizing remediation based on risk level rather than striving for perfection across all identities. Establishing a risk threshold helps determine which issues require immediate attention and which can be deferred.
  • Accepting that some trade-offs are permissible if they do not significantly elevate organizational risk, thereby enabling more pragmatic and achievable security improvements.

Panel’s “Yes or BS” Statements and Insights

  • You can’t secure what you can’t see – Agree. Visibility into NHIs is a fundamental prerequisite for security; however, visibility alone is insufficient. It must be coupled with active risk mitigation strategies.
  • Hard-coded credentials are a breach waiting to happen – Agree. Hard-coded credentials pose significant security risks, especially if they are unprotected or embedded in code, making them prime targets for attackers.
  • The CI/CD pipeline is the most neglected NHI attack surface – Disagree. The CI/CD pipeline is a critical attack surface, it is just one among many, including cloud environments, APIs, and legacy systems.
  • If no one owns it, it won’t get fixed – Agree. Clear ownership is essential for accountability, timely remediation, and ongoing management of NHIs.
  • Secret scanning tools catch more than they break – Agree. These tools are vital for identifying secrets and credentials, but their effectiveness depends on proper integration with downstream security controls and response processes.
  • API keys are the new passwords and are often mishandled – Agree. API keys are frequently stored insecurely in code repositories, accessible to unauthorized users, and often possess high privileges, making their mishandling particularly dangerous.
  • Zero trust is meaningless without NHI – Agree. Implementing zero trust principles without considering NHIs is incomplete; NHIs are integral to defining trust boundaries and access controls.
  • Most companies are overestimating their NHI maturity – Disagree. Many organizations are aware of their limited visibility and capabilities regarding NHIs and are candid about their current state, recognizing the need for improvement.

Final Recommendations for NHI Risk Management

  1. Prioritize Risks – Focus on identifying and mitigating those risks that have the potential to cause the most significant damage or disruption in the shortest amount of time. This targeted approach ensures efficient use of resources and maximum impact.
  2. Establish Clear Ownership – Assign definitive responsibility for each NHI to specific individuals or teams. Clear accountability is crucial for ongoing management, security, and timely remediation efforts.
  3. Master the Fundamentals – Before attempting complex automation or advanced strategies, organizations must first understand where their accounts are located, how they are used, and their basic operational characteristics. Building a solid foundation is essential for effective security management.
  1. Focus on Reducing Inherent Risk – Progress in NHI management is not merely about achieving compliance or ticking boxes; it is about continuously lowering the inherent risks associated with NHIs. Maturity is a journey of ongoing improvement aimed at minimizing potential vulnerabilities.

Closing Remarks

The session concluded with a strong emphasis on the importance of adopting a risk-based mindset when managing NHIs. Establishing clear ownership, mastering foundational practices, and understanding that true maturity involves actively reducing risks rather than just fulfilling compliance requirements are key takeaways. The panelists expressed gratitude for the engaged participation and insightful questions from attendees, reinforcing the collective need to approach NHI management with diligence, strategic thinking, and a focus on continuous improvement.

#1 Authority in NHI Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs).

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.