Service accounts and vendor identities often have broad, persistent, and poorly reviewed access, which makes them ideal for lateral movement after initial compromise. If those accounts are not tightly scoped, monitored, and offboarded, attackers can use trusted paths to reach critical systems and amplify disruption far beyond the first infected machine.
Why This Matters for Security Teams
Service accounts and vendor identities are dangerous in a ransomware scenario because they are trusted by design, often carry persistence, and frequently bypass the scrutiny applied to human users. When attackers compromise one of these accounts, they do not need to “break in” again. They can move laterally through approved channels, reach backup systems, disable monitoring, or encrypt shared storage while blending into normal administrative traffic.
This is why NHI governance is now a core ransomware control, not a niche IAM concern. The pattern is especially visible in breach analysis such as the 52 NHI Breaches Analysis, which shows how trusted machine identities become high-value entry points once they are exposed or over-permissioned. NHI Mgmt Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
In practice, many security teams discover the exposure only after ransomware operators have already used a service account or vendor path to expand access across the environment.
How It Works in Practice
Ransomware crews look for identities that are always-on, hard to attribute, and difficult to challenge. Service accounts often fit that model because they authenticate automatically, may be exempt from MFA, and are reused across applications, scripts, and jobs. Vendor accounts add another layer of risk because they frequently arrive with broad support access, delayed offboarding, and weak visibility into what the third party actually can do.
Once compromised, these identities let attackers operate through legitimate tools. They can enumerate directories, access file shares, disable backups, tamper with EDR, or reach hypervisors and cloud control planes. That is why current guidance from the OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0 emphasizes inventory, least privilege, monitoring, and revocation as first-class controls for machine identities.
- Scope each service account to a single workload, not a shared function across teams.
- Replace standing privileges with just-in-time elevation where operationally feasible.
- Review vendor access on a schedule and remove dormant or unused accounts quickly.
- Monitor for unusual time of day, source host, and tool usage patterns on non-human identities.
- Store secrets in a managed vault and rotate them after vendor work, incidents, or staff changes.
NHIMG research highlights the operational gap: only 5.7% of organisations have full visibility into their service accounts, and 92% expose NHIs to third parties, which makes incident containment much harder. These controls tend to break down in legacy environments where application dependencies, hardcoded credentials, and shared admin paths make account-by-account isolation difficult.
Common Variations and Edge Cases
Tighter control over service accounts and vendor access often increases operational overhead, requiring organisations to balance faster support workflows against stronger containment. That tradeoff is real in environments with managed service providers, industrial systems, or long-running batch jobs, where access cannot simply be turned off without business impact.
Best practice is evolving toward tiered access models rather than one-size-fits-all restrictions. For example, some vendors need interactive break-glass access, while others only need API-level connectivity to one application. In those cases, current guidance suggests separating duties, limiting scope to named assets, and using time-bound approvals instead of broad standing entitlements. The same principle applies to automation: if an integration needs a secret to run overnight, that secret should still be short-lived, monitored, and revocable.
There is no universal standard for vendor risk scoring yet, but the direction is clear. Security teams should prioritise identities with privileged reach, shared usage, or unclear ownership, then align remediation with Ultimate Guide to NHIs — Key Challenges and Risks and the Top 10 NHI Issues. The highest-risk edge case is third-party access that persists after the business relationship ends, because it leaves a trusted path open long after controls and expectations have changed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Service account sprawl and weak rotation directly increase ransomware blast radius. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and monitoring are central to limiting trusted lateral movement. |
| NIST AI RMF | The governance function supports accountability for automated identities and third-party access. |
Inventory non-human identities, eliminate standing secrets, and rotate privileged credentials on a fixed schedule.
Related resources from NHI Mgmt Group
- Why do service accounts and secrets with standing access increase risk in cloud environments?
- Why do vendor access and privileged accounts increase hidden risk?
- Why do mergers and acquisitions increase access risk for service accounts and privileged users?
- Why do service accounts and vendor credentials increase PCI DSS risk?
