The likelihood that a person will be persuaded or tricked into enabling an attack. In identity programmes, it is most useful when tied to specific workflows such as approvals, password resets, forwarding rules, and exception handling.
Expanded Definition
Human risk is the chance that a person will be persuaded, manipulated, or rushed into taking an action that helps an attacker. In NHI and identity operations, that action often happens inside workflows with authority attached, such as approving access, resetting credentials, changing forwarding rules, or granting exceptions. The term is useful because it ties people risk to a specific control failure, not a vague awareness problem.
Definitions vary across vendors when human risk is treated as awareness training, behavioural scoring, or fraud detection. In NHI governance, the more precise view is operational: a human becomes a risk multiplier when their decision point can create or extend access for an agent, service account, API key, or privileged workflow. That makes human risk adjacent to social engineering, but not identical to it. It also overlaps with control design, because the same person may be low risk in one workflow and high risk in another. The NIST Cybersecurity Framework 2.0 helps frame this as a governance and protection issue rather than a purely user-education problem. The most common misapplication is treating human risk as a generic phishing concern, which occurs when organisations ignore the exact approval or exception workflow an attacker is trying to abuse.
Examples and Use Cases
Implementing human-risk controls rigorously often introduces friction in approval paths, requiring organisations to weigh speed of operations against the cost of tighter verification and escalation.
- A finance manager approves a vendor payment exception after receiving a spoofed urgent request, allowing a fraudulent change to go through.
- An IT admin resets a password or MFA factor for a caller claiming to be an executive, creating a foothold that later reaches service accounts.
- A help desk agent updates mailbox forwarding rules after a convincing pretext, exposing credentials, secrets, or internal messages.
- A platform owner grants a temporary access exception for a bot or agent without validating the request, expanding privilege far beyond the original need.
- An approver clicks through an identity workflow without checking context, enabling misuse of the exact kind described in the Top 10 NHI Issues and related patterns in the Ultimate Guide to NHIs.
These scenarios show why human risk is often about workflow design, not just user intent. A control that relies on a person noticing deception is weaker than one that forces confirmation, context checks, or secondary approval before privilege is changed.
Why It Matters in NHI Security
Human risk matters in NHI security because many of the highest-impact failures begin with a person authorising something that should have been challenged. Once a trusted human approves a reset, exception, or access path, the attacker may gain durable access to tokens, secrets, or service accounts, which then become harder to detect than direct account compromise. That is why NHI governance needs to consider the person at the decision point, not only the machine identity that ultimately gets abused.
The scale of the problem is reflected in NHI breach data: NHI Mgmt Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 97% of NHIs carry excessive privileges. Those numbers matter because human error often becomes the bridge from legitimate workflow to excessive access. The issue is especially relevant in agentic systems, where one approval can unlock multiple downstream actions and where the OWASP NHI Top 10 and NHI guidance both stress that trust decisions must be bounded and auditable. Organisations typically encounter human risk only after a fraudulent approval, privilege escalation, or secret exposure has already occurred, at which point the workflow itself becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV | Human risk is governed through oversight of people and workflows that can create access. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unsafe approval paths and secret exposure are core NHI abuse patterns. |
| OWASP Agentic AI Top 10 | A1 | Agentic systems can be misused when people approve unsafe tool or action requests. |
Review approval and exception workflows so human decisions are monitored and bounded.
