Subscribe to the Non-Human & AI Identity Journal

Standing foothold risk

Standing foothold risk is the exposure created when an attacker can keep usable access in an environment after the initial compromise. It combines persistence, weak detection, and delayed revocation, allowing the attacker to widen access and prepare destructive actions.

Expanded Definition

Standing foothold risk describes the operational danger that follows when an attacker retains usable access after an initial intrusion. In NHI environments, that foothold often exists through service accounts, API keys, tokens, certificates, or delegated agent permissions that were never revoked, rotated, or detected.

This concept sits at the intersection of persistence, identity governance, and delayed response. It is not simply “the attacker is still inside”; it is the specific condition where the access path remains valid enough to support reconnection, lateral movement, or staged abuse. That makes it closely related to the identity controls discussed in the NIST Cybersecurity Framework 2.0, especially around continuous monitoring and access governance. In NHI practice, standing foothold risk is often amplified by long-lived secrets and weak offboarding, as covered in Ultimate Guide to NHIs – Key Challenges and Risks and Top 10 NHI Issues.

The most common misapplication is treating a blocked login as a resolved incident, which occurs when valid non-human credentials, sessions, or trust relationships still remain active in adjacent systems.

Examples and Use Cases

Rigorous containment of standing foothold risk often introduces operational friction, requiring organisations to weigh rapid revocation against the chance of breaking production workflows or agentic automations.

  • An API key used by a build pipeline is stolen, but the key remains valid for weeks because rotation is manual and no alert fires on unusual use.
  • A service account compromised during phishing of an engineer still has broad permissions, so the attacker returns later through a trusted integration path.
  • An AI agent is granted tool access for a one-time task, but its token is never expired, leaving a reusable foothold for follow-on activity.
  • A third-party integration is decommissioned without revoking its certificates, creating an access path that survives the original incident response.
  • After a cloud alert, the team closes the visible intrusion but misses cached credentials in CI/CD variables, enabling the attacker to re-enter.

These patterns are consistent with NHI breach reporting in the 2024 ESG Report: Managing Non-Human Identities, which shows how compromised NHIs can drive repeat incidents. They also align with the persistence and revocation concerns described in the NIST Cybersecurity Framework 2.0.

Why It Matters in NHI Security

Standing foothold risk matters because compromised non-human identities rarely stop at the first system they touch. Once an attacker has a durable identity path, they can enumerate assets, expand privileges, stage exfiltration, and wait for a better moment to act. That makes delayed detection especially damaging in NHI-heavy environments where machine access is both trusted and highly automated.

NHIMG research shows how widespread this exposure can be: 71% of NHIs are not rotated within recommended time frames, and 91.6% of secrets remain valid five days after an organisation is notified. Those conditions create exactly the kind of durable access an attacker needs to preserve a foothold, as noted in the Ultimate Guide to NHIs. The governance gap is not just technical; it reflects missing ownership, weak lifecycle controls, and incomplete visibility into where credentials exist and who can use them. The broader risk picture is reinforced by the Ultimate Guide to NHIs – Why NHI Security Matters Now.

Organisations typically encounter standing foothold risk only after an intrusion resurfaces through the same identity path, at which point revocation, rotation, and trust reconstruction become operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Covers improper secret handling and persistence paths that enable standing access.
NIST CSF 2.0 PR.AA Identity and access management controls govern durable machine access and revocation.
NIST Zero Trust (SP 800-207) PR.AC Zero trust requires continuous authorization, not durable trust after compromise.
NIST SP 800-63 AAL2 Authenticator assurance informs how resilient tokens and credentials should be.
OWASP Agentic AI Top 10 A3 Agentic systems can retain dangerous tool access after an initial compromise.

Use stronger assurance for machine identities and rotate authenticators on a short cadence.