TL;DR: Cyber beyond human is a compliance and risk problem, pointing to MFA bypass research, NHI discovery gaps, and risky configuration exposure across hybrid environments, according to Oasis Security. The underlying issue is that governance for machine identities, secrets, and delegated access still lags the speed and spread of non-human access.
At a glance
What this is: This is a compliance and risk overview of non-human identity security, with examples showing how MFA gaps, stale accounts, and unrotated credentials create exposure.
Why it matters: It matters because IAM and security teams have to govern NHI, human, and increasingly agentic access through the same lifecycle and control models, or risk blind spots in audit, access reviews, and response.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps.
👉 Read Oasis Security's blog on cyber beyond human compliance trends and security risks
Context
Cyber beyond human describes the part of identity security that covers service accounts, tokens, certificates, API access, and other machine identities that operate outside normal user login flows. The compliance gap is that many programmes still assume access is tied to a person, a password, or a visible sign-in event, which is not true for NHIs.
This article is really about the mismatch between modern control expectations and hybrid identity reality. When dormant machine accounts, unrotated credentials, and MFA edge cases sit inside the same environment, audit readiness and operational security start to depend on discovery, ownership, and lifecycle control rather than just authentication policy.
Key questions
Q: How should security teams handle non-human identities in compliance programmes?
A: Security teams should treat non-human identities as governed assets, not implementation leftovers. That means assigning owners, recording business purpose, enforcing rotation and retirement, and including machine access in audit evidence. If the identity cannot be explained, reviewed, and revoked, it is outside effective governance.
Q: Why do service accounts and API keys create audit risk?
A: Service accounts and API keys create audit risk because they often persist without clear ownership, consistent review, or visible user login events. Auditors care whether access is justified and controlled. If the organisation cannot show lifecycle management and access provenance, the control environment is incomplete.
Q: What breaks when machine credentials are not rotated?
A: When machine credentials are not rotated, stale access accumulates and the organisation loses confidence that the secret still reflects the intended scope. Old credentials can survive after personnel, vendors, or applications change. That turns a small administrative miss into a broad exposure problem.
Q: Who is accountable when a non-human identity is over-privileged?
A: Accountability should sit with the system owner, the application owner, and the identity governance process that approved the access. Over-privileged machine identities usually exist because no one owned the full lifecycle. If ownership is unclear, remediation slows and exposure persists.
Technical breakdown
Why MFA edge cases still matter for machine access
Multi-factor authentication reduces risk for human sessions, but it does not solve the broader problem of machine identity sprawl. In hybrid environments, attackers often target delegated access paths, legacy integrations, or service credentials that bypass interactive login controls entirely. That means the security model has to account for both authenticated people and non-interactive identities that authenticate differently. The practical issue is not only whether MFA works, but whether the environment has mapped every non-human access path that MFA never touched in the first place.
Practical implication: inventory non-interactive access paths separately from human authentication flows and treat them as a distinct control surface.
Stale accounts, ownership gaps, and unrotated credentials
A non-human identity becomes dangerous when no one can prove who owns it, why it exists, or when it was last changed. Stale accounts persist after projects end, credentials remain valid after rotation windows pass, and consumers of the account often outlive the business purpose that created it. That is a lifecycle failure, not just a hygiene issue. In governance terms, access review cannot correct what discovery never found, and ownership cannot be enforced where the account has no accountable custodian.
Practical implication: tie every NHI to an owner, a purpose, and a rotation or retirement date before it is allowed into production.
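As an added illustration, not code from the article or from Oasis Security, the following Python script applies the lifecycle rule above (owner, purpose, rotation date, retirement date) together with the earlier point about inventorying non-interactive access separately from human logins. The record schema, the team names, the fixed "today" and the sample records are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed inventory schema for non-interactive identities. Human accounts are
# deliberately absent from this table: machine access is tracked as its own control surface.
@dataclass
class NHIRecord:
    name: str
    kind: str                  # service_account, api_key, token, certificate
    owner: Optional[str]       # accountable custodian; None if nobody is recorded
    purpose: Optional[str]     # business reason the identity exists
    last_rotated: date
    rotation_days: int         # maximum permitted secret age under policy
    retire_on: Optional[date]  # planned retirement date; None if never set
    consumers: Tuple[str, ...] # systems that present this credential

TODAY = date(2026, 5, 1)                            # fixed so the checks are reproducible
ACTIVE_OWNERS = {"payments-team", "data-platform"}  # assumed list of teams that still exist

# Constructed sample records: one healthy, one orphaned legacy key, one past retirement.
SAMPLE_RECORDS = [
    NHIRecord("billing-svc", "service_account", "payments-team", "nightly invoice export",
              TODAY - timedelta(days=30), 90, TODAY + timedelta(days=365), ("billing-worker",)),
    NHIRecord("legacy-etl-key", "api_key", "analytics-old", None,
              TODAY - timedelta(days=400), 90, None, ("warehouse",)),
    NHIRecord("ci-deploy-token", "token", None, "deploy pipeline",
              TODAY - timedelta(days=10), 30, TODAY - timedelta(days=5), ("ci-runner",)),
]

def lifecycle_findings(records, today=TODAY, active_owners=ACTIVE_OWNERS):
    """Return (nhi_name, finding) pairs for every identity outside the lifecycle policy."""
    findings = []
    for r in records:
        if not r.owner:
            findings.append((r.name, "no owner recorded"))
        elif r.owner not in active_owners:
            findings.append((r.name, f"orphaned: owner '{r.owner}' is no longer active"))
        if not r.purpose:
            findings.append((r.name, "no business purpose recorded"))
        age = (today - r.last_rotated).days
        if age > r.rotation_days:
            findings.append((r.name, f"rotation overdue by {age - r.rotation_days} days"))
        if r.retire_on is None:
            findings.append((r.name, "no retirement date"))
        elif r.retire_on < today and r.consumers:
            findings.append((r.name, "past retirement date but still has consumers"))
    return findings

def admission_ok(record, today=TODAY, active_owners=ACTIVE_OWNERS):
    """Production gate: an NHI is admitted only if it produces no lifecycle findings."""
    return not lifecycle_findings([record], today, active_owners)

def findings_by_owner(records, today=TODAY):
    """Group findings by custodian so each team receives its own remediation list."""
    by_owner = {}
    owner_of = {r.name: r.owner or "<unowned>" for r in records}
    for name, finding in lifecycle_findings(records, today):
        by_owner.setdefault(owner_of[name], []).append(f"{name}: {finding}")
    return by_owner

if __name__ == "__main__":
    for owner, items in findings_by_owner(SAMPLE_RECORDS).items():
        print(owner)
        for item in items:
            print("  -", item)
```

The same `lifecycle_findings` routine serves both as a periodic review report and, through `admission_ok`, as the gate that keeps an unowned or undated identity out of production in the first place; an "unowned" bucket in the grouped output is itself a finding for the governance process, not just for the team.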
Compliance pressure now follows access sprawl
Regulators and auditors care less about whether an identity is human or machine and more about whether the organisation can explain access, prove control, and show remediation. As NHI counts increase, compliance evidence becomes harder to assemble because the relevant artifacts are scattered across cloud platforms, secrets stores, directories, and application logs. That is why NHI governance is increasingly an audit-readiness problem as much as a technical one. The organisation that cannot inventory access will struggle to certify control.
Practical implication: build evidence collection around NHI discovery, ownership, rotation, and offboarding so audit requests can be answered without manual reconstruction.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Cyber beyond human is really a governance story about identity scope, not just compliance posture. Machine identities are now part of the access fabric, but many programmes still treat them as implementation detail. That leaves gaps in ownership, rotation, and retirement that auditors eventually surface as control failures. The practitioner conclusion is simple: if the identity is not visible in governance, it is not governed.
Stale non-human identities create a compliance debt that compounds over time. Every unrotated secret, orphaned token, or forgotten integration increases the gap between stated policy and actual access. This is not just a security issue, it is evidence that lifecycle controls are not operating across the full identity estate. Teams should expect audit pressure to move from policy existence toward proof of operational control.
Cyber beyond human expands the scope of what access review has to cover. Human recertification alone does not address service accounts, API keys, or workload credentials that never appear in a user-centric review process. The field needs broader identity governance that can see non-interactive access as first-class identity, not a side case. Practitioners should align review scope to the actor type, not the tool category.
Identity blast radius is the named concept this topic exposes. Once a machine credential is shared across services, applications, or environments, the practical blast radius is larger than the team usually models. That blast radius is shaped by where the credential is accepted, how long it remains valid, and whether anyone can revoke it cleanly. The conclusion for practitioners is to govern reach, not just issuance.
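To make the blast-radius argument concrete, here is an added Python example (not from the article or from Oasis Security) that models the three factors named above: where a credential is accepted, how long it stays valid, and whether it can be revoked cleanly. The trust map, the credential metadata and the weighting used in `exposure_score` are constructed assumptions for illustration.

```python
from collections import deque

# Constructed trust map. ACCEPTS: which systems accept each credential.
# REACH: which downstream systems or data stores each system can reach with that access.
ACCEPTS = {
    "svc-token-A": ["api-gateway", "batch-runner"],   # one shared token, two entry points
    "db-password-B": ["reporting-db"],
}
REACH = {
    "api-gateway": ["orders-service", "customer-db"],
    "batch-runner": ["customer-db", "export-bucket"],
    "orders-service": ["payments-vendor"],            # reach extends to a third party
    "reporting-db": [],
    "customer-db": [],
    "export-bucket": [],
    "payments-vendor": [],
}
# Constructed credential metadata: remaining validity and whether a clean revoke path exists.
CREDENTIALS = {
    "svc-token-A": {"days_valid_remaining": 400, "revocable": False},
    "db-password-B": {"days_valid_remaining": 20, "revocable": True},
}

def blast_radius(cred, accepts=ACCEPTS, reach=REACH):
    """Every system or data store reachable if this one credential is abused (BFS over the trust map)."""
    seen = set()
    queue = deque(accepts.get(cred, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(reach.get(node, []))
    return seen

def exposure_score(cred, accepts=ACCEPTS, reach=REACH, credentials=CREDENTIALS):
    """Assumed weighting: reach multiplied by remaining lifetime, doubled when no clean revoke path exists."""
    meta = credentials[cred]
    score = len(blast_radius(cred, accepts, reach)) * meta["days_valid_remaining"]
    return score * 2 if not meta["revocable"] else score

def revocation_plan(cred, accepts=ACCEPTS):
    """Where the credential must be removed for a revocation to actually take effect."""
    return sorted(accepts.get(cred, []))

def ranked(credentials=CREDENTIALS):
    """Credentials ordered by exposure, highest first, for governance prioritisation."""
    return sorted(credentials, key=lambda c: exposure_score(c, credentials=credentials), reverse=True)

if __name__ == "__main__":
    for cred in ranked():
        print(cred, "reach:", len(blast_radius(cred)), "score:", exposure_score(cred),
              "remove from:", revocation_plan(cred))
```

The point the numbers make is the one the paragraph makes: the shared, long-lived, non-revocable token reaches six systems including a vendor, while the short-lived database password reaches one, so governing reach means ranking by what a credential can touch, not by how many credentials were issued.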
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how repeat exposure follows weak lifecycle control.
- For the governance response, see Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for the identity lifecycle controls that turn discovery into remediation.
What this signals
Compliance programmes are moving from policy proof to identity proof, and that shift is especially acute for non-human access. When a machine identity cannot be tied to an owner, purpose, and retirement path, the control story is already weak even if the technology stack looks mature.
Identity blast radius: the practical risk is no longer whether an account exists, but how far it can move through applications, environments, and vendors before anyone can intervene. That is why lifecycle evidence and access provenance will matter more in audit cycles than broad statements about secure configuration.
Teams that align NHI governance with NIST Cybersecurity Framework 2.0 will be better positioned to prove Identify, Protect, Detect, and Recover outcomes across both human and machine access.
For practitioners
- Map every non-interactive access path: Inventory service accounts, API keys, tokens, certificates, and delegated application access separately from human identities. Record where each credential is used, who owns it, and which systems can consume it so gaps do not hide inside broad directory views.
- Attach lifecycle controls to each NHI: Require an explicit owner, business purpose, rotation schedule, and retirement trigger before a machine identity is allowed to persist in production. Review orphaned or duplicated credentials first, because they usually represent the highest hidden risk.
- Treat MFA as incomplete for machine governance: Use MFA improvements for human authentication, but do not let them substitute for discovery of secrets, service accounts, and application-level trust paths. Separate the control evidence for interactive logins from the evidence for non-interactive access.
- Build audit evidence around access provenance: Keep logs and records that show when each NHI was created, approved, rotated, consumed, and retired. That evidence should be searchable by application, owner, and environment so compliance requests can be answered without manual reconstruction.
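The last item, and the earlier "Compliance pressure now follows access sprawl" section, both ask for a provenance trail that records created, approved, rotated, consumed and retired events and can be searched by application, owner and environment. The following Python example is added here and is not the article's or Oasis Security's code; the event schema, field names and sample events are constructed assumptions. It checks the trail for the gaps an auditor would ask about (an identity used without approval, or used after retirement) and answers a scoped evidence request.

```python
from datetime import date

# Constructed provenance trail. In practice these rows would be assembled from the
# secrets store, the IAM approval workflow, and application or platform logs.
EVENTS = [
    {"nhi": "billing-svc", "event": "created",  "ts": "2026-01-10", "actor": "payments-team", "app": "billing",   "env": "prod"},
    {"nhi": "billing-svc", "event": "approved", "ts": "2026-01-11", "actor": "iam-review",    "app": "billing",   "env": "prod"},
    {"nhi": "billing-svc", "event": "rotated",  "ts": "2026-04-01", "actor": "secrets-store", "app": "billing",   "env": "prod"},
    {"nhi": "billing-svc", "event": "consumed", "ts": "2026-04-20", "actor": "billing-worker","app": "billing",   "env": "prod"},
    {"nhi": "legacy-etl-key", "event": "created",  "ts": "2026-02-01", "actor": "analytics-old", "app": "etl",   "env": "prod"},
    {"nhi": "legacy-etl-key", "event": "consumed", "ts": "2026-02-15", "actor": "warehouse",     "app": "etl",   "env": "prod"},  # never approved
    {"nhi": "ci-deploy-token", "event": "created",  "ts": "2026-03-01", "actor": "platform",   "app": "ci",      "env": "ci"},
    {"nhi": "ci-deploy-token", "event": "approved", "ts": "2026-03-02", "actor": "iam-review", "app": "ci",      "env": "ci"},
    {"nhi": "ci-deploy-token", "event": "retired",  "ts": "2026-04-25", "actor": "platform",   "app": "ci",      "env": "ci"},
    {"nhi": "ci-deploy-token", "event": "consumed", "ts": "2026-04-28", "actor": "ci-runner",  "app": "ci",      "env": "ci"},  # used after retirement
]

def timeline(events, nhi):
    """All events for one identity in chronological order (ISO dates sort lexically)."""
    return sorted((e for e in events if e["nhi"] == nhi), key=lambda e: e["ts"])

def provenance_gaps(events):
    """Return (nhi, gap) pairs where the trail cannot show legitimate, controlled access."""
    gaps = []
    for nhi in sorted({e["nhi"] for e in events}):
        first = {}  # earliest date of each event type
        for e in timeline(events, nhi):
            first.setdefault(e["event"], date.fromisoformat(e["ts"]))
        if "created" not in first:
            gaps.append((nhi, "no creation record"))
        if "approved" not in first:
            gaps.append((nhi, "no approval on record"))
        for e in timeline(events, nhi):
            if e["event"] != "consumed":
                continue
            when = date.fromisoformat(e["ts"])
            if "approved" in first and when < first["approved"]:
                gaps.append((nhi, f"consumed on {e['ts']} before approval"))
            if "retired" in first and when > first["retired"]:
                gaps.append((nhi, f"consumed on {e['ts']} after retirement"))
    return gaps

def evidence_for(events, **filters):
    """Answer a scoped audit request, e.g. evidence_for(EVENTS, app='billing') or env='prod', event='consumed'."""
    hits = [e for e in events if all(e.get(k) == v for k, v in filters.items())]
    return sorted(hits, key=lambda e: e["ts"])

if __name__ == "__main__":
    for nhi, gap in provenance_gaps(EVENTS):
        print(f"{nhi}: {gap}")
    print(len(evidence_for(EVENTS, app="billing")), "billing events on record")
```

Because `evidence_for` filters on any recorded field, the same trail answers "show me everything this owner approved", "show me every consumption in production" and "show me the rotation history of this application" without reconstructing the story by hand, which is the audit-readiness point the section makes.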
Key takeaways
- Cyber beyond human exposes a governance gap where machine identities exist, but ownership and lifecycle controls do not keep up.
- The scale is already material, with most organisations reporting or suspecting NHI breaches and repeated incidents after compromise.
- The control that changes the outcome is not broader policy wording, but visible ownership, rotation discipline, and auditable retirement of non-human access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Unrotated credentials and stale accounts are central to the article's risk model. |
| NIST CSF 2.0 | PR.AC-4 | The post centers on controlling and reviewing access for non-human identities. |
| NIST Zero Trust (SP 800-207) | SC-4 | Hybrid access paths require continuous verification beyond interactive logins. |
Extend access control and review evidence to service accounts, tokens, and application trust paths.
Key terms
- Non-Human Identity: A non-human identity is any machine or software identity used to access systems, data, or services. It includes service accounts, API keys, tokens, certificates, workloads, bots, and AI agents when they authenticate or authorize actions on their own behalf.
- Identity Blast Radius: Identity blast radius is the amount of access, systems, and data reachable if one credential is abused or mismanaged. For non-human identities, it is shaped by where the secret is accepted, how broadly it is reused, and how quickly it can be revoked or retired.
- Lifecycle Governance: Lifecycle governance is the discipline of managing identity from creation through review, rotation, and retirement. For NHIs, it requires ownership, purpose, expiry, and offboarding controls because machine access often outlives the people and projects that created it.
- Access Provenance: Access provenance is the record of how an identity was created, approved, used, and withdrawn. In NHI governance, it is the evidence trail that lets teams prove an account is legitimate, explainable, and still within its intended access boundary.
Deepen your knowledge
Cyber beyond human security risks and non-human identity lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still mapping machine access by hand, it is worth exploring.
This post draws on content published by Oasis Security: Cyber beyond human: Compliance Trends & Security Risks. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org