TL;DR: Exposed AWS credentials were probed in an average of 17 minutes and sometimes in just 9, and attackers then enumerated model access before attempting unauthorized AI invocations, according to Entro Security. The lesson is clear: LLMjacking is an NHI governance problem, not just a cloud misconfiguration problem.
At a glance
What this is: This is an analysis of how exposed non-human identities enable LLMjacking, with attacker activity moving from reconnaissance to model abuse within minutes.
Why it matters: It matters because IAM and NHI teams need controls that detect, rotate, and constrain machine credentials before automated abuse reaches AI services.
👉 Read Entro Security's analysis of LLMjacking and compromised AWS NHIs
Context
LLMjacking is the abuse of cloud AI services through exposed machine credentials, not through stolen human passwords. For IAM and NHI teams, the problem is that secrets used by agents, workloads, and automation often have broader reach than their owners realise, and exposure can turn into AI abuse before normal detection and response processes react.
The security gap is familiar: secrets leak into code repositories, paste sites, chat tools, and collaboration channels, then attackers test them at machine speed. That makes NHI governance a front-line control for GenAI access, because identity, privilege, and billing all collide once a valid key can invoke models or enumerate AI endpoints.
Key questions
Q: How should teams stop LLMjacking when NHI secrets leak?
A: Teams should assume leaked machine credentials will be tested quickly, then combine secret discovery, immediate revocation, least privilege, and runtime monitoring for AI endpoints. The key is to shorten the leak-to-containment window so that a valid secret cannot be used long enough to enumerate models, burn spend, or generate content.
Q: Why does LLMjacking matter for IAM and NHI governance?
A: LLMjacking turns credential hygiene into a direct control over AI abuse, cloud spend, and policy enforcement. If a machine identity can invoke models, then any secret exposure can become a data, finance, and trust incident at once, which makes NHI lifecycle controls part of core security governance.
Q: What is the difference between secrets rotation and least privilege for AI workloads?
A: Secrets rotation reduces how long an exposed credential stays usable, while least privilege limits what that credential can do if it is stolen. For AI workloads, both are necessary because a fresh secret with broad permissions can still reach model endpoints and create abuse even if exposure was brief.
Q: When should organisations treat model enumeration as suspicious?
A: Organisations should treat model enumeration as suspicious whenever it comes from a machine identity that normally performs routine automation, especially if it appears before any normal application workload. That pattern often means an attacker is mapping the value of the account before attempting unauthorized AI use.
Technical breakdown
How exposed AWS keys become an LLMjacking path
LLMjacking usually starts when a valid non-human credential is exposed and picked up by automated scanning. Once a key is found, attackers do not need to break authentication. They can test permissions, enumerate services, and look for model endpoints that the credential can reach. The important architectural point is that cloud AI access is often just another API permission on the same identity, so the same secret that unlocks storage or telemetry may also unlock model invocation. That creates a single point of failure across data, compute, and GenAI services.
Practical implication: Treat AI service access as part of the NHI attack surface, not a separate concern.
Why attackers enumerate before they invoke models
A common pattern is reconnaissance before exploitation. Attackers first query account value, service availability, and permission scope so they can decide whether a credential is worth using and how noisy the next steps might be. In GenAI environments, that can include checking which foundation models are available, whether billing is active, and whether invocation permissions exist. This behaviour matters because it shows intent to optimise abuse while avoiding early detection. The credential is not just a login token. It is a map of what the attacker can monetize or misuse.
Practical implication: Monitor for low-noise API calls that reveal account value or model inventory before actual AI usage.
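The detection logic below is an added example, not code from the Entro Security report or from NHIMG. It runs over a handful of constructed CloudTrail-style events (TEST-NET addresses, hypothetical identity names) and flags any machine identity that calls Bedrock inventory APIs outside its expected set of actions, rating the finding higher when no routine workload ran first. The `BASELINE` mapping is an assumption; a real deployment would learn it from historical activity rather than hard-code it. The Bedrock API names are real, but the exact call sequence the report observed is not reproduced here.

```python
"""Flag model-enumeration reconnaissance by a machine identity in CloudTrail.

Added example, not code from the Entro Security report or from NHIMG. The
events below are constructed to resemble CloudTrail records, and BASELINE
(the API calls each identity is expected to make) is an assumption that a
real deployment would learn from historical activity.
"""
from datetime import datetime, timezone

# Bedrock control-plane calls that reveal model inventory or entitlement
# without performing any inference. Real API names; which of them the
# attackers in the report used is not stated here.
ENUMERATION_CALLS = {"ListFoundationModels", "GetFoundationModelAvailability", "ListCustomModels"}
# Bedrock runtime calls that actually consume paid model capacity.
INVOCATION_CALLS = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}

# Assumed per-identity baseline (hypothetical identity names).
BASELINE = {
    "telemetry-uploader": {"PutObject", "PutMetricData"},
    "chat-backend": {"InvokeModel", "ListFoundationModels"},
}

# Constructed sample events resembling CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-10T08:30:00Z", "eventName": "InvokeModel",
     "userIdentity": {"userName": "chat-backend"}, "sourceIPAddress": "10.0.4.12"},
    {"eventTime": "2025-02-10T08:31:00Z", "eventName": "ListFoundationModels",
     "userIdentity": {"userName": "chat-backend"}, "sourceIPAddress": "10.0.4.12"},
    {"eventTime": "2025-02-10T09:00:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"userName": "telemetry-uploader"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2025-02-10T09:00:04Z", "eventName": "ListFoundationModels",
     "userIdentity": {"userName": "telemetry-uploader"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2025-02-10T09:00:09Z", "eventName": "GetFoundationModelAvailability",
     "userIdentity": {"userName": "telemetry-uploader"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2025-02-10T09:01:34Z", "eventName": "InvokeModel",
     "userIdentity": {"userName": "telemetry-uploader"}, "sourceIPAddress": "203.0.113.7"},
]


def _ts(event):
    """Parse the CloudTrail eventTime string into an aware datetime."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(events, baseline):
    """Return one finding per identity that enumerated models outside its baseline.

    Severity is 'high' when the enumeration is the identity's first observed
    activity (no routine workload preceded it), which is the mapping-before-
    spending pattern described above, and 'medium' otherwise.
    """
    by_identity = {}
    for ev in events:
        by_identity.setdefault(ev["userIdentity"]["userName"], []).append(ev)

    findings = []
    for identity, evs in by_identity.items():
        evs = sorted(evs, key=_ts)
        expected = baseline.get(identity, set())
        recon = [e for e in evs
                 if e["eventName"] in ENUMERATION_CALLS and e["eventName"] not in expected]
        if not recon:
            continue
        first_recon = recon[0]
        routine_before = any(e["eventName"] in expected and _ts(e) < _ts(first_recon) for e in evs)
        # First paid invocation at or after the reconnaissance, if any.
        invocations = [e for e in evs
                       if e["eventName"] in INVOCATION_CALLS and _ts(e) >= _ts(first_recon)]
        seconds_to_invoke = (int((_ts(invocations[0]) - _ts(first_recon)).total_seconds())
                             if invocations else None)
        findings.append({
            "identity": identity,
            "severity": "medium" if routine_before else "high",
            "first_recon": first_recon["eventName"],
            "recon_calls": [e["eventName"] for e in recon],
            "seconds_to_invoke": seconds_to_invoke,
            "source_ips": sorted({e["sourceIPAddress"] for e in recon}),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, BASELINE):
        print(finding)
```

On the constructed input, `chat-backend` produces no finding because inventory calls are part of its baseline, while `telemetry-uploader` is flagged as high severity: two enumeration calls from an address outside the VPC range, followed 90 seconds later by the first `InvokeModel`. The `seconds_to_invoke` value is the recon-to-abuse window the rest of this page argues teams should measure against their own revocation speed.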
What changes when model invocation is tied to machine identity
When model access is attached to a machine identity, the identity becomes the control plane for both cost and misuse. An attacker who can invoke models can burn credits, create harmful content, or pivot into broader cloud exploration depending on the permissions attached to the key. This is why least privilege, short-lived credentials, and fast revocation matter more than static trust in the application layer. In practice, the trust boundary is the credential itself, not the service account name or the application that generated it.
Practical implication: Use short-lived, tightly scoped credentials for AI workloads and revoke exposed keys immediately.
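To make the blast-radius argument concrete, the following added example (not code from the Entro Security report or from NHIMG) evaluates two constructed IAM policy documents against the probes an attacker holding the key would try: invoking the workload's own model, invoking a different model, listing foundation models, and reading a bucket. The model and bucket ARNs are hypothetical placeholders. The evaluator implements only the Allow/Deny precedence with `Action` and `Resource` wildcards; `NotAction`, `Condition` blocks and resource-based policies are out of scope.

```python
"""Compare the blast radius of a broad NHI policy with a scoped AI-workload policy.

Added example, not from the Entro Security report or NHIMG. Both policy
documents are constructed; the model and bucket ARNs are hypothetical.
Only Effect/Action/Resource with IAM-style wildcards is evaluated.
"""
import re

# Over-broad policy of the kind that lets one leaked key reach storage,
# billing and AI endpoints alike.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# Scoped policy for an inference-only workload: one model, no inventory
# calls, nothing outside Bedrock. The explicit Deny guards against another
# attached policy re-granting enumeration.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
     "Resource": "arn:aws:bedrock:us-east-1::foundation-model/example-model-v1"},  # hypothetical ARN
    {"Effect": "Deny",
     "Action": ["bedrock:ListFoundationModels", "bedrock:GetFoundationModelAvailability"],
     "Resource": "*"},
]}


def _wild(pattern, value, case_insensitive):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """IAM evaluation order: an explicit Deny beats any Allow; no match is an implicit Deny.

    Action names are case-insensitive in IAM; resource ARNs are matched case-sensitively.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wild(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Probes an attacker holding the key would try (constructed ARNs).
PROBES = {
    "invoke_assigned_model": ("bedrock:InvokeModel",
                              "arn:aws:bedrock:us-east-1::foundation-model/example-model-v1"),
    "invoke_other_model": ("bedrock:InvokeModel",
                           "arn:aws:bedrock:us-east-1::foundation-model/other-model-v1"),
    "enumerate_models": ("bedrock:ListFoundationModels", "*"),
    "read_bucket": ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets.env"),
}


def blast_radius(policy):
    """Map each probe name to whether the policy would let the key perform it."""
    return {name: is_allowed(policy, action, resource)
            for name, (action, resource) in PROBES.items()}


if __name__ == "__main__":
    print("broad: ", blast_radius(BROAD_POLICY))
    print("scoped:", blast_radius(SCOPED_POLICY))
```

With the broad policy every probe succeeds, so a single leaked key is simultaneously a data, spend and content incident. With the scoped policy only the assigned model can be invoked; the other three probes are denied, which is the entitlement design the "Practical implication" above calls for. The same evaluator can be pointed at a policy exported from an account to check what a given NHI could reach before it is ever leaked.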
Threat narrative
Attacker objective: The attacker wants to abuse paid AI access, test model permissions, and potentially generate harmful content or drain cloud budgets under the victim's identity.
- Entry occurs when a valid AWS credential is exposed through public repositories, paste sites, or collaboration channels.
- Escalation begins as attackers validate the secret, enumerate permissions, and query which cloud and AI services are available.
- Impact follows when they attempt unauthorized model invocation, turning the victim's AI access into attacker-controlled usage.
Breaches seen in the wild
- Moltbook AI agent keys breach — the Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
LLMjacking is an identity governance failure first and an AI abuse problem second. The moment a non-human credential can reach model endpoints, the security boundary shifts from application logic to secret hygiene, scope control, and revocation speed. That means IAM teams cannot treat GenAI access as an isolated service integration. They have to govern it as part of the overall NHI estate, or the exposure window becomes the control failure.
Ephemeral credential trust debt is now a real architectural risk. Teams often assume that machine credentials are safer than human accounts because they are automated and narrowly scoped. In practice, exposed keys can be validated and abused within minutes, which means short-lived access only helps if discovery, detection, and revocation are equally fast. Practitioners should measure the full time from leak to invalidation, not just the nominal TTL.
Model enumeration is a governance signal, not just a usage event. When attackers first ask what models exist, they are mapping the value of the environment before they spend it. That behaviour should be treated as a precursor to cost abuse, policy bypass, or content misuse. The right response is to log and alert on model inventory queries, not only on high-volume inference calls.
NHI blast radius is now tied to GenAI spend and content risk. A compromised key can create financial loss, policy violations, and downstream trust issues at the same time. This widens the governance discussion beyond secrets rotation into entitlement design, runtime monitoring, and abuse containment. For security leaders, the practical conclusion is that AI access must inherit the same blast-radius thinking used for privileged cloud identities.
Static secrets remain the most fragile control in agentic environments. The more an organisation relies on long-lived credentials to reach cloud AI services, the more it depends on perfect secrecy across code, logs, and collaboration tools. That assumption does not hold under modern attacker speed. The safer pattern is continuous secret discovery, narrow permissions, and lifecycle controls that make exposure survivable.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- For practical response patterns, see 52 NHI Breaches Analysis, which shows how identity exposure turns into repeatable attack paths.
What this signals
Ephemeral credential trust debt is the gap between how long a secret exists and how quickly an organisation can discover and revoke it. That gap becomes dangerous in GenAI environments because attackers can validate, enumerate, and abuse exposed access in minutes, not days. Security programmes should measure leak-to-revocation time as a first-class control metric.
With 88.5% of organisations saying their non-human IAM practices lag human IAM, the governance issue is structural rather than incidental. Teams that adopt AI workloads without redesigning secret handling, entitlement scope, and monitoring will inherit the same blind spots at higher speed.
The next control boundary is not the model itself but the identity that can reach it. Programmes should align NHI controls with OWASP Agentic AI Top 10 and NIST AI 600-1 Generative AI Profile, because model abuse often starts with identity misuse rather than a model flaw.
For practitioners
- Implement continuous secret discovery: Scan repositories, logs, paste services, and collaboration channels for exposed AWS keys and other NHI secrets, then trigger immediate revocation workflows when a match appears.
- Reduce AI permissions to the minimum scope: Separate model invocation rights from unrelated cloud permissions and remove broad entitlements that let a single secret reach storage, billing, and AI endpoints.
- Alert on model enumeration behaviour: Watch for low-noise calls that reveal available foundation models, account value, or permission scope before any high-volume inference activity starts.
- Move machine credentials toward short-lived access: Replace static keys with ephemeral credentials where possible, and set revocation workflows so leaked access can be invalidated before automated abuse spreads.
- Review NHI incident response for AI abuse paths: Add runbooks for unauthorized model invocation, unexpected billing spikes, and browser-based access from identities that should only act headlessly.
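For the first item in the list above, the scanner below is an added example (not code from the Entro Security report or from NHIMG) that finds AWS access key IDs and secret access keys in text artefacts such as repository files, chat exports or log lines. `SAMPLE_FILES` is constructed; the credential values in it are the placeholder keys AWS uses in its own documentation, not live secrets. Secret-key candidates are accepted only when they sit next to a credential-like variable name and pass a Shannon-entropy check, which drops obvious placeholders such as a run of zeros.

```python
"""Find exposed AWS credentials in text artefacts and report them for revocation.

Added example, not from the Entro Security report or NHIMG. SAMPLE_FILES is
constructed; the credentials in it are the placeholder values from AWS
documentation, not live keys.
"""
import math
import re

# Long-term (AKIA) and temporary (ASIA) access key IDs share a fixed format.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-style characters; requiring a nearby
# credential-like name keeps random base64 blobs out of the results.
SECRET_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
# Bits per character. Real secrets sit well above this; placeholders such as
# all zeros or repeated words fall below it.
ENTROPY_THRESHOLD = 3.5

# Constructed sample artefacts (AWS documentation placeholder keys).
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY'\n"
    ),
    "scripts/deploy.sh": (
        "export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key=0000000000000000000000000000000000000000\n"
    ),
}


def shannon_entropy(s):
    """Average information per character, in bits."""
    length = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / length * math.log2(n / length) for n in counts.values())


def redact(value):
    """Keep enough of the value to locate it in the console, never the whole secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source):
    """Return findings for every credential-shaped string in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": redact(m.group(1))})
        for m in SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= ENTROPY_THRESHOLD:
                findings.append({"source": source, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": redact(secret)})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents, in a stable order."""
    out = []
    for source in sorted(files):
        out.extend(scan_text(files[source], source))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['value']}")
```

On the constructed input the scanner reports the AKIA key and its secret in `config/settings.py` and the ASIA key in `scripts/deploy.sh`, and ignores the all-zeros placeholder. A revocation workflow would key on the `aws_access_key_id` findings: for an AKIA key, deactivate it with `aws iam update-access-key --status Inactive` and delete it once the owning workload has been re-credentialled; for an ASIA key, which is a temporary credential, the session has to be cut off by revoking the issuing role's active sessions or attaching a deny policy, since the key itself cannot be deleted.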
Key takeaways
- LLMjacking shows that exposed machine credentials can become a direct path to AI abuse, not just a secret-leak event.
- Attackers typically enumerate access before invoking models, which means low-noise reconnaissance is an early warning signal.
- The practical response is faster discovery, shorter credential lifetimes, tighter AI entitlements, and monitoring that treats NHI abuse as a first-class incident.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-01 | Agentic AI access can be abused through stolen machine credentials and tool invocation. |
| OWASP Non-Human Identity Top 10 | NHI-02 Secret Leakage | Secret exposure is the entry point for LLMjacking and NHI abuse. |
| OWASP Non-Human Identity Top 10 | NHI-05 Overprivileged NHI, NHI-07 Long-Lived Secrets | Broad entitlements and static keys widen the blast radius once a secret leaks. |
| NIST AI RMF | AI RMF 1.0, Govern and Manage functions | AI governance must cover misuse, accountability, and monitoring for credential-driven model abuse. |
Assign ownership for AI access controls and monitor abuse as part of governance and risk management.
Key terms
- LLMjacking: LLMjacking is the abuse of cloud-based large language models through stolen or exposed non-human identities. The attacker does not need to break the model itself. They exploit valid credentials to enumerate services, invoke models, and create cost, content, or data risk under the victim's account.
- Ephemeral Credential Trust Debt: Ephemeral credential trust debt is the risk created when an organisation assumes short-lived access is safe but cannot detect or revoke exposure quickly enough. In practice, a short token lifetime only reduces the attacker's window if discovery, alerting, and invalidation move faster than the attacker does.
- Model Enumeration: Model enumeration is the process of checking which AI models, endpoints, or permissions are available to a credential before attempting actual use. It is a reconnaissance step that reveals account value and likely abuse paths. For defenders, it is often an early sign that a machine identity has been compromised.
- NHI Blast Radius: NHI blast radius is the amount of damage a compromised machine identity can cause before it is contained. It includes unauthorized access, data exposure, AI misuse, and spend impact. Reducing blast radius means limiting permissions, shortening credential lifetime, and monitoring for unusual behaviour at runtime.
What's in the full article
Entro Security's full blog covers the operational detail this post intentionally leaves for the source:
- The exact sequence of reconnaissance API calls used after the leaked AWS keys were discovered
- The monitored source locations where exposed secrets were planted and how quickly each was hit
- The example AWS actions and model enumeration patterns observed during the attack window
- The response recommendations for detecting and revoking compromised NHIs in production environments
Deepen your knowledge
LLMjacking, AI credential abuse, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is building controls for GenAI access and secret exposure, it is worth exploring.
Published by the NHIMG editorial team on 2025-03-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org