TL;DR: Attackers are using compromised accounts to pivot through service accounts and OAuth grants, bypassing detection logic built for human behaviour, according to Abnormal AI. The core problem is an identity governance model that can see NHI authentications but cannot judge whether they are normal, so runtime baselines matter as much as permissions.
At a glance
What this is: This analysis argues that lateral movement through service accounts and OAuth grants succeeds because human-centric detection logic does not understand non-human identity behavior.
Why it matters: It matters because IAM, PAM, and NHI programmes can expose authentications without knowing whether those authentications are legitimate, anomalous, or already part of an attacker’s path.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, which increases the risk of unauthorised access and broadens the attack surface.
👉 Read Abnormal AI's analysis of NHI lateral movement through service accounts
Context
NHI lateral movement is a governance problem as much as a detection problem. Service accounts, API tokens, and OAuth grants are not human users, so controls that depend on human login patterns will miss how they are actually used once an attacker pivots into them.
The article’s central claim is that organisations can often see non-human identity authentications but still fail to tell whether those authentications are normal. That gap matters because posture data alone does not explain runtime behaviour, especially when permissions look appropriate on paper but become dangerous in motion.
Key questions
Q: How should security teams detect lateral movement through service accounts and OAuth grants?
A: Security teams should detect lateral movement by building identity-specific baselines for each service account and grant, then alerting on deviations in source system, target system, access timing, and request sequence. Human-behaviour analytics alone will miss machine-paced abuse. The key is to combine runtime context with ownership and lifecycle data so that valid access can still be judged as suspicious when it behaves outside its normal graph.
Q: Why do service accounts with valid permissions still create lateral movement risk?
A: Service accounts create lateral movement risk because valid permissions can be reused by attackers without triggering obvious policy violations. If the account already has access to multiple systems, the attacker does not need to escalate in a noisy way. The risk increases when those permissions are broad, persistent, and poorly understood, which is why entitlement scope and runtime use both matter.
Q: What breaks when organisations rely only on posture checks for NHI security?
A: Posture-only checks break because they tell you whether an identity is configured correctly, not whether it is being abused in real time. An account can look compliant and still be part of an attacker’s pivot chain. Security teams need live behavioural signals, because configuration status alone cannot distinguish legitimate automation from compromised activity.
Q: Who should own response when a non-human identity starts behaving unusually?
A: Ownership should sit with the team that governs the identity lifecycle and the service or application it supports, not only with the SOC. Security, IAM, and platform owners need a shared response path because the incident is both a detection event and an access-governance event. The right question is who can validate legitimacy fastest and revoke trust before movement spreads.
Technical breakdown
Why human-centric detection fails on NHI lateral movement
Human-focused monitoring assumes a person has a recognisable rhythm: known hours, familiar devices, and a stable interaction pattern. Service accounts and OAuth grants do not behave that way. Their authentication can be entirely legitimate while an attacker uses the identity to move between applications, cloud services, and internal resources. The real weakness is not the presence of an authentication event but the absence of a behavioural model that can tell whether that event fits the identity’s history. Without that baseline, an attacker’s pivot looks operationally normal to the tooling.
Practical implication: build detection logic around identity-specific baselines, not generic user-behaviour rules.
OAuth grants and API tokens create hidden movement paths
OAuth grants connect applications, not just people, and API tokens often outlive the session or workflow that created them. That persistence matters because attackers can traverse trusted integrations long after the original access path is forgotten. In practice, the token or grant becomes a durable authorisation bridge between systems, especially when provisioning teams never mapped the full access graph. The result is lateral movement that rides on valid trust relationships instead of malware or noisy privilege escalation.
Practical implication: inventory long-lived grants and tokens as active attack paths, not passive configuration artifacts.
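As an added example of treating grants and tokens as active paths rather than configuration artifacts, the following Python walks a delegated-access graph from a compromised human account to high-value systems and reports the lifecycle weaknesses on each hop. This is not code from the original page or from Abnormal AI; the identities, applications, grants, tokens and systems in the inventory are constructed and the names are hypothetical. It also covers the "Map delegated access paths end to end" point made in the practitioner list later on.

```python
"""Delegated-access graph: OAuth grants and long-lived tokens as pivot routes.

Added example, not code from the original page or from Abnormal AI. The
identities, grants, tokens and systems below are a constructed inventory.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Edge:
    """One delegated-access relationship: `src` can act on `dst` via `artefact`."""
    src: str
    dst: str
    artefact: str
    issued: date
    expires: date | None   # None: never expires
    owner: str | None      # None: nobody is mapped as owning this relationship


# Constructed inventory. A user authorised a SaaS integration; the integration
# holds long-lived tokens plus a stored service-account key; that service account
# reaches an internal warehouse. On paper every hop is an approved trust relationship.
INVENTORY = [
    Edge("user:alice", "app:sales-assistant", "oauth-grant crm.read crm.write offline_access",
         date(2024, 11, 3), None, "sales-ops"),
    Edge("app:sales-assistant", "saas:crm", "api-token", date(2024, 11, 3), None, None),
    Edge("app:sales-assistant", "svc:crm-export", "stored service-account key",
         date(2024, 11, 3), None, None),
    Edge("svc:crm-export", "store:warehouse", "iam-role warehouse-writer",
         date(2023, 5, 1), None, "data-platform"),
    Edge("svc:crm-export", "app:chat", "webhook-token",
         date(2025, 1, 15), date(2025, 4, 15), "data-platform"),
    Edge("user:bob", "svc:ci-deploy", "break-glass key",
         date(2026, 5, 20), date(2026, 6, 20), "platform"),
    Edge("svc:ci-deploy", "store:hr-records", "iam-role hr-reader",
         date(2026, 5, 20), date(2026, 6, 20), "platform"),
]
HIGH_VALUE = {"store:warehouse", "store:hr-records"}
AS_OF = date(2026, 6, 4)   # constructed "today" for the lifecycle checks


def pivot_paths(edges: list[Edge], start: str, targets: set[str]) -> list[list[Edge]]:
    """Every simple path from `start` to a high-value node using only valid edges."""
    adj: dict[str, list[Edge]] = defaultdict(list)
    for e in edges:
        adj[e.src].append(e)
    found: list[list[Edge]] = []

    def walk(node: str, path: list[Edge], on_path: set[str]) -> None:
        if node in targets and path:
            found.append(path)
        for e in adj[node]:
            if e.dst in on_path:          # no cycles: each node at most once per path
                continue
            walk(e.dst, path + [e], on_path | {e.dst})

    walk(start, [], {start})
    return found


def edge_risks(e: Edge, today: date, max_age_days: int = 90) -> list[str]:
    """Why this hop is an attack path rather than a passive configuration artefact."""
    risks: list[str] = []
    if e.expires is None:
        risks.append("never expires")
    elif e.expires < today:
        risks.append("expired but still present")   # stale artefact nobody revoked
    if (today - e.issued).days > max_age_days:
        risks.append(f"older than {max_age_days} days, never rotated")
    if e.owner is None:
        risks.append("no owner mapped")
    return risks


def report(edges: list[Edge], start: str, targets: set[str], today: date) -> list[dict]:
    """One record per pivot route: the hops taken and the lifecycle risks on each."""
    out = []
    for path in pivot_paths(edges, start, targets):
        out.append({
            "route": [start] + [e.dst for e in path],
            "hops": [(e.artefact, edge_risks(e, today)) for e in path],
            "unowned_hops": sum(1 for e in path if e.owner is None),
        })
    return out


if __name__ == "__main__":
    for r in report(INVENTORY, "user:alice", HIGH_VALUE, AS_OF):
        print(" -> ".join(r["route"]))
        for artefact, risks in r["hops"]:
            print(f"   {artefact}: {', '.join(risks) or 'ok'}")
```

The route returned for user:alice contains no policy violation at all, which is the point of the section above: the bridge to the warehouse is a never-expiring, never-rotated key with no mapped owner, sitting inside an integration the user approved once. In a real environment the edge list would be fed from the identity provider's OAuth consent records, secrets-manager metadata and cloud IAM role bindings rather than a hand-built list, but the graph walk and the per-hop lifecycle checks are the same.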
Posture-only controls miss runtime abuse
A posture-only control checks whether an identity is configured correctly, overprivileged, or approved. It does not tell you whether the identity is being used in a way that matches its normal purpose at the moment of access. That distinction is critical for service accounts with legitimate permissions, because the attacker does not need to break the policy to abuse the identity. They only need to operate inside the permissions that were already granted. Runtime context is what turns a valid credential into a compromise signal.
Practical implication: pair configuration review with runtime anomaly detection for every high-value non-human identity.
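The following Python shows the case the last three subsections describe, and the baseline-and-deviation approach given in the first key question above: a service account that passes its posture check while its runtime use deviates in timing, source and request sequence from its own history. It is an added example, not code from the original page or from Abnormal AI; the service account name, its baseline, the approved scopes and the access log records are all constructed.

```python
"""Identity-specific behavioural baseline for one service account.

Added example, not code from the original page or from Abnormal AI. The baseline,
approved scopes and access events are constructed to show a credential that
passes every posture check while its runtime use does not fit the identity.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Baseline:
    """Normal for one NHI: where it calls from, what it touches, when, in what order."""
    owner: str                   # team that governs the identity lifecycle
    source_cidrs: tuple[str, ...]
    targets: frozenset[str]
    active_hours_utc: range
    sequence: tuple[str, ...]    # order of targets in one legitimate run


# Constructed: a nightly ETL account that reads CRM, loads the warehouse and posts
# a status message, always from the batch subnet between 01:00 and 04:00 UTC.
BASELINES: dict[str, Baseline] = {
    "svc-etl-nightly": Baseline(
        owner="data-platform",
        source_cidrs=("10.40.0.0/16",),
        targets=frozenset({"crm-api", "warehouse", "chat-webhook"}),
        active_hours_utc=range(1, 4),
        sequence=("crm-api", "warehouse", "chat-webhook"),
    ),
}
# Constructed IAM posture records: scopes the account holds vs scopes approved for it.
GRANTED = {"svc-etl-nightly": frozenset({"crm:read", "warehouse:write", "chat:post"})}
APPROVED = {"svc-etl-nightly": frozenset({"crm:read", "warehouse:write", "chat:post"})}


def posture_check(identity: str) -> bool:
    """Posture-only control: no scope beyond the approved set. Says nothing about use."""
    return GRANTED[identity] <= APPROVED[identity]


def _from_known_source(ip: str, cidrs: tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def score_run(identity: str, events: list[dict[str, str]]) -> list[str]:
    """Compare one ordered run of access events with the identity's baseline.

    Each event is {"ts": ISO-8601 with offset, "src_ip": str, "target": str}.
    Returns the distinct deviations; an empty list means the run fits the baseline.
    """
    b = BASELINES[identity]
    window = f"{b.active_hours_utc.start:02d}-{b.active_hours_utc.stop:02d}Z"
    reasons: list[str] = []
    seen: list[str] = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"]).astimezone(timezone.utc)
        if ts.hour not in b.active_hours_utc:
            reasons.append(f"time: {ts:%H:%M}Z outside normal window {window}")
        if not _from_known_source(e["src_ip"], b.source_cidrs):
            reasons.append(f"source: {e['src_ip']} outside {', '.join(b.source_cidrs)}")
        if e["target"] not in b.targets:
            reasons.append(f"target: {e['target']} never used by this identity")
        seen.append(e["target"])
    if tuple(seen) != b.sequence:
        reasons.append(f"sequence: {seen} differs from expected {list(b.sequence)}")
    return list(dict.fromkeys(reasons))  # keep first-seen order, drop repeats


# Constructed logs. NORMAL_RUN is the scheduled job. PIVOT_RUN is the same valid
# credential used by an attacker mid-afternoon from an unknown address, exporting
# CRM twice and never posting status. Every target is inside the granted scope.
NORMAL_RUN = [
    {"ts": "2026-06-02T02:10:00+00:00", "src_ip": "10.40.7.21", "target": "crm-api"},
    {"ts": "2026-06-02T02:12:00+00:00", "src_ip": "10.40.7.21", "target": "warehouse"},
    {"ts": "2026-06-02T02:15:00+00:00", "src_ip": "10.40.7.21", "target": "chat-webhook"},
]
PIVOT_RUN = [
    {"ts": "2026-06-02T14:03:00+00:00", "src_ip": "203.0.113.9", "target": "crm-api"},
    {"ts": "2026-06-02T14:03:04+00:00", "src_ip": "203.0.113.9", "target": "crm-api"},
    {"ts": "2026-06-02T14:03:09+00:00", "src_ip": "203.0.113.9", "target": "warehouse"},
]


def triage(identity: str, events: list[dict[str, str]]) -> dict[str, object]:
    """Pair the posture signal with the runtime signal and route to the owner."""
    deviations = score_run(identity, events)
    return {
        "posture_compliant": posture_check(identity),
        "runtime_deviations": deviations,
        "route_to": BASELINES[identity].owner if deviations else None,
    }


if __name__ == "__main__":
    for label, run in (("scheduled job", NORMAL_RUN), ("attacker replay", PIVOT_RUN)):
        print(label, triage("svc-etl-nightly", run))
```

Both runs report `posture_compliant: True`; only the behavioural comparison separates them, and it does so without any of the attacker's requests touching a system the account is not entitled to. The sequence check here is deliberately strict (one expected order per run); a production baseline would hold the set of accepted sequences, or n-gram frequencies, learned from a known-good window, and the source check would key on workload identity rather than address alone. The `route_to` field is the ownership point from the fourth key question: the deviation goes to the team that governs the identity, because that is who can confirm legitimacy or revoke trust fastest.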
Threat narrative
Attacker objective: The attacker’s objective is to expand access quietly through trusted non-human identities until environment-wide control or data exposure becomes possible.
- Entry occurs when attackers compromise a human account and use it as the first foothold into the environment.
- Escalation happens as they pivot through service accounts, API tokens, and OAuth grants that already possess valid permissions.
- Impact follows when lateral movement stays hidden from human-centric detection logic, allowing deeper access without obvious alerting.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Human-behaviour detection does not scale to non-human identity movement. The article is correct that defenders can see an NHI authentication event and still miss the compromise, because the question is not whether access happened but whether it fit the identity’s normal operating pattern. That makes the problem one of runtime identity interpretation, not simple visibility. Practitioners should treat NHI behavioural context as a first-class governance requirement, not a secondary telemetry layer.
OAuth grants and service accounts create identity paths, not just access rights. Once grants connect applications and service accounts hold broad permissions, the attacker can move through the environment by following legitimate trust relationships. This is where the control problem shifts from hardening a credential to understanding the graph of delegated access. Organisations need to recognise that access topology itself becomes attack surface, especially when it is never fully mapped.
The named concept here is identity blind movement: the absence of a runtime baseline. A service account behaving abnormally cannot be recognised as such if nobody defined normal for that identity before the breach. Informal baselining works for human users, whose behaviour is familiar enough to judge by eye; it fails when the actor is a non-human identity with machine-paced, task-specific, and often sparse patterns of use. The implication is that teams must rethink how they model legitimacy for machine and application identities.
Posture-only governance leaves a blind spot during active lateral movement. Excess privilege reduction still matters, but this article shows that configuration hygiene alone cannot answer whether an identity is being used as intended right now. That makes the discipline of NHI governance broader than permission review. Practitioners should treat runtime misuse as a separate governance layer with its own thresholds, alerts, and ownership.
Attackers increasingly exploit the gap between authorised access and authorised behaviour. The security industry often assumes that if a service account is properly provisioned, it is safe enough until the next review cycle. This article shows why that assumption is unstable once attackers inherit valid non-human credentials. The practical conclusion is that identity assurance must extend beyond issuance and into live behaviour monitoring.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- That governance gap is why teams should pair delegated-access mapping with lifecycle offboarding discipline, as outlined in the Ultimate Guide to NHIs.
What this signals
Identity blind movement: when organisations can observe NHI logins but cannot interpret whether those logins fit the identity’s normal use, attacker activity can blend into legitimate machine traffic. That is a programme design problem, not just a detection tuning issue, and it will keep widening as service accounts and OAuth grants multiply across environments.
The practical signal for IAM and security leaders is that posture review alone is no longer enough. If the environment has broad OAuth connectivity and weak grant visibility, the attack surface is already shaped for lateral movement, which means behavioural baselines and lifecycle ownership need to become operational controls rather than reporting metrics.
For teams aligning to NIST Cybersecurity Framework 2.0 and OWASP NHI guidance, the priority is to close the gap between authorised access and authorised behaviour before it becomes a recurring incident pattern. The organisations most exposed are those that know they have NHIs, but cannot explain what normal looks like for each one.
For practitioners
- Build identity-specific behavioural baselines: track normal authentication hours, source infrastructure, target systems, and request patterns for each high-value service account and OAuth grant so that anomalous use stands out before lateral movement completes.
- Map delegated access paths end to end: inventory which applications, APIs, and service accounts are connected by OAuth grants and long-lived tokens, then identify where those relationships create hidden pivot routes for attackers.
- Separate posture checks from runtime detection: keep permission review and misconfiguration scanning, but add live monitoring for identities that suddenly access new systems, new geographies, or new infrastructure patterns.
- Review privileged non-human identities first: prioritise service accounts and tokens that already have broad access, because legitimate permission is what makes lateral movement quiet once an attacker is inside.
Key takeaways
- Attackers are exploiting the difference between a valid authentication event and a normal non-human identity action.
- Visibility into service account logins is not enough when teams cannot judge whether the activity matches the identity’s normal behaviour.
- Identity-specific baselines, delegated-access mapping, and runtime monitoring are the controls that change the outcome of this threat pattern.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI3:2025 Vulnerable Third-Party NHI; NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets | Third-party OAuth apps, the 97% excessive-privilege figure, and long-lived tokens and grants are the pivot material the article describes. |
| NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 PR.AC-4 control, now in the Identity Management, Authentication, and Access Control category); DE.CM-03 | Managing access permissions and entitlements, and monitoring personnel and technology usage for adverse events, are core to the runtime abuse described. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust (per-session access, dynamic policy, continuous monitoring of assets) | Lateral movement through trusted identities is what per-session, dynamically re-evaluated authorisation is meant to contain. |
Enforce context-aware access decisions for service accounts and OAuth-connected workloads.
Key terms
- Non-Human Identity: A non-human identity is any machine or software credential used to authenticate and act in an environment, including service accounts, API keys, tokens, and certificates. In practice, these identities often outnumber human users and require lifecycle, access, and runtime governance that differs from human IAM.
- OAuth Grant: An OAuth grant is a delegated authorisation relationship that lets an application access resources on behalf of a user or system. The grant can outlive the original session, which makes it a durable trust path if teams do not track scope, expiry, and downstream connectivity.
- Behavioural Baseline: A behavioural baseline is the expected pattern of identity activity, built from timing, source infrastructure, target systems, and request sequence. For non-human identities, the baseline must be identity-specific, because machine accounts often behave in sparse, task-driven ways that do not resemble human logins.
- Posture-Only Security: Posture-only security relies on configuration state, permissions, and compliance checks to judge risk. It is useful but incomplete for non-human identities because it cannot determine whether an identity is being used legitimately at runtime or as part of an attacker’s lateral movement path.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: NHI lateral movement bypasses human-centric detection logic. Read the original.
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org