TL;DR: Non-human identities now outnumber human users by as much as 50 to 1 in many organisations, and a 2024 Cloud Security Alliance survey found 1 in 5 organisations have already suffered an NHI-related incident while only 15% feel confident securing them. The real governance problem is not visibility alone, but that most identity programmes still assume machine access is stable, reviewable, and contained when attackers can abuse valid credentials.
At a glance
What this is: A governance analysis of why non-human identities (NHIs) have become a major enterprise risk, with breach data, compliance exposure, and ROI framing all pointing to the same control gap.
Why it matters: IAM, PAM, and lifecycle teams now need to govern service accounts, tokens, and machine credentials with the same discipline as human access, or accept both breach risk and audit failure.
By the numbers:
- Non-human identities now outnumber human users by as much as 50 to 1 in many organizations.
- A 2024 survey by the Cloud Security Alliance found that 1 in 5 organizations reported a security incident related to non-human identities.
- Only 15% of companies felt confident in their ability to secure those machine identities.
- The average cost of a data breach initiated by stolen or compromised credentials was $4.62 million in IBM’s 2023 report.
👉 Read Cerbos' guide to NHI risk, compliance, and ROI
Context
Non-human identity security is the discipline of controlling the service accounts, API tokens, bots, workloads, and machine credentials that let systems talk to each other. In this article, Cerbos argues that these identities are now a board-level risk because they outnumber people, often have broad access, and are frequently left outside the governance routines used for human access.
The article’s central claim is that unsecured NHIs turn ordinary operational shortcuts into breach paths, compliance gaps, and business loss. That framing is accurate for IAM teams: the control problem is not simply secret sprawl, but the absence of lifecycle, monitoring, and policy enforcement around identities that never sleep and are rarely reviewed with enough rigor.
The article is also a reminder that NHI governance is no longer a narrow security subtopic. It now intersects with auditability, customer trust, cloud operations, and developer velocity, which means access teams need to think in terms of enterprise identity risk rather than isolated credential hygiene.
Key questions
Q: How should security teams govern non-human identities that outnumber human users?
A: They should treat non-human identities as a governed population with ownership, lifecycle, scope, and monitoring requirements. That means every service account, token, and API key needs an accountable owner, an explicit purpose, and a retirement path. Inventory alone is not enough. Control only works when identity, access, and logging are tied together.
Q: Why do service accounts with standing privilege create such high breach risk?
A: Because a stolen or leaked machine credential often has direct access to production systems, support tools, or data stores without extra user prompts. If the permission set is broader than the workload needs, the attacker inherits that excess reach. Standing privilege turns one secret into a reusable access path across the environment.
Q: What do organisations get wrong about rotating machine credentials?
A: They often rotate secrets without fixing the underlying access scope or ownership problem. Rotation helps only if the credential is truly tied to a known system, the old secret is revoked everywhere, and the new one is monitored. Otherwise, the environment still contains untracked access paths that can be abused later.
Q: Which controls matter most when auditors ask about machine identity security?
A: Auditors usually need evidence of ownership, least privilege, rotation, and logging. If those four controls are in place and consistently applied, the organisation can explain who owns each credential, why it exists, how often it changes, and how misuse would be detected. That evidence is the real governance test.
Technical breakdown
Why NHI sprawl breaks traditional IAM assumptions
Traditional IAM assumes identities are relatively enumerable, individually owned, and reviewed on a human cadence. NHIs break that model because they are created by applications, pipelines, and integrations at machine speed, then left in place long after the original business need changed. Service accounts and tokens often inherit permissions from operational convenience rather than explicit governance. That creates a hidden estate where access exists, but accountability does not. The result is not just more identities, but more identities that evade normal certification, ownership, and exception handling routines.
Practical implication: build an inventory that ties every machine identity to an owner, purpose, and expiry condition.
How standing privilege turns machine access into breach fuel
A machine identity with persistent, broad permissions is a ready-made pivot point for attackers. If a token, key, or service account is stolen, the compromise is not limited to one user session. It can extend into production systems, support portals, code repositories, or customer data stores, depending on where the identity can reach. This is why over-privilege and lack of rotation repeatedly appear in NHI breach narratives. The technical failure is not authentication alone, but the combination of long-lived secrets and excessive scope.
Practical implication: map machine access paths to real data and system boundaries, then remove permissions that are not required for the identity’s current job.
Why compliance teams now care about service accounts and secrets
Compliance frameworks increasingly expect identity control evidence across all account types, not just employees. That means organisations must show who owns a service account, when its credentials rotate, how usage is logged, and whether access can be justified during audit. Hard-coded credentials, orphaned accounts, and broad shared tokens make that evidence difficult or impossible to produce. In practice, the compliance risk is often a symptom of weak governance rather than a separate problem.
Practical implication: treat machine identity evidence as part of access governance, so audit readiness and security operations share the same source of truth.
Threat narrative
Attacker objective: The attacker wants to turn legitimate machine access into broad operational reach that can expose data, secrets, or infrastructure.
- Entry begins when an attacker obtains a valid machine credential, such as a leaked token, hard-coded key, or overexposed service account password.
- Escalation follows when that credential carries more access than the identity actually needs, allowing the attacker to move into sensitive systems, support tools, or production resources.
- Impact occurs when the attacker uses legitimate access paths to exfiltrate data, steal secrets, or trigger downstream compromise without needing a malware-heavy intrusion chain.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
NHI security is now an enterprise risk-management problem, not a narrow secrets-management task. The article is right to connect machine credentials to downtime, compliance, and financial loss, because that is where the real exposure sits. Once service accounts and tokens reach production scale, they affect business continuity, customer trust, and audit outcomes. Practitioners should treat NHI governance as part of the core identity programme, not a side project.
Standing privilege is the failure mode that keeps repeating across NHI incidents. The article’s breach examples all share the same pattern: a valid credential exists longer than the control environment expects, and it has more reach than it should. This aligns with OWASP Non-Human Identity Top 10 guidance and the NIST Cybersecurity Framework’s access-control logic. The lesson for practitioners is to focus on where persistent access can still exist unnoticed.
Hard-coded and orphaned machine credentials create a governance blind spot that traditional review cycles do not catch. A service account or API token can sit outside ownership, expiry, and certification workflows for months while remaining fully functional. That means IAM teams cannot rely on human recertification rhythms to find machine risk. The implication is straightforward: lifecycle governance must be extended to every non-human identity with the same accountability standards as privileged human access.
Machine identity exposure now links security control failure to regulatory failure. The article correctly notes that unmanaged NHIs can break auditability under frameworks such as SOC 2 and ISO 27001 and under regulation such as the EU's NIS2 directive. That matters because the evidence required to satisfy auditors, customers, and regulators is the same evidence needed to secure the environment: ownership, scope, rotation, and logs. Practitioners should view compliance proof as an output of good NHI governance, not a separate exercise.
Ephemeral credential trust debt is the named concept this article surfaces. The industry still behaves as if machine credentials are stable enough to inventory once and review later, but modern systems generate, reuse, and expose them too quickly for that assumption to hold. That creates a trust debt that accumulates every time a token is left active, unowned, or unmonitored. Practitioners need to recognise that hidden debt before the next incident forces the issue.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding shows that 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
- For a deeper breach-focused view, 52 NHI Breaches Analysis shows how weak ownership and overexposed credentials turn into real-world incident patterns.
What this signals
Ephemeral credential trust debt: the longer machine credentials remain unowned, unrotated, or over-scoped, the more likely they are to become invisible entry points. The governance challenge for practitioners is to reduce the lifespan of that debt before it turns into an incident, especially where OAuth-connected apps and third-party integrations expand the attack surface beyond what IAM teams can see.
The next maturity step is to connect access governance to observable machine behaviour. That means using the OWASP Non-Human Identity Top 10 as a control lens, not a checklist, and aligning operational evidence with the NIST Cybersecurity Framework 2.0 so identity, detection, and response can work from the same signal set.
As machine identity populations grow, the practical question is no longer whether organisations need NHI governance. The question is whether their programme can prove ownership, scope, and rotation quickly enough to satisfy customers, auditors, and incident responders before the next credential is used outside its intended boundary.
For practitioners
- Inventory every machine identity with an owner and expiry rule. Record service accounts, API tokens, bots, and workload credentials in a single inventory with named ownership, business purpose, and a defined retirement condition. Without that metadata, access reviews cannot tell whether the identity still serves an active system or a dead integration.
- Remove standing privilege from machine accounts. Reduce every non-human identity to the smallest data and system set it actually needs. Validate permissions against current workload behaviour, not historical convenience, and revoke broad access that exists only because no one has re-scoped it recently.
- Automate secret rotation and orphan detection. Use policy and telemetry to rotate long-lived keys, detect stale tokens, and flag credentials that are no longer attached to active services. The goal is to shrink the time a stolen secret remains usable and to surface identities that have lost accountability.
- Tie audit evidence to machine identity controls. Make ownership, rotation history, and access logs available as part of routine compliance evidence. If auditors cannot trace who controls a machine credential or when it was last reviewed, the governance process is failing before the control test begins.
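The four steps above, and the inventory, least-privilege and audit-evidence points in the technical breakdown, reduce to a handful of checks that can be run over an identity inventory. The script below is an added example written for this post; it is not code from the Cerbos article or from NHIMG. The record fields, the three sample identities, the permission names and the 90-day rotation and 60-day idle thresholds are all constructed for illustration, and in practice the records would be populated from your secrets manager, cloud IAM and authentication logs rather than typed in by hand.

```python
"""Governance checks over a machine-identity inventory.

Added example for this post, not code from Cerbos or NHIMG. Records,
permission names and thresholds are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class MachineIdentity:
    name: str                       # service account, API key or token name
    kind: str                       # e.g. "service_account", "api_key", "oauth_token"
    owner: str | None               # accountable team or person; None means orphaned
    purpose: str | None             # why the identity exists; None means undocumented
    created: datetime
    last_rotated: datetime
    last_used: datetime | None      # from auth/usage logs; None means never observed
    expires: datetime | None        # retirement condition; None means no expiry rule
    granted: set[str] = field(default_factory=set)   # permissions attached
    observed: set[str] = field(default_factory=set)  # permissions actually used


# Policy thresholds: assumed values, tune them to your own environment.
MAX_ROTATION_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=60)


def find_orphans(inventory):
    """Identities with no accountable owner or no documented purpose."""
    return sorted(i.name for i in inventory if not i.owner or not i.purpose)


def find_no_expiry(inventory):
    """Identities with no retirement condition at all."""
    return sorted(i.name for i in inventory if i.expires is None)


def find_expired_but_live(inventory, now):
    """Past the retirement date yet still holding permissions: still usable."""
    return sorted(i.name for i in inventory
                  if i.expires is not None and i.expires <= now and i.granted)


def find_stale_rotation(inventory, now):
    """Credentials older than the rotation policy allows."""
    return sorted(i.name for i in inventory if now - i.last_rotated > MAX_ROTATION_AGE)


def find_idle(inventory, now):
    """Never used, or unused for longer than MAX_IDLE: likely a dead integration."""
    return sorted(i.name for i in inventory
                  if i.last_used is None or now - i.last_used > MAX_IDLE)


def find_overscoped(inventory):
    """Granted permissions never seen in use are candidates for removal."""
    return {i.name: sorted(i.granted - i.observed)
            for i in inventory if i.granted - i.observed}


def evidence_record(identity, now):
    """The per-identity evidence an auditor asks for: owner, purpose, rotation, use."""
    return {
        "name": identity.name,
        "owner": identity.owner or "UNOWNED",
        "purpose": identity.purpose or "UNDOCUMENTED",
        "rotation_age_days": (now - identity.last_rotated).days,
        "days_since_use": None if identity.last_used is None else (now - identity.last_used).days,
        "expires": identity.expires.date().isoformat() if identity.expires else "NONE",
        "unused_permissions": sorted(identity.granted - identity.observed),
    }


def review(inventory, now):
    """Run every check and bundle the findings with the audit evidence."""
    return {
        "orphaned": find_orphans(inventory),
        "no_expiry": find_no_expiry(inventory),
        "expired_but_live": find_expired_but_live(inventory, now),
        "stale_rotation": find_stale_rotation(inventory, now),
        "idle": find_idle(inventory, now),
        "overscoped": find_overscoped(inventory),
        "evidence": [evidence_record(i, now) for i in inventory],
    }


# Fixed reference time so the sample review is reproducible.
NOW = datetime(2025, 8, 5, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample inventory: one healthy identity, one over-scoped CI key
# with no expiry and stale rotation, one orphaned token that has expired on
# paper but still carries live permissions.
SAMPLE_INVENTORY = [
    MachineIdentity("billing-db-reader", "service_account", "payments-team",
                    "Read billing DB for the nightly invoice job",
                    days_ago(400), days_ago(30), days_ago(1), NOW + timedelta(days=60),
                    {"db:read:billing"}, {"db:read:billing"}),
    MachineIdentity("ci-deploy-key", "api_key", "platform-team",
                    "Push release artifacts and deploy to prod",
                    days_ago(700), days_ago(200), days_ago(2), None,
                    {"deploy:prod", "artifacts:write", "iam:passrole"},
                    {"deploy:prod", "artifacts:write"}),
    MachineIdentity("legacy-crm-sync", "oauth_token", None,
                    "Sync CRM contacts to a retired marketing tool",
                    days_ago(900), days_ago(900), days_ago(150), days_ago(30),
                    {"crm:read", "crm:write"}, set()),
]

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_INVENTORY, NOW), indent=2, default=str))
```

On the sample data the review flags `legacy-crm-sync` as orphaned, idle, expired on paper yet still privileged, and fully over-scoped, and flags `ci-deploy-key` for stale rotation, a missing expiry rule, and an `iam:passrole` grant that the workload has never exercised. The `evidence` list is the artefact to hand to an auditor: ownership, purpose, rotation age, days since last use and unused permissions per identity, generated from the same records that drive the security checks.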
Key takeaways
- Non-human identities now represent a board-level governance problem because they can outnumber human users, hold broad access, and evade normal access reviews.
- The recurring failure pattern is standing privilege combined with poor ownership, which turns one leaked secret into a wider breach path.
- The control answer is not just secret rotation. It is lifecycle governance, least privilege, and auditable evidence across every machine identity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets; NHI5:2025 Overprivileged NHI; NHI1:2025 Improper Offboarding | Rotation and lifetime control, least privilege, and orphaned-credential clean-up are the three failure modes behind the article's breach and risk argument. |
| NIST CSF 2.0 | PR.AA-05 (Protect / Identity Management, Authentication, and Access Control) | Access permissions, entitlements, and authorizations are managed, enforced, and reviewed under least privilege, which is the article's governance focus for service accounts. |
| NIST Zero Trust Architecture (SP 800-207) | Section 2.1, Tenets of Zero Trust (per-session access, dynamic policy, no implicit trust by network location) | The article's access-path risk maps directly to continuous verification and reduced implicit trust for machine identities. |
Apply zero-trust principles to machine identities by verifying access context before allowing privileged actions.
Key terms
- Non-Human Identity: A non-human identity is any digital identity used by software, infrastructure, or automation rather than a person. It includes service accounts, API tokens, certificates, bots, and workload credentials. In practice, these identities need ownership, scope, rotation, and logging because they can carry meaningful access on their own.
- Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. For machine identities, it often appears as persistent permissions attached to a token, service account, or key. That creates unnecessary exposure because a stolen secret can be reused immediately without another approval step.
- Secret Rotation: Secret rotation is the process of replacing credentials such as keys, tokens, or certificates on a controlled schedule or after an event. For machine identities, rotation only works when the old credential is fully revoked and the new one is tied to a known owner, system, and monitoring path.
- Identity Inventory: An identity inventory is the authoritative list of who or what can authenticate and what each identity can access. For non-human identities, it must include ownership, purpose, expiry, and usage data. Without that structure, teams can see credentials exist but cannot govern them reliably.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Cerbos: NHI risks, compliance, and the cost of inaction. Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org