TL;DR: NHIs now outnumber human users by 45:1 to 100:1 in cloud environments, while 95% of cloud identities are over-privileged and 80% of breaches involve compromised identities, according to Andromeda Security. The control problem is no longer secret rotation alone. Blast-radius reduction, ownership, and lifecycle governance are now the decisive variables in NHI security.
At a glance
What this is: This risk brief argues that NHI sprawl, over-privilege, and weak lifecycle governance have turned non-human identities into a primary enterprise attack surface.
Why it matters: It matters because IAM, cloud, and PAM teams must govern machine identities with the same discipline they apply to human access, or breach impact will keep expanding.
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 95% of cloud identities are over-privileged, increasing the attack blast radius.
- 80% of breaches involve compromised identities.
👉 Read Andromeda Security's risk brief on non-human identity security
Context
Non-human identity risk is the gap between how cloud systems are built and how identity governance is usually run. Service accounts, API keys, certificates, tokens, and AI agents often exist outside the controls that govern human users, yet they still carry access, privileges, and business impact.
The problem is not just that these identities are numerous. It is that they are created quickly, used across cloud and DevOps workflows, and often left without clear ownership, review, or offboarding. That leaves security, cloud, and IAM teams managing access they cannot fully see or reliably contain.
Key questions
Q: How should security teams govern non-human identities in cloud environments?
A: Security teams should treat non-human identities as first-class governed assets, not implementation details. That means inventorying every service account, token, certificate, and workload identity, assigning ownership, reviewing entitlements, and tying offboarding to workload retirement. Governance fails when machine access exists outside lifecycle control and when secret rotation is used as a substitute for entitlement management.
Q: Why do over-privileged service accounts increase breach impact?
A: Over-privileged service accounts increase breach impact because the credential is only the entry point. The permissions attached to the identity determine how far an attacker can move, what data they can reach, and whether they can disrupt operations. If entitlements are broad, one exposed secret can become a cloud-wide incident rather than a contained access event.
Q: What breaks when non-human identities have no offboarding process?
A: When non-human identities have no offboarding process, credentials remain valid after the workload, vendor relationship, or project has ended. That creates orphaned access paths that attackers can reuse long after the business need has disappeared. The governance failure is not just stale credentials, but stale accountability.
Q: How do teams know if NHI governance is actually working?
A: Teams know NHI governance is working when they can answer three questions quickly: who owns each identity, what permissions it actually uses, and how it will be retired. If discovery is incomplete, entitlements are broad, or offboarding is manual and inconsistent, the programme is still carrying hidden exposure rather than controlling it.
Technical breakdown
Why NHI credential sprawl creates a hidden control surface
Non-human identities are typically authenticated with secrets such as API keys, OAuth access keys, certificates, and tokens rather than with interactive user controls like MFA. That makes them easier to create at scale and harder to govern centrally. When these credentials are embedded in code, config files, CI/CD pipelines, or automation jobs, discovery becomes fragmented and revocation becomes inconsistent. The result is a control surface that exists across engineering and cloud operations, but is often absent from the identity system of record.
Practical implication: build discovery that spans code, pipeline, cloud, and vault layers instead of relying on a single directory view.
How over-privileged machine identities expand blast radius
An NHI is not just a credential. It is a credential plus the entitlements attached to it, and those permissions determine how far an attacker can move if the identity is compromised. When cloud identities carry excessive privileges, a stolen key becomes a lateral-movement primitive rather than a narrow access event. This is why entitlement scope matters more than the initial compromise itself. The control failure is not only exposure of the secret, but also the persistence of permissions that were never right-sized to the workload’s actual behaviour.
Practical implication: map each NHI to the minimum entitlements it actually uses and remove standing permissions that are never exercised.
Why lifecycle governance fails when NHIs are treated like temporary plumbing
Many organisations create machine identities during development, vendor onboarding, or automation rollout, but never tie them to ownership, review, or retirement. That means the identity outlives the business need. Unlike humans, NHIs do not automatically trigger HR-driven offboarding, so decommissioning depends on engineering and security process discipline. Without a lifecycle model, orphaned service accounts and stale tokens remain available long after the system, project, or vendor relationship changes.
Practical implication: assign an owner, review cadence, and retirement condition to every NHI before it is put into production.
Threat narrative
Attacker objective: The attacker wants rapid, low-friction cloud access through a credential that bypasses human-facing controls and opens a larger operational footprint than a single account should allow.
- Entry occurs when attackers obtain exposed credentials such as API keys, OAuth tokens, or service account secrets from code, pipelines, or cloud storage.
- Escalation follows when the compromised NHI has excessive permissions that let the attacker enumerate resources, access data, or pivot into adjacent systems.
- Impact lands when the attacker uses those privileges to move laterally, exfiltrate data, or disrupt cloud operations at a scale that reflects the identity’s blast radius.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
NHI sprawl has become a governance problem, not a tooling problem. The article is right to treat volume as part of the risk, but scale only becomes dangerous when organisations cannot inventory, classify, and own what they expose. NHIs now outnumber human identities by orders of magnitude, which means the attack surface grows faster than most IAM programmes can absorb. The practical conclusion is that discovery and accountability must precede any other control investment.
Over-privilege is the real amplifier of NHI compromise. Secrets are the entry point, but entitlement scope determines whether the incident stays local or becomes a cloud-wide event. This is why the control conversation has to move from secret hygiene to blast-radius management. Teams that focus only on rotation will still leave attackers with the permissions needed to move laterally, exfiltrate data, or alter workloads.
Lifecycle failure is the hidden assumption behind orphaned machine access. Human identity governance assumes offboarding is driven by HR, but NHIs are often created and forgotten outside that model. That assumption fails when developers, vendors, and automation systems can create access faster than owners can retire it. The implication is that lifecycle governance for NHIs cannot be an afterthought appended to human IAM.
Dynamic least privilege is the right concept, but only if it is measured against actual workload behaviour. The article’s call for just-in-time elevation is directionally sound, yet the deeper issue is whether teams know which permissions are ever used at all. Entitlements that never get exercised are not controls, they are latent exposure. Practitioners should treat unused privilege as governance debt, not spare capacity.
Identity blast radius: The most useful concept in this brief is that an NHI’s risk is defined less by its existence than by how far its permissions reach. That concept helps security, cloud, and PAM teams talk about machine identity in business terms that executives can understand. The measurable objective is not just fewer secrets, but smaller blast radius when one is exposed.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- From our research: Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- For the broader control model, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for how ownership, rotation, and offboarding fit together.
What this signals
NHI sprawl changes the operating model for identity teams. When machine identities outnumber human users by 25x to 50x, as our research shows, manual review cycles stop being credible as a primary control. The practical shift is toward continuous discovery, entitlement reduction, and lifecycle enforcement across engineering-owned identity surfaces.
Over-privilege now needs to be managed as a measurable risk state. With 97% of NHIs carrying excessive privileges, the question is no longer whether privilege creep exists but whether your programme can prove where it is shrinking. Teams should use entitlement usage data to separate standing access that is necessary from standing access that is merely convenient.
Identity blast radius is the concept to operationalise next. The brief makes clear that secret theft and entitlement scope are inseparable, so the next maturity step is to link discovery, monitoring, and offboarding into one control path. 52 NHI Breaches Analysis is the most useful companion resource for understanding how that failure pattern plays out in practice.
For practitioners
- Inventory every non-human identity across code and cloud Build a complete inventory of service accounts, API keys, OAuth tokens, certificates, and workload identities across applications, CI/CD, and cloud accounts. Tie each identity to an owner, system, and retirement condition so nothing remains unaccounted for.
- Right-size entitlements before you rotate secrets Review the permissions attached to each NHI and remove privileges that are never used. If a privilege is only needed occasionally, convert it to just-in-time elevation instead of leaving it standing.
- Put offboarding on the machine identity lifecycle Require a decommissioning step for every NHI when a project ends, a vendor relationship changes, or a workload is retired. Offboarding should revoke the credential, remove the access path, and confirm the identity is no longer reachable.
- Separate detection of exposure from detection of abuse Track both where secrets are stored and what the identity does after use. A leaked key without anomalous activity is still an incident candidate, but a valid identity performing unexpected actions is the faster signal for containment.
Key takeaways
- Non-human identity risk is driven by the combination of secret exposure, excessive privilege, and weak lifecycle control.
- The scale is material, with cloud environments carrying far more NHIs than human users and most of them operating with excess permissions.
- The most effective response is to shrink blast radius through inventory, entitlement right-sizing, and enforced offboarding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The post centres on exposed NHI credentials and unmanaged machine identity sprawl. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege entitlement management is the article's core control issue. |
| NIST Zero Trust (SP 800-207) | The brief frames machine identities as high-value access paths in a zero-trust model. |
Apply continuous verification to non-human access paths and reduce implicit trust in cloud workflows.
Key terms
- Non-Human Identity: A non-human identity is any machine or software identity used to authenticate and authorise access to systems, data, or services. It includes service accounts, API keys, tokens, certificates, workload identities, and AI agents. Governance must cover ownership, privilege, lifecycle, and revocation, not just secret storage.
- Blast Radius: Blast radius is the amount of damage an attacker can cause after compromising an identity. In NHI environments, it is defined by entitlements, downstream trust, and how broadly a credential can reach across cloud, data, and operational systems. The larger the blast radius, the more one compromise can spread.
- Just-in-Time Elevation: Just-in-time elevation is the practice of granting higher privilege only when it is needed and removing it immediately after use. For non-human identities, it is most effective when standing permissions are trimmed to the minimum operational baseline and temporary access is tightly scoped to a workload or task.
- Lifecycle Offboarding: Lifecycle offboarding is the controlled retirement of an identity when its business purpose ends. For NHIs, that means revoking secrets, removing entitlements, and confirming the account cannot be reused by a workload, vendor, or attacker. Without offboarding, machine identities tend to persist beyond their legitimate use.
What's in the full article
Andromeda Security's full article covers the operational detail this post intentionally leaves for the source:
- Breakdown of the control gaps behind NHI sprawl across cloud, DevOps, and AI workflows
- Operational recommendations for discovery, entitlement right-sizing, and lifecycle ownership
- The article's framing of business impact across compliance, cloud cost, and lateral movement
- Source examples and supporting evidence behind the stated breach patterns
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-11-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org