By NHI Mgmt Group Editorial Team
Published 2026-06-04
Domain: Best Practices
Source: Unosecur

TL;DR: The OWASP NHI Top 10 shows how service accounts, API keys, OAuth apps, and workload identities create a governance gap that human IAM controls do not cover, especially across cloud and CI/CD environments, according to Unosecur. The central issue is not just more machine identities, but identities that persist, overreach, and evade lifecycle control.


At a glance

What this is: This is an analysis of the OWASP NHI Top 10 and its key finding that machine identities are now a major security gap because they outnumber human users, spread across environments, and are often poorly governed.

Why it matters: It matters because IAM, PAM, and lifecycle teams need a control model that treats service accounts, tokens, and workload identities as first-class identities rather than implementation detail.

By the numbers:

👉 Read Unosecur's analysis of the OWASP NHI Top 10 and machine identity risk


Context

Non-human identities are machine credentials such as service accounts, API keys, OAuth apps, bots, cloud roles, and workload identities. The core governance problem is that these identities increasingly carry the access needed to run modern infrastructure, yet they are rarely managed with the same discipline as human accounts.

The OWASP NHI Top 10 matters because it turns scattered machine-identity failures into a structured risk model. For IAM, PAM, and identity architects, the issue is not only visibility but ownership, lifecycle control, and privilege scope across cloud, SaaS, and CI/CD environments.


Key questions

Q: What breaks when machine identities are not governed like first-class identities?

A: When machine identities are treated as implementation detail, ownership, review, and offboarding break down. That leaves service accounts, API keys, and OAuth apps active long after their purpose ends. The result is hidden access that can be reused, overextended, and difficult to trace back to a responsible team.

Q: Why do long-lived machine credentials increase breach risk?

A: Long-lived credentials create a standing access path that can survive code changes, personnel changes, and forgotten integrations. Once exposed, they can be replayed for as long as they remain valid. That makes them more dangerous than narrowly scoped, short-lived credentials because the attacker has more time to find, test, and abuse them.

Q: How can security teams tell whether NHI governance is actually working?

A: Look for evidence of ownership, expiry, scope, and rotation across the machine identity estate. If a team can quickly answer who owns each credential, what it is for, when it expires, and whether it can cross environments, governance is maturing. If those answers are missing, control is still fragmented.

Q: Who should own machine identity governance in the enterprise?

A: Machine identity governance should sit with identity and security teams, but it must be operationally shared with platform, cloud, and application owners. IAM sets policy, platform teams enforce runtime patterns, and application owners manage the lifecycle of the identities their systems depend on.


Technical breakdown

Machine identity sprawl and the visibility vacuum

Machine identities proliferate wherever software authenticates to software. In practice, that means cloud roles, service accounts, tokens, and apps accumulate faster than most inventories can keep up. The technical failure is not just volume. It is the lack of a unified control plane that can discover identities, map ownership, and distinguish active credentials from abandoned ones. Once identities are spread across vaults, cloud IAM, GitHub, and pipeline configs, governance becomes fragmented and reactive.

Practical implication: build a continuously updated inventory of machine identities and tie each one to an owner, purpose, and expiry condition.

Secret leakage and long-lived credentials

Secrets become dangerous when they are copied into code, logs, tickets, or configuration files and then left in place for months or years. A leaked API key or token is not merely a password problem. It is an impersonation problem, because many machine identities are not bound to context, device, or step-up verification. The attack value increases when the secret is long-lived, broadly reusable, and difficult to distinguish from legitimate automation traffic.

Practical implication: remove static secrets where possible and enforce short-lived, scoped credentials for machine access.

Overprivileged and cross-environment machine access

Machine identities often receive broad permissions to reduce deployment friction, then keep those permissions indefinitely. That creates a large blast radius when a token is stolen or an app is misused. Cross-environment reuse makes the problem worse because a single identity can bridge dev, test, and production. From an architecture perspective, this is where identity governance, environment isolation, and trust boundaries intersect, and where weak scoping turns a small compromise into a platform-wide incident.

Practical implication: scope machine access per workload and environment, and review whether any identity can cross boundaries without explicit justification.
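The inventory, ownership, expiry, rotation and cross-environment checks described across this section, and the evidence the key question above asks for (who owns each credential, what it is for, when it expires, whether it can cross environments), as an added example that is not code from the Unosecur article or from NHIMG's own tooling. The record schema, the source names, the constructed inventory and the thresholds (90-day rotation, 60-day staleness, a pinned audit date) are all assumptions made for this illustration.

```python
# Added example (editorial illustration, not code from the Unosecur article):
# a governance audit over a constructed NHI inventory. The record schema, field
# names, source labels and thresholds are assumptions made for this example.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

TODAY = date(2026, 6, 4)      # pinned so the audit is deterministic
MAX_KEY_AGE_DAYS = 90         # assumed rotation policy for static secrets
STALE_AFTER_DAYS = 60         # assumed threshold for an "abandoned" credential


@dataclass
class MachineIdentity:
    name: str
    source: str                 # where it was discovered, e.g. "aws-iam", "github", "vault", "ci"
    kind: str                   # "service-account", "api-key", "oauth-app", "workload-identity"
    environments: Set[str]      # environments the credential can authenticate to
    owner: Optional[str] = None
    purpose: Optional[str] = None
    created: Optional[date] = None
    expires: Optional[date] = None
    last_used: Optional[date] = None
    ephemeral: bool = False     # True for short-lived, issuer-bound credentials (e.g. OIDC-issued)


def audit(identity: MachineIdentity) -> List[str]:
    """Return the governance gaps for one identity: ownership, expiry, rotation, use, scope."""
    findings: List[str] = []
    if not identity.owner:
        findings.append("no-owner")
    if not identity.purpose:
        findings.append("no-purpose")
    if not identity.ephemeral:
        # Expiry and rotation checks apply to static secrets; ephemeral
        # credentials are time-bounded by their issuer instead.
        if identity.expires is None:
            findings.append("no-expiry")
        elif identity.expires < TODAY:
            findings.append("expired-but-present")
        if identity.created is not None and (TODAY - identity.created).days > MAX_KEY_AGE_DAYS:
            findings.append("rotation-overdue")
    if identity.last_used is None or (TODAY - identity.last_used).days > STALE_AFTER_DAYS:
        findings.append("stale")
    if len(identity.environments) > 1:
        findings.append("cross-environment")   # one identity bridging dev/test/prod
    return findings


def audit_inventory(inventory: List[MachineIdentity]) -> Dict[str, List[str]]:
    """Audit every identity and key the findings by identity name."""
    return {identity.name: audit(identity) for identity in inventory}


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many identities carry each finding, for programme-level reporting."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for finding in findings:
            counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample inventory, as if correlated from cloud IAM, GitHub, a vault and CI.
INVENTORY = [
    MachineIdentity("deploy-bot", "ci", "service-account", {"dev", "prod"},
                    owner="platform-team", purpose="push and deploy images",
                    created=date(2025, 11, 1), last_used=date(2026, 6, 3)),
    MachineIdentity("legacy-reporting-key", "aws-iam", "api-key", {"prod"},
                    created=date(2024, 2, 14), last_used=date(2025, 9, 30)),
    MachineIdentity("gh-actions-oidc", "github", "workload-identity", {"dev"},
                    owner="app-team-a", purpose="run tests", ephemeral=True,
                    last_used=date(2026, 6, 4)),
    MachineIdentity("crm-sync-app", "vault", "oauth-app", {"prod"},
                    owner="sales-eng", purpose="sync contacts",
                    created=date(2026, 4, 1), expires=date(2026, 5, 1),
                    last_used=date(2026, 6, 1)),
]


if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name, findings in report.items():
        print(f"{name:22} {', '.join(findings) or 'clean'}")
    print(summarize(report))
```

Run against the sample inventory, the audit flags the CI deploy account as cross-environment with an unexpiring, overdue secret, the unowned legacy key as stale and unrotated, the OAuth app as expired but still present, and leaves the OIDC-issued workload identity clean. The summary counts are what a programme owner would track over time to show whether ownership, expiry and scope are actually converging.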


Threat narrative

Attacker objective: The attacker aims to turn a low-friction machine identity into durable access that can be used for data theft, lateral movement, or operational disruption.

  1. Entry occurs through leaked, reused, or forgotten machine credentials such as API keys, OAuth tokens, or service accounts.
  2. Escalation happens when those credentials have more access than the workload actually needs, allowing the attacker to move from a single identity into broader cloud, SaaS, or CI/CD access.
  3. Impact follows when the compromised identity reaches customer data, internal mailboxes, deployment systems, or other high-value assets.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Machine identity governance fails when organisations treat NHIs as implementation detail. The article correctly exposes a structural problem: service accounts, API keys, OAuth apps, and workload identities now carry production authority, but they are often outside the governance workflows used for human accounts. The result is fragmented ownership, weak lifecycle discipline, and inconsistent accountability across clouds and pipelines. Practitioners should treat NHI control as a core identity programme function, not a sidecar to infrastructure management.

Secret sprawl is really identity sprawl with a hidden blast radius. A leaked secret is not just an exposure event; it is a portable identity that can impersonate automation at scale. That is why the article’s emphasis on leaked keys and reused tokens maps directly to the OWASP NHI Top 10 and NIST CSF access governance. The field should stop describing this as a credential hygiene problem and start describing it as durable identity exposure.

Environment boundaries fail when the same machine identity crosses them. Reuse across dev, test, production, SaaS, and cloud services collapses the assumption that lower-risk environments can contain weaker controls. Once one identity can operate everywhere, the environment becomes the unit of failure, not the workload. Teams need to recognise that boundary design is part of identity architecture, not a separate infrastructure concern.

Human IAM maturity does not transfer automatically to machine identities. The article shows the common trap: organisations harden SSO, MFA, and behavioural analytics for people while leaving NHIs with static, persistent, and overbroad access. That mismatch is why NHI governance now belongs in the same strategic conversation as PAM, IGA, and cloud security. Practitioners should align machine identity controls to the same governance standard as human access, then tighten from there.

Ephemeral credential trust debt: The industry keeps assuming that short-lived access is enough on its own, but ephemeral credentials still depend on correct scoping, ownership, and revocation logic. The implication is that time-bounding access reduces exposure, but it does not solve the underlying governance debt created by unmanaged machine identities.

From our research:

  • Only 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, according to The 2024 Non-Human Identity Security Report.
  • Machine identity governance belongs in the same strategic conversation as the Top 10 NHI Issues, especially where ownership and lifecycle controls are still manual.

What this signals

Machine identity debt is now a programme-level issue, not a point problem. The organisations that still manage NHIs as scattered technical artefacts will keep absorbing invisible risk until ownership, expiry, and scope are treated as core governance fields. That shift is especially urgent in environments where automation, SaaS integrations, and cloud workloads all depend on credentials that outlive their original purpose.

With 69% of security leaders agreeing identity management must fundamentally shift to address agentic AI systems, the line between machine identity governance and future AI governance is already blurring, according to the 2026 Infrastructure Identity Survey. Teams that modernise NHI controls now will have a cleaner path when autonomous tooling starts inheriting the same identity patterns.

Identity blast radius: The practical question is no longer whether NHIs exist, but how far a single compromised identity can travel before detection. If one token can reach production, SaaS, and CI/CD, then incident containment depends on scoping design, not just monitoring. This is where the organisation should align cloud, platform, and identity controls around revocation speed and environment separation.


For practitioners

  • Inventory machine identities continuously: Correlate service accounts, API keys, OAuth apps, bots, and workload identities across cloud, SaaS, GitHub, and CI/CD so ownership and purpose are visible in one place.
  • Replace static secrets with short-lived credentials: Prioritise ephemeral tokens and workload-bound credentials for high-value automation paths, especially where secrets are currently copied into code or pipeline configuration.
  • Tighten privilege scope by environment: Prevent one machine identity from operating across dev, test, and production unless the business case is explicit and reviewed, and validate that each role is least privileged.
  • Automate offboarding for stale machine accounts: Add expiry, rotation, and deletion workflows to the lifecycle of every machine identity so forgotten test accounts and orphaned apps do not remain active indefinitely.
  • Review third-party trust chains regularly: Map every external integration that can assume access into your environment and verify that the trust path is still required, narrowly scoped, and revocable.
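The short-lived, scoped credential pattern from the practitioner list above, together with the point in the analysis section that ephemeral credentials still depend on correct scoping and revocation logic, as an added example that is not code from the Unosecur article or from NHIMG. The token layout, claim names, signing key, five-minute TTL and the constructed workload and service names are this example's own assumptions, not any vendor's or standard's format; a real issuer would keep the signing key in a KMS or HSM rather than in source.

```python
# Added example (editorial illustration, not code from the Unosecur article):
# issuing and verifying short-lived, environment- and audience-scoped workload
# credentials. The token layout, claim names and signing key are assumptions
# made for this example.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Tuple

SIGNING_KEY = b"example-only-signing-key"   # constructed; a real issuer keeps this in a KMS/HSM
DEFAULT_TTL = 300                            # five-minute credentials (assumed policy)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue(subject: str, environment: str, audience: str, now: int, ttl: int = DEFAULT_TTL) -> str:
    """Mint a credential bound to one environment and one consuming service."""
    claims = {
        "sub": subject,               # the workload identity
        "env": environment,           # dev / test / prod: the boundary this credential may not cross
        "aud": audience,              # the only service allowed to accept it
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(8),  # unique id so the credential can be revoked before expiry
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


class Verifier:
    """One relying service in one environment; enforces the checks a TTL alone does not."""

    def __init__(self, environment: str, audience: str):
        self.environment = environment
        self.audience = audience
        self.revoked = set()   # jti values pulled when an owner offboards or a leak is suspected

    def revoke(self, token: str) -> None:
        body = token.split(".")[0]
        self.revoked.add(json.loads(_unb64(body))["jti"])

    def verify(self, token: str, now: int) -> Tuple[bool, str]:
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        # Check integrity before trusting any claim; compare the encoded strings
        # so that any altered character fails the check.
        if not sig.isascii() or not hmac.compare_digest(sig, _sign(body)):
            return False, "bad-signature"
        try:
            claims = json.loads(_unb64(body))
        except ValueError:
            return False, "malformed"
        if now >= claims["exp"]:
            return False, "expired"
        if claims["env"] != self.environment:
            return False, "wrong-environment"
        if claims["aud"] != self.audience:
            return False, "wrong-audience"
        if claims["jti"] in self.revoked:
            return False, "revoked"
        return True, "ok"


def demo() -> dict:
    """Walk one credential through the failure modes the text describes."""
    token = issue("deploy-bot", "prod", "registry", now=1000)
    prod_registry = Verifier("prod", "registry")
    results = {
        "valid": prod_registry.verify(token, 1100),
        "after-ttl": prod_registry.verify(token, 1300),
        "crossing-to-dev": Verifier("dev", "registry").verify(token, 1100),
        "replayed-to-billing": Verifier("prod", "billing").verify(token, 1100),
    }
    prod_registry.revoke(token)
    results["after-revocation"] = prod_registry.verify(token, 1100)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```

The point of the verifier is that expiry is only one of five checks: the same token is also refused when it is presented in a different environment, to a different service, after its id has been revoked, or with a signature that does not match its body. Time-bounding shrinks the exposure window; scoping and revocation are what keep a single credential from travelling across boundaries within that window.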

Key takeaways

  • The article shows that machine identities are now a core governance problem because they expand faster than most organisations can inventory or control them.
  • The scale of the issue is visible in the same failure pattern across leaked secrets, overprivileged access, and weak lifecycle ownership.
  • The right response is to govern NHIs with the same discipline used for human identities, then tighten around ownership, scope, and expiry.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | Secret leakage and exposed credentials are central to the article.
NIST CSF 2.0 | PR.AC-4 | The article focuses on excessive and poorly governed machine access.
NIST Zero Trust (SP 800-207) | SC | Cross-environment trust and broad access undermine zero-trust assumptions.

Treat each machine identity as a distinct subject and validate access per workload and environment.


Key terms

  • Non-Human Identity: A non-human identity is any credentialed digital entity that authenticates without a person behind it, such as a service account, API key, token, certificate, bot, or workload identity. These identities often hold powerful access and require lifecycle governance, scoping, and ownership just like human accounts.
  • Secret Sprawl: Secret sprawl is the uncontrolled spread of credentials across code, configuration, logs, tickets, and collaboration tools. It creates hidden impersonation risk because one exposed secret can unlock multiple systems, especially when the same credential is reused or left active for long periods.
  • Environment Isolation: Environment isolation is the practice of keeping development, test, and production access separated so compromise in one zone does not automatically reach another. For machine identities, weak isolation usually means the same credential or trust relationship can cross boundaries and enlarge the blast radius.
  • Lifecycle Offboarding: Lifecycle offboarding is the process of removing identity access when a workload, integration, account, or vendor relationship ends. For non-human identities, offboarding must cover deletion, rotation, revocation, and ownership transfer, because abandoned credentials often remain valid long after they should have been removed.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • A structured breakdown of each OWASP NHI Top 10 category and the incident pattern behind it.
  • Unpublished implementation detail on how the vendor correlates NHI inventory, ownership, and behaviour across cloud and SaaS environments.
  • Operational examples for automated lifecycle governance, including rotation, offboarding, and expiry workflows.
  • Benchmarking and reporting examples that help teams translate NHI risk into audit and programme language.

👉 The full Unosecur post covers the OWASP NHI Top 10 breakdown, incident examples, and governance framing.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org