By NHI Mgmt Group Editorial Team
Published 2025-01-09
Domain: Best Practices
Source: GitGuardian

TL;DR: OWASP’s 2025 Non-Human Identity Top 10 elevates risks such as secret leakage, improper offboarding, overprivileged NHIs, and insecure authentication at a time when machine identities can outnumber humans by 100:1, according to GitGuardian. The practical message is that discovery, lifecycle control, and least privilege must move into DevSecOps workflows, not sit beside them.


At a glance

What this is: OWASP’s 2025 Non-Human Identity Top 10 focuses on machine identity risks that conventional human-centric IAM models often miss, especially around secrets, lifecycle, and privilege.

Why it matters: IAM and NHI teams need a control model that can find, govern, and retire machine identities at the same pace they are created.

By the numbers:

👉 Read GitGuardian's analysis of the OWASP NHI Top 10 and machine identity risk


Context

Non-human identities are service accounts, API keys, tokens, certificates, and agent credentials that act without a person in the loop. In practice, the control gap is that most IAM programs still model access around human login, while machine identities are created in code, reused across systems, and left behind after their original purpose ends.

GitGuardian’s review of the OWASP NHI Top 10 lands in a mature but uneven market reality: the issue is not whether machine identity risk exists, but whether teams can govern it at scale. The key takeaway for NHI governance is that discovery, ownership, rotation, and offboarding have to be treated as lifecycle controls, not one-off cleanups.

The article’s starting point is typical for enterprise environments, not exceptional. Most organisations have already accumulated a large machine identity footprint, but few can map it cleanly enough to enforce consistent policy across cloud, CI/CD, third-party services, and AI-enabled workflows.


Key questions

Q: How should security teams govern non-human identities in DevSecOps pipelines?

A: Treat non-human identities as first-class assets in the pipeline. Discover them, assign ownership, scan for secrets at commit and build time, and require policy checks before deployment. That combination reduces hidden access paths and makes rotation or deactivation feasible when an application changes.

Q: Why do non-human identities create more risk than traditional user accounts?

A: Non-human identities are often numerous, reused, and tightly embedded in systems, so they are harder to see and easier to forget. They also operate without normal human session patterns, which makes human-centric IAM reviews and login controls incomplete.

Q: What is the difference between secrets rotation and NHI lifecycle management?

A: Secrets rotation replaces a credential, while NHI lifecycle management governs the whole identity from creation to retirement. Rotation reduces exposure, but lifecycle management also covers ownership, offboarding, privilege scope, and detection of abandoned machine identities.

Q: When should organisations prioritise least privilege for machine identities?

A: They should apply least privilege at creation, not after an incident. The best time to reduce access is when the workload is first designed, because later privilege reduction is harder once services, scripts, and dependencies depend on broad access.


Technical breakdown

Why machine identities break human-centric IAM assumptions

Machine identities do not behave like users. They authenticate programmatically, often at high frequency, and they may be embedded in applications, pipelines, or infrastructure rather than managed through an interactive directory flow. That means session-based controls, manual reviews, and periodic user recertification do not fully address how NHIs are created, used, or retired. The core architectural problem is that access is often inherited from deployment patterns rather than granted through explicit identity governance. Once secrets are copied into code, tickets, or configuration layers, the identity becomes harder to find than to create.

Practical implication: Practitioners need NHI discovery and ownership mapping before they can enforce meaningful least privilege or lifecycle policy.

Secret leakage and long-lived credentials create persistent exposure

A secret is not just a token. It is the authentication boundary for an NHI, and when it leaks into source control, chat, or logs, the attacker often gets a reusable path into the environment. Long-lived credentials make this worse because the compromise window can extend far beyond the original deployment event. In machine identity programs, rotation is not a hygiene task; it is a containment mechanism. The architectural goal is to shorten credential lifetime, reduce where secrets are stored, and make replacement automatic enough that teams stop relying on stale credentials for operational continuity.

Practical implication: Security teams should prioritize secret scanning, automated rotation, and removal of long-lived credentials from code and collaboration tools.

Offboarding and privilege scoping must be continuous controls

Improper offboarding happens when an NHI remains valid after the workload, integration, or project has ended. Overprivilege happens when the identity is granted broad access because the team could not otherwise get the system working. Together they create an identity blast radius problem, where one exposed secret can reach more systems than intended and remain active long after business need has changed. The architectural fix is to tie entitlement review, deactivation, and renewal to the identity’s actual lifecycle rather than to a calendar review cycle that assumes human employment patterns.

Practical implication: Teams should connect decommissioning, access review, and privilege reduction to workload change events, not annual review windows.


Threat narrative

Attacker objective: The attacker wants durable machine access that survives ordinary user-focused controls and can be reused across systems without immediate detection.

  1. Entry occurs through exposed or embedded NHI secrets in code, tickets, logs, or collaboration systems, which gives the attacker a reusable credential path into machine-to-machine systems.
  2. Escalation follows when the compromised identity is overprivileged, reused across environments, or still active after the original workload has been retired.
  3. Impact is achieved through persistent access to applications, pipelines, or data services that still trust the credential long after the initial leak.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

OWASP’s NHI Top 10 is a category signal, not just a checklist. Once a widely used security body names non-human identities as a distinct risk class, enterprise programs can no longer treat machine identity as an implementation detail. The practical consequence is that NHI governance now belongs in the same policy conversation as human IAM, PAM, and zero trust. Teams should use the Top 10 as a control design input, not a compliance appendix.

Secret sprawl is now an identity problem, not only a secrets problem. When credentials are duplicated, embedded in code, and reused across services, the security issue is the identity relationship those secrets represent. That is why discovery and context matter as much as vaulting. A security team cannot govern what it cannot map, and it cannot rotate what it cannot confidently classify. Practitioners should treat secret inventory as the front door to NHI control.

Identity blast radius is the right lens for machine identities. The real risk is not just exposure, but how far one exposed credential can reach before it is revoked. Overprivileged NHIs, reused credentials, and weak offboarding expand that radius across cloud, CI/CD, and third-party services. The discipline now is to reduce the blast radius before the incident. Practitioners should design for narrow scope, short life, and rapid invalidation.

Lifecycle governance is becoming the dividing line between mature and immature NHI programs. Organisations that still rely on ad hoc cleanup will keep accumulating dormant identities and unresolved access paths. The stronger model is continuous ownership, continuous review, and continuous retirement of machine access. That shift is what turns NHI security from a project into an operating practice. Practitioners should build lifecycle ownership into delivery workflows.

OWASP-NHI gives practitioners a shared vocabulary for control mapping. The value is not the list itself, but the ability to translate recurring identity failures into repeatable governance actions. That makes policy design, engineering enforcement, and audit evidence easier to align. Practitioners should use the framework to standardise language between security, IAM, and application teams.

From our research:

  • 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, which means stale credentials remain a common operational weakness, according to the Ultimate Guide to NHIs.
  • The next control conversation should shift from inventory alone to lifecycle enforcement, using the NHI Lifecycle Management Guide to turn discovery into retirement and renewal discipline.

What this signals

Identity blast radius will become the more useful operating metric for machine identities than raw inventory counts. The reason is simple: a small number of overprivileged NHIs can expose far more of the environment than a large number of tightly scoped ones. With 97% of NHIs carrying excessive privileges, the control problem is clearly structural, not incidental.

Security programmes should expect NHI governance to move closer to zero trust and workload identity standards. That means continuous verification of access paths, tighter entitlement boundaries, and less dependence on static secrets. The practical direction is to align machine identity controls with NIST Cybersecurity Framework 2.0 and the identity guidance in the OWASP Non-Human Identity Top 10.

Secret sprawl debt is the backlog created when credentials are copied faster than they are retired. That debt compounds across cloud, CI/CD, and third-party services, which is why security teams need a living inventory plus automated retirement paths. Practitioners should use the source article’s framing to justify broader cleanup work rather than treating leaked secrets as isolated exceptions.


For practitioners

  • Inventory every NHI and its owner: Map service accounts, API keys, tokens, certificates, and AI agent credentials to a named business or engineering owner. Without ownership, offboarding, rotation, and privilege review will remain partial and inconsistent.
  • Shorten credential lifetime by default: Replace long-lived secrets with automated rotation, ephemeral credentials, or runtime-issued tokens wherever the workload supports it. The goal is to reduce how long a leaked credential remains useful.
  • Tie offboarding to workload retirement: Create a decommissioning workflow that disables the identity when the service, pipeline, or integration is retired. Include cross-checks for stale credentials in code repositories, configuration files, and chat tools.
  • Enforce least privilege at creation time: Review requested permissions before deployment and remove broad access after the workload stabilises. Use environment-specific entitlements so the same NHI cannot reach production, staging, and third-party services by default.
  • Embed NHI controls into DevSecOps gates: Add secret scanning, policy checks, and approval steps to CI/CD so machine identity risk is evaluated where identities are created. This is the most practical way to catch hardcoded credentials before release.

Key takeaways

  • Machine identity risk now sits in a distinct control category that human-centric IAM models do not fully cover.
  • The scale problem is not theoretical, because excessive privilege and stale credentials remain common across NHI environments.
  • The right response is lifecycle governance: discover, scope, rotate, and retire machine identities continuously.

Key terms

  • Non-Human Identity: A non-human identity is a credentialed digital entity used by software, services, or automation rather than a person. In practice, it includes service accounts, API keys, tokens, certificates, and agent identities that can authenticate, request access, and interact with systems at machine speed.
  • Identity Blast Radius: Identity blast radius is the set of systems, data, or services an identity can reach if it is compromised. For NHIs, the blast radius often grows when credentials are reused, permissions are broad, or offboarding is incomplete, making scope control a core security objective.
  • Secret Sprawl: Secret sprawl is the uncontrolled distribution of credentials across code, tickets, logs, chat tools, repositories, and configuration files. It makes discovery, rotation, and revocation difficult because the same secret may exist in multiple places, some of them outside formal security tooling.
  • NHI Lifecycle Management: NHI lifecycle management is the end-to-end process of creating, governing, rotating, reviewing, and retiring machine identities. It ties access to business need and workload state, so credentials do not remain active after the service, integration, or automation has moved on.

What's in the full article

GitGuardian's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of each OWASP NHI Top 10 risk and how the vendor maps it to common enterprise failure modes.
  • Specific guidance on discovering, classifying, and tracking machine identities across code, vaults, and CI/CD systems.
  • Examples of how the article recommends integrating NHI controls into DevSecOps workflows and review cycles.
  • The vendor's own explanation of how its scanning and context features are positioned for lifecycle remediation.

👉 GitGuardian's full post expands on the OWASP NHI Top 10 and the control changes it implies for teams.

Deepen your knowledge

OWASP NHI Top 10 alignment and machine identity lifecycle controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme around non-human identities, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-01-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org