The Ultimate Guide to Non-Human Identities Report
NHI Workshop – Why the Urgency Now

Introduction to Panel and Session Overview

The panel features four experts in the field of identity management and security:

  • Dwayne McDaniel – Sr. Developer Advocate at GitGuardian, focusing on solving NHI governance at scale.
  • Anusha Iyer – CEO and founder of Corsha, which builds an identity provider for NHIs, with extensive experience in the federal and intelligence sectors.
  • Jobson Andrade – Senior Manager Identity Operations at Mars, overseeing global identity operations, including non-human identities across diverse environments.
  • Kamal Muralidharan – Co-founder and CTO of Andromeda Security, with a background in cloud security and lifecycle management of human and non-human identities.

Core Theme: The Urgency of Managing NHIs

The discussion emphasizes the increasing threat landscape driven by identity-based attacks, especially involving NHIs. Key points include:

  • Attackers increasingly target credentials, because stealing and reusing a valid credential is cheaper and more reliable than finding and exploiting a zero-day vulnerability.
  • Recent breaches, such as the Active Directory compromise, highlight how NHIs can be abused to reach sensitive data and escalate an attack.
  • Research indicates millions of hard-coded credentials are publicly exposed, with 23.7 million of them found in public GitHub repositories in 2024 alone.

This trend underscores the critical need for immediate action to secure NHIs and their credentials.

How Did We Get Here?

Factors Contributing to the Current State

Panelists discuss the evolution of identity management challenges:

  1. Expansion of connected systems – The proliferation of IoT devices, hybrid cloud environments, and SaaS applications increases the attack surface.
  2. Decentralization of credential management – DevOps practices and cloud adoption allow individuals to create and manage credentials independently, often without centralized governance.
  3. Shift from private to public cloud – The physical boundaries of data centers have dissolved, making NHIs accessible from outside traditional networks.
  4. Speed over security – Business priorities often favor rapid deployment, leading to insecure practices like hardcoded secrets.

Challenges in Managing Secrets and Credentials

Key issues identified include:

  • Storing secrets in source code repositories like GitHub, leading to exposure.
  • Sharing credentials via social platforms such as Slack, increasing risk of leaks.
  • Difficulty in transitioning to secretless architectures, though some progress is possible with keyless solutions.

Suggested remedies include adopting a secret manager and moving to more secure credential-management practices.
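As an added illustration of the first two problems above (this is not material from the workshop or from any panelist's company; the detection patterns, the entropy threshold and the two sample files are constructed for this example), the following Python script shows the kind of check a pre-commit hook or a chat-export scan would run. It flags credentials with a recognisable prefix (AWS access key IDs, GitHub and Slack tokens, private-key blocks) and random-looking literals assigned to secret-like variable names, and it stays quiet on the hardened form where the value is read from the environment at runtime:

```python
import math
import re
from dataclasses import dataclass

# Credential formats with a recognisable prefix. The AWS, GitHub and Slack shapes follow the
# vendors' published token formats; the generic assignment rule below catches everything else.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A variable whose name suggests a secret, assigned a quoted literal of 8+ characters.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[A-Z0-9_]*(?:secret|password|passwd|token|api_?key)[A-Z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)

# Bits per character above which a literal is treated as random-looking. 3.0 is an
# assumed starting point for this example; tune it against your own false-positive rate.
ENTROPY_THRESHOLD = 3.0


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    preview: str  # masked on purpose: scanner output must not become a second leak


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return one Finding per credential-looking match, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, mask(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(line_no, "high_entropy_assignment", mask(value)))
    return findings


# Constructed sample source file: the "before" (hard-coded) and "after" (value injected at runtime
# from the environment, which a secret manager or CI system populates) side by side.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation, not a live key.
SAMPLE_SOURCE = '''import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "s3cr3t-P@ssw0rd-2024!"
db_password = os.environ["DB_PASSWORD"]  # hardened: read from the environment, never committed
token_ttl_seconds = "3600"  # secret-like name, but the literal is too short to be a credential
greeting = "hello world"
'''

# Constructed Slack export snippet: the same scanner runs unchanged over chat exports.
SAMPLE_SLACK = '''[2024-05-01 09:12] alice: can someone test the bot? token is xoxb-123456789012-abcdefghijklmnop
[2024-05-01 09:13] bob: sure, and here is the deploy key
-----BEGIN OPENSSH PRIVATE KEY-----
'''

if __name__ == "__main__":
    for label, text in (("source", SAMPLE_SOURCE), ("slack", SAMPLE_SLACK)):
        for f in scan_text(text):
            print(f"{label}:{f.line_no}: {f.rule} {f.preview}")
```

Run over the sample source it reports the AWS key ID on line 2 and the high-entropy password on line 3 and nothing for the environment-variable version; over the Slack snippet it reports the bot token and the private-key header. The entropy rule is a heuristic: it misses low-entropy placeholders such as "password123", and wire the prefix rules up to the real token formats for every provider you use. Scanning only tells you what has already leaked; the fix the panel points to is to move the value into a secret manager and rotate it, since a secret that was ever committed has to be treated as compromised.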

Managing the Growth of NHIs and Secrets

Risk-Based Approach

Organizations should:

  • Assess the risk associated with each secret or NHI.
  • Assign ownership and responsibility to relevant teams or leaders.
  • Implement policies to migrate away from secrets where feasible, such as using certificates or federated identities.
  • Communicate the importance of reducing secrets to the business to foster a security-first mindset.

Lessons from Human Identity Management

Panelists highlight parallels between human and non-human identity management:

  • Adoption of MFA and adaptive authentication has significantly reduced risks associated with human credentials.
  • Applying similar principles to NHIs, such as granting minimal entitlements and monitoring behaviour, can mitigate risk in the same way.
  • Managing NHIs as first-class citizens with proper governance is essential for security and operational efficiency.

The Impact of AI and the Need for Urgency

AI, especially agentic and autonomous AI, introduces new challenges and opportunities:

  • AI adoption is rapid, often within weeks, compared to multi-year cloud migrations.
  • Agentic AI systems will have entitlements and behaviors that need to be monitored and controlled.
  • Potential risks include AI systems acting autonomously in ways that could compromise security.

Panelists stress the importance of developing tools and frameworks to track, monitor, and govern NHIs and AI agents effectively.

Operational and Governance Challenges

Key issues include:

  • Managing complex chains of agents and their permissions.
  • Ensuring governance keeps pace with technological evolution.
  • Balancing speed of deployment with security controls.

There is a call for better frameworks and policies to handle the increasing complexity of NHIs and AI systems.

Final Recommendations

Panelists agree on several core principles:

  • Support business growth responsibly by implementing governance without becoming a bottleneck.
  • Recognize that APIs, agents, and automation are now the primary decision-makers in ecosystems.
  • Treat all identities, human or non-human, with equal care, ensuring proper entitlement management and security.
  • Shift organizational focus from just protecting assets to enabling secure, scalable innovation.

They encourage ongoing dialogue, sharing best practices, and adopting a proactive stance to secure NHIs and AI systems as integral parts of future infrastructure.

Closing Remarks

The panel emphasizes that managing NHIs is not just a technical challenge but a strategic imperative. The rapid evolution of technology, especially AI, demands immediate action, robust governance, and a mindset shift towards viewing NHIs as vital assets that require the same level of care as human identities.

NHI Workshop – Opening Remarks

Introduction and Welcome

Lalit Choda, founder of the Non-Human Identity Management Group, opens the session with enthusiasm, highlighting the significant interest in NHI topics. The workshop is well-attended, indicating a high level of industry concern and curiosity about non-human identities.

He extends gratitude to the NHIMG team and the Cyber Risk Alliance for hosting and supporting the event, as well as to over 20 industry experts, including practitioners and CISOs, who are sharing their insights. The goal is to explore challenges, risks, and management strategies related to NHI exposure.

Special thanks are given to the organizing team, emphasizing the months of planning that have culminated in this event.

Speaker Background

Lalit Choda, also known as “Mr. NHI,” has over 30 years of experience, primarily in investment banking. His previous nickname was “Mr. Socks,” reflecting a long-standing industry presence. His expertise includes regulatory programs, human controls, PAM, and managing large-scale NHI initiatives involving over 100,000 identities.

Recent contributions include publishing the report “The Ultimate Guide To Non-Human Identities” and founding the NHI Management Group, whose “goal is simple: it’s to educate and evangelize about NHI risks and help you on your journey in solving these problems.”

The Ultimate Guide To Non-Human Identities is available at https://nhimg.org/the-ultimate-guide-to-non-human-identities

Workshop Goals and Expectations

The primary aim is to provide attendees with deep insights into NHI risks, including real-world examples and best practices. Participants are encouraged to understand their organization’s exposure and consider how to address these vulnerabilities.

The workshop is structured into two main parts:

  • First Part – Fundamentals of NHI, including definitions, risks, challenges, and the urgency of addressing them.
  • Second Part – Practical guidance on risk management, emerging topics like AI and NHI, stakeholder engagement, and market solutions.

Agenda Breakdown

First Half

  • Introduction to NHI: What they are and why they matter
  • Risks and challenges associated with NHI
  • The urgency of addressing NHI now
  • Real-life examples and demonstrations of NHI breaches

Break

  • 15-minute coffee break with refreshments available at the back

Second Half

  • Guidance on starting NHI risk mitigation
  • Discussion of maturity models and risk-based approaches
  • Exploration of AI’s role in NHI risks, especially Agentic AI
  • Panel discussion on convincing decision-makers to invest in NHI programs
  • Market landscape overview: solutions, trends, and industry outlook

Audience Engagement and Initial Polls

To gauge the audience’s familiarity and concern with NHI, three quick questions are posed:

  1. Concern about NHI risks – Approximately 50-60% are very concerned, indicating high awareness.
  2. Knowledge of resolving NHI risks – Only about 2 people (likely vendors) feel fully equipped, highlighting a knowledge gap.
  3. Active efforts to address NHI risks – Around 10-15% are currently working on mitigation, suggesting room for growth and increased focus.

This initial engagement sets the stage for the importance of the workshop and the need for practical solutions.

NHI Workshop – Closing Remarks

The Last Words

The NHI Workshop concluded with closing remarks by Lalit Choda, known in the industry as “Mr NHI”, who emphasized the critical importance of understanding and proactively addressing Non-Human Identity (NHI) security challenges. Lalit urged participants to recognize that NHIs represent a longstanding cybersecurity issue, one that organizations can no longer afford to overlook. While these challenges have persisted for decades with limited improvement, Lalit highlighted that recent advances in tooling and solutions now offer a real opportunity to accelerate remediation, enabling businesses to finally gain control and stay ahead of evolving threats.

Challenges and Risks of NHI

Key points discussed regarding NHI include:

  • Significant technical debt accumulated over the years, making fixes complex and time-consuming.
  • The necessity of a holistic approach to managing risks, rather than isolated fixes.
  • The importance of developing a strategic, risk-based approach to prioritize risks and mitigate them effectively.

Despite the slow progress historically, the emergence of new tools offers hope for faster and more effective risk mitigation. However, these require dedicated effort and strategic planning.

Appreciating The Guest Speakers

The session featured several guest speakers who contributed valuable insights. Their contributions were highly appreciated, emphasizing the collaborative effort needed to tackle NHI risks effectively.

Additional Resources and Opportunities

Participants were informed about various resources and upcoming events to deepen their understanding:

  • NHI Pavilion – Located on the right side, this pavilion hosts over 15 vendors showcasing capabilities related to managing NHI risks and security. The organizers and the host group will also be present to engage with attendees.
  • Networking and Learning – Attendees are encouraged to visit the pavilion, speak with vendors, and gather insights to enhance their risk management strategies.
  • Upcoming Talk – Lalit will deliver a session titled “A Practitioner’s Guide to Managing NHI Risks” on Thursday at 3:30 PM. This talk will cover practical insights from managing a large NHI program at a major investment bank, including fixing over 100,000 NHIs.
  • Resources – The session pointed attendees to the “52 Breaches” article, “The Ultimate Guide to Non-Human Identities” report and the newly launched NHI Forum for questions and advice.

Links

The Ultimate Guide to Non-Human Identities Report: https://nhimg.org/the-ultimate-guide-to-non-human-identities

The 52 Non-Human Identity Breaches: https://nhimg.org/52-non-human-identity-breaches

The NHI Forum: https://nhimg.org/community

A Practitioners Guide to Managing Non-Human Identity (NHI) Risks Session: https://nhimg.org/a-practitioners-guide-to-managing-nhi-risks

You can watch more sessions and webinars and learn more about Non-Human Identities by visiting The Non-Human Identity Management Group (nhimg.org), the leading independent authority in NHI research and advisory.

NHI Workshop – Agentic AI and The Intersection With NHIs

Introduction to Panel and Session Overview

The session was hosted by Henrique Teixeira, SVP of Strategy at Saviynt, who guided a forward-looking discussion on one of the hottest topics in identity security: the rise of Agentic AI and its intersection with Non-Human Identities (NHIs). The panel featured Idan Gour, Co-Founder & CTO at Astrix Security, Ido Shlomo, Co-Founder & CTO at Token Security, and Paresh Bhaya, Co-Founder and Head of GTM at Natoma.

The discussion highlighted the potential risks, opportunities, and strategic considerations for organizations adopting AI agents, especially as these agents become more autonomous and integrated into enterprise operations.

Key Discussion Points

Ownership of AI and NHI Identities

Participants agreed that the Identity and Access Management (IAM) leader should own AI agent identities because of their broad, organizational perspective. They understand existing identities and can oversee the integration of agentic workloads and third-party technologies.

  • Same leader should manage both NHI and AI agent identities for consistency.
  • AI agents are viewed as a subset of NHI but with unique characteristics.

Nature of AI Agents Compared to Other NHIs

AI agents differ from traditional NHIs such as RPA bots because they combine human-like flexibility with machine-like scale. They are non-deterministic, interact in natural language, and operate with a degree of autonomy that existing identity management frameworks were not designed for.

  • Current AI agents are often basic, but their capabilities are rapidly evolving.
  • They blur the lines between deterministic automation and human-like unpredictability.

Security implications include the need to rethink how ownership, data sharing, and security controls are applied to these agents.

Biggest Risks in Agentic AI

The primary risk identified is uncontrolled and excessive privileges. As AI agents become more autonomous, they may access sensitive data with broad permissions, leading to potential catastrophic outcomes.

  • Today, privilege management is a challenge; in the future, agents may operate without human oversight.
  • Domain-specific and multi-agent systems will increase complexity and risk.

Concerns include prompt injection, data poisoning, and the difficulty of controlling multiple interconnected agents.

Challenges of Scaling AI Agents

While a single AI agent’s risks are significant, the scale of multiple agents amplifies the threat. Agent protocols (for example, the Model Context Protocol) let agents discover tools and operate autonomously, which complicates discovery, ownership and security management.

  • Protocols like MCP (Model Context Protocol) are critical but still immature.
  • Security gaps in these protocols could lead to widespread vulnerabilities, because one weakness is inherited by every agent that speaks the protocol.

Recommendations for 2025: Low-Hanging Fruits

Participants offered practical steps for organizations:

  1. Early adoption of controls – Implement security controls from day one when deploying MCP and AI agents.
  2. Build infrastructure proactively – Develop systems for inventory, discovery, and ownership of NHIs and AI agents.
  3. Engage vendors – Initiate conversations with vendors about security, data access, and governance early in the procurement process.
  4. Leadership enthusiasm – Be the most excited person about AI in your organization to influence adoption and security practices.

Role of Security and Identity Teams

Security teams often see their role as blockers, but the panel emphasized that security should be integrated into the deployment process from the start. The MCP protocol offers a way to accelerate AI adoption while maintaining control, provided security considerations are prioritized.

Security teams need to shift from reactive to proactive, embedding controls into the architecture rather than as afterthoughts.

Industry Collaboration and Vendor Cooperation

Vendors in the identity space should:

  • Work together to combat criminal activities and malicious actors.
  • Reinvent themselves to support AI agent security and management.
  • Focus on customer needs over competition, especially in the fast-moving AI landscape.

Collaboration across vendors and organizations is essential to develop standards, protocols, and best practices for secure AI agent deployment.

Closing Remarks

The session concluded with a clear call to action around the emerging identity frontier: AI agents as a new class of non-human identities. Panelists emphasized that these identities come with unique security challenges, requiring urgent attention from identity and security leaders.

A key message was the critical risk of uncontrolled privileges, which, if left unmanaged, could result in significant organizational damage. As such, security must be integrated from day one, not as an afterthought. Protocols like the Model Context Protocol (MCP) were highlighted as essential for providing structure and guardrails around how agents reach tools, data and other agents.

Panelists also underscored the importance of proactive, engaged leadership in managing AI-driven identities, advocating for a culture that is not only technically prepared but strategically excited about securing the future of these intelligent systems.

Finally, the discussion stressed the need for industry-wide collaboration and vendor alignment, emphasizing that no single organization can tackle these risks in isolation. Collective effort is vital to stay ahead of evolving threats in the era of Agentic AI.

NHI Workshop – How To Convince C-Level Decision Makers to Invest in A NHI Program

Introduction to Panel and Session Overview

The session was hosted by Troy Wilkinson, a former Fortune 500 CISO, who guided a dynamic conversation alongside industry leaders Danny Brickman, Co-Founder & CEO at Oasis Security, and Eli Erlikhman, VP of Cybersecurity at Sprinklr. This engaging panel explored how to convince C-level executives to invest in a Non-Human Identity (NHI) program, a critical and often overlooked facet of cybersecurity. The discussion emphasized translating technical risks into clear business impacts, showcased real-world incidents that underscore the urgency of managing NHIs proactively, and offered practical strategies for embedding security seamlessly into business operations.

Main Topics Discussed

Key Challenges in NHI Management

  • Difficulty in gaining leadership buy-in due to technical jargon and the need to translate risks into business terms (dollars and cents).
  • Addressing legacy technical debt and the complexity of managing non-human identities like service accounts, APIs, and certificates.
  • Increasing complexity with AI and agentic AI systems, which expand the number of non-human identities.

Strategies for Effective Communication with Leadership

To gain support, it’s essential to:

1. Articulate Business Risk Clearly

  • Use risk scenarios, such as a compromised service account or a leaked API key, to demonstrate the potential impact on the business. For example, a service account whose credentials have not been changed in 15 years is an easy target, and its compromise can lead directly to a breach.
  • Translate technical issues into financial and operational risk using models like FAIR (Factor Analysis of Information Risk), and use frameworks like MITRE ATT&CK to describe the attack path specifically.
  • Identify and map all the identity-related “skeletons” (known weaknesses) to show where the real threats lie.

2. Build a Compelling Business Case

  • Align NHI initiatives with business objectives, such as faster AI adoption or operational efficiency.
  • Show how NHI supports digital transformation, emphasizing that neglecting it could lead to vulnerabilities.
  • Engage stakeholders across DevOps, development and security teams to understand their workflows and pain points.

3. Develop a Clear Program Vision (Nirvana State)

  • Define a future ideal state for identity security, such as full lifecycle management, ephemeral accounts, or federated infrastructure.
  • Focus on integrating existing tools (secret managers, identity providers) and building governance layers on top of current infrastructure.

4. Prioritize Identity Security

  • Identify the most risky identities and vulnerabilities to focus efforts.
  • Explain why identity security is more critical than other areas, emphasizing its role as a bridge between security and business enablement.

5. Business Terms Communication

  • Use language that resonates with executives: risk, resilience and business value, rather than technical jargon.
  • Provide contextualized stories relevant to the company’s specific environment and challenges.

Role of AI in Business

  • AI accelerates the growth of non-human identities, often increasing their number and complexity. Organizations adopting AI tend to see a rise in non-human identities, which underscores the urgency of managing them.
  • AI systems rely on existing databases and service accounts, making NHI management integral to AI deployment.
  • Positioning NHI as part of AI strategy creates a compelling business case, emphasizing speed, innovation, and risk mitigation.

Recent Incidents and Risk Awareness

  • Many organizations have experienced security incidents involving identities, such as API leaks or compromised service accounts.
  • A notable example includes a hacking campaign targeting banks via open APIs, illustrating real-world risks.
  • Using breach write-ups and news (e.g., the NHIMG “52 Breaches” article) helps justify investment by showing that the threats are real.

Building a Strategic NHI Program

There is no universal standard; each company must define its own vision based on its future state and business needs.

  • Defining the “nirvana state”, the ideal future state of identity management (e.g., lifecycle management, ephemeral accounts, federated infrastructure).
  • Leveraging existing infrastructure and tools to avoid unnecessary new investments.
  • Implementing governance controls on top of current systems to enhance security and compliance.
  • Ensuring the language and processes align with developer and DevOps teams to promote agility and speed.

Key Takeaways for Securing NHI

To make a compelling case and implement effective NHI programs, consider the following:

  • Build a business case based on risk, resilience, and enabling business objectives.
  • Use real incidents and threat intelligence to highlight vulnerabilities and potential impacts.
  • Engage all relevant stakeholders early, including DevOps, development, security, and executive teams.
  • Focus on automation, lifecycle management, and governance to reduce manual effort and errors.
  • Recognize that non-human identities are pervasive (“ghosts”) and require proactive management.

Closing Remarks

The panel highlighted the urgency and complexity of managing Non-Human Identities, especially with AI’s rapid proliferation. Success in securing NHIs hinges on shifting the conversation from purely technical to business risks, resilience, and enablement. CISOs and security leaders must become skilled storytellers, crafting narratives that resonate not just with executives, but also with developers, engineers, and security teams. By defining clear strategic goals, leveraging existing infrastructure with governance overlays, and embedding security into development workflows, organizations can build robust, scalable NHI programs that protect critical assets and enable innovation. 

NHI Workshop – The Market Landscape

Introduction to Panel and Session Overview

The final session was expertly hosted by Nirit Icekson, CMO at Entro Security, along with industry leaders Rom Carmel, Co-Founder & CEO at Apono, Ehud Amiri, VP of Product Management at Saviynt and Steve Rennick, IAM Architect at Ciena, who shared their insights on the evolving landscape of the Non-Human Identity (NHI) market trends, risk management solutions and future outlooks. The conversation began with light personal anecdotes to humanize the topic before delving into the complexities facing organizations managing NHI today. The panelists underscored the growing awareness and urgency around NHI, reflecting on how the market has matured over the past two and a half years.

Audience and Vendor Engagement

  • Noted the presence of many vendors and prospects, highlighting a vibrant ecosystem.
  • Appreciated the engaged audience, noting their attentiveness and participation.

Speakers’ Personal Backgrounds and First Jobs

Each speaker shared their early work experiences, illustrating diverse paths into the industry:

  • Nirit – Started selling ice cream at 15, then moved into technical writing and copywriting.
  • Steve – Began with lawn care, then progressed to help desk support, and now specializes in identity architecture.
  • Rom – Also worked in the ice cream business, then as a vulnerability researcher, and now works in the access management space.
  • Ehud – His first job was in a cookie factory, then in development and automatic rights management.

Roles and Responsibilities in NHI Management

Discussion centered on the typical personas involved in NHI management:

  1. Cloud Architects and DevOps – Focused on efficiency, agility and operational aspects.
  2. CISOs and Identity Managers – Concerned with security policies, compliance, and overarching governance.

Key challenge: Aligning these two personas within the organization to create a secure, seamless, and productive environment.

Evolution of the NHI Market

Insights from the speakers highlight how perceptions of NHI have shifted over the past two years:

  • Earlier – NHI was largely unrecognized or misunderstood, especially outside security circles.
  • Now – Increased visibility due to tools providing better insights, and a broader understanding across organizations.

Despite progress, ongoing education remains crucial to deepen understanding and implementation.

Market Perspectives and Changing Focus

Historically, organizations viewed NHI from an external attack-surface perspective. Now there is a shift towards internal visibility and governance, recognizing internal risks such as misconfigurations, poor practices and compliance gaps.

This shift is driven by:

  • Increased internal awareness of identity risks.
  • The influence of AI agents and automation.

There is a growing consensus that identity management should encompass both human and non-human entities uniformly.

Changing Role of Identity Teams

Previously, identity teams focused mainly on human identities. Now, they are increasingly owning NHI management, emphasizing the need for consistent control across all types of identities, including machines and AI agents. This evolution supports a unified approach to identity and access management (IAM).

Educational Challenges and Strategies

Many organizations still lack understanding of NHI, often equating it with service accounts or traditional identities. Education is vital to:

  • Clarify what NHI entails.
  • Highlight its importance for security and compliance.
  • Build awareness among stakeholders.

Effective communication and demonstrating business value are key to fostering organizational buy-in.

Progress Over the Last Two and a Half Years

Visibility into NHI has significantly improved, aided by new tools and increased awareness. However, challenges remain in addressing poor practices and technical debt.

Key points include:

  • Organizations are more aware but often lack the processes to remediate issues.
  • Meeting stakeholders where they are, understanding their current practices is essential.
  • Long-term success depends on integrating NHI into broader security and governance programs.

External Factors and Future Outlook

Market drivers include:

  • Demand for consolidated identity solutions covering both human and non-human identities.
  • Emerging AI and automation technologies increasing the complexity and urgency of NHI management.

Future trends predicted include:

  1. Continued emphasis on automation and dynamic identity management.
  2. Increased regulatory focus, with compliance standards evolving to include NHI considerations.
  3. Potential for significant incidents or breaches involving AI or non-human identities, emphasizing the need for robust controls.

Predictions and Challenges for the Next Two Years

  • Tools will improve, but fundamental issues like technical debt will persist.
  • Organizations often avoid addressing core problems, risking recurring issues.
  • Without tackling tech debt, progress in security maturity will be limited.

Auditing and regulation are expected to drive better practices, but enforcement remains a challenge.

Closing Remarks

This session provided a comprehensive overview of the current state and future direction of non-human identity management. From growing awareness and evolving stakeholder roles to the accelerating impact of AI and the pressing need for regulation and remediation, the discussion painted a realistic yet hopeful picture. The path forward hinges on bridging gaps between technical and security teams, educating all stakeholders, investing in foundational clean-up efforts, and embracing automation as a core capability. Only through these concerted efforts can organizations hope to effectively manage the risks and complexities posed by the expanding universe of non-human identities.

NHI Workshop – How Attackers Compromise NHIs

Introduction to Panel and Session Overview

The session features Vincenzo Iozzo and Michael Silva discussing how attackers compromise NHIs, with a live demo to illustrate attack techniques and defense mechanisms. The goal is to provide insights into the ease of breaching organizational security and how to mitigate such risks.

Speaker Backgrounds and Focus

  • Vincenzo Iozzo – CEO at SlashID, specializes in posture management and active threat detection for both human and non-human identities.
  • Michael Silva – Director of Solution Engineering at Astrix Security, with 20 years of experience in offensive and defensive security; he focuses on threat-actor behaviour and real-world attack techniques rather than management strategies.

Evolution of Identity Attacks

  • Since 2019, the prevalence of identity-based attacks has increased significantly.
  • In 2019, about 40% of intrusions were malware-free: hands-on-keyboard activity using valid credentials rather than malicious code.
  • That figure has since risen to between 75% and 83%, a shift towards attacks that rely on stolen credentials and lateral movement.
  • Attackers increasingly avoid breaking in at all; they log in with stolen or reused credentials.

Key Statistics on Breaches and Credential Leaks

  • Approximately 31% of all breaches over the last 10 years involved the use of stolen credentials, based on Verizon DBIR data.
  • Recent reports from CrowdStrike indicate a six-fold increase in credential stuffing attacks.
  • 66% of AWS breaches involve leaked or valid credentials, making credential compromise the primary attack vector.

Typical Attack Lifecycle

  • Initial access usually comes via phishing or a leaked credential, and the credential may belong to a human or to a non-human identity.
  • Attackers then use identity-based techniques to move laterally within the network, often harvesting tokens or credentials.
  • The attacker’s goal may be persistence or executing ransomware campaigns.

Common Attack Vectors

  1. Phishing – Now includes AI-generated deepfakes and highly convincing campaigns, abuse of OAuth consent flows, and MFA-fatigue (push-bombing) tactics.
  2. Credential Leaks – Go beyond simple API-key leaks: private signing keys have been recovered from sources such as crash dumps (as in the 2023 Microsoft incident), after which attackers can forge valid tokens and move laterally.
  3. Supply Chain Attacks – Compromising third-party packages (e.g., on npm) to harvest credentials and infiltrate production environments.

Post-Compromise Techniques

Once inside, attackers typically:

  • Register an additional MFA factor on the compromised account to maintain persistence.
  • Create a rogue (“fake”) identity provider or federation trust so they can impersonate users.
  • Use token- or ticket-forging techniques, such as forged Kerberos tickets.

Detection and Response Challenges

  • The average time from initial compromise to breach is about 62 minutes.
  • Breaches often go undetected for approximately 10 days.
  • Over half (54%) of breaches are not detected internally, especially in identity-based attacks, which tend to have longer dwell times.
  • High-profile breaches, like Cloudflare, are exceptions where internal detection occurs.

Why Are Identity Attacks Increasing?

Endpoint protections have improved, making identity attacks more attractive.
Core issues with identity security include:

  • Stateless tokens – Once stolen, tokens can be used freely without device binding.
  • Complex authentication protocols – Protocols like OAuth have corner cases that can be exploited.
  • Over-permissioned identities – Large privilege sets (e.g., 15,000 entitlements in AWS) make privilege escalation easier.

Security Challenges and Recommendations

  • Full coverage of human and non-human identities is crucial, as attackers often move between these.
  • Existing identity providers often generate partial logs; comprehensive logging is necessary.
  • MFA and FIDO2 have improved security but are insufficient alone; additional detection (ITDR) is needed.
  • Moving towards device-bound tokens can reduce the attack surface.
  • Regularly and automatically resizing permissions helps prevent privilege escalation.

Future Outlook and Final Notes

  • The speaker hints at future predictions but emphasizes the importance of ongoing vigilance.
  • Encourages continued discussion and awareness of evolving attack techniques.
  • The session concludes with an invitation for further engagement and questions.

NHI Workshop – The NHI Maturity Model & Risk Based Approach

Introduction to Panel and Session Overview

The session was thoughtfully hosted and facilitated by Jesse Minor, Identity Security Consultant, who humorously described himself as a meme enthusiast and recovering identity chaos addict.

The panel was composed of distinguished experts in the field, including Anthony Viggiano, Former Identity Governance Director at Cigna, Rich Dandliker, Chief Strategy Officer at Vesa and Sriram Santhanam, Senior Director, InfoSec at GAP Inc.

The primary focus of this session was to delve into the complexities of understanding, assessing, and effectively managing the risks associated with non-human identities.

Emphasis was placed on adopting a risk-based approach, which involves prioritizing security efforts based on the potential impact and likelihood of threats related to these identities.

Key Perspectives from Panelists

  • Anthony Viggiano – Supports enhancing user experience while maintaining security. Believes that reducing friction can improve policy compliance for NHIs.
  • Rich Dandliker – Highlights misconceptions about NHIs, noting some companies wrongly believe NHIs mean no humans involved. Stresses the importance of hard work and realistic automation efforts.
  • Sriram Santhanam – Emphasizes that managing NHIs isn’t just an upgrade of traditional identity management but requires specialized strategies and a solid understanding of core principles.

90-Day Cleanup Strategy for NHI Chaos

  • Keep – Engage knowledgeable personnel and utilize existing tools like spreadsheets and scanning tools.
  • Kill – Avoid aggressive “kill and scream” tactics initially; focus on risk assessment.
  • Convert – Implement a risk-based approach by:
      • Discovering all NHIs through scans and Active Directory.
      • Prioritizing high-risk accounts, e.g., those vulnerable to Kerberoasting.
      • Focusing on accounts linked to critical business applications and their entitlements.
  • Most critical risk – Ignoring NHIs can break business operations, so balance security with business continuity.

Challenges and Best Practices in NHI Management

Ownership and Lifecycle

  • Clearly assign ownership for NHIs, starting from provisioning.
  • Shift organizational culture from a purely technical focus to one emphasizing process and accountability.
  • Proper ownership facilitates improved security and lifecycle oversight.

Access Review Strategies

  • Use access reviews as a foundation but tailor them for NHIs.
  • Ask straightforward questions like “Is this account still necessary?” and “Who is responsible for this account?”
  • Move away from spreadsheets; utilize automation and distributed workflows.
  • Adopt an iterative, risk-based review process.

Common Misconceptions and Technical Hurdles

  • Keys vs. Passwords – Keys are more complex, can have many-to-many relationships, and are more dangerous than passwords.
  • Maturity vs. Compliance – Many companies engage in superficial compliance activities, like vaulting accounts without proper rotation or oversight.
  • Visibility – Knowing what NHIs exist is a critical first step; without it, security efforts are ineffective.
  • Credentials and Secrets – Hard-coded credentials and secrets are major vulnerabilities; secret scanning tools help but must be complemented by downstream security controls.
  • Automation – Most organizations overestimate their automation maturity; true automation is hard and often incomplete, especially with legacy systems.
  • False Sense of Security – Relying solely on automation can be risky if foundational inventories and controls are lacking.

Effective Triage and Prioritization

Given the vast number of NHIs that may exist, organizations should focus their efforts on high-value, high-risk identities first. This involves:

  • Addressing orphaned accounts, those with no clear owner or purpose, closing or revalidating them to reduce attack surface.
  • Identifying and filling process gaps that may allow NHIs to persist unnoticed or unmanaged.
  • Prioritizing remediation based on risk level rather than striving for perfection across all identities. Establishing a risk threshold helps determine which issues require immediate attention and which can be deferred.
  • Accepting that some trade-offs are permissible if they do not significantly elevate organizational risk, thereby enabling more pragmatic and achievable security improvements.

Panel’s “Yes or BS” Statements and Insights

  • You can’t secure what you can’t see – Agree. Visibility into NHIs is a fundamental prerequisite for security; however, visibility alone is insufficient. It must be coupled with active risk mitigation strategies.
  • Hard-coded credentials are a breach waiting to happen – Agree. Hard-coded credentials pose significant security risks, especially if they are unprotected or embedded in code, making them prime targets for attackers.
  • The CI/CD pipeline is the most neglected NHI attack surface – Disagree. While the CI/CD pipeline is a critical attack surface, it is just one among many, including cloud environments, APIs, and legacy systems.
  • If no one owns it, it won’t get fixed – Agree. Clear ownership is essential for accountability, timely remediation, and ongoing management of NHIs.
  • Secret scanning tools catch more than they break – Agree. These tools are vital for identifying secrets and credentials, but their effectiveness depends on proper integration with downstream security controls and response processes.
  • API keys are the new passwords and are often mishandled – Agree. API keys are frequently stored insecurely in code repositories, accessible to unauthorized users, and often possess high privileges, making their mishandling particularly dangerous.
  • Zero trust is meaningless without NHI – Agree. Implementing zero trust principles without considering NHIs is incomplete; NHIs are integral to defining trust boundaries and access controls.
  • Most companies are overestimating their NHI maturity – Disagree. Many organizations are aware of their limited visibility and capabilities regarding NHIs and are candid about their current state, recognizing the need for improvement.

Final Recommendations for NHI Risk Management

  1. Prioritize Risks – Focus on identifying and mitigating those risks that have the potential to cause the most significant damage or disruption in the shortest amount of time. This targeted approach ensures efficient use of resources and maximum impact.
  2. Establish Clear Ownership – Assign definitive responsibility for each NHI to specific individuals or teams. Clear accountability is crucial for ongoing management, security, and timely remediation efforts.
  3. Master the Fundamentals – Before attempting complex automation or advanced strategies, organizations must first understand where their accounts are located, how they are used, and their basic operational characteristics. Building a solid foundation is essential for effective security management.
  4. Focus on Reducing Inherent Risk – Progress in NHI management is not merely about achieving compliance or ticking boxes; it is about continuously lowering the inherent risks associated with NHIs. Maturity is a journey of ongoing improvement aimed at minimizing potential vulnerabilities.

Closing Remarks

The session concluded with a strong emphasis on the importance of adopting a risk-based mindset when managing NHIs. Establishing clear ownership, mastering foundational practices, and understanding that true maturity involves actively reducing risks rather than just fulfilling compliance requirements are key takeaways. The panelists expressed gratitude for the engaged participation and insightful questions from attendees, reinforcing the collective need to approach NHI management with diligence, strategic thinking, and a focus on continuous improvement.

NHI Workshop – NHI Compromise Demo

Introduction

This session emphasizes the ease of breach through simple methods like credential theft. Michael Silva, with 20 years of experience in offensive and defensive security, aims to showcase real-world attack techniques and the importance of understanding vulnerabilities.

Overview of Attack Methodology

The attack simulation follows a typical cyberattack lifecycle: steal, conceal, and persist. The attacker’s goal is to extract valuable data, hide their activities, and establish backdoors for future access.

  • Steal – Obtain credentials and source code.
  • Conceal – Hide traces of activity to avoid detection.
  • Persist – Create backdoors to maintain ongoing access.

Initial Access via Public Repositories

Michael begins by searching GitHub repositories for leaked credentials. This involves:

  1. Cloning repositories identified with leaked secrets.
  2. Using open-source tools like gitleaks to scan for secrets such as AWS keys and webhooks.
  3. Identifying secrets in different branches, not just the main branch, highlighting the importance of scanning all branches.

Analyzing Found Secrets

After scanning the GitHub repository, Michael found some secrets, such as:

  • AWS access keys (denoted by AKIA prefixes).
  • Secrets stored in specific commit histories, even if not present in the current branch.

He verified whether these credentials were still active by configuring AWS CLI profiles and calling STS get-caller-identity to confirm their validity and permissions.
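As an added example (not code from the session, nor from gitleaks or any other tool named above), the following Python script walks every commit reachable from any branch or tag of a local git clone and reports AWS access key IDs by their AKIA prefix, masking each value so the report does not reproduce the secret. It assumes the `git` CLI is on PATH; the regex, the `Finding` record and the helper names are this example's own.

```python
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# IAM user access key IDs start with "AKIA" followed by 16 upper-case
# alphanumerics; the word boundaries keep a longer token that merely
# contains the prefix from matching. (Pattern chosen for this example.)
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


@dataclass(frozen=True)
class Finding:
    commit: str      # commit that introduced the blob
    path: str        # file path inside that commit's tree
    line_no: int     # 1-based line within the file
    key_masked: str  # prefix + last four characters only


def mask(key: str) -> str:
    """Keep enough of the key to identify it without reproducing it."""
    return key[:4] + "*" * (len(key) - 8) + key[-4:]


def find_aws_keys(text: str, commit: str, path: str) -> list[Finding]:
    """Pure matcher: one Finding per AKIA-style key in the given text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_RE.finditer(line):
            findings.append(Finding(commit, path, n, mask(m.group())))
    return findings


def git(repo: str, *args: str) -> str:
    # errors="replace" keeps binary blobs from aborting the scan.
    return subprocess.run(
        ["git", "-C", repo, *args], check=True,
        capture_output=True, text=True, errors="replace",
    ).stdout


def scan_repo(repo: str) -> list[Finding]:
    """Scan every blob in every commit on every branch or tag, not just HEAD."""
    seen_blobs: set[str] = set()
    findings: list[Finding] = []
    # --all covers every ref; --reverse walks oldest first, so the first
    # commit in which a blob appears is the one that introduced the secret,
    # even if a later commit on that branch deleted it again.
    for commit in git(repo, "rev-list", "--all", "--reverse").split():
        for entry in git(repo, "ls-tree", "-r", commit).splitlines():
            meta, path = entry.split("\t", 1)   # "<mode> blob <sha>\t<path>"
            blob = meta.split()[2]
            if blob in seen_blobs:
                continue  # identical content already reported at its first commit
            seen_blobs.add(blob)
            findings.extend(find_aws_keys(git(repo, "cat-file", "-p", blob), commit, path))
    return findings


if __name__ == "__main__":
    for f in scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.commit[:12]} {f.path}:{f.line_no} {f.key_masked}")
```

Run it against a clone with `python scan_all_branches.py /path/to/repo`; a hit in a commit that is no longer on any branch tip is exactly the case the demo's "secrets in commit history" point refers to.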

Gaining Cloud Access

With valid AWS credentials, Michael explored the scope of access:

  • Identified the user or service account associated with the credentials.
  • Discovered permissions, such as access to S3 buckets, RDS, and other cloud resources.
  • Found sensitive data stored in S3 buckets, including customer information and internal JSON files.

He also found a GitHub personal access token (PAT), which he tested for further access to private repositories.

Exploiting GitHub Repositories

Michael listed all repositories and examined their contents for source code and secrets. He found:

  • Source code with embedded secrets or sensitive information.
  • Potential for downloading entire repositories for further analysis or exploitation.

This step demonstrates how internal code leaks can lead to significant breaches, especially when secrets are hardcoded or not properly secured.

Data Exfiltration and Concealment

Using the access to cloud resources, Michael simulated data exfiltration by:

  • Listing S3 buckets containing sensitive data like customer payments and internal agreements.
  • Accessing JSON files with customer connection details, revealing cross-cloud integrations.
  • Using GCP credentials to access projects and services, escalating the attack to a supply chain level.

Michael emphasized the danger of cloud misconfigurations, such as overly permissive roles like “Editor” in Google Cloud, which can lead to full control over cloud environments.

Pivoting to Customer Environments

Michael demonstrated how internal credentials can be used to access customer environments, turning a breach into a supply chain attack. He:

  • Identified GCP service account credentials with owner-level permissions.
  • Accessed multiple customer projects.
  • Highlighted the risk of attackers embedding malicious service accounts or keys within customer environments.

Lessons Learned

The demonstration underscores several critical security lessons:

  • Leaking credentials in public repositories is a common and dangerous mistake.
  • Scanning all branches and commits is essential for comprehensive security assessments.
  • Active credentials can be exploited to access cloud resources, source code, and sensitive data.
  • Internal code and secrets often get exposed unintentionally, emphasizing the need for strict access controls and secret management.
  • Cloud permissions should be tightly controlled; overly permissive roles can lead to full compromise.
  • Supply chain attacks can escalate from initial breaches, affecting multiple organizations and customers.

Closing Remarks

The session concludes with a warning about the ease of compromise through simple credential leaks and misconfigurations. It advocates for proactive security measures, including secret scanning, role-based access controls, and continuous monitoring to prevent such breaches.

NHI Workshop – What Are NHIs, Criticality, Risks and Challenges

Introduction to NHIs and Industry Terminology

The session begins with Lalit Choda ‘MrNHI’ introducing the speakers, Kirby Fitch, Sr Product Manager at Sailpoint and Shashwat Sehgal, Co-Founder and CEO at P0 Security, who are experts in identity management and security. They emphasize the importance of understanding what NHI entails, including its criticality and associated risks.

Key points include:

  • Terminology varies across the industry: non-human identities, machine identities, workload identities, etc.
  • There is no industry-wide consensus on terminology, leading to multiple terms being used interchangeably.
  • Common terms discussed include machine identities, workload identities, service accounts, system accounts, and non-human identities.

Understanding these terms is crucial for establishing a common language and effective security practices.

Definitions and Categorization of NHIs

Kirby and Shashwat outline their group’s definition of NHIs, focusing on machines, devices, and software workloads used in automation without human intervention.

Types of non-human identities include:

  • Service accounts (used by services to communicate with other services).
  • Technical accounts and admin accounts.
  • System accounts (e.g., in cloud environments like AWS, Azure, GCP).
  • Device identities (e.g., IoT devices).
  • Software workloads (containers, virtual machines, APIs).

These identities are critical because they facilitate automation and system interactions but pose security challenges if not managed properly.

Importance of a Holistic NHIs Program

Both speakers stress the need for comprehensive programs that secure both identities and credentials, which include:

  • Identity management (who owns what)
  • Credential security (tokens, API keys, certificates)
  • Lifecycle management (creation, rotation, decommission)

Such programs should be capable of understanding attack paths, lateral movement risks, and providing a holistic view of NHIs security posture.

Risks and Challenges of NHIs

Shashwat shares real-world examples illustrating the challenges:

  1. Cloud Migration Risks – During lift-and-shift migrations, security often takes a backseat, leading to proliferation of service accounts, static keys, and credentials without governance. Post-migration, organizations realize the need for better NHIs governance.
  2. Lateral Movement Risks – Attackers can exploit NHIs to move across systems, accessing sensitive data via compromised credentials stored in repositories like GitHub or through misconfigured service accounts.
  3. Visibility and Ownership Issues – Organizations struggle to inventory NHIs, identify owners, and determine if accounts are still needed. Turning off accounts temporarily (brownouts) helps identify owners and reduce overprivileged access.

Kirby highlights that a common initial challenge is the lack of visibility, leading to manual, error-prone inventory processes, and excessive privileges that increase lateral movement risks.

Differences Between Managing Human and Non-Human Identities

While there is an overlap in managing human and non-human identities, key differences include:

  • Volume – NHIs can number in the hundreds of thousands or millions, especially with AI and automation growth.
  • Lifecycle Management – Human identities have well-established lifecycle controls like HR systems, which are often missing for NHIs.
  • Form Factor and Integration – NHIs are diverse, coming from various sources like logs, standards, and environments, making management more complex.

Despite similarities in use cases (inventory, ownership, privilege management), the scale and form factor of NHIs require different tools and approaches.

Security Risks: External and Internal Threats

External threats include hackers exploiting exposed API keys or credentials. However, internal threats are often overlooked but equally dangerous:

  • Employees or contractors may bypass controls using NHIs, especially if PAM (Privileged Access Management) solutions slow them down.
  • Internal misuse can lead to data leakage, operational disruptions, or security breaches.
  • Organizations often see increased NHIs usage internally as a workaround for security controls, which can undermine security policies.

Effective internal controls and monitoring are essential to prevent misuse of NHIs by staff or contractors.

Management and Governance Challenges

Key issues include:

  • Weak controls and the tendency to treat NHIs as an afterthought.
  • Fragmentation across cloud environments and exponential growth in NHIs volume.
  • Lack of authoritative sources for lifecycle management and review processes.

Organizations need to develop governance frameworks similar to those for human identities, including regular reviews, ownership assignments, and lifecycle policies.

Overlap and Differences in Managing Human vs. Non-Human Identities

Similarities

  • Use cases like inventory, ownership, privilege management, and lifecycle control.
  • Require visibility and security controls.

Differences

  • Scale – NHIs are far more numerous and diverse.
  • Form factor – Different sources, standards, and integration points.
  • Lifecycle management – Less mature for NHIs, often lacking authoritative sources and review processes.

Kirby emphasizes that managing NHIs volume and establishing lifecycle controls are major challenges compared to human identities.

Final Thoughts and Recommendations

Lalit called out that internal threats from staff using NHIs to bypass controls are significant and often underappreciated. Organizations should:

  • Implement strict governance and lifecycle management for NHIs.
  • Monitor internal usage and privilege escalation.
  • Develop holistic security programs that include automation, credential rotation, and regular reviews.

Understanding and managing NHIs is critical for organizational security, especially as environments become more complex and automated.