The Ultimate Guide to Non-Human Identities Report
The OWASP Non-Human Identity (NHI) Top-10 Risks

The OWASP NHI Top 10 identifies the most critical security risks related to non-human identities. These include:

● NHI1:2025 – Improper Offboarding

– NHIs such as service accounts, API keys, or machine identities that are no longer needed but remain active become orphaned identities.
– Because an NHI rarely belongs to a person, these credentials are often missed when the application, project, or human owner is offboarded, leaving unused but still functional NHIs in the system.
– Attackers can use orphaned NHIs as “backdoor” access points that bypass regular security controls, and because nobody is watching them, the misuse tends to go unnoticed.

● NHI2:2025 – Secret Leakage

– Secrets such as API keys, tokens, or certificates used by devices and workloads sometimes end up in places they should never be, such as code repositories or build and application logs.
– Once a secret is exposed, anyone holding it can impersonate the NHI it belongs to, gaining unauthorized access to systems and sensitive data; unlike a human login, there is no second factor to stop them.
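
The detection side of NHI2 is usually a pattern scanner run as a pre-commit hook or over a log pipeline. The following is an added example written for this page, not code from the NHI Mgmt Group or the OWASP NHI Top 10 project. The AWS and GitHub prefixes are the publicly documented credential formats; the generic key=value rule, the allowlist markers, and every sample line are this example’s own constructions. It also shows the check a practitioner wants: a finding must never re-leak the secret into the scanner’s own output.

```python
# Added example (not from the NHI Mgmt Group or the OWASP NHI Top 10 project):
# a pattern-based secret scanner of the kind run as a pre-commit hook or over
# a log pipeline. All sample input below is constructed.
import re
from dataclasses import dataclass
from typing import List

SECRET_PATTERNS = {
    # AWS access key IDs: AKIA (long-lived) or ASIA (temporary) + 16 chars
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # classic GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ + 36 chars
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # JWTs start with base64('{"') == "eyJ" and have three dot-separated parts
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # fallback heuristic: assignments whose key smells like a credential; only
    # consulted when no specific pattern fired on the line
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Lines that fetch the secret from somewhere else are what we *want* to see;
# skipping them keeps the generic rule from flagging correct code.
ALLOW_MARKERS = ("os.environ", "getenv(", "${", "vault:", "secretsmanager")


@dataclass
class Finding:
    line: int
    kind: str
    preview: str   # redacted: a finding must never re-leak the secret it found


def redact(secret: str) -> str:
    """Keep a short prefix so the owner can identify the credential, hide the rest."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if any(marker in line for marker in ALLOW_MARKERS):
            continue
        hit_specific = False
        for kind, pattern in SECRET_PATTERNS.items():
            if kind == "generic_assignment" and hit_specific:
                break
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(m.lastindex or 0)   # capture group if the rule has one
            findings.append(Finding(no, kind, redact(secret)))
            if kind != "generic_assignment":
                hit_specific = True
    return findings


# Constructed sample: a config snippet mixed with a few application log lines.
# (AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS documentation.)
SAMPLE = """\
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_key = os.environ["BILLING_API_KEY"]
db_password = "hunter2-hunter2"
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop
2025-06-30T10:00:01Z INFO  auth ok user=svc-etl
2025-06-30T10:00:02Z DEBUG headers={'Authorization': 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdmMtZXRsIn0.abc-DEF_123'}
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.preview}")
```

The allowlist is the part teams get wrong in both directions: without it the generic rule flags every correct `os.environ[...]` read, and with a careless one a real hardcoded value slips through because the line happens to mention `vault:`. Treat the generic rule as a prompt for review, and the format-specific rules as blocking.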

● NHI3:2025 – Vulnerable Third-Party NHIs

– Integrating with third-party services that manage the NHIs inside their own systems insecurely can expose your environment to their weaknesses.
– The risk arises when the third party’s NHIs (and the credentials you issue to it) are not properly secured or monitored.
– A weak link in a third-party service gives attackers an easy entry point into your systems.

● NHI4:2025 – Insecure Authentication

– Many NHIs rely on weak or misconfigured authentication, such as easily guessable or default passwords, static shared secrets, or weak authentication protocols, leaving them vulnerable to exploitation.
– Weak authentication lets attackers bypass security controls outright, gaining unauthorized access to the NHI and potentially compromising the systems it manages.

● NHI5:2025 – Overprivileged NHIs

– NHIs are often granted far more permissions than the task requires, violating the principle of least privilege.
– If attackers compromise such an NHI, they inherit every permission it has, so the blast radius of one leaked credential is the full scope of the identity rather than the one job it was created for.
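
Over-privilege is easiest to catch in the permission document itself. The block below is an added example written for this page, not code from the NHI Mgmt Group or the OWASP NHI Top 10 project: a linter for AWS IAM identity policies (the permission document most cloud NHIs carry) that puts an over-privileged policy, a policy that only looks scoped, and a least-privilege policy side by side. The rule set and the list of escalation-prone actions are this example’s own choices; the JSON follows the real IAM policy grammar, but the bucket, queue and account number are constructed.

```python
# Added example (not from the NHI Mgmt Group or the OWASP NHI Top 10 project):
# a linter for AWS IAM identity policies. Rules and the escalation list are this
# example's own choices; ARNs and the account number are constructed.
import json
from fnmatch import fnmatchcase
from typing import List, Tuple

# Actions that, when allowed on Resource "*", let a compromised NHI mint itself
# more privilege (classic IAM escalation primitives).
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:attachrolepolicy",
    "iam:putrolepolicy", "iam:createaccesskey", "sts:assumerole",
}


def as_list(value):
    """IAM allows a bare string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint(policy: dict) -> List[Tuple[int, str]]:
    """Return (statement index, rule) pairs for every Allow statement wider than it should be."""
    findings = set()
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.add((i, "NOT_ACTION"))   # "everything except" is almost never least privilege
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        resources = as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.add((i, "WILDCARD_ACTION"))
        if "*" in resources:
            findings.add((i, "WILDCARD_RESOURCE"))
            # IAM action patterns are case-insensitive globs, so "*" and "iam:*" cover PassRole too
            if any(fnmatchcase(esc, pat) for pat in actions for esc in ESCALATION_ACTIONS):
                findings.add((i, "ESCALATION_ON_WILDCARD"))
    return sorted(findings)


OVERPRIVILEGED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Looks scoped at a glance: the S3 resource is narrow, but "s3:*" also grants
# delete and ACL changes on those objects, and PassRole on "*" hands the NHI any role.
LOOKS_SCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::billing-exports/*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

LEAST_PRIVILEGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::billing-exports/*"},
    {"Effect": "Allow",
     "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:eu-west-1:123456789012:billing-events"}
  ]
}""")

if __name__ == "__main__":
    for label, pol in [("over-privileged", OVERPRIVILEGED),
                       ("looks scoped", LOOKS_SCOPED),
                       ("least privilege", LEAST_PRIVILEGE)]:
        print(f"{label}: {lint(pol) or 'clean'}")
```

The middle policy is the one to pay attention to: reviewers tend to approve it because the S3 ARN is specific, while the second statement quietly lets the workload pass any role in the account to a service it controls. A linter like this belongs in the pipeline that creates the NHI, so the check runs before the permission ever exists.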

● NHI6:2025 – Insecure Cloud Deployment Configurations

– NHIs used in cloud deployments are often left exposed by misconfiguration of the deployment itself rather than by any weakness in the identity.
– Attackers actively scan for these misconfigurations and exploit them to obtain the NHI’s credentials and reach sensitive resources.

● NHI7:2025 – Long-Lived Secrets

– NHIs often rely on long-lived secrets, such as API keys or passwords, that are rotated rarely or never; it is like using the same password for years without changing it.
– If such a secret is compromised, attackers can keep using it for a long time before anyone notices, because nothing forces the credential to expire.

● NHI8:2025 – Environment Isolation

– NHIs often have access to multiple environments (for example development, test and production) when they should be limited to one.
– If an NHI is compromised in one environment, attackers can use the same credential to move laterally and cause damage in the others, so a weak development environment becomes a path into production.

● NHI9:2025 – NHI Reuse

– NHIs are often reused across multiple systems or applications, so a single identity ends up serving many unrelated tasks, breaking the principles of least privilege and segregation of duties.
– If that one NHI is compromised, attackers gain access to every system where it is used, multiplying the impact of the attack; it also becomes impossible to rotate or revoke the credential without coordinating every consumer at once.

● NHI10:2025 – Human Use of NHIs

– When human users borrow NHI credentials to perform routine tasks, they bypass the control mechanisms that exist for human identities, e.g. MFA and PAM controls.
– Such activity is hard to log and monitor properly, making it difficult to tell who was actually responsible for an action and causing repudiation issues.
– Many NHI incidents are actually caused by humans.
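
Several of the risks above (NHI1, NHI7, NHI8, NHI9 and NHI10) can be surfaced from two data sets every NHI program needs anyway: an inventory that records an accountable owner and a home environment for each NHI, and the authentication or usage events the NHI generates. The audit below is an added example written for this page, not code from the NHI Mgmt Group or the OWASP NHI Top 10 project. The inventory, the events, the rotation and idle thresholds, and the “interactive client” heuristic for human use are all this example’s own constructions; it also flags an NHI that appears in the events but was never inventoried, the gap Lalit’s programme started with.

```python
# Added example (not from the NHI Mgmt Group or the OWASP NHI Top 10 project):
# a lifecycle audit deriving NHI1/7/8/9/10 findings from a constructed inventory
# and constructed usage events. Thresholds and heuristics are this example's own.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)   # fixed clock so the run is reproducible
MAX_SECRET_AGE = timedelta(days=90)                  # NHI7: rotate at least quarterly
MAX_IDLE = timedelta(days=60)                        # NHI1: unused this long -> orphan candidate


@dataclass(frozen=True)
class NHI:
    name: str
    owner: str            # accountable human (or team) recorded in the inventory
    environment: str      # the single environment the NHI is approved for
    secret_created: datetime


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# constructed inventory
INVENTORY = [
    NHI("svc-billing",       "alice", "prod",    utc(2025, 5, 15)),
    NHI("svc-etl",           "bob",   "prod",    utc(2024, 1, 10)),
    NHI("svc-ci-deploy",     "carol", "staging", utc(2025, 6, 1)),
    NHI("svc-legacy-report", "dave",  "prod",    utc(2023, 3, 3)),
]
ACTIVE_HUMANS = {"alice", "bob", "carol"}   # dave has left; nobody re-claimed his NHI

# constructed usage events: (timestamp, nhi, environment, calling system, user agent)
Event = Tuple[str, str, str, str, str]
EVENTS: List[Event] = [
    ("2025-06-29T10:00:00Z", "svc-billing",       "prod",    "billing-api",     "python-requests/2.32"),
    ("2025-06-28T09:12:00Z", "svc-etl",           "prod",    "etl-worker",      "aws-sdk-go/1.50"),
    ("2025-06-27T22:40:00Z", "svc-etl",           "dev",     "notebook-7",      "Mozilla/5.0 (Macintosh)"),
    ("2025-06-20T08:00:00Z", "svc-ci-deploy",     "staging", "gitlab-runner",   "curl/8.5"),
    ("2025-06-21T08:00:00Z", "svc-ci-deploy",     "staging", "terraform-cloud", "terraform/1.8"),
    ("2025-03-01T00:00:00Z", "svc-legacy-report", "prod",    "report-cron",     "curl/7.81"),
    ("2025-06-25T12:00:00Z", "svc-shadow",        "prod",    "unknown-host",    "curl/8.5"),
]

# Heuristic: machine clients identify as SDKs/CLIs; a browser user agent or a
# console login on an NHI credential means a person is driving it (NHI10).
INTERACTIVE_MARKERS = ("Mozilla/", "ConsoleLogin")


def is_interactive(user_agent: str) -> bool:
    return any(marker in user_agent for marker in INTERACTIVE_MARKERS)


def audit(inventory: List[NHI], events: List[Event], active_humans: Set[str],
          now: datetime = NOW) -> Dict[str, Set[str]]:
    findings: Dict[str, Set[str]] = {n.name: set() for n in inventory}
    last_used: Dict[str, datetime] = {}
    envs: Dict[str, Set[str]] = {}
    systems: Dict[str, Set[str]] = {}

    for ts, name, env, system, ua in events:
        if name not in findings:
            findings[name] = {"not-in-inventory"}   # in use, but nobody owns or tracks it
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        last_used[name] = max(last_used.get(name, when), when)
        envs.setdefault(name, set()).add(env)
        systems.setdefault(name, set()).add(system)
        if is_interactive(ua):
            findings[name].add("NHI10-human-use")

    for n in inventory:
        f = findings[n.name]
        if n.owner not in active_humans:
            f.add("NHI1-orphaned")              # owner offboarded, NHI still live
        if n.name not in last_used or now - last_used[n.name] > MAX_IDLE:
            f.add("NHI1-idle")                  # functional but unused: decommission candidate
        if now - n.secret_created > MAX_SECRET_AGE:
            f.add("NHI7-stale-secret")
        if envs.get(n.name, set()) - {n.environment}:
            f.add("NHI8-cross-env")             # seen outside its approved environment
        if len(systems.get(n.name, ())) > 1:
            f.add("NHI9-reuse")                 # one identity shared by several consumers
    return findings


if __name__ == "__main__":
    for name, tags in audit(INVENTORY, EVENTS, ACTIVE_HUMANS).items():
        print(f"{name:<20} {', '.join(sorted(tags)) or 'clean'}")
```

Two design points matter here. The owner check only works if the inventory’s owner field is a real person or team that the HR/IAM joiner-mover-leaver process feeds, which is why “Claiming” sits near the front of the lifecycle in the programme described later on this page. And the human-use heuristic is deliberately crude; in production you would key it on whatever your identity provider records for interactive versus programmatic authentication, not on the user agent string alone.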

IDAC Podcast – Mr. NHI, Lalit Choda, on Securing the Exploding World of NHI

Join Jim McDonald and Jeff Steadman on the Identity at the Center podcast as they welcome Lalit Choda, founder and CEO of the Non-Human Identity Management Group.

Lalit, also known as “Mr. NHI,” shares his journey from investment banking to becoming a leading expert in non-human identities.

This episode delves into the critical and often overlooked world of NHI, exploring why it’s such a hot topic now, the challenges practitioners face in managing these identities, and how to approach the problem from a risk-based perspective.

Lalit discusses the limitations of traditional PAM and IGA tools for NHI, the importance of foundational controls, and the alarming implications of AI on non-human identity management.

Plus, hear a fun segment about vinyl records and some surprising finds!

Chapter Timestamps:

00:00:00 – Introduction to Lalit Choda and the NHI Community

00:02:31 – Welcome to the Identity at the Center Podcast & IdentiVerse Discussion

00:06:18 – Lalit Choda’s Identity Origin Story: From Mr. SOX to Mr. NHI

00:12:03 – Why Non-Human Identities Are a Big Deal Right Now

00:15:37 – Defining NHI and the Practitioner’s Framework

00:19:13 – The Scale and Challenges of NHI Management

00:23:01 – New Types of NHI and Tooling Limitations

00:27:12 – The Lack of a Single Source of Truth for NHI

00:33:57 – Prioritizing NHI Management and the Role of PAM

00:38:58 – A Risk-Based Approach to NHI and Foundational Controls

00:48:15 – What Scares Lalit Most About NHI (and AI)

00:50:54 – Lalit’s Impressive Vinyl Collection

00:56:38 – Jim and Jeff’s First, Best, and Favorite Albums

01:01:15 – The Intersection of Music and Non-Human Identities

01:02:00 – Wrapping Up & Where to Find More Information

Connect with Lalit on LinkedIn: lalit-choda-5b924120

Non-Human Identity Management Group: https://www.nhimg.org/

Connect with us on LinkedIn:

Jim McDonald: jimmcdonaldpmp

Jeff Steadman: jeffsteadman

Visit the show on the web at http://idacpodcast.com

A Practitioners Guide To Managing Non-Human Identity (NHI) Risks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, gives a talk on “A Practitioners Guide to Managing Non-Human Identity Risks” at Identiverse, Mandalay Bay, Las Vegas, on June 5th, 2025.

Lalit shares details of an incident in which an NHI was used inappropriately, causing operational impact; it then took three weeks to cycle a single password. That incident was the trigger for starting a large NHI program.

Lalit then shares his experience running one of the largest regulatory NHI programs in the financial industry, covering over 100,000 NHIs and building end-to-end NHI lifecycle processes from the ground up: Inventory, Claiming, Scanning, Classification, Hygiene, Securing NHIs, Monitoring Controls and Prevent Controls.

NHI Workshop at Identiverse

Our NHI Mgmt Group hosted the biggest ever Non-Human Identity Workshop at Identiverse, Mandalay Bay, Las Vegas on Tuesday 3rd June 2025. The half day workshop had close to 250 participants and an amazing 24 guest speakers covering 7 great topics.


Opening Remarks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, opens proceedings, outlines the agenda and asks the audience three questions:

  1. How concerned are you about NHI risks?
  2. Do you know how to fully address NHI risks?
  3. Are you actively addressing NHI risks?



Panel Session – What Are NHIs, Criticality, Risks and Challenges

Hosted by Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, with:

  • Kirby Fitch from SailPoint
  • Shashwat Sehgal from P0 Security



Panel Session – Why The Urgency Now

Hosted by Dwayne McDaniel from GitGuardian with:

  • Jobson Andrade from MARS
  • Kamal Muralidharan from Andromeda Security
  • Anusha Iyer from Corsha



Session – How Attackers Compromise NHIs

  • Vincenzo Iozzo from SlashID provides insights and examples of how attackers compromise NHIs.



Session – NHI Compromise Demo

  • Michael Silva from Astrix Security shares a great demo of how NHIs can be easily discovered and used to compromise organisations.



Panel Session – The NHI Maturity Model: A Risk Based Approach to Implementing an NHI Program

Hosted by Jesse Minor with:

  • Sriram Santhanam from GAP
  • Rich Dandliker from Veza
  • Anthony Viggiano from Cigna



Panel Session – Agentic AI and the Intersection with NHIs

Hosted by Henrique Teixeira from Saviynt with:

  • Idan Gour from Astrix Security
  • Ido Shlomo from Token Security
  • Paresh Bhaya from Natoma



Panel Session – How to Convince C-Level Decision Makers to Invest in a NHI Program

Hosted by Troy Wilkinson, Fortune 500 CISO, with:

  • Eli Erlikhman from Sprinklr
  • Danny Brickman from Oasis Security



Panel Session – The Market Landscape – Solutions to Manage NHI Risks and Market Trends

Hosted by Nirit Icekson from Entro Security with:

  • Rom Carmel from Apono
  • Ehud Amiri from Saviynt
  • Steven Rennick from Ciena



Closing Remarks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, shares closing remarks, including details of the large NHI Pavilion being hosted at Identiverse, with 17 vendors offering NHI risk management capabilities, as well as the talk Mr. NHI is giving on “A Practitioners Guide To Managing NHI Risks”.


Webinar – The Expanding Identity Attack Surface: Beyond Human Users

GitGuardian SecDays brings together leading experts and practitioners to share the knowledge and strategies needed to tackle the growing “Identity Problem.” We’ll delve into the challenges of secrets sprawl, the explosion of NHIs, and the evolving threat landscape amplified by AI, providing actionable insights and practical solutions to build a robust identity program.

Join us to explore how forward-thinking companies are addressing the identity attack surface with real-world solutions and best practices for 2025.

NHIs are everywhere, outnumbering humans 100 to 1, yet are often overlooked. Legacy IGA/SIEMs fail to provide continuous authentication in decentralized environments. We’ll dissect the modern identity stack, expose where tech fails, and deliver actionable strategies to secure your hyperconnected NHI landscape.

Webinar: Top Use Cases & Trends in Machine & Workload Identity

As infrastructure becomes increasingly automated, the systems that deploy, manage, and scale it—CI/CD pipelines, service agents, orchestration tools—rely on a growing class of non-human identities (NHIs). These machine actors often operate with persistent credentials, excessive privileges, and limited visibility—leaving critical trust gaps in modern environments.

This session explores three high-impact use cases where addressing NHI is both urgent and achievable:

  • CI/CD Pipeline Security: CI/CD platforms frequently use static secrets and over-permissioned service accounts to deploy infrastructure. We’ll walk through how to apply strong identity controls—short-lived credentials, just-in-time access, and session-level auditing—to harden these systems without slowing down delivery.
  • Infrastructure-as-Code Workflows: Provisioning and orchestration tools often authenticate with long-lived credentials and execute plans with sweeping access. Learn how to introduce scoped, ephemeral identities into your automation flows—without disrupting developer velocity.
  • Federated Workload Identity: Multi-cloud and hybrid services need to authenticate and authorize without relying on shared secrets or brittle one-off integrations. This talk will outline patterns for issuing verifiable, short-lived credentials across environments, enabling secure service-to-service trust without sacrificing velocity.

These use cases establish a clear model for managing non-human identity risk—one rooted in Zero Trust, built for automation, and grounded in real-world implementation.

Webinar – Emerging Trends In Non-Human Identity Management


From Agentic AI Security to Secretless Machine Authentication

Join us for a power-packed discussion with three thought leaders in the industry:

  • Lalit Choda, Founder of the Non-Human Identity Management Group
  • Oded Hareven, CEO & Co-Founder of Akeyless Security
  • Suresh Sathyamurthy, CMO of Akeyless Security

In addition to understanding the fundamentals and risks associated with Secrets and Non-Human Identities, you will also learn about future trends including identity security needs for AI Agents, Workload Identity Federation and Secretless Machine Authentication.

Webinar – How AI Agents Impact NHIs and the Attack Surface


Non-Human Identities are a hot topic in 2025, and Agentic AI is exploding across tech, quickly impacting cybersecurity.

It is critical for security teams to understand how NHIs and AI agents affect each other: every additional agent brings its own identities and credentials, so rising adoption means a larger attack surface and more for security teams to govern.

This webinar will give you:

  • A walkthrough of AI agents and their impact on NHIs
  • A practical look at how AI adoption is driving NHI growth and complexity
  • A personal testimony from a security leader impacted by attack surface growth
  • A plan of action to control the chaos that can follow AI Agents and NHIs and more!

Webinar – Securing NHI And The Rise Of Agentic AI

Securing NHI, Human Identity and the Rise of Agentic AI

Join Lalit Choda (#MrNHI) and Ashish Shah, Chief Product Officer at Andromeda Security, for this top-level discussion unpacking the most pressing issues organizations face today with Non-Human Identities (NHI) and Agentic AI, and how they are becoming the new front line in cybersecurity defense.

We will cover the latest research, real-world challenges, and breaches tied to unmanaged NHIs, and the future with Agentic AI:

– Why securing NHI is now mission-critical for enterprise resilience

– The growing interplay between human users and NHIs — and what that means for access governance

– Best practices for managing NHI at scale

– A look at Agentic AI: how to secure it, and why it changes the game

EIC Non-Human Identity Workshop

Our NHI Mgmt Group hosted the NHI Workshop and NHI Pavilion at KuppingerCole’s EIC Conference, Berlin, May 6 – 9, 2025, with hundreds attending the NHI workshop, which covered 8 sessions with 15 guest speakers, and the NHI Pavilion, with our sponsors GitGuardian, Teleport and Astrix Security.


Opening Remarks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, shares opening remarks and outlines the agenda for the NHI Workshop.


A Practitioners Guide To Managing NHI Risks

Lalit Choda, founder of the NHI Mgmt Group, gives a keynote talk sharing his experience running one of the largest NHI programs in the financial industry.


The State Of Secrets Sprawl 2025

Soujanya Ain, Senior Product Marketing Manager @ GitGuardian, talks about GitGuardian’s research report The State Of Secrets Sprawl 2025.


How Attackers Compromise NHIs

Vincenzo Iozzo, CEO @ SlashID talks about How Attackers Compromise NHIs.


How To Approach Implementing An NHI Program

Panel session hosted by Alejandro Leal – Senior Analyst @ KuppingerCole

Panelists:

  • Martin Sandren – IAM Product Lead @ Ikea
  • Stephanus Reiger – IAM Product Owner @ BMW AG
  • Alon Jackson – CEO & Co-Founder @ Astrix Security

Will Agentic AI Tip NHI Risks Over The Edge

Panel Session hosted by Heiko Klarl – CEO @ Nexis

Panelists:

  • Mathias Reinwarth – IAM Practice Director @ KuppingerCole
  • Klaus Hild – Manager Solution Engineering @ SailPoint
  • Hed Kovetz – CEO & Co-Founder @ Silverfort
  • Henrique Teixeira – Senior VP of Strategy @ Saviynt

Can Traditional IGA / PAM Solutions Address NHI Risks

Panel Session hosted by Alon Jackson – CEO & Co-Founder @ Astrix Security

Panelists:

  • Arkadiusz Krowczynski – Senior Solution Engineer @ Okta
  • Lisa Kuo – Senior Product Manager @ Rabobank
  • Santosh Jayaprakash – CEO @ Unosecur

Closing Remarks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, shares closing remarks.


EIC Non-Human Identity Pavilion – Closing Remarks

Lalit Choda (Mr. NHI), founder of the NHI Mgmt Group, shares closing remarks on the event at EIC, Berlin, where hundreds of participants attended our NHI Workshop and there were many great discussions at the NHI Pavilion.