NHI Forum
Read full article from Okta here: https://www.okta.com/blog/2025/07/the-labubu-blind-box-for-your-enterprise-unmasking-ai-agents-across-industries/?source=nhimg
The rapid rise of AI agents and automated workflows has created a new class of security blind spots: Non-Human Identities (NHIs) that outlive their human creators. Like unboxing a Labubu blind box, these identities often remain hidden within enterprise systems, carrying unknown privileges and silently expanding the attack surface.
Across industries such as the public sector, healthcare, financial services, retail, and manufacturing, AI agents are automating tasks at scale. But with this efficiency come hidden risks:
- Orphaned NHIs left behind after layoffs, mergers, or organizational shifts.
- Lack of clear ownership and lifecycle governance for AI-driven identities.
- Excessive, unmonitored access to sensitive data and systems, particularly in regulated industries.
These invisible identities, such as API keys, service accounts, and automation tokens, often retain privileged access long after they are needed, making them prime targets for attackers. Without visibility, ownership attribution, and formal AI governance, organizations risk turning automation into a persistent security liability.
To address this, enterprises must adopt identity-first controls, enforce strict lifecycle management for NHIs, and embed AI governance frameworks that treat machine identities with the same rigor as human ones.