
Cyber hygiene and NHI sprawl: what IAM teams need to fix


(@entro)
Topic starter  

TL;DR: Cyber hygiene is still the baseline for reducing common attacks, but Entro Security’s analysis shows that basic practices now have to include non-human identities, secrets, logging, and lifecycle control across human and machine accounts. The old assumption that hygiene is mostly patching and passwords no longer holds when service accounts and API keys carry permanent access.

NHIMG editorial — based on content published by Entro Security: Cyber hygiene importance and best practices

By the numbers:

Questions worth separating out

Q: How should security teams manage non-human identities as part of cyber hygiene?

A: They should treat service accounts, API keys, tokens, and certificates as first-class identities with owners, scope, review dates, and retirement rules.

Q: Why do service accounts often create more risk than human users?

A: Service accounts often carry broad permissions, operate without direct human oversight, and persist long after the original need changes.

Q: What do organisations get wrong about secrets management?

A: They often treat secrets management as a vault problem instead of a lifecycle problem.

Practitioner guidance

  • Inventory machine identities with ownership attached: build and maintain a complete register of service accounts, API keys, tokens, and certificates, and require each one to have a named business and technical owner.
  • Rotate and retire secrets on a defined lifecycle: set rotation and expiry rules for credentials that are embedded in applications, pipelines, and integrations.
  • Apply least privilege to service accounts and automation paths: review the permissions attached to machine identities and reduce them to the narrowest set needed for the workload.
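The guidance above, together with the Q&A answer that NHIs need owners, scope, review dates, and retirement rules, reduces to a few checks that can be run over an inventory. The script below is an added example written for this post; it is not Entro Security's or NHIMG's code. The record fields, the scope strings treated as "broad", the dormancy threshold, and every identity in the sample register are constructed assumptions, chosen so that one record is clean, one is a legacy key that fails every check, and one has drifted past its own retirement date.

```python
"""Hygiene audit over a non-human identity (NHI) register.

Added example, not Entro Security's or NHIMG's code. Assumes one record per
machine identity carrying the fields the post asks for: owners, scope,
rotation interval, review date, and retirement rule. All sample data below
is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Scope strings that count as "broad" for the least-privilege check.
# Hypothetical vocabulary; a real platform has its own permission model.
BROAD_SCOPES = {"*", "admin", "owner"}

# Fixed audit date so the sample run is reproducible (constructed).
AUDIT_DATE = date(2025, 6, 1)


@dataclass
class MachineIdentity:
    name: str
    kind: str                       # service_account | api_key | token | certificate
    business_owner: Optional[str]   # accountable for the business need
    technical_owner: Optional[str]  # able to rotate or retire the credential
    scopes: List[str]
    last_rotated: date
    rotation_days: int              # required rotation interval
    review_date: date               # next scheduled access review
    retire_after: Optional[date]    # hard expiry; None means no retirement rule
    last_used: Optional[date] = None


def audit_identity(ident: MachineIdentity, today: date, dormant_days: int = 90) -> List[str]:
    """Return hygiene findings for one identity; an empty list means clean."""
    findings: List[str] = []
    if not ident.business_owner or not ident.technical_owner:
        findings.append("missing-owner")
    if any(scope in BROAD_SCOPES for scope in ident.scopes):
        findings.append("broad-scope")
    if (today - ident.last_rotated).days > ident.rotation_days:
        findings.append("rotation-overdue")
    if ident.review_date < today:
        findings.append("review-overdue")
    if ident.retire_after is None:
        findings.append("no-retirement-rule")
    elif ident.retire_after < today:
        findings.append("past-retirement")
    # A credential nobody has used recently is a retirement candidate, not a keeper.
    if ident.last_used is None or (today - ident.last_used).days > dormant_days:
        findings.append("dormant")
    return findings


def audit_register(register: List[MachineIdentity], today: date) -> Dict[str, List[str]]:
    """Map each identity name to its findings."""
    return {ident.name: audit_identity(ident, today) for ident in register}


def identities_needing_action(report: Dict[str, List[str]]) -> List[str]:
    """Names with at least one finding, worst offenders first."""
    flagged = [name for name, findings in report.items() if findings]
    return sorted(flagged, key=lambda n: (-len(report[n]), n))


def build_sample_register() -> List[MachineIdentity]:
    """Constructed sample inventory: one clean, one legacy, one drifted."""
    return [
        MachineIdentity("ci-deploy-sa", "service_account", "platform-lead", "ci-team",
                        ["deploy:prod"], date(2025, 5, 15), 30, date(2025, 9, 1),
                        date(2025, 12, 31), last_used=date(2025, 5, 31)),
        MachineIdentity("legacy-billing-key", "api_key", None, "ops",
                        ["*"], date(2023, 1, 10), 90, date(2024, 1, 1),
                        None, last_used=date(2024, 11, 2)),
        MachineIdentity("partner-webhook-token", "token", "integrations-lead", "integrations",
                        ["webhook:post"], date(2025, 4, 1), 30, date(2025, 7, 1),
                        date(2025, 3, 31), last_used=date(2025, 5, 30)),
    ]


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed register as of AUDIT_DATE."""
    return audit_register(build_sample_register(), AUDIT_DATE)


if __name__ == "__main__":
    report = run_sample_audit()
    for name in identities_needing_action(report):
        print(f"{name}: {', '.join(report[name])}")
```

Each finding maps to one bullet of the guidance: `missing-owner` to the inventory rule, `rotation-overdue`, `no-retirement-rule`, `past-retirement` and `dormant` to the lifecycle rule, and `broad-scope` to least privilege. Running this on a schedule and tracking the count of flagged identities over time is one way to turn the "lifecycle, not vault" point into a measurable hygiene metric.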

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step cyber hygiene checklist that maps controls to devices, networks, data, users, and security tooling.
  • A practical CIS Controls overview that shows how account management, access control, and service provider management fit together.
  • A measurement framework for cyber hygiene that includes asset inventory completeness, anti-malware coverage, and patch timing.
  • A detailed breakdown of how Entro positions NHI and secrets management inside day-to-day hygiene operations.

👉 Read Entro Security's analysis of cyber hygiene and NHI best practices →

