
OWASP NHI Top 10: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Machine identities are a higher-volume, lower-scrutiny attack surface where secret leakage, overprivilege, and offboarding gaps drive real breach risk, especially in cloud-native and distributed systems, according to Cerbos and OWASP's NHI Top 10. The security case is no longer about adding more identities, but about proving lifecycle, authentication, and authorization controls can keep pace with them.

NHIMG editorial — based on content published by Cerbos: a guide to the OWASP NHI Top 10 and practical ways to manage non-human identity risk

By the numbers:

Questions worth separating out

Q: What breaks when non-human identities are not offboarded properly?

A: Orphaned NHIs remain valid long after the workload or integration they served is gone, which gives attackers a durable access path.

Q: Why do non-human identities create so much more risk than teams expect?

A: Because they multiply faster than human accounts and are often granted broad permissions to keep automation working.

Q: How do security teams know whether NHI governance is actually working?

A: Look for evidence that identities are inventoried, scoped, rotated, and revoked on time, then verify that access decisions are denied outside intended context.

Practitioner guidance

  • Build a complete NHI inventory: map service accounts, API keys, tokens, certificates, and workload identities to the workloads and owners that depend on them.
  • Shorten credential lifetime everywhere possible: replace long-lived secrets with short-lived tokens and workload-bound credentials such as OIDC-based federation or SPIFFE IDs where the platform supports them.
  • Tighten request-time authorization for machine identities: apply policy-as-code so every NHI request is checked against action, resource, and context rather than identity possession alone.

What's in the full article

Cerbos's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step mitigation guidance for each OWASP NHI Top 10 issue, including offboarding, secret leakage, and overprivilege.
  • Concrete Cerbos policy examples that show how request-time authorization constrains what a compromised identity can do.
  • Implementation notes on using SPIFFE IDs, OIDC federation, and audit logs in a real deployment.
  • The source article's full explanation of how Cerbos positions policy-based authorization alongside secret management and cloud IAM.

👉 Read Cerbos's guide to the OWASP NHI Top 10 and machine identity risk →

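As an added example (not code from the forum post, from Cerbos, or from the OWASP NHI Top 10), the following Python models the three guidance points above and the offboarding question in one request-time decision: an inventory that records owner and owning workload for each SPIFFE identity, a ceiling on credential lifetime, and a policy check over action, resource and observed caller context rather than over possession of a credential. The trust domain, namespaces, identities, permissions, the one-hour ceiling and the `/ns/<namespace>/sa/<account>` path convention are all constructed assumptions for the demo.

```python
"""Request-time authorization for non-human identities (NHIs).

Added example; not the forum post's or Cerbos's code. Every identity,
namespace, permission and the TTL ceiling below is constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlparse

MAX_CREDENTIAL_TTL = timedelta(hours=1)   # assumed organisational ceiling
TRUST_DOMAIN = "example.org"              # assumed trust domain


@dataclass(frozen=True)
class NhiRecord:
    """Inventory entry: accountable owner and the workload that still needs it."""
    owner: str
    workload: Optional[str]                   # None once the workload is retired
    permissions: Dict[str, FrozenSet[str]]    # resource -> allowed actions


@dataclass(frozen=True)
class NhiRequest:
    spiffe_id: str          # identity presented by the caller
    action: str
    resource: str
    issued_at: datetime     # taken from the presented credential
    expires_at: datetime
    caller_namespace: str   # observed by the enforcement point, not self-asserted


def parse_spiffe_id(uri: str) -> Tuple[str, str]:
    """Return (trust_domain, path); raise ValueError for a malformed SPIFFE ID."""
    p = urlparse(uri)
    if p.scheme != "spiffe" or not p.netloc or "@" in p.netloc or ":" in p.netloc:
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    if not p.path.startswith("/") or p.query or p.fragment:
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    return p.netloc, p.path


def namespace_of(path: str) -> Optional[str]:
    """Assumed path convention: /ns/<namespace>/sa/<service-account>."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "ns" else None


def authorize(req: NhiRequest, inventory: Dict[str, NhiRecord],
              trust_domain: str, now: datetime) -> Tuple[bool, str]:
    """Decide one request; every deny carries a reason suitable for the audit log."""
    try:
        domain, path = parse_spiffe_id(req.spiffe_id)
    except ValueError as exc:
        return False, str(exc)
    if domain != trust_domain:
        return False, f"foreign trust domain {domain}"
    record = inventory.get(req.spiffe_id)
    if record is None:
        return False, "identity not in inventory"
    if record.workload is None:                     # offboarding gap: identity outlived its workload
        return False, f"orphaned identity (owner {record.owner}, workload retired)"
    if req.expires_at <= now:
        return False, "credential expired"
    if req.expires_at - req.issued_at > MAX_CREDENTIAL_TTL:
        return False, "credential lifetime exceeds policy ceiling"
    if namespace_of(path) != req.caller_namespace:  # context, not just possession
        return False, "request context does not match identity namespace"
    if req.action not in record.permissions.get(req.resource, frozenset()):
        return False, f"{req.action} on {req.resource} not permitted"
    return True, "allowed"


# Constructed inventory: one scoped, live identity and one orphaned one.
PAYMENTS = "spiffe://example.org/ns/prod/sa/payments"
LEGACY = "spiffe://example.org/ns/prod/sa/legacy-export"
INVENTORY = {
    PAYMENTS: NhiRecord("payments-team", "payments-api",
                        {"ledger": frozenset({"read", "append"})}),
    LEGACY: NhiRecord("data-team", None, {"ledger": frozenset({"read"})}),
}
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def make_request(spiffe_id: str, action: str, resource: str,
                 ttl: timedelta, namespace: str = "prod") -> NhiRequest:
    issued = NOW - timedelta(minutes=5)
    return NhiRequest(spiffe_id, action, resource, issued, issued + ttl, namespace)


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Five constructed requests covering the failure modes the post names."""
    cases = {
        "scoped_ok":      make_request(PAYMENTS, "append", "ledger", timedelta(minutes=15)),
        "orphaned":       make_request(LEGACY, "read", "ledger", timedelta(minutes=15)),
        "overprivileged": make_request(PAYMENTS, "delete", "ledger", timedelta(minutes=15)),
        "long_lived":     make_request(PAYMENTS, "read", "ledger", timedelta(days=365)),
        "wrong_context":  make_request(PAYMENTS, "read", "ledger", timedelta(minutes=15), "dev"),
    }
    return {name: authorize(r, INVENTORY, TRUST_DOMAIN, NOW) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:15} {'ALLOW' if ok else 'DENY '} {why}")
```

The point of the ordering is that a perfectly valid, unexpired credential for the orphaned `legacy-export` identity is still denied, because the inventory, not the credential, is the source of truth for whether the identity should exist; the deny reasons are what an auditor would look for as evidence that scoping, rotation and revocation are actually enforced.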
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

NHI sprawl is a governance failure before it is a security failure. When machine identities outnumber humans, the problem is no longer isolated access management, it is programme design. The OWASP NHI Top 10 correctly treats these identities as a distinct control surface, because lifecycle, secrets, PAM, and authorization all fail differently once workloads hold credentials at scale. Practitioners should stop treating NHIs as exceptions and govern them as a core identity population.

A few things that frame the scale:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.

A question worth separating out:

Q: Who should own machine identity risk when IAM, PAM, and secrets management overlap?

A: Ownership should sit with the identity programme, not with a single platform team. Machine identity risk crosses lifecycle, authorization, and secret management, so accountability has to span the teams that issue access, govern privileges, and retire credentials. Otherwise, the gaps between them become the attack path.

👉 Read our full editorial: OWASP NHI Top 10 exposes where machine identity controls fail
