
OWASP NHI Top 10: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator

TL;DR: Machine identities are a higher-volume, lower-scrutiny attack surface in which secret leakage, overprivilege, and offboarding gaps drive real breach risk, especially in cloud-native and distributed systems, according to Cerbos's guide to OWASP's NHI Top 10. The security question is no longer whether to add more identities, but whether the lifecycle, authentication, and authorization controls around them can be shown to keep pace.

NHIMG editorial — based on content published by Cerbos: a guide to the OWASP NHI Top 10 and practical ways to manage non-human identity risk

Questions worth separating out

Q: What breaks when non-human identities are not offboarded properly?

A: Orphaned NHIs remain valid long after the workload or integration they served is gone, which gives attackers a durable access path.

Q: Why do non-human identities create so much more risk than teams expect?

A: Because they multiply faster than human accounts and are often granted broad permissions to keep automation working.

Q: How do security teams know whether NHI governance is actually working?

A: Look for evidence that identities are inventoried, scoped, rotated, and revoked on time, then verify that access decisions are denied outside intended context.

Practitioner guidance

  • Build a complete NHI inventory: map service accounts, API keys, tokens, certificates, and workload identities to the workloads and owners that depend on them.
  • Shorten credential lifetime everywhere possible: replace long-lived secrets with short-lived tokens and workload-bound credentials such as OIDC-based federation or SPIFFE IDs where the platform supports them.
  • Tighten request-time authorization for machine identities: apply policy-as-code so every NHI request is checked against action, resource, and context rather than possession of a valid credential alone.
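One way to make the three items above, and the "is governance actually working" check from the Q&A, concrete. This is an added example, not code from Cerbos or from this post: the inventory, workload names, SPIFFE IDs, permission strings and the single policy rule are constructed assumptions, and the small evaluator is a stand-in for a real request-time authorizer such as Cerbos, not the Cerbos engine itself. It runs offline and flags orphaned, long-lived and overprivileged identities, then shows the same identity being allowed in its intended context and denied outside it.

```python
"""NHI governance checks (illustrative, constructed data; not Cerbos code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, List, Optional

# Fixed clock so the example is deterministic.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(hours=24)   # assumption: anything longer is "long-lived"


@dataclass(frozen=True)
class NHI:
    name: str
    owner: Optional[str]             # team accountable for the identity
    workload: Optional[str]          # workload that depends on it
    issued_at: datetime
    lifetime: Optional[timedelta]    # None means the secret never expires
    granted: FrozenSet[str]          # permissions actually attached


# Constructed: workloads that currently run, and what each really needs.
LIVE_WORKLOADS: Dict[str, FrozenSet[str]] = {
    "billing-api": frozenset({"invoice:read"}),
    "report-worker": frozenset({"report:read", "report:write"}),
}

# Constructed inventory. "legacy-sync" served a workload that no longer exists.
INVENTORY: List[NHI] = [
    NHI("billing-api-token", "payments-team", "billing-api",
        NOW - timedelta(hours=2), timedelta(hours=12), frozenset({"invoice:read"})),
    NHI("report-worker-key", "data-team", "report-worker",
        NOW - timedelta(days=400), None,
        frozenset({"report:read", "report:write", "invoice:*"})),
    NHI("legacy-sync-key", None, "legacy-sync",
        NOW - timedelta(days=90), timedelta(days=365), frozenset({"invoice:read"})),
]


def inventory_findings(nhis=INVENTORY, live=LIVE_WORKLOADS, now=NOW,
                       max_lifetime=MAX_LIFETIME) -> Dict[str, List[str]]:
    """Map each identity to the failure modes it exhibits:
    orphaned (no owner or dead workload), long-lived or expired-but-present
    secret, and overprivileged (granted more than the workload needs)."""
    findings: Dict[str, List[str]] = {}
    for n in nhis:
        issues = []
        if n.owner is None or n.workload not in live:
            issues.append("orphaned")
        if n.lifetime is None or n.lifetime > max_lifetime:
            issues.append("long-lived")
        elif now > n.issued_at + n.lifetime:
            issues.append("expired-but-present")   # rotation/revocation ran late
        needed = live.get(n.workload or "", frozenset())
        if n.granted - needed:
            issues.append("overprivileged")
        if issues:
            findings[n.name] = issues
    return findings


@dataclass(frozen=True)
class Rule:
    spiffe_id: str                        # exact workload identity the rule covers
    actions: FrozenSet[str]
    resource_prefix: str
    when: Callable[[dict], bool]          # predicate over request context


# Constructed policy: billing-api may read invoices only in prod, from its own subnet.
POLICY: List[Rule] = [
    Rule("spiffe://example.org/ns/prod/sa/billing-api", frozenset({"read"}), "invoice/",
         lambda ctx: ctx.get("env") == "prod" and ctx.get("source_net") == "10.0.1.0/24"),
]


def authorize(spiffe_id: str, action: str, resource: str, ctx: dict,
              policy=POLICY) -> bool:
    """Request-time check on action, resource and context, not on credential
    possession alone. Default deny: no matching rule means no access."""
    return any(
        spiffe_id == r.spiffe_id
        and action in r.actions
        and resource.startswith(r.resource_prefix)
        and r.when(ctx)
        for r in policy
    )


if __name__ == "__main__":
    for name, issues in inventory_findings().items():
        print(f"{name}: {', '.join(issues)}")
    prod = {"env": "prod", "source_net": "10.0.1.0/24"}
    print(authorize("spiffe://example.org/ns/prod/sa/billing-api", "read", "invoice/42", prod))
    print(authorize("spiffe://example.org/ns/prod/sa/billing-api", "read", "invoice/42",
                    {**prod, "env": "staging"}))
```

The inventory pass answers the first two bullets (who owns what, and which secrets outlive the lifetime you allow); the `authorize` call answers the third and the Q&A check: the same credential that is allowed for `read` on `invoice/42` from prod is denied when the environment changes, the action changes, or a different workload presents it.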

What's in the full article

Cerbos's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step mitigation guidance for each OWASP NHI Top 10 issue, including offboarding, secret leakage, and overprivilege.
  • Concrete Cerbos policy examples that show how request-time authorization constrains what a compromised identity can do.
  • Implementation notes on using SPIFFE IDs, OIDC federation, and audit logs in a real deployment.
  • The source article's full explanation of how Cerbos positions policy-based authorization alongside secret management and cloud IAM.

👉 Read Cerbos's guide to the OWASP NHI Top 10 and machine identity risk →

