OWASP NHI Top 10: what it means for IAM teams now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: OWASP’s first NHI Top 10 maps the biggest non-human identity risks to familiar failure modes such as long-lived secrets, overprivileged accounts, insecure authentication, and poor offboarding, with examples spanning public repositories, cloud workloads, and third-party access. The core issue is that NHI governance still assumes credentials behave like managed user access, but many do not.

NHIMG editorial — based on content published by Aembit: OWASP NHI Top 10 breakdown and governance implications

By the numbers:

Questions worth separating out

Q: What breaks when non-human identities are left with static credentials?

A: Static NHI credentials break the assumption that access can be reviewed before it is abused.

Q: Why do service accounts with standing privilege increase lateral movement risk?

A: Standing privilege expands the blast radius of one compromised identity.

Q: How should security teams handle third-party NHI access offboarding?

A: Treat third-party NHI access as a lifecycle event with an owner, expiry condition, and revocation test.

Practitioner guidance

  • Inventory every standing NHI credential path: Map API keys, tokens, certificates, service accounts, and OAuth app credentials to their owning system, business purpose, and expiry condition.
  • Replace static secrets with short-lived identity flows: Use workload identity federation or equivalent identity-based authentication where possible so credentials are issued for the session, not stored indefinitely in code or pipelines.
  • Right-size permissions by application, not by team habit: Review service accounts and automation roles for privileges that exceed the minimum required function.

What's in the full article

Aembit's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step mitigation guidance for each of the ten NHI risk categories, including offboarding, secret leakage, and overprivilege.
  • Breach examples linked to specific control failures, useful when you need to brief engineering teams on why each risk matters.
  • OWASP NHI Top 10 mappings to compliance expectations such as least privilege and account review, beyond the high-level governance framing.
  • Practical workload IAM considerations for replacing static secrets with identity-based access in production environments.

👉 Read Aembit’s analysis of the OWASP NHI Top 10 and its breach patterns →

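Editor's added example (not code from the post, from Aembit, or from OWASP): a small Python audit over an NHI credential inventory that applies the practitioner guidance and the third-party offboarding answer above. Every record, the `MAX_STANDING_TTL` policy threshold, the `NHICredential` field names and the finding strings are constructed for illustration; the point is that each standing credential path carries an owner, an expiry condition and, for third-party access, a revocation test, and that anything missing one of those becomes a finding rather than an assumption.

```python
"""Audit a non-human identity (NHI) credential inventory for standing access.

Added example, not code from the post or from Aembit/OWASP. The inventory
records, the field names and the policy threshold are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class NHICredential:
    cred_id: str                     # inventory handle (constructed)
    kind: str                        # api_key | token | certificate | service_account | oauth_app
    owning_system: str
    purpose: str
    owner: Optional[str]             # accountable person or team; None = unowned
    issued_at: datetime
    expires_at: Optional[datetime]   # None = no expiry condition (static secret)
    third_party: bool = False
    revocation_tested: bool = False  # has revocation been exercised end to end?
    federated: bool = False          # issued per session via workload identity?


MAX_STANDING_TTL = timedelta(days=90)   # constructed policy threshold


def classify(cred: NHICredential, now: datetime) -> list:
    """Return the governance findings for one credential (empty list = clean)."""
    findings = []
    if cred.owner is None:
        findings.append("no accountable owner")
    if cred.expires_at is None and not cred.federated:
        findings.append("static credential with no expiry condition")
    elif cred.expires_at is not None and cred.expires_at - cred.issued_at > MAX_STANDING_TTL:
        findings.append("lifetime exceeds standing-credential policy")
    if cred.expires_at is not None and cred.expires_at <= now:
        findings.append("expired but still in inventory: confirm it is revoked")
    if cred.third_party:
        if cred.expires_at is None:
            findings.append("third-party access without an expiry condition")
        if not cred.revocation_tested:
            findings.append("third-party access never revocation-tested")
    return findings


def audit(inventory, now: datetime) -> dict:
    """Map cred_id -> findings for every credential that has at least one."""
    report = {}
    for cred in inventory:
        findings = classify(cred, now)
        if findings:
            report[cred.cred_id] = findings
    return report


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample inventory: one static CI key, one unowned service account,
# one expired third-party OAuth app, and one federated short-lived token.
SAMPLE_INVENTORY = [
    NHICredential("ci-deploy-key", "api_key", "ci-pipeline", "push container images",
                  owner="platform-team", issued_at=NOW - timedelta(days=400), expires_at=None),
    NHICredential("payments-svc", "service_account", "payments", "read ledger",
                  owner=None, issued_at=NOW - timedelta(days=30),
                  expires_at=NOW + timedelta(days=30)),
    NHICredential("vendor-ingest", "oauth_app", "data-ingest", "vendor pulls exports",
                  owner="vendor-mgmt", issued_at=NOW - timedelta(days=200),
                  expires_at=NOW - timedelta(days=10), third_party=True),
    NHICredential("batch-fed", "token", "nightly-batch", "write reports",
                  owner="data-eng", issued_at=NOW - timedelta(hours=1),
                  expires_at=NOW + timedelta(hours=1), federated=True),
]

if __name__ == "__main__":
    for cred_id, findings in audit(SAMPLE_INVENTORY, NOW).items():
        print(cred_id)
        for finding in findings:
            print("  -", finding)
```

The federated token is the only record that comes back clean: it has an owner, it expires with the session, and it was never stored as a standing secret. The expired vendor app is the offboarding case, which still surfaces because expiry alone is not proof of revocation.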
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

OWASP’s NHI Top 10 is a governance map, not just a risk list. The strongest value of the document is that it translates recurring NHI failures into repeatable control failures that IAM teams can actually govern. Offboarding, secret leakage, overprivilege, and identity reuse are not isolated hygiene issues. They are the same lifecycle problem showing up in different places, which is why NHI controls have to be managed as a programme, not an inventory exercise.

A few things that frame the scale:

A question worth separating out:

Q: What do teams get wrong about least privilege for NHIs?

A: They often apply least privilege at creation time and assume it stays valid. In practice, workload scope changes, integrations expand, and service accounts accumulate permissions over time. Least privilege for NHIs has to be revisited as a living control, not a one-time setup step.

👉 Read our full editorial: OWASP NHI Top 10 shows why NHI governance lags behind access risk



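Editor's added example (not code from either post): a Python check for the "least privilege as a living control" point in the reply above. It compares the permissions a workload declared it needed at creation time with the grants currently attached to its service account and with what the account actually used in a recent window of access logs. The `REQUIRED` manifests, the `GRANTS` timestamps, the permission strings and the log lines are all constructed; the accumulated "temporary" grants on `reports-writer` show the drift the reply describes.

```python
"""Detect least-privilege drift on NHI service accounts.

Added example, not code from the post. The manifests, grants, permission
strings and access-log lines below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed: what each workload declared it needs (the creation-time review).
REQUIRED = {
    "reports-writer": {"storage:write:reports", "queue:consume:jobs"},
    "ledger-reader": {"db:read:ledger"},
}

# Constructed: grants actually attached to each account, with when each was added.
GRANTS = {
    "reports-writer": {
        "storage:write:reports": datetime(2024, 1, 10, tzinfo=timezone.utc),
        "queue:consume:jobs": datetime(2024, 1, 10, tzinfo=timezone.utc),
        "storage:delete:*": datetime(2024, 9, 2, tzinfo=timezone.utc),   # added during an incident
        "db:read:ledger": datetime(2025, 2, 14, tzinfo=timezone.utc),    # "temporary" integration
    },
    "ledger-reader": {
        "db:read:ledger": datetime(2024, 3, 1, tzinfo=timezone.utc),
    },
}

# Constructed access-log lines: "<timestamp> <principal> <action>"
ACCESS_LOG = """\
2025-05-28T01:00:03Z reports-writer storage:write:reports
2025-05-28T01:00:04Z reports-writer queue:consume:jobs
2025-05-29T01:00:02Z reports-writer storage:write:reports
2025-05-29T09:12:44Z ledger-reader db:read:ledger
"""


def parse_usage(log_text: str, since: datetime) -> dict:
    """Return {principal: set(actions)} observed in the log at or after `since`."""
    used = {}
    for line in log_text.splitlines():
        ts, principal, action = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when >= since:
            used.setdefault(principal, set()).add(action)
    return used


def drift_report(required, grants, used, now, review_window=timedelta(days=30)) -> dict:
    """For each account report grants beyond the declared need (with their age)
    and grants unused in the review window; both are removal candidates."""
    report = {}
    for principal, granted in grants.items():
        need = required.get(principal, set())
        excess = {p: added for p, added in granted.items() if p not in need}
        unused = {p for p in granted if p not in used.get(principal, set())}
        report[principal] = {
            "excess": sorted(excess),
            "excess_age_days": {p: (now - added).days for p, added in excess.items()},
            "unused": sorted(unused),
            "window_days": review_window.days,
        }
    return report


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def run() -> dict:
    """Run the drift check over the constructed data for the last 30 days."""
    window = timedelta(days=30)
    used = parse_usage(ACCESS_LOG, NOW - window)
    return drift_report(REQUIRED, GRANTS, used, NOW, window)


if __name__ == "__main__":
    for principal, result in run().items():
        print(principal, result)
```

Reading the two lists together is the useful part: a grant that is both outside the declared need and unused for the whole window is the safest to remove first, and the age of an excess grant tells you how long the creation-time review has been stale.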