
OWASP NHI Top 10: what the machine identity gap means for teams


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: The OWASP NHI Top 10 shows how service accounts, API keys, OAuth apps, and workload identities create a governance gap that human IAM controls do not cover, especially across cloud and CI/CD environments, according to Unosecur. The central issue is not just more machine identities, but identities that persist, overreach, and evade lifecycle control.

NHIMG editorial — based on content published by Unosecur: OWASP Top 10 for Non-Human Identities (NHI): Why Securing Machine Identities Is Now Mission-Critical

By the numbers:

Questions worth separating out

Q: What breaks when machine identities are not governed like first-class identities?

A: When machine identities are treated as an implementation detail, ownership, review, and offboarding break down.

Q: Why do long-lived machine credentials increase breach risk?

A: Long-lived credentials create a standing access path that can survive code changes, personnel changes, and forgotten integrations.

Q: How can security teams tell whether NHI governance is actually working?

A: Look for evidence of ownership, expiry, scope, and rotation across the machine identity estate.

Practitioner guidance

  • Inventory machine identities continuously: correlate service accounts, API keys, OAuth apps, bots, and workload identities across cloud, SaaS, GitHub, and CI/CD so ownership and purpose are visible in one place.
  • Replace static secrets with short-lived credentials: prioritise ephemeral tokens and workload-bound credentials for high-value automation paths, especially where secrets are currently copied into code or pipeline configuration.
  • Tighten privilege scope by environment: prevent one machine identity from operating across dev, test, and production unless the business case is explicit and reviewed, and validate that each role is least privileged.
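The ownership, expiry, scope and rotation evidence described in the Q&A above, turned into a check over a machine identity inventory, as an added example that is not from Unosecur or the original post; the inventory fields, the 90-day rotation cadence and the sample entries are constructed assumptions, not a vendor schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed inventory record; real platforms expose these fields under other names.
@dataclass
class MachineIdentity:
    name: str
    kind: str                      # service account, api key, oauth app, workload
    owner: Optional[str]           # team accountable for review and offboarding
    environments: set             # environments the credential can act in
    created: date
    expires: Optional[date]        # None means a standing, non-expiring credential
    last_rotated: Optional[date]   # None means never rotated since creation

MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy

def governance_findings(ident: MachineIdentity, today: date) -> list:
    """Return the governance gaps for one identity, in fixed order:
    ownership, expiry, scope, rotation."""
    findings = []
    if not ident.owner:
        findings.append("no owner")               # nobody to review or offboard it
    if ident.expires is None:
        findings.append("no expiry")              # standing access path
    elif ident.expires < today:
        findings.append("expired but still present")
    # One credential usable in production and in any non-production environment.
    if "prod" in ident.environments and ident.environments - {"prod"}:
        findings.append("spans production and non-production")
    rotated = ident.last_rotated or ident.created
    if today - rotated > MAX_CREDENTIAL_AGE:
        findings.append(f"not rotated in {(today - rotated).days} days")
    return findings

def audit(inventory: list, today: date) -> dict:
    """Map each identity with at least one finding to its list of findings."""
    report = {}
    for ident in inventory:
        findings = governance_findings(ident, today)
        if findings:
            report[ident.name] = findings
    return report

# Constructed sample inventory (three identities, one with every gap).
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    MachineIdentity("ci-deployer", "service account", "platform-team", {"prod"},
                    date(2025, 3, 15), date(2025, 9, 15), date(2025, 5, 20)),
    MachineIdentity("legacy-reporting-key", "api key", None, {"dev", "prod"},
                    date(2023, 1, 10), None, None),
    MachineIdentity("slack-notifier", "oauth app", "sec-ops", {"test"},
                    date(2025, 4, 1), date(2025, 7, 1), None),
]
```

Running `audit(SAMPLE_INVENTORY, TODAY)` flags only the ownerless, non-expiring, cross-environment API key; the two governed identities produce no findings.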

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • A structured breakdown of each OWASP NHI Top 10 category and the incident pattern behind it.
  • Unpublished implementation detail on how the vendor correlates NHI inventory, ownership, and behaviour across cloud and SaaS environments.
  • Operational examples for automated lifecycle governance, including rotation, offboarding, and expiry workflows.
  • Benchmarking and reporting examples that help teams translate NHI risk into audit and programme language.

Read Unosecur's analysis of the OWASP NHI Top 10 and machine identity risk.
