NHI Forum
I. Thou Shalt Know Every Identity in Thy Domain
"A shadow identity is a breach waiting to happen"
Maintain a complete and living inventory of all service accounts, API keys, certificates, bots, and machine identities. For what is unknown cannot be protected, and what is untracked cannot be secured. Deploy automated discovery tools that scan across cloud providers, containers, and SaaS applications to maintain real-time visibility of all non-human identities.
II. Thou Shalt Not Create Immortal Credentials
"Eternal access is the root of all compromise"
Every non-human identity shall have an expiration date. No credential shall live forever. Implement automatic rotation policies, for even machines must prove their continued worthiness. Set maximum lifespans of 90 days for keys and certificates, with automated renewal workflows that generate new credentials before expiration.
III. Honor the Principle of Least Privilege
"Grant only what is needed, when it is needed"
A service account that can do everything will eventually be made to do everything, including harm. Excessive privileges are the root of all breaches, and power corrupts even the most faithful automation. Scope permissions precisely to the task at hand, nothing more. Start with zero permissions and add only what fails, using policy simulators to test minimum required access before deployment.
IV. Thou Shalt Not Share Secret Keys
"One key, one purpose, one identity"
Each non-human identity shall have its own unique credentials. Shared secrets are shared vulnerabilities. When many hands hold one key, accountability dies. Issue unique identifiers even for identical services, enabling precise audit trails and immediate revocation without collateral damage.
V. Remember the Lifecycle, to Keep It Holy
"From creation to decommission, every identity must be governed"
Birth, life, death: even digital identities must follow this sacred cycle. Provision with purpose, monitor with vigilance, and decommission with certainty. Tie service account lifecycles to infrastructure deployments, automatically removing identities when their associated resources are destroyed.
VI. Thou Shalt Not Trust Without Verification
"In zero trust we believe"
Every request, every action, every connection must be authenticated and authorized. Yesterday's trusted service is today's potential threat vector. Implement continuous verification using short-lived tokens that require re-authentication every hour, treating internal traffic with the same suspicion as external.
VII. Keep Thy Logs and Monitor Them Faithfully
"The unobserved identity is the adversary's favorite"
All actions of non-human identities shall be logged, analyzed, and anomalies investigated. For in the patterns of the machines, we find the fingerprints of intruders. Configure centralized logging that tracks every API call, establishing baseline behavior patterns and alerting on statistical deviations.
VIII. Thou Shalt Segregate Thy Environments
"Production is sacred ground"
Development keys shall not touch production systems. Test accounts shall not access real data. Each environment shall have its own identities, properly isolated. Use color-coded naming conventions and separate secret stores, making it impossible to accidentally use development credentials in production systems.
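As an added example (not part of the original NHI Forum post), the following Python script audits a constructed inventory of non-human identities against commandments I, II, IV and VIII: it flags credentials with no expiry or a lifetime beyond 90 days, a key fingerprint held by more than one identity, and a credential seen in use outside the environment it was issued for. The inventory format, field names and sample identities are assumptions made for the example.

```python
# Added example: audit a constructed NHI inventory for immortal credentials,
# shared keys and cross-environment use. Not code from the original post.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_LIFETIME_DAYS = 90  # commandment II: keys and certificates live at most 90 days


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    env: str                  # environment the credential was issued for: dev, test or prod
    key_fingerprint: str      # hash of the credential material; the secret itself is never stored here
    created: date
    expires: Optional[date]   # None means the credential never expires (an "immortal" credential)
    used_in_env: str          # environment where the credential was last observed in use


def audit(inventory: List[NonHumanIdentity], today: date) -> List[Tuple[str, str]]:
    """Return (identity name, finding) pairs; an empty list means the inventory is compliant."""
    findings = []
    holders = defaultdict(list)  # key fingerprint -> identities that present it (commandment IV)
    for nhi in inventory:
        holders[nhi.key_fingerprint].append(nhi.name)
        if nhi.expires is None:
            findings.append((nhi.name, "immortal credential: no expiry set"))
        else:
            if (nhi.expires - nhi.created).days > MAX_LIFETIME_DAYS:
                findings.append((nhi.name, f"lifetime exceeds {MAX_LIFETIME_DAYS} days"))
            if nhi.expires <= today:
                findings.append((nhi.name, "expired credential still in inventory"))
        if nhi.used_in_env != nhi.env:  # commandment VIII: dev keys must not touch prod
            findings.append((nhi.name, f"{nhi.env} credential observed in {nhi.used_in_env}"))
    for names in holders.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(m for m in names if m != n)
                findings.append((n, f"key shared with {others}"))
    return findings


def noncompliant(inventory: List[NonHumanIdentity], today: date) -> List[str]:
    """Sorted names of identities with at least one finding."""
    return sorted({name for name, _ in audit(inventory, today)})


# Constructed sample inventory: one compliant identity and four violations.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    NonHumanIdentity("billing-api", "prod", "fp-a1", date(2024, 5, 1), date(2024, 7, 30), "prod"),
    NonHumanIdentity("legacy-cron", "prod", "fp-b2", date(2021, 1, 1), None, "prod"),
    NonHumanIdentity("ci-deployer", "dev", "fp-c3", date(2024, 5, 20), date(2024, 6, 19), "prod"),
    NonHumanIdentity("report-bot-a", "prod", "fp-d4", date(2024, 5, 15), date(2024, 8, 13), "prod"),
    NonHumanIdentity("report-bot-b", "prod", "fp-d4", date(2024, 5, 15), date(2024, 8, 13), "prod"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {finding}")
```

Running the script lists one finding each for legacy-cron, ci-deployer, report-bot-a and report-bot-b; billing-api, with a 90-day lifetime and a unique key used only in its own environment, produces none.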
IX. Thou Shalt Not Hardcode Secrets
"Secrets in code are secrets exposed"
Credentials shall live in vaults, not in configuration files. Use secure secret management systems, for what is written in code is written for the world to see. Replace all hardcoded values with environment variables that pull from encrypted vaults at runtime, scanning code repositories daily for exposed secrets.
X. Thou Shalt Plan for Compromise
"Not if, but when"
Assume breach. Design your systems so that the compromise of one non-human identity cannot bring down the entire infrastructure. Implement break-glass procedures, practice incident response, and prepare for rapid remediation. Maintain a "kill switch" registry that can revoke all credentials within minutes, testing recovery procedures quarterly.