User domain NHI sprawl: what IAM teams are missing now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: User activity is creating persistent machine identities through OAuth apps, browser-stored credentials, SaaS tokens, and shadow IT, and Clutch Security says many enterprises underestimate the resulting attack surface. The governance problem is not just visibility, but controlling user-generated NHI sprawl without breaking productivity.

NHIMG editorial — based on content published by Clutch Security: The user domain where human productivity meets machine identity risk

Questions worth separating out

Q: How should security teams govern user-created OAuth applications?

A: Start by classifying OAuth applications as delegated identities rather than lightweight conveniences.

Q: Why do user-generated NHIs increase enterprise risk?

A: They extend access beyond the user’s immediate session and often keep working after the original business need has ended.

Q: What breaks when browser-stored credentials are not controlled?

A: Browsers become an unmanaged credential vault, which means tokens and API keys can be stolen from many endpoints instead of from one central store.

Practitioner guidance

  • Inventory user-generated NHIs at scale: scan endpoints, SaaS logs, and connected app registries for OAuth grants, browser-stored secrets, and shadow IT integrations.
  • Tighten consent on high-risk scopes: require approval for applications that request mail, file, or directory access, and separate low-risk productivity apps from broad delegated access.
  • Treat browser secrets as governed credentials: block storage of sensitive API keys and tokens in unmanaged browsers where possible, and monitor for credential extraction signals on user endpoints.

What's in the full article

Clutch Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • A domain-by-domain breakdown of where user activity generates non-human identities across SaaS, browsers, and collaboration tools
  • The four-factor risk assessment used to rate the user domain as moderate but growing
  • Specific attack pattern examples for OAuth consent abuse, credential harvesting, and shadow IT proliferation
  • The strategic recommendation set for visibility, approval workflows, and automated risk assessment

👉 Read Clutch Security's analysis of the user domain and hidden NHI risk →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

User-generated machine identities are a governance class, not an edge case. The user domain is not merely where people consume SaaS. It is where authorised users continually create delegated credentials, tokens, and application access that behave like standalone non-human identities. That means IAM programmes that only track human accounts are missing a large part of the effective identity estate. The practitioner conclusion is simple: the user domain must be governed as an NHI-producing environment, not just an access surface.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how far governance still trails identity sprawl.

A question worth separating out:

Q: What should organisations do when a user leaves but their app integrations remain active?

A: Revoke the integrations as part of offboarding, not as a separate cleanup task that happens later. User exit should trigger review of every OAuth grant, token, and personal automation the person created. If those machine identities stay alive, accountability has already broken.

👉 Read our full editorial: The user domain is creating hidden NHI risk across enterprises

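One way to turn the three steps in the first post (inventory the grants, tier the mail/file/directory scopes for approval, treat anything persistent as a standalone identity) and the offboarding check in the second post into a single runnable review. This is an added example for the thread, not code from Clutch Security or NHIMG. The grant export, the departed-user list, the scope-family prefixes and the 90-day idle threshold are all constructed assumptions: the records mimic the space-separated `scope` field that a Microsoft Graph `oauth2PermissionGrant` exposes (Google Workspace scopes carry a URL prefix, which the classifier strips), with the app and user already resolved, and nothing here calls a real API.

```python
"""Inventory user-created OAuth grants, tier them by scope risk, and flag
grants whose owner has already been offboarded.

Added illustration for this thread; not Clutch Security's or NHIMG's code.
The export below, the departed-user set, the scope-family prefixes and the
idle threshold are constructed assumptions, not vendor data.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed export: one record per delegated grant, already joined to the
# granting user and the application display name. The scope field is
# space-separated, as in a Graph oauth2PermissionGrant.
GRANT_EXPORT = """[
 {"app": "Mail Merge Helper", "user": "alice@corp.example",
  "scope": "Mail.Read Mail.Send offline_access", "lastUsed": "2024-05-02"},
 {"app": "Slide Polisher",    "user": "bob@corp.example",
  "scope": "User.Read openid profile", "lastUsed": "2024-05-30"},
 {"app": "Drive Backup Bot",  "user": "carol@corp.example",
  "scope": "Files.ReadWrite.All offline_access", "lastUsed": "2024-01-15"},
 {"app": "Org Chart Sync",    "user": "dave@corp.example",
  "scope": "Directory.Read.All", "lastUsed": "2024-05-28"}
]"""

# Constructed HR feed: accounts already disabled, whose grants may still live.
DEPARTED_USERS = {"carol@corp.example"}

TODAY = date(2024, 6, 1)   # fixed "now" so the example is deterministic
IDLE_DAYS = 90             # assumed threshold for "business need has ended"


@dataclass(frozen=True)
class Grant:
    app: str
    user: str
    scopes: tuple
    last_used: date


def parse_export(text):
    """Turn the JSON export into Grant records."""
    return [Grant(r["app"], r["user"], tuple(r["scope"].split()),
                  date.fromisoformat(r["lastUsed"]))
            for r in json.loads(text)]


def scope_family(scope):
    """Map one scope to the high-risk family the post names (mail, files,
    directory) or None. Prefixes are an assumption covering common
    Graph-style and Google-style names, not an exhaustive vendor list."""
    s = scope.lower().rsplit("/", 1)[-1]          # drop Google URL prefix
    if s.startswith(("mail.", "gmail")):
        return "mail"
    if s.startswith(("files.", "sites.", "drive")):
        return "files"
    if s.startswith(("directory.", "group.", "admin.directory")) or s.endswith(".all"):
        return "directory"                         # tenant-wide reads count here
    return None


def assess(grant, departed=DEPARTED_USERS, today=TODAY):
    """Return (risk, findings) for one grant."""
    families = sorted({f for f in map(scope_family, grant.scopes) if f})
    persistent = "offline_access" in grant.scopes   # refresh token issued
    idle = (today - grant.last_used).days > IDLE_DAYS
    findings = []
    if grant.user in departed:
        findings.append("owner offboarded: revoke")
    if families:
        findings.append("high-risk scopes (%s): approval required" % ", ".join(families))
    if persistent:
        findings.append("offline_access: refresh token outlives the session")
    if idle:
        findings.append("unused for more than %d days" % IDLE_DAYS)
    if grant.user in departed or families:
        risk = "high"
    elif persistent or idle:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings


def inventory(text=GRANT_EXPORT, departed=DEPARTED_USERS, today=TODAY):
    """Assess every grant; returns {app: (user, risk, findings)}, high first."""
    rows = {g.app: (g.user,) + assess(g, departed, today) for g in parse_export(text)}
    order = {"high": 0, "medium": 1, "low": 2}
    return dict(sorted(rows.items(), key=lambda kv: order[kv[1][1]]))


def revoke_on_offboarding(text=GRANT_EXPORT, departed=DEPARTED_USERS):
    """The second post's check: every grant owned by a departed user is
    returned for revocation regardless of scope."""
    return [g.app for g in parse_export(text) if g.user in departed]


if __name__ == "__main__":
    for app, (user, risk, findings) in inventory().items():
        print(f"{risk:6} {app:18} {user:22} {'; '.join(findings) or 'ok'}")
    print("revoke at offboarding:", revoke_on_offboarding())
```

Two design choices worth noting: `offline_access` is tracked separately from the scope families because it is what makes a grant outlive the user's session, so a low-scope app with a refresh token still lands in the medium tier; and the offboarding check ignores scope entirely, since a departed owner is reason enough to revoke.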