TL;DR: Phishing is increasingly used as a pivot into non-human identities such as service accounts, PATs, API keys, and OAuth tokens, letting attackers move laterally while blending into legitimate machine traffic, according to Entro Security. Static secrets, elevated privileges, and poor visibility turn one human compromise into a broader identity and data exposure problem.
NHIMG editorial — based on content published by Entro Security: The silent victims, how phishing targets non-human identities
Questions worth separating out
Q: How should security teams stop a phishing incident from turning into NHI compromise?
A: Treat the phishing event as an identity-chain incident.
Q: Why do service accounts and tokens make phishing damage worse?
A: Because they often persist longer than human sessions and hold broader rights than the original user.
Q: What do teams get wrong about rotating NHI secrets after compromise?
A: They often rotate on a fixed schedule and assume that is enough.
Practitioner guidance
- Inventory every machine identity linked to privileged users: map service accounts, PATs, API keys, OAuth tokens, and pipeline credentials back to human owners, workloads, and systems.
- Reduce standing privilege for CI/CD and service accounts: replace broad, persistent access with task-scoped permissions and narrow resource boundaries.
- Trigger rotation on abnormal identity behaviour: rotate or revoke secrets when usage patterns shift, such as unexpected locations, unusual hours, or new service-to-service destinations.
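As an added illustration of the third point (example code written for this summary, not code from NHIMG or Entro Security), the following Python sketch learns a per-credential baseline of source countries, hours of day and destination services from constructed usage events, then scores new events and recommends "review" for a single shift or "rotate" when two or more shift at once. The event format, the two-hour tolerance and all identifiers are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of credential-usage events (not real log data); each is
# (credential_id, timestamp, source_country, destination_service).
BASELINE_EVENTS = [
    ("pat-ci-build", "2024-05-01T09:12:00", "DE", "git.internal"),
    ("pat-ci-build", "2024-05-02T10:40:00", "DE", "git.internal"),
    ("pat-ci-build", "2024-05-03T14:05:00", "DE", "artifacts.internal"),
    ("svc-billing", "2024-05-01T02:00:00", "DE", "db.billing"),
    ("svc-billing", "2024-05-02T02:00:00", "DE", "db.billing"),
]

def build_baseline(events):
    """Per credential, collect the countries, hours-of-day and destinations seen so far."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set(), "dests": set()})
    for cred, ts, country, dest in events:
        entry = baseline[cred]
        entry["countries"].add(country)
        entry["hours"].add(datetime.fromisoformat(ts).hour)
        entry["dests"].add(dest)
    return baseline

def deviations(event, baseline):
    """List the ways one new event departs from its credential's baseline (empty = normal)."""
    cred, ts, country, dest = event
    if cred not in baseline:
        return ["credential not in inventory"]  # unknown NHI: inventory gap, not just anomaly
    entry = baseline[cred]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if country not in entry["countries"]:
        reasons.append(f"new source country {country}")
    # Distance on a 24-hour clock, so 23:00 and 01:00 count as close; tolerance is 2 hours.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 2 for h in entry["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if dest not in entry["dests"]:
        reasons.append(f"new destination {dest}")
    return reasons

def triage(new_events, baseline):
    """Map each event to an action: 'ok', 'review' (one shift) or 'rotate' (two or more)."""
    results = []
    for event in new_events:
        reasons = deviations(event, baseline)
        action = "ok" if not reasons else ("review" if len(reasons) == 1 else "rotate")
        results.append((event[0], action, reasons))
    return results
```

In practice the baseline would be fed from the identity inventory and access logs, and a "rotate" result would drive the revocation workflow rather than a printout.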
What's in the full article
Entro Security's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step discussion of how phishing pivots from a human account into service accounts, PATs, and API keys.
- Examples of real-world identity exposure patterns across development, CI/CD, and cloud environments.
- Vendor framing on automated lifecycle management and context-based secrets rotation for NHIs.
- The article's own data points on discovery and detection gains from its platform perspective.
Read Entro Security's analysis of phishing-driven NHI compromise.
Phishing, NHIs, and the governance gap security teams are missing?
Phishing now functions as an NHI discovery mechanism, not just a human account theft problem. Once a user account is compromised, the attacker’s real objective is often the machine identity layer attached to that user’s environment. Service accounts, PATs, API keys, and OAuth tokens become the path to persistence because they are embedded in operations and rarely reviewed with the same discipline as human access. Practitioners should treat human compromise as the opening move in an NHI governance failure, not the final incident.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The state of non-human identity security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why phishing-to-machine-identity pivots remain so effective.
A question worth separating out:
Q: How do organisations know whether NHI controls are actually working?
A: They should measure how many credentials are owned, inventoried, and tied to a specific workload or human sponsor, then test whether unusual use is detected before it becomes lateral movement. If the team cannot identify a token’s purpose and reach quickly, the control environment is still too opaque.
Read our full editorial: Phishing-driven NHI compromise exposes hidden enterprise blast radius.