Sorting and minimizing NHI roles in Azure RBAC

Meet "The Monster". A 𝐯𝐞𝐫𝐲 𝐝𝐚𝐧𝐠𝐞𝐫𝐨𝐮𝐬 Non Human Identity (NHI).
We discovered The Monster in Azure when we implemented our NHI ultrametric scanner (github repo: https://github.com/labyrinthinesecurity/silhouette ).

Ultrametrics unraveled its spectral band: I of XXII, singling it out in the top 10% of the most powerful identities acting in one Azure Tenant (green stickers 2 an 3 in picture The Monster).

The band alone is not enough to determine data risk, though: we executed an additional, high resolution contour analysis of the NHI dendrogram with data perimeter calculation (green sticker 1). The large perimeter promoted the monster to the top 1% of most powerful NHIs.

Finally, we confirmed the maximum critical residual risk when we looked at the Monster's identity type in Entra ID: not a Managed Identity... Not an Application... Microsoft's brand new 𝐀𝐠𝐞𝐧𝐭 𝐈𝐃 𝐢𝐝𝐞𝐧𝐭𝐢𝐭𝐲!

So, the "Monster" turned out to be an Agentic AI polymath with life-and-death access to a large part of our production data banks.

𝘋𝘰𝘦𝘴 𝘵𝘩𝘪𝘴 𝘴𝘵𝘰𝘳𝘺 𝘴𝘰𝘶𝘯𝘥 𝘭𝘪𝘬𝘦 𝘴𝘤𝘪-𝘧𝘪? 𝘐𝘵'𝘴 𝘯𝘰𝘵. 𝘞𝘦𝘭𝘭, 𝘢𝘭𝘮𝘰𝘴𝘵...
𝘐 𝘮𝘢𝘥𝘦 𝘪𝘵 𝘶𝘱 𝘵𝘰 𝘨𝘪𝘷𝘦 𝘺𝘰𝘶 𝘢 𝘧𝘦𝘦𝘭 𝘰𝘧 𝘰𝘶𝘳 𝘴𝘩𝘰𝘳𝘵-𝘵𝘦𝘳𝘮 𝘧𝘶𝘵𝘶𝘳𝘦:
✅ 𝘈𝘨𝘦𝘯𝘵𝘪𝘤 𝘈𝘐 𝘢𝘳𝘦 𝘢𝘭𝘳𝘦𝘢𝘥𝘺 𝘥𝘦𝘱𝘭𝘰𝘺𝘦𝘥 𝘪𝘯 𝘮𝘢𝘯𝘺 𝘛𝘦𝘯𝘢𝘯𝘵𝘴, 𝘱𝘦𝘳𝘧𝘰𝘳𝘮𝘪𝘯𝘨 𝘩𝘶𝘮𝘢𝘯-𝘭𝘪𝘬𝘦 𝘴𝘦𝘯𝘴𝘪𝘵𝘪𝘷𝘦 𝘰𝘱𝘦𝘳𝘢𝘵𝘪𝘰𝘯𝘴.
✅ 𝘌𝘯𝘵𝘳𝘢 𝘐𝘋 𝘢𝘭𝘳𝘦𝘢𝘥𝘺 𝘤𝘭𝘢𝘴𝘴𝘪𝘧𝘪𝘦𝘴 𝘈𝘐 𝘢𝘨𝘦𝘯𝘵𝘴 𝘸𝘪𝘵𝘩 𝘢 𝘥𝘦𝘥𝘪𝘤𝘢𝘵𝘦𝘥 𝘪𝘥𝘦𝘯𝘵𝘪𝘵𝘺, 𝘥𝘪𝘴𝘵𝘪𝘯𝘤𝘵 𝘧𝘳𝘰𝘮 𝘰𝘵𝘩𝘦𝘳 𝘣𝘰𝘵𝘴.
✅ 𝘚𝘪𝘭𝘩𝘰𝘶𝘦𝘵𝘵𝘦 𝘱𝘳𝘰𝘷𝘪𝘥𝘦𝘴 𝘣𝘰𝘵𝘩 𝘵𝘩𝘦 𝘶𝘭𝘵𝘳𝘢𝘮𝘦𝘵𝘳𝘪𝘤 𝘴𝘤𝘢𝘯𝘯𝘦𝘳 𝘢𝘯𝘥 𝘵𝘩𝘦 𝘥𝘢𝘵𝘢 𝘱𝘦𝘳𝘪𝘮𝘦𝘵𝘦𝘳 𝘳𝘶𝘭𝘦𝘳, 𝘧𝘰𝘳 𝘢𝘭𝘭 𝘈𝘻𝘶𝘳𝘦 𝘕𝘏𝘐𝘴.

In the cloud, Smart NHI AIs are here, their identities are here, "Monster" detection tools are here.

❓ Is your SOC here? Get prepared!