TL;DR: Credential enrichment, password spraying, and exposed source code are used to target non-human identities and create operational disruption, even when attacks fail, according to Oasis Security. Frequent targeting means NHI governance now has to account for continuous external pressure, not just internal lifecycle hygiene.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- The Threat Center starts with data from 20 threat actors observed in action.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: What breaks when service account credentials are reused across cloud services?
A: Reuse turns one exposed credential into a multi-system access path.
Q: Why do NHIs complicate credential stuffing and password spraying defenses?
A: NHIs complicate defenses against these attacks because they typically authenticate with static, reusable secrets rather than interactive, user-centric sign-in patterns, so controls built around human login behaviour do not apply cleanly.
Q: How do security teams know if NHI exposure is creating operational risk?
A: Look for repeated authentication failures, lockouts, and sudden spikes in access attempts against the same identities.
Practitioner guidance
- Map every secret exposure path: inventory code repositories, configuration files, CI/CD systems, collaboration tools, and public-facing assets for service-account credentials, API keys, and tokens.
- Reduce reuse across authentication paths: replace shared or long-lived credentials with unique, scoped identities and rotate exposed secrets immediately after discovery.
- Treat repeated lockouts as threat telemetry: correlate account lockouts, bursts of failed logins, and unusual geographic spread to identify credential-stuffing and password-spraying campaigns early.
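The signals named above (repeated failures and lockouts against one identity, bursts from one source across many identities, unusual geographic spread) are easy to state and slightly fiddly to correlate. The script below is an added example, not code from this post or from Oasis Security: it parses a constructed authentication log and flags each of those patterns. The log format, the five-minute window and the thresholds are this example's own assumptions; tune them to the real volume of the identities you monitor.

```python
"""Classify constructed NHI authentication-log lines into the patterns the
guidance above describes: failure bursts, password spraying, geographic
spread and repeated lockouts. Added example; log format and thresholds are
assumptions, not a vendor's detection logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields:
#   timestamp identity source_ip country result    result is OK, FAIL or LOCKOUT
SAMPLE_LOG = """\
2024-05-01T10:00:01Z svc-billing   203.0.113.10 US FAIL
2024-05-01T10:00:02Z svc-billing   203.0.113.10 US FAIL
2024-05-01T10:00:03Z svc-billing   203.0.113.10 US FAIL
2024-05-01T10:00:04Z svc-billing   203.0.113.10 US FAIL
2024-05-01T10:00:05Z svc-billing   203.0.113.10 US FAIL
2024-05-01T10:00:06Z svc-billing   203.0.113.10 US LOCKOUT
2024-05-01T10:20:06Z svc-billing   203.0.113.10 US LOCKOUT
2024-05-01T10:01:00Z svc-ci        198.51.100.7 DE FAIL
2024-05-01T10:01:05Z svc-backup    198.51.100.7 DE FAIL
2024-05-01T10:01:10Z svc-reporting 198.51.100.7 DE FAIL
2024-05-01T10:01:15Z svc-sync      198.51.100.7 DE FAIL
2024-05-01T10:01:20Z svc-metrics   198.51.100.7 DE FAIL
2024-05-01T10:02:00Z svc-api       192.0.2.5    US FAIL
2024-05-01T10:02:30Z svc-api       192.0.2.6    BR FAIL
2024-05-01T10:03:00Z svc-api       192.0.2.7    IN FAIL
2024-05-01T10:04:00Z svc-db        10.0.0.4     US OK
"""


def parse_log(text):
    """Parse the assumed five-field format into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, identity, ip, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "identity": identity, "ip": ip,
                       "country": country, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def _max_in_window(times, window):
    """Largest number of (sorted) timestamps inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events, window=timedelta(minutes=5), burst_threshold=5,
           spray_identities=5, geo_countries=3, lockout_repeats=2):
    """Return (pattern, subject, count) tuples. Thresholds are assumptions."""
    by_identity, by_source, lockouts = defaultdict(list), defaultdict(list), defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            by_identity[e["identity"]].append(e)   # stays time-sorted
            by_source[e["ip"]].append(e)
        elif e["result"] == "LOCKOUT":
            lockouts[e["identity"]] += 1

    findings = []
    for identity, evs in by_identity.items():
        # Spike of failures against one identity: stuffing / brute force on a static secret.
        burst = _max_in_window([e["ts"] for e in evs], window)
        if burst >= burst_threshold:
            findings.append(("failure_burst", identity, burst))
        # Same identity tried from several countries in the analysed slice.
        countries = {e["country"] for e in evs}
        if len(countries) >= geo_countries:
            findings.append(("geo_spread", identity, len(countries)))
    for ip, evs in by_source.items():
        # One source, few failures each against many identities: password spraying.
        targets = {e["identity"] for e in evs}
        if len(targets) >= spray_identities:
            findings.append(("password_spray", ip, len(targets)))
    for identity, n in lockouts.items():
        # Repeated lockouts of a service account are telemetry, not just a helpdesk ticket.
        if n >= lockout_repeats:
            findings.append(("repeated_lockout", identity, n))
    return findings


if __name__ == "__main__":
    for pattern, subject, count in detect(parse_log(SAMPLE_LOG)):
        print(f"{pattern:18} {subject:16} {count}")
```

The spray rule keys on the source address rather than on any one identity, which is why per-account lockout thresholds alone miss it: each identity sees a single failure. In production the window and counts should come from the observed baseline per identity class (CI runners retry legitimately; a billing service account normally does not).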
What's in the full announcement
Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The live Threat Center structure and how actor profiles are updated as new observations arrive
- The radar chart scoring model for evasive, aggressive, persistent, global spread, and inner spread behaviour
- Examples of how the experimental threat feed program is intended to deliver ongoing updates
- The OasisScout and AuthPrint description for authentication-phase fingerprinting and early remediation
👉 Read Oasis Security’s introduction to the NHI Threat Center and live threat data →
NHI threat center data: what it means for IAM teams?
Explore further
External pressure on NHIs is now a standing governance condition, not an occasional incident pattern. The article’s 20 observed actors show that cloud identities are being probed continuously, often by opportunistic adversaries looking for whatever is easiest to reuse. That changes the baseline for identity governance: NHI programmes have to assume repeated credential testing as part of normal operating reality. Practitioners should treat attacker persistence as a control design input, not a surprise.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
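The "Map every secret exposure path" guidance above and the figure on secrets stored in code, config files and CI/CD tools both come down to the same inventory exercise. The script below is an added example, not code from this post, from Oasis Security or from the Ultimate Guide to NHIs: it scans a set of constructed files for the common exposure classes (a cloud access-key identifier, a private-key block, credentials embedded in a connection string, and a secret-looking variable assigned a high-entropy value) and tags each hit with the part of the exposure surface it sits in. The rules, the entropy threshold and the surface labels are this example's own assumptions; the AKIA value in the sample is AWS's published placeholder key, not a live credential.

```python
"""Minimal secret-exposure inventory scanner. Added example; the rules,
thresholds and surface labels are assumptions, and the sample files are
constructed. Findings carry locations only, never the matched value."""
import math
import re
from collections import Counter
from pathlib import Path

# Constructed sample "checkout" as {path: content}.
SAMPLE_FILES = {
    "app/config.yml": (
        "database_url: postgres://svc_app:hunter2@db.internal/app\n"
        "api_token: Zk9pTxq7Wm3Lr2Ve8Hn4Jc6Bd1Gs5Ky0Aa9Uf\n"
        "session_key_name: user_session_cookie_identifier\n"
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"   # AWS's documented placeholder
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIconstructed...\n-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make deploy` after setting credentials in your secrets manager.\n",
}

# Fixed-format rules. AKIA + 16 chars is the documented AWS access-key-id shape.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # scheme://user:password@host, the classic connection-string exposure
    "url_embedded_credential": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s@/]+@"),
}
# Generic rule: secret-looking variable name assigned a long value; entropy decides.
ASSIGNMENT = re.compile(
    r"(?i)\b[a-z0-9_.-]*(?:key|token|secret|password|passwd|pwd)[a-z0-9_.-]*"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})['\"]?"
)
ENTROPY_THRESHOLD = 4.0  # bits/char (assumption); random base64-style tokens exceed it,
                         # readable identifiers and hex-only strings generally do not

# Exposure-surface labels keyed on path fragments (assumption; extend per estate).
SURFACES = [("/.github/", "ci_cd"), ("/.gitlab-ci", "ci_cd"), ("/config", "config"),
            (".yml", "config"), (".env", "config"), ("id_rsa", "key_material")]


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_surface(path):
    p = "/" + path
    for fragment, label in SURFACES:
        if fragment in p:
            return label
    return "source"


def scan_text(path, text):
    """One finding per (line, rule) hit; the secret itself is never copied out."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERN_RULES.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "surface": classify_surface(path)})
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append({"path": path, "line": lineno,
                             "rule": "high_entropy_assignment",
                             "surface": classify_surface(path)})
    return findings


def scan_files(files):
    """Scan an in-memory {path: content} mapping such as SAMPLE_FILES."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_tree(root):
    """Walk a real checkout; skips .git and files that cannot be read."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            try:
                text = p.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            findings.extend(scan_text(str(p.relative_to(root)), text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['surface']:12} {f['rule']:24} {f['path']}:{f['line']}")
```

Two design points matter for the governance use. Findings record where a secret sits, not what it is, so the scanner's own output does not become another exposure path. And the entropy rule deliberately errs toward missing hex-only strings rather than flagging every readable identifier; those need a dedicated pattern, as the AKIA rule shows, because one noisy generic rule is what makes teams stop reading the report.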
A question worth separating out:
Q: Who is accountable when exposed NHI credentials cause repeated lockouts?
A: Accountability usually sits with the team that owns the credential lifecycle, because lockouts expose a failure in discovery, rotation, and containment. Security operations may detect the issue, but identity, platform, and application owners must each answer for why the credential remained valid and reachable.
👉 Read our full editorial: NHI threat intelligence is now a governance problem, not just a feed