Cyber beyond human security risks: what compliance teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Cyber beyond human is a compliance and risk problem, pointing to MFA bypass research, NHI discovery gaps, and risky configuration exposure across hybrid environments, according to Oasis Security. The underlying issue is that governance for machine identities, secrets, and delegated access still lags the speed and spread of non-human access.

NHIMG editorial — based on content published by Oasis Security: Cyber beyond human: Compliance Trends & Security Risks

By the numbers:

Questions worth separating out

Q: How should security teams handle non-human identities in compliance programmes?

A: Security teams should treat non-human identities as governed assets, not implementation leftovers.

Q: Why do service accounts and API keys create audit risk?

A: Service accounts and API keys create audit risk because they often persist without clear ownership, consistent review, or visible user login events.

Q: What breaks when machine credentials are not rotated?

A: When machine credentials are not rotated, stale access accumulates and the organisation loses confidence that the secret still reflects the intended scope.

Practitioner guidance

  • Map every non-interactive access path. Inventory service accounts, API keys, tokens, certificates, and delegated application access separately from human identities.
  • Attach lifecycle controls to each NHI. Require an explicit owner, business purpose, rotation schedule, and retirement trigger before a machine identity is allowed to persist in production.
  • Treat MFA as incomplete for machine governance. Use MFA improvements for human authentication, but do not let them substitute for discovery of secrets, service accounts, and application-level trust paths.
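One way to turn the lifecycle controls above into a repeatable check, as an added example that is not from the Oasis Security article or the NHIMG post: audit a constructed inventory of non-human identities for a missing owner, missing purpose, an absent or overdue rotation schedule, no retirement trigger, and no observed activity. The record fields, the sample entries and the 90-day staleness threshold are assumptions for illustration.

```python
"""
Lifecycle-control audit over a non-human identity (NHI) inventory.

Added example, not code from the article or the forum. Field names,
thresholds and the sample records below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class NHI:
    name: str
    kind: str                          # service_account | api_key | token | certificate | app_delegation
    owner: Optional[str]               # accountable team or person
    purpose: Optional[str]             # business reason the identity exists
    rotation_days: Optional[int]       # agreed rotation interval; None = no schedule at all
    last_rotated: Optional[date]
    retirement_trigger: Optional[str]  # event that retires the identity, e.g. "cert expiry"
    last_used: Optional[date]          # last observed activity from logs


def audit(nhi: NHI, today: date, stale_after_days: int = 90) -> list[str]:
    """Return the lifecycle-control gaps for one NHI (empty list = governed)."""
    findings: list[str] = []
    if not nhi.owner:
        findings.append("no owner")
    if not nhi.purpose:
        findings.append("no business purpose")
    if nhi.rotation_days is None:
        findings.append("no rotation schedule")
    elif nhi.last_rotated is None:
        findings.append("never rotated")
    else:
        overdue = (today - nhi.last_rotated).days - nhi.rotation_days
        if overdue > 0:
            findings.append(f"rotation overdue by {overdue} days")
    if not nhi.retirement_trigger:
        findings.append("no retirement trigger")
    if nhi.last_used is None:
        findings.append("no observed activity")
    else:
        idle = (today - nhi.last_used).days
        if idle > stale_after_days:
            findings.append(f"stale: unused for {idle} days")
    return findings


def audit_inventory(inventory: list[NHI], today: date,
                    stale_after_days: int = 90) -> dict[str, list[str]]:
    """Map each NHI name to its findings, keeping only identities with gaps."""
    return {n.name: f for n in inventory
            if (f := audit(n, today, stale_after_days))}


# Constructed sample inventory (not real identities) and a fixed audit date.
TODAY = date(2025, 1, 15)
INVENTORY = [
    NHI("svc-backup", "service_account", "platform-team", "nightly backup",
        90, date(2024, 12, 20), "backup platform decommission", date(2025, 1, 14)),
    NHI("apikey-legacy-crm", "api_key", None, "CRM sync",
        90, date(2024, 6, 1), None, date(2024, 9, 30)),
    NHI("cert-ingress-tls", "certificate", "netops", "ingress TLS",
        None, None, "cert expiry", None),
]


if __name__ == "__main__":
    for name, gaps in audit_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {'; '.join(gaps)}")
```

Running the script lists only the two identities with gaps; the backup service account passes because every control is present and its rotation and activity are within the agreed windows. In practice the inventory would be fed from the discovery sources the guidance names (directory service accounts, key vaults, token issuers, certificate stores, application delegations) rather than from a hard-coded list.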

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A closer walkthrough of the Microsoft Azure MFA research and the bypass condition that allowed access without user interaction.
  • The integration details for discovering NHIs in Active Directory, including ownership and consumer activity insights.
  • The remediation workflow for risky configurations, stale accounts, and unrotated credentials in hybrid environments.
  • The surrounding blog context on compliance and security risk trends beyond the summary points covered here.

👉 Read Oasis Security's blog on cyber beyond human compliance trends and security risks →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Cyber beyond human is really a governance story about identity scope, not just compliance posture. Machine identities are now part of the access fabric, but many programmes still treat them as implementation detail. That leaves gaps in ownership, rotation, and retirement that auditors eventually surface as control failures. The practitioner conclusion is simple: if the identity is not visible in governance, it is not governed.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how repeat exposure follows weak lifecycle control.

A question worth separating out:

Q: Who is accountable when a non-human identity is over-privileged?

A: Accountability should sit with the system owner, the application owner, and the identity governance process that approved the access. Over-privileged machine identities usually exist because no one owned the full lifecycle. If ownership is unclear, remediation slows and exposure persists.

👉 Read our full editorial: Cyber beyond human: compliance trends and security risks
