
How should teams rein in overprivileged NHIs before damage spreads?


(@entro)
Reputable Member
Joined: 1 year ago
Posts: 91
Topic starter  

TL;DR: Overprivileged non-human identities are widening the attack surface because many are granted broad access, left poorly governed, and can be used to move laterally or escalate privileges if compromised, according to Entro Security's analysis and the 2025 State of NHI and Secrets report. Least privilege, ownership, and continuous review are now baseline controls, not optional hardening.

NHIMG editorial — based on research published by Entro Security.

By the numbers:

Questions worth separating out

Q: How should security teams control overprivileged NHIs?

A: Start with least privilege, then enforce it continuously.

Q: When does overprivileged NHI access become a material risk?

A: It becomes material when a single identity can reach multiple systems, sensitive data, or admin functions beyond its intended job.

Q: What is the difference between human IAM and NHI governance?

A: Human IAM assumes interactive logins, approvals, and periodic recertification.

Practitioner guidance

  • Right-size every NHI entitlement set: Remove unused read, write, and admin permissions from service accounts, API keys, and automation tokens.
  • Assign explicit human ownership: Map each NHI to a named owner, a business function, and an expiry or review date.
  • Separate high-risk machine identities: Do not reuse the same NHI across multiple applications or environments when a compromise would cross boundaries.

Teams that cannot answer who owns a token, when it expires, and where it can reach will struggle to contain even modest exposure.

👉 Read Entro Security's analysis of overprivileged NHIs and privilege inflation →




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

A few things worth adding from our research at NHI Mgmt Group.

Overprivileged NHIs are an identity governance failure, not just a secrets problem. The issue begins when automation is granted more access than the task requires and then left without meaningful review. That breaks least privilege at machine scale and makes every downstream control weaker. Practitioners should treat entitlement scope as the primary control surface for NHIs.

A few things that frame the scale:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
  • Internal repositories are 6x more likely to contain secrets than public ones, which means private code is not a safe assumption for machine identity hygiene.

A question worth separating out:

Q: Should organisations prioritise secret rotation or privilege reduction first?

A: Privilege reduction should come first when access is broader than necessary, because a rotated secret with the same excessive permissions still carries the same blast radius. Rotation matters, but it is most effective after entitlement scope is corrected and ownership is clear.

👉 Read our full editorial: Overprivileged NHIs create an identity blast radius problem



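The practitioner guidance in the first post (right-size entitlements, map each NHI to an owner and review date, don't reuse one identity across boundaries) and the rotation-versus-privilege-reduction question in the second post can be made concrete with a small inventory audit. The script below is an added example written for this thread; it is not code from either post, from Entro Security or from NHI Mgmt Group. It assumes a simple inventory format (a record per NHI with granted permissions, permissions observed in use over a review window, owner, review date and environments), a constructed list of sensitive systems, and constructed sample data; permission strings of the form "system:action" with "*" meaning admin are an assumption of the example, not a real product schema.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import FrozenSet, Optional

# Constructed example data and thresholds; not real identities or a real product schema.
# Permissions are "system:action" strings; the action "*" means full admin on that system.
SENSITIVE_SYSTEMS = {"payments-db", "customer-pii"}  # assumed list of crown-jewel systems


@dataclass(frozen=True)
class NHI:
    name: str
    credential_id: str              # the secret currently bound to this identity
    owner: Optional[str]            # named human owner, None if nobody is mapped
    review_date: Optional[date]     # next review or expiry, None if never set
    environments: FrozenSet[str]    # environments where the same credential is used
    granted: FrozenSet[str]         # entitlements the identity holds
    used: FrozenSet[str]            # entitlements observed in use during the review window


def unused_permissions(nhi: NHI) -> set:
    """Grants that were never exercised in the window: the first removal candidates."""
    return set(nhi.granted - nhi.used)


def reachable_systems(perms) -> set:
    """Distinct systems a set of "system:action" grants can touch."""
    return {p.split(":", 1)[0] for p in perms}


def blast_radius(nhi: NHI) -> dict:
    """What a compromise of this identity could reach. Driven by grants, not by usage."""
    systems = reachable_systems(nhi.granted)
    return {
        "systems": len(systems),
        "sensitive_systems": len(systems & SENSITIVE_SYSTEMS),
        "admin_grants": sum(1 for p in nhi.granted if p.endswith(":*")),
    }


def governance_findings(nhi: NHI, today: date) -> list:
    """Ownership, review-date, boundary and entitlement checks, in a fixed order."""
    findings = []
    if not nhi.owner:
        findings.append("no-owner")
    if nhi.review_date is None:
        findings.append("no-review-date")
    elif nhi.review_date < today:
        findings.append("review-overdue")
    if len(nhi.environments) > 1:
        findings.append("reused-across-environments")
    unused = unused_permissions(nhi)
    if unused:
        findings.append("unused-entitlements")
    if any(p.endswith(":*") for p in unused):
        findings.append("unused-admin-grant")
    return findings


def rotate_secret(nhi: NHI, new_credential_id: str) -> NHI:
    """Rotation swaps the secret but leaves the entitlement set, and so the blast radius, as is."""
    return replace(nhi, credential_id=new_credential_id)


def right_size(nhi: NHI) -> NHI:
    """Shrink grants to what the workload actually used in the review window."""
    return replace(nhi, granted=nhi.used)


def audit(inventory, today: date) -> dict:
    """Per-identity summary a team can triage: findings, removable grants, reach."""
    return {
        n.name: {
            "findings": governance_findings(n, today),
            "unused": sorted(unused_permissions(n)),
            "blast_radius": blast_radius(n),
        }
        for n in inventory
    }


TODAY = date(2026, 3, 1)  # constructed reference date for the review window

INVENTORY = [  # constructed sample inventory
    NHI(name="ci-deployer", credential_id="cred-1", owner="platform-team",
        review_date=date(2026, 6, 30), environments=frozenset({"prod"}),
        granted=frozenset({"artifact-store:read", "k8s-prod:deploy"}),
        used=frozenset({"artifact-store:read", "k8s-prod:deploy"})),
    NHI(name="report-bot", credential_id="cred-2", owner=None,
        review_date=date(2025, 1, 15), environments=frozenset({"prod", "staging"}),
        granted=frozenset({"payments-db:read", "payments-db:*",
                           "customer-pii:read", "mail:send"}),
        used=frozenset({"payments-db:read", "mail:send"})),
]

if __name__ == "__main__":
    for name, result in audit(INVENTORY, TODAY).items():
        print(name, result)
    bot = INVENTORY[1]
    print("after rotation:", blast_radius(rotate_secret(bot, "cred-3")))
    print("after right-sizing:", blast_radius(right_size(bot)))
```

Running it against the constructed inventory, "ci-deployer" comes back clean, while "report-bot" is flagged for having no owner, an overdue review, reuse across prod and staging, and two unused grants including an admin grant on a sensitive system. The last two lines make the second post's point: rotating report-bot's secret leaves its reach at three systems (two sensitive, one admin grant), whereas right-sizing to observed usage drops it to two systems with no admin grant. In a real deployment the "used" set would come from the platform's access logs or IAM access analysis rather than from a hand-written inventory.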