
NHI lateral movement through service accounts: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Attackers are using compromised accounts to pivot through service accounts and OAuth grants, bypassing detection logic built for human behavior, according to Abnormal AI. The core problem is an identity governance model that can see NHI authentications but cannot judge whether they are normal, so runtime baselines matter as much as permissions.

NHIMG editorial — based on content published by Abnormal AI: NHI lateral movement bypasses human-centric detection logic

Questions worth separating out

Q: How should security teams detect lateral movement through service accounts and OAuth grants?

A: Security teams should detect lateral movement by building identity-specific baselines for each service account and grant, then alerting on deviations in source system, target system, access timing, and request sequence.

Q: Why do service accounts with valid permissions still create lateral movement risk?

A: Service accounts create lateral movement risk because valid permissions can be reused by attackers without triggering obvious policy violations.

Q: What breaks when organisations rely only on posture checks for NHI security?

A: Posture-only checks break because they tell you whether an identity is configured correctly, not whether it is being abused in real time.

Practitioner guidance

  • Build identity-specific behavioural baselines: track normal authentication hours, source infrastructure, target systems, and request patterns for each high-value service account and OAuth grant so that anomalous use stands out before lateral movement completes.
  • Map delegated access paths end to end: inventory which applications, APIs, and service accounts are connected by OAuth grants and long-lived tokens, then identify where those relationships create hidden pivot routes for attackers.
  • Separate posture checks from runtime detection: keep permission review and misconfiguration scanning, but add live monitoring for identities that suddenly access new systems, new geographies, or new infrastructure patterns.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the vendor distinguishes normal from anomalous NHI behaviour in live environments
  • Examples of service-account activity patterns that evade human-centric detection logic
  • Operational context on how OAuth grants and API tokens create lateral movement paths
  • Additional detail on where posture-only security approaches fail during active movement

👉 Read Abnormal AI's analysis of NHI lateral movement through service accounts →

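Added example, not code from the NHIMG post or the Abnormal AI article: the practitioner guidance above reduces to two mechanical pieces, a per-identity baseline that scores each authentication on source, target, timing, and request sequence, and a walk over the grant graph that lists the pivot routes a compromised identity could take. Every identity name, field, event, and grant edge below is constructed for illustration; nothing here comes from a real environment.

```python
"""Behavioural baselines and grant-path mapping for non-human identities.

Illustrative example only. Identity names, event fields, and the grant graph
are constructed; they are not taken from any vendor telemetry or real tenant.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuthEvent:
    identity: str  # service account or OAuth client id (hypothetical names)
    source: str    # infrastructure the request came from
    target: str    # system or API that was accessed
    hour: int      # hour of day (UTC) of the request
    action: str    # coarse request type, e.g. "read", "write"


@dataclass
class Baseline:
    sources: Set[str] = field(default_factory=set)
    targets: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    transitions: Set[Tuple[str, str]] = field(default_factory=set)  # (prev, next)
    last_action: Optional[str] = None  # sequence state carried between events


def build_baselines(events: List[AuthEvent]) -> Dict[str, Baseline]:
    """Learn what is normal for each identity from a known-good event window."""
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    for ev in events:
        b = baselines[ev.identity]
        b.sources.add(ev.source)
        b.targets.add(ev.target)
        b.hours.add(ev.hour)
        if b.last_action is not None:
            b.transitions.add((b.last_action, ev.action))
        b.last_action = ev.action
    for b in baselines.values():
        b.last_action = None  # restart sequence tracking for live scoring
    return dict(baselines)


def score_event(b: Baseline, ev: AuthEvent) -> List[str]:
    """Return the axes on which `ev` departs from the identity's baseline."""
    deviations = []
    if ev.source not in b.sources:
        deviations.append("source")
    if ev.target not in b.targets:
        deviations.append("target")
    if ev.hour not in b.hours:
        deviations.append("timing")
    if b.last_action is not None and (b.last_action, ev.action) not in b.transitions:
        deviations.append("sequence")
    b.last_action = ev.action
    return deviations


def detect(baselines: Dict[str, Baseline], events: List[AuthEvent]):
    """Score a live stream. Every event here is a *valid* authentication, so a
    permission check passes; only the behavioural comparison can flag it."""
    flagged = []
    for i, ev in enumerate(events):
        b = baselines.get(ev.identity)
        dev = ["no-baseline"] if b is None else score_event(b, ev)
        if dev:
            flagged.append((i, ev.identity, dev))
    return flagged


def pivot_paths(edges: Dict[str, List[str]], start: str) -> List[Tuple[str, ...]]:
    """List every chain reachable from `start` through grants and stored
    credentials, stopping at nodes with no onward edge. Each chain is a
    candidate lateral-movement route to review; cycles are cut."""
    paths, stack = [], [(start,)]
    while stack:
        path = stack.pop()
        onward = [n for n in edges.get(path[-1], []) if n not in path]
        if not onward:
            paths.append(path)
        stack.extend(path + (n,) for n in onward)
    return sorted(paths)


# Constructed known-good window: a nightly billing sync from two worker pools.
BASELINE_EVENTS = [
    AuthEvent("svc-billing-sync", "worker-pool-a", "billing-db", 2, "read"),
    AuthEvent("svc-billing-sync", "worker-pool-a", "billing-db", 2, "read"),
    AuthEvent("svc-billing-sync", "worker-pool-a", "report-bucket", 3, "write"),
    AuthEvent("svc-billing-sync", "worker-pool-b", "billing-db", 2, "read"),
]

# Constructed live events: the first is routine; the rest reuse the same valid
# credential from an unfamiliar host, mid-afternoon, then against a new API.
LIVE_EVENTS = [
    AuthEvent("svc-billing-sync", "worker-pool-a", "billing-db", 2, "read"),
    AuthEvent("svc-billing-sync", "bastion-ext-7", "billing-db", 14, "read"),
    AuthEvent("svc-billing-sync", "bastion-ext-7", "iam-api", 14, "list_roles"),
]

# Constructed grant graph: an edge means "holding the left side lets you reach
# or act as the right side" (a token stored in a bucket, a delegated OAuth scope).
GRANT_EDGES = {
    "svc-billing-sync": ["billing-db", "report-bucket"],
    "report-bucket": ["oauth:reporting-app"],
    "oauth:reporting-app": ["crm-api", "svc-export"],
    "svc-export": ["customer-pii-store"],
}

if __name__ == "__main__":
    for idx, ident, dev in detect(build_baselines(BASELINE_EVENTS), LIVE_EVENTS):
        print(f"event {idx}: {ident} deviates on {', '.join(dev)}")
    for p in pivot_paths(GRANT_EDGES, "svc-billing-sync"):
        print(" -> ".join(p))
```

The first live event scores clean, the second is flagged on source and timing, and the third on all four axes, even though each authentication succeeded with a valid credential. The path walk is the posture half: it tells you which routes exist, while `detect` tells you whether one is being used right now, which is the separation the third guidance point asks for.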



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Human-behaviour detection does not scale to non-human identity movement. The article is correct that defenders can see an NHI authentication event and still miss the compromise, because the question is not whether access happened but whether it fit the identity’s normal operating pattern. That makes the problem one of runtime identity interpretation, not simple visibility. Practitioners should treat NHI behavioural context as a first-class governance requirement, not a secondary telemetry layer.

A question worth separating out:

Q: Who should own response when a non-human identity starts behaving unusually?

A: Ownership should sit with the team that governs the identity lifecycle and the service or application it supports, not only with the SOC. Security, IAM, and platform owners need a shared response path because the incident is both a detection event and an access-governance event. The right question is who can validate legitimacy fastest and revoke trust before movement spreads.

👉 Read our full editorial: NHI lateral movement bypasses human-centric detection logic


