NHI Forum
About a year ago the Non-Human Identity Management Group published its view on the Top-10 Non-Human Identity Issues including an amazing animated video.
Since then, in 2025 the OWASP community published their NHI Top-10.
What do you think about our top-10 and how this has evolved to the OWASP Top-10?
Are there any items missing from these Top-10s that we think should be added?
- Plain-Text / Unencrypted Credentials – organisations will find that many NHIs have been hard-coded into source-code repositories and therefore can be easily discovered by both External and Internal Threat Actors.
- Full Inventory of Non-Human Accounts – obtaining an inventory of all NHIs is very challenging, as there could be many platforms, end-points, directory services, cloud integrations where these NHIs exist.
- Stale / Inactive Accounts – due to weak lifecycle process, a lack of visibility of usage information and a lack of inventory, many NHIs end up inactive. This increases the attack surface area. We have found orgs where some accounts have not been used for 20+ years and in excess of 50% of the accounts are stale / inactive.
- Lack of Account Ownership – after addressing inventory issues, the next key thing that needs to be done is ensuring we identify an owner for each NHI, so we know who to contact to drive hygiene/remediation activities or when an NHI account gets compromised.
- Humans Using Non-Human Accounts – humans using NHIs has always been a problem, as it has been very easy to bypass controls and use an NHI account to access assets/data. With the focus on Privilege Access Management (PAM), humans have started to lose permanent access to environments, in particular production – rather than use PAM controls they have shifted to using NHI accounts.
- Excessive Privileges – NHIs in general are highly privileged accounts, but we see in many cases NHIs are given excessive privileges, when much lower permissions would suffice.
- Lack of Credential Cycling – cycling / rotating NHIs is very challenging for a number of reasons e.g. lack of passwordLastChange information, unknown dependencies that could cause operational impact, changes required to application code/config, lack of vaulting of credentials, lack of end-point cycling capabilities.
- Lack of Environment Segregation – we see many cases where the same NHI is used in production and non-production environments, increasing the risk of lateral movement.
- Sharing of Credentials across Apps – we see many examples where NHIs are shared across applications, which breaks principles of need-to-have and least-privilege. This also makes things like password cycling much more complex.
- Non-Complex Passwords – NHI passwords have been found to be non-complex and therefore prone to password guessing attacks.
- Improper Offboarding: Failure to deactivate or remove NHIs when no longer needed, leaving them vulnerable to exploitation.
- Secret Leakage: Exposure of sensitive credentials like API keys and tokens through insecure practices, such as hardcoding or storing in plain text.
- Vulnerable Third-Party NHIs: Risks from compromised third-party tools or services integrated into workflows.
- Insecure Authentication: Use of outdated or weak authentication methods for NHIs, increasing susceptibility to attacks.
- Overprivileged NHIs: Assigning excessive permissions to NHIs, which can be exploited if compromised.
- Insecure Cloud Deployment Configurations: Mismanagement of credentials and tokens in cloud environments, leading to unauthorized access.
- Long-Lived Secrets: Use of static, long-term credentials that are more prone to compromise.
- Environment Isolation: Lack of proper isolation between environments, allowing attackers to move laterally across systems.
- NHI Reuse: Reusing NHIs across multiple applications or environments, increasing the attack surface.
- Human Use of NHIs: Misuse of NHIs by humans, such as sharing credentials or using them inappropriately.
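As an added example (not from the post or from either Top-10 list), a small audit over a constructed NHI inventory that flags several of the hygiene issues both lists describe: missing owner, stale accounts, missing passwordLastChange information or uncycled credentials, one identity shared across applications, and the same identity used in production and non-production. The record fields, the thresholds and the sample data are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one row per account/environment
# binding, as an NHI discovery tool might export it.
INVENTORY = [
    {"name": "svc-billing", "owner": "team-pay", "env": "prod", "apps": ["billing"],
     "last_used": date(2025, 5, 20), "pw_last_change": date(2024, 11, 1)},
    {"name": "svc-legacy", "owner": None, "env": "prod", "apps": ["erp"],
     "last_used": date(2003, 2, 1), "pw_last_change": None},
    {"name": "svc-etl", "owner": "team-data", "env": "prod", "apps": ["etl", "reports"],
     "last_used": date(2025, 6, 1), "pw_last_change": date(2025, 1, 10)},
    {"name": "svc-etl", "owner": "team-data", "env": "dev", "apps": ["etl"],
     "last_used": date(2025, 6, 1), "pw_last_change": date(2025, 1, 10)},
]

STALE_AFTER = timedelta(days=365)   # assumed policy thresholds, tune per organisation
ROTATE_AFTER = timedelta(days=90)
TODAY = date(2025, 6, 15)           # constructed audit date

def audit(inventory, today):
    """Map each account name to the list of hygiene findings raised against it."""
    findings = {}

    def flag(name, msg):
        if msg not in findings.setdefault(name, []):   # dedupe across env rows
            findings[name].append(msg)

    envs = {}
    for rec in inventory:
        envs.setdefault(rec["name"], set()).add(rec["env"])
        name = rec["name"]
        if rec["owner"] is None:                       # lack of account ownership
            flag(name, "no owner")
        if today - rec["last_used"] > STALE_AFTER:     # stale / inactive account
            flag(name, f"stale: unused for {(today - rec['last_used']).days} days")
        if rec["pw_last_change"] is None:              # cannot tell if it was ever cycled
            flag(name, "no passwordLastChange information")
        elif today - rec["pw_last_change"] > ROTATE_AFTER:
            flag(name, "credential not cycled")        # lack of credential cycling
        if len(rec["apps"]) > 1:                       # sharing of credentials across apps
            flag(name, "shared across apps: " + ", ".join(rec["apps"]))
    for name, used_in in envs.items():                 # lack of environment segregation
        if "prod" in used_in and len(used_in) > 1:
            flag(name, "same identity in prod and non-prod")
    return findings

def stale_fraction(inventory, today):
    """Share of distinct accounts unused for longer than STALE_AFTER."""
    names = {r["name"] for r in inventory}
    stale = {r["name"] for r in inventory if today - r["last_used"] > STALE_AFTER}
    return len(stale) / len(names)
```

Running `audit(INVENTORY, TODAY)` on the sample data raises findings against all three accounts; `stale_fraction` gives the kind of "share of accounts that are stale" number the post quotes.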
My two cents:
The original Top-10 from the Non-Human Identity Management Group set the stage for addressing critical risks, and it’s great to see OWASP build on that momentum in 2025. The issues like stale accounts, lack of ownership, and excessive privileges are still very real. One area that could be added is monitoring and behavioral analytics to detect misuse early. As NHIs continue to grow, visibility and control must evolve with them.
@b-sameer2 great points around monitoring and behavioural analytics to detect misuse early. This is a very important part of solving and managing the huge risks around NHIs - thanks for your input