Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Machine identity attack surface: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Machine identities now sit at the centre of several recent breach paths because service accounts, API keys, and tokens often carry broad, always-on access, according to Token Security's analysis of recent attacks. The governance problem is not simply credential volume, but the assumption that machine access behaves like human access and can be managed the same way.

NHIMG editorial — based on content published by Token Security: The Machine Identity Attack Surface and MITRE ATT&CK redefined

By the numbers:

Questions worth separating out

Q: How should security teams govern machine identities that are embedded in applications?

A: Security teams should govern embedded machine identities through inventory, ownership, scope, and retirement, not just password rotation.

Q: Why do machine identities increase lateral movement risk in cloud environments?

A: Machine identities increase lateral movement risk because they often carry persistent access into storage, source code, admin consoles, and automation systems.

Q: What do teams get wrong about rotating API keys and service accounts?

A: Teams often treat rotation as a complete fix, but rotation only shortens exposure if the credential is already well-scoped and fully owned.

Practitioner guidance

  • Inventory every machine identity and its dependencies Build a complete inventory of service accounts, API keys, tokens, certificates, and managed identities, then map each one to the applications, pipelines, and cloud services that depend on it.
  • Reduce privilege before rotating secrets Review the permissions attached to each machine identity first, then rotate credentials after the access scope is trimmed to the minimum required for the workload.
  • Track secret location outside the vault Search code, config files, CI/CD variables, support systems, and storage buckets for embedded secrets, because the vault is only part of the trust surface.

What's in the full article

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Detailed walkthrough of the Sisense, Microsoft, and Cloudflare cases with the access paths involved
  • Token-to-system attack-path mapping tied to MITRE ATT&CK techniques for machine identities
  • Practical handling guidance for exposed credentials, including what to reset first and how to triage scope
  • Vendor-specific machine identity detection and prioritisation workflow examples

👉 Read Token Security's analysis of the machine identity attack surface and breach paths →

Machine identity attack surface: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Machine identity attack surface is now an identity governance problem, not just a cloud hygiene problem. The article shows that service accounts, API keys, and tokens can bypass the traditional human identity lifecycle because they are embedded, shared, and always on. That means the attack surface is defined less by how many identities exist than by how many of them cannot be seen, owned, or retired with confidence. Practitioners should treat machine identity governance as part of core IAM design, not an afterthought.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

A question worth separating out:

Q: How do organisations know if machine identity controls are actually working?

A: Controls are working when the organisation can answer three questions quickly: who owns the identity, where the secret is stored, and which systems depend on it. If those answers require manual detective work, the programme is still operating at discovery rather than control. Measurable visibility and clean offboarding are stronger signals than raw secret counts.

👉 Read our full editorial: The machine identity attack surface is widening faster than controls



   
ReplyQuote
Share: