Non-Human Identity Global Summit

History was created as our NHI Mgmt Group co-hosted the first ever Global NHI Summit at the iconic Nasdaq Marketsite venue in NY on 27th Feb 2025 with Entro Security.

We also used the event to launch our new Logo and Branding, including replacing our iconic t-shirt.

We had 20 industry-leading speakers, 11 sponsors and over 200 participants in attendance from all industries, with an amazing agenda that, on the whole, provided thought-provoking insights around Non-Human Identities.

Opening Remarks by Itzik Alvas and Lalit Choda (Mr. NHI)

It was a huge honour and privilege to share opening remarks, to kick off the historic, first-of-its-kind #NHIGlobalSummit.

After introducing #MrNHI and our NHI Mgmt Group, I welcomed everyone to the event, thanked our sponsors and our guest speakers, and finally thanked our NHI Mgmt Group and Entro Security teams, who worked tirelessly over the last 3 months to plan the event, including all the logistics, marketing etc., which resulted in massive interest within the industry, with approx. 300 folks registering for the event.

I shared insights on what to expect during the day and explained why this is the hardest risk you will probably tackle in your career, given the very weak controls around NHIs and that it impacts all your IT processes and teams.

I went on to cover "Why Now": due to Hyper Fragmentation (Multi-Cloud, On-Prem, SaaS, Microservices, Containerisation, GenAI) we have a huge Secrets Sprawl problem, NHIs are easy to discover, and breaches are occurring on a regular basis. I also shared that this is not just an external Cyber threat, but a huge Internal threat also.

Finally, I asked the audience 3 questions:

  1. How many are very concerned about NHI risks?

  2. How many know how to fully address NHI risks?

  3. How many are actively pursuing an NHI program currently?

Watch the full video here of my opening remarks.

Panel: 2024 – 2025 NHI Stats that will Blow your Human Mind

Moderated by: Lalit Choda, Founder, Non-Human Identity Management Group

Panellists:

  • Daniel Cohen, Senior Vice President, Enterprise Security Architecture & Capabilities, Paramount

  • Itzik Alvas, CEO & Co-founder, Entro Security

  • Rahul Bhardwaj, Vice President – Cyber and Data Privacy, Head Information Security – Americas, EXL

  • Itay Mesika, CEO and Co-founder, Axiom

Lalit Choda introduced the session by highlighting the most comprehensive, ground-breaking research report that he published in January 2025, "The Ultimate Guide To Non-Human Identities", in which one chapter was a deep dive on major research and surveys conducted by the Non-Human Identity Mgmt Group and other organisations. Four mind-blowing NHI stats were pulled out of this report and discussed by the panel:

  1. Stat 1 - Secrets Sprawl - A staggering 12.8 million occurrences of secrets were detected on GitHub.com in 2023

  2. Stat 2 - NHI Breaches - 66% of enterprises have endured a successful cyber attack from compromised NHIs

  3. Stat 3 - Addressing NHI Risks - 68% of respondents said they don't know how to fully address Non-Human Identity risks

  4. Stat 4 - Mismanaged NHIs - 97% of NHIs have excessive privileges increasing unauthorised access and broadening the attack surface

The panel shared some great insights that brought home to the audience the huge exposure and challenges around managing and securing NHIs.

This is due to: many NHIs being static in nature; a huge secrets sprawl problem from hyper fragmentation; weak or non-existent lifecycle processes; easy discovery and compromise; excessive privileges; and breaches seen on a regular basis, including in 3rd party supply chains.

You can view the full presentation here.

Best Practices for NHI Security: What do I Prioritize


Kamal Congevaram Muralidharan (Co-founder and Chief Technologist, Andromeda Security) delivered a talk on Best Practices for NHI Security, highlighting the importance of entitlements for non-human security.

He recommended the following NHI Security best practices:

  • Use short-lived credentials whenever possible to reduce risk

  • Dynamically evaluate and right-size entitlements to least privilege to minimize the attack surface

  • Use behavioural analysis to detect anomalies and identity compromises

The VC Perspective: Why We Decided to Invest in an NHI Company


Nathan Shuchami (Managing Partner, Hyperwise) shared fascinating insights on how a VC firm operates, how it evaluates companies to invest in and why they chose to invest in an NHI company.

Their 5 leading investment criteria:

  • The CEO

  • Organic sales skills from day zero

  • Solving a real, material and immediate problem

  • MVP in 8 months from seed funding

  • High barrier to entry, yet feasible solution

What they look for in Cybersecurity Founders:

  • Deep Domain Expertise

  • Hands On Practitioner Experience

  • Vision and Adaptability

  • Ability to Execute

  • Market Validation and Seamless Adoption

  • Relentless Passion and Persistence

Defending Against Identity Breaches: A Comprehensive Taxonomy of Attacker TTPs and How to Stop Them


Vincenzo Iozzo (Founder & CEO, SlashID) shared amazing insights on attackers' tactics, techniques and procedures (TTPs) and how you can stop them:

  • 79% of attacks today are malware free

  • 31% of all breaches involve stolen credentials

  • +583% increase in kerberoasting attacks YoY

  • 66% of AWS breaches are caused by leaked/stolen credentials

Vincenzo explained the anatomy of a breach:

  • Phishing or Credential Leak -> Initial Compromise -> Credential Harvesting -> Data Exfiltration

and the root causes:

  • Stateless tokens

  • Complex protocols

  • Broken permission models

Finally, he spoke about how to defend against these attacks:

  1. Identity attacks don't target only NHIs -> need to cover human identities also

  2. Posture, lifecycle management and PAM are not enough -> ITDR capabilities are key to reduce dwell time

  3. IdP audit logs have partial visibility -> need a comprehensive view of your environment

  4. MFA and FIDO are not enough - attackers get around both -> ITDR + device bound tokens

  5. Over-permissioned and long-lived identities make lateral movement trivial -> migrate to JIT access

Fireside chat: Managing the full-lifecycle of Secrets & Non-Human Identities


Oded Hareven (CEO and Co-founder, Akeyless) and James J Azar (CISO at AP4 Group & Host of the CyberHub Podcast) highlighted how reducing secrets and leveraging #SPIFFE, #SPIRE, and #OIDC tokens helps shrink the attack surface.

Less secrets, more security!

One great discussion was around the different generations, or maturity levels, of NHI Management. Oded shared that with most clients at the moment the focus is on protecting the credentials (secrets):

  • 1st Gen - Static secrets are the core issue at most orgs and the initial focus is the need to get them secured, e.g. in a secrets vault, to reduce discovery etc.

  • 2nd Gen - Rotation tends to be the next generation or focus; however, it is not being implemented as much as it should be, even though regulators and auditors expect this to happen. Why? Because it's very hard to rotate without potentially causing operational impact.

  • 3rd Gen - moving on from rotation, and using Just-In-Time (JIT) credentials and temporary identities

The Human Journey to Managing NHIs: Lessons from a CISO on the Frontline


Mario Duarte (Chief Information Security Officer, Aembit & Former CISO of Snowflake) gave fascinating insights, having previously been CISO at Snowflake.

  • 60% of CISOs in publicly traded companies state that IAM is a function owned by their team

  • 65% of CISOs in privately held companies state that IAM is a function owned by their team

  • Human errors are the cause of the majority of major security breaches in the past 20 years - from weak passwords and poor credential management, phishing attacks, misconfigured system and security settings, unpatched software, unauthorised software and shadow IT

  • Human IAM solutions like MFA, FIDO2, Zero Trust etc. have created more secure access and made users' lives better and more productive

  • Same goals required for Non-Human Identities - find solutions that improve the overall security posture; help everyone become more productive

  • The root causes of a huge breach: issues/anomalies were found with software accessing the most sensitive systems (and there were a lot of them); monitoring and alerting wasn't good enough; Devs were left with a terrible experience managing secrets

  • By deploying Non-Human IAM you will achieve: proactive practices with automation; better developer experience; a multiplier effect when integrating NHI IAM with existing security tools

Fireside chat: When AI Agents Manage NHI’s


Omri Green (Co-founder and GTM, Twine Security) hosted a fireside chat on the main stage with Yuval Malisov (Chief Information Security Officer, BHI), where we discussed the opportunities in #AgenticAI for the #cybersecurity industry for the financial sector and beyond.

With Deloitte's forecasts that 25% of enterprises will deploy AI agents by 2025, growing to 50% by 2027, the message is clear: adapt or fall behind.

For financial institutions, this means:

  • Building clear operational boundaries with AI

  • Balancing productivity gains against regulatory requirements

  • Implementing governance before deployment, not after

  • The next step in evolution is AI employees that mimic human problem-solving abilities.

For CISOs and cyber teams, this means:

  • Shifting entire workloads to AI systems

  • Finally taking the strategic view they've been too overburdened to achieve

  • Focusing on high-value decision making instead of routine operations

When thinking about Identity, AI employees are set to augment the teams with:

  • Handling day to day tasks, like Access Requests

  • Finding missing owners of Non Human Identities

  • Making sense of the complex entitlements, so humans can make informed decisions.

Are you developing your strategy around AI and embracing the wave, or will you be playing catch-up when your competitors gain the advantage?

Panel: The Challenges and Opportunities of Securing NHIs in the Modern Enterprise

Moderated by: Larry Whiteside Jr., Co-founder and President, Confide

Panellists:

  • Olivia Phillips, Business Information Security Officer, Amtrak

  • Harnit Singh, Founding Product Manager, P0 Security

  • Art Poghosyan, CEO & Co-Founder, Britive


Larry Whiteside Jr. hosted an entertaining discussion with Olivia Phillips, Artyom Poghosyan and Harnit Singh on the challenges and opportunities of securing NHIs in the modern enterprise.

Case Study: I Was Breached and Lived to Tell – How to Handle an NHI Attack


John Remo (CEO and Co-founder, Arbitium) shared fascinating insights about a major breach that left an organisation with unauthorised data access, extended breach duration, and regulatory and legal consequences.

What went wrong:

  • Inadequate Monitoring of NHIs

  • Lack of Secure credential management

  • Absence of Least Privilege

  • Insufficient Lifecycle Management

Why Non-Human Identity Management matters so much?

  • Expanding Attack Surface

  • Complexity of Access Controls

  • Automation and Scale

  • Regulatory Compliance

  • Reputation and Trust

Breach Implications

  • Cost of reimbursement for any damages / class action lawsuits

  • Crisis communication and public relations

  • Legal & Regulatory Compliance - inside and outside USA (more strict)

  • 3rd Party Supply Chain Risks

  • Internal & External Customer / Stakeholder Trust

Why I Implemented a Solution: Lessons from a Security Engineer on the Frontlines


Christopher Cutajar (Principal Information Security Engineer, Elastic) shared lessons learned:

  • Get Leadership Onboard - need executive buy in

  • Finding Owners is Hard and very time consuming

  • Take a Data Driven Approach to get visibility

  • Automation Helps at Scaling

  • Create User Empathy e.g. through pilot groups

  • Work as a Team to help with this huge challenge that spans all IT groups/processes

NHI Analyst Review: Market Trends, Risks & Opportunities


Francis Odum (Founder, Software Analyst Cybersecurity Research) shared key market trends:

  • Vendor Proliferation

  • Cloud NHIs & Microservices

  • Machine PKI & Certificates Mgmt

  • API Explosion

  • Compliance & Regulatory Drivers

Drinks & Networking
  • The most important part of the day