The OWASP NHI Top 10 identifies the most critical security risks related to non-human identities. These include:
● NHI1:2025 – Improper Offboarding
– When NHIs such as service accounts, API keys, or machine identities are no longer needed but remain active, they become orphaned identities.
– Offboarding processes tend to focus on the departing person's own accounts, so the NHIs that person created or owned are often missed, leaving unused but still functional NHIs in the system.
– Attackers can use these orphaned NHIs as "backdoor" access points that bypass the regular security controls.
● NHI2:2025 – Secret Leakage
– Secrets such as API keys, tokens, or certificates used by devices and workloads are sometimes committed to code repositories, written to logs, or otherwise left where people who should not have them can read them.
– Once a secret is exposed, anyone holding it can present it to impersonate the NHI and gain unauthorized access to the systems and data that NHI can reach.
● NHI3:2025 – Vulnerable Third-Party NHIs
– Integrating with third-party services that manage their own NHIs insecurely can expose your environment to risk.
– This occurs when the NHIs a third party uses, including those that reach into your environment, are not properly secured or monitored.
– A weak link in a third-party service gives attackers an easy entry point into your system.
● NHI4:2025 – Insecure Authentication
– Many NHIs rely on weak or outdated authentication mechanisms, such as static app passwords, deprecated protocols, or the implicit OAuth flow, leaving them open to exploitation.
– Weak authentication lets attackers bypass security controls and gain unauthorized access to the NHI, and from there potentially compromise the systems it manages.
● NHI5:2025 – Overprivileged NHIs
– NHIs are often granted far more permissions than they need, violating the principle of least privilege.
– If attackers compromise such an NHI, they inherit everything it can do, so the damage from a single compromise is far greater than it needed to be.
● NHI6:2025 – Insecure Cloud Deployment Configurations
– NHIs used in cloud deployments are often exposed through misconfiguration, for example CI/CD pipelines that embed static cloud credentials, or OIDC trust configurations whose conditions are loose enough that unintended workloads can assume the identity.
– Attackers can find such misconfigurations easily and exploit them to gain access to sensitive resources.
● NHI7:2025 – Long-Lived Secrets
– NHIs often rely on long-lived secrets, such as API keys or passwords, that are rarely or never rotated.
– It is like using the same password for years without changing it.
– If such a secret is compromised, attackers can keep using it until it is finally rotated, often long before anyone notices.
● NHI8:2025 – Environment Isolation
– NHIs often have access to multiple environments (for example development, staging, and production) when each should be limited to one.
– If an NHI is compromised in one environment, attackers can use it to move laterally and cause damage in the others.
● NHI9:2025 – NHI Reuse
– NHIs are often reused across multiple systems or applications, so a single identity ends up serving many tasks, breaking the principles of least privilege and segregation of duties.
– If that one NHI is compromised, attackers gain access to every system where it is used, escalating the impact of the attack.
● NHI10:2025 – Human Use of NHIs
– When human users sign in with an NHI's credentials to perform routine tasks, they bypass the control mechanisms that apply to human identities, such as PAM.
– These actions are hard to log and monitor properly: the audit trail shows the NHI, not the person, so it is unclear who is actually responsible for an action (repudiation).
– Many NHI incidents are in fact the result of this kind of human use.
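Secret leakage (NHI2) is usually caught by scanning source, configuration and log lines for credential-shaped strings. The scanner below is an added example and not part of the OWASP document: it combines fixed-format patterns (AWS access key IDs, GitHub personal access tokens, JWTs, PEM private-key headers) with a generic check for assignments to variables named like secrets, gated by a Shannon-entropy threshold so that placeholders such as `password=aaaa...` are not reported. The sample lines, the pattern set and the 3.5-bit threshold are assumptions for the example; the AWS key is AWS's own documentation placeholder and every other value is made up.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Fixed-format credential patterns. Each one is tied to a documented token
# layout, so a match is a strong signal on its own.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch-all: something named like a secret being assigned a long value.
# On its own this is noisy, so it is gated by the entropy threshold below.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*[\"']?([A-Za-z0-9/+_\-]{16,})"
)
MIN_ENTROPY_BITS = 3.5  # assumed threshold; tune against your own false-positive rate


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never report the full secret: the report is itself a leak vector


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, placeholders score low."""
    total = len(s)
    return -sum(c / total * math.log2(c / total) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a 4-character prefix so the finding can be triaged, mask the rest."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def scan_lines(lines):
    """Return one Finding per credential-shaped value, specific patterns first."""
    findings = []
    for n, line in enumerate(lines, start=1):
        covered = []  # spans already reported by a specific pattern on this line
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                covered.append(m.span())
                findings.append(Finding(n, kind, redact(m.group(0))))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            start, _ = m.span(1)
            if any(s <= start < e for s, e in covered):
                continue  # already reported under a more specific kind
            value = m.group(1)
            if shannon_entropy(value) >= MIN_ENTROPY_BITS:
                findings.append(Finding(n, "high_entropy_assignment", redact(value)))
    return findings


# Constructed sample input mixing source, config and log lines. None of these are
# real credentials: the AWS key is AWS's documentation placeholder, the rest are made up.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    "2025-03-01T10:02:11Z INFO GET /v1/invoices Authorization: Bearer "
    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdmMtYmlsbGluZyJ9.c2lnbmF0dXJl",
    "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "-----BEGIN RSA PRIVATE KEY-----",
    "DATABASE_PASSWORD=Xk9vQ2pLm4Rt7Wn1Zs8Bd3Fg6Hj0",
    "password=aaaaaaaaaaaaaaaaaaaa",
    "2025-03-01T10:02:12Z INFO GET /v1/invoices status=200",
]


def scan_sample():
    return scan_lines(SAMPLE_LINES)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

The run reports the AWS key, the bearer JWT in the log line, the GitHub token, the private-key header and the high-entropy database password, and stays silent on the all-`a` placeholder and the clean log line. Redacting to a short prefix is deliberate: a findings report that contains the full secret is one more place it has leaked to.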
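Improper offboarding, overprivileged NHIs, long-lived secrets, missing environment isolation, NHI reuse and human use of NHIs (NHI1, NHI5, NHI7, NHI8, NHI9, NHI10) can all be checked mechanically from an NHI inventory. The audit below is an added example, not OWASP's code: the record shape, the 90-day rotation and idle thresholds, the fixed as-of date and the three inventory entries are assumptions chosen so the run is deterministic. In practice the inventory would be assembled from the cloud IAM APIs, the secrets manager and sign-in logs.

```python
from dataclasses import dataclass
from datetime import date

AS_OF = date(2025, 3, 1)      # fixed reference date so the example is deterministic (assumed)
MAX_SECRET_AGE_DAYS = 90      # rotation interval assumed for this example
MAX_IDLE_DAYS = 90            # an NHI unused this long is treated as orphaned (assumed)


@dataclass
class NHI:
    name: str
    owner: str                 # the human accountable for this identity
    owner_active: bool         # False once that person has been offboarded
    secret_created: date       # when the current credential was issued or last rotated
    last_used: date
    environments: set          # e.g. {"prod"}; more than one breaks isolation
    consumers: set             # workloads or systems that present this identity
    permissions: set           # granted actions, e.g. "s3:GetObject"
    interactive_sessions: int  # sign-ins from a human terminal or browser, not a workload


@dataclass(frozen=True)
class Finding:
    nhi: str
    risk: str    # OWASP NHI Top 10 identifier
    detail: str


def audit_one(n, as_of=AS_OF):
    """Apply the inventory-level NHI Top 10 checks to a single identity."""
    findings = []
    # NHI1 Improper Offboarding: owner is gone, or the credential is still valid but idle
    reasons = []
    if not n.owner_active:
        reasons.append(f"owner {n.owner} has been offboarded")
    idle_days = (as_of - n.last_used).days
    if idle_days > MAX_IDLE_DAYS:
        reasons.append(f"unused for {idle_days} days")
    if reasons:
        findings.append(Finding(n.name, "NHI1", "; ".join(reasons)))
    # NHI5 Overprivileged: wildcard actions grant far more than any single workload needs
    wildcards = sorted(p for p in n.permissions if "*" in p)
    if wildcards:
        findings.append(Finding(n.name, "NHI5", f"wildcard permissions {wildcards}"))
    # NHI7 Long-Lived Secrets: credential older than the rotation interval
    age_days = (as_of - n.secret_created).days
    if age_days > MAX_SECRET_AGE_DAYS:
        findings.append(Finding(n.name, "NHI7", f"secret is {age_days} days old"))
    # NHI8 Environment Isolation: one identity reaching several environments
    if len(n.environments) > 1:
        findings.append(Finding(n.name, "NHI8", f"spans {sorted(n.environments)}"))
    # NHI9 NHI Reuse: the same identity presented by several consumers
    if len(n.consumers) > 1:
        findings.append(Finding(n.name, "NHI9", f"shared by {sorted(n.consumers)}"))
    # NHI10 Human Use: people signing in as the NHI bypass PAM and break attribution
    if n.interactive_sessions > 0:
        findings.append(Finding(n.name, "NHI10", f"{n.interactive_sessions} interactive sessions"))
    return findings


def audit(inventory, as_of=AS_OF):
    return [f for n in inventory for f in audit_one(n, as_of)]


# Constructed inventory for the example (names, dates and permissions are made up).
INVENTORY = [
    NHI("svc-billing-prod", "alice", True, date(2025, 1, 15), date(2025, 2, 28),
        {"prod"}, {"billing-api"}, {"s3:GetObject", "sqs:SendMessage"}, 0),
    NHI("svc-legacy-etl", "bob", False, date(2023, 6, 1), date(2024, 9, 3),
        {"prod", "staging"}, {"etl-job", "reporting", "adhoc-scripts"}, {"*"}, 4),
    NHI("ci-deployer", "carol", True, date(2024, 11, 1), date(2025, 2, 27),
        {"prod"}, {"github-actions"}, {"ecs:UpdateService"}, 0),
]


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.nhi}: {f.risk} - {f.detail}")
```

With the constructed inventory, `svc-billing-prod` is clean, `ci-deployer` is flagged only for a 120-day-old secret (NHI7), and `svc-legacy-etl` trips all six checks: its owner has left and it has been idle for months, it holds a wildcard grant, its secret is years old, it spans staging and prod, three different consumers share it, and humans have been signing in with it. NHI2 (leakage), NHI3 (third parties), NHI4 (authentication method) and NHI6 (cloud deployment configuration) are not visible from an inventory like this and need their own checks against code, vendor integrations, identity-provider settings and pipeline configuration.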