
What is a non-human identity?
Machine or programmatic identities, such as services, apps, scripts, bots, and other automated agents, are all working behind the scenes to automate workflows. In other words, machines and systems are talking to other machines without human involvement.
These non-human identities (NHIs) automatically authenticate using API keys, tokens or certificates. They are designed to automate and streamline workflows, but they open the door to potential risks. If one such system or machine is compromised, it can have a ripple effect across other systems.
Common non-human identities
While the list is long, the most common types of NHIs include:
- Service accounts: Special-purpose accounts used by applications or scripts to access systems or resources without human intervention
- API keys: Tokens used to authenticate applications or services when calling APIs, often hard-coded or poorly managed
- OAuth clients/bearer tokens: Credentials used by applications to obtain access tokens and interact with other systems under delegated authority
- Certificates and private keys: Cryptographic credentials used to verify and secure communication between machines or services
- IoT device identities: Unique credentials assigned to connected devices to authenticate and interact with cloud services or networks
- Robotic process automation (RPA) bots: Software bots that perform repetitive tasks and require access to applications or data using stored credentials
- Container or pod identities: Machine identities assigned to containers or pods (e.g., in Kubernetes) to securely access other cloud-native resources
The explosion of NHIs over the past few years is significant. On most systems, the number of non-human identities outnumbers human users. For example, NHI secrets such as service accounts in Kubernetes outnumber human identities by a factor of 45:1 in DevOps environments. Many of these secrets are exposed and remain that way. A study by GitGuardian showed that 70% of the secrets detected in public repositories in 2022 are still active today.
The potential problems appear to be even more acute with the adoption of AI for code development. While this can enhance code production, credentials are often exposed in ways that do not typically occur using traditional development practices.
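The exposure the GitGuardian figure above points at is detectable before a commit ever reaches a public repository. As an added example (not code from the original post, GitGuardian, or Barracuda), the scanner below flags credential-like strings in a constructed sample of committed source. The three patterns are assumptions chosen to match the shape of the fake sample values (an AWS-style access key ID, a GitHub-style personal access token, and a generic password assignment); they are not an authoritative or complete catalogue of secret formats, and the `SAMPLE_FILE` content is constructed.

```python
import re

# Each entry is (pattern_name, compiled regex with exactly one capturing
# group holding the secret value). The formats are assumptions for this
# example, not a complete list of real-world token formats.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github_token", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    # Matches "password = ...", "secret: ..." and similar assignments whose
    # value is at least 8 non-space characters.
    ("generic_password", re.compile(
        r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]

# Constructed sample of a settings file accidentally committed to a repo.
SAMPLE_FILE = """\
# constructed sample: settings.py committed to a repo
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
db_password = "correct-horse-battery"
"""


def redact(value):
    """Keep the first 4 and last 2 characters so a finding can be matched
    to the real credential without copying the whole secret into logs."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text):
    """Return [(line_no, pattern_name, redacted_value)] for every match.

    Lines are numbered from 1; a line that reads a secret from the
    environment rather than embedding it (line 3 of the sample) is not
    flagged because no literal value is present."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((line_no, name, redact(match.group(1))))
    return findings


def has_leaked_secrets(text):
    """Convenience predicate for a pre-commit hook or CI gate."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for line_no, name, value in scan_text(SAMPLE_FILE):
        print(f"line {line_no}: {name} -> {value}")
    raise SystemExit(1 if has_leaked_secrets(SAMPLE_FILE) else 0)
```

Run as a pre-commit hook or CI step, a non-zero exit blocks the commit; the redacted value gives the reviewer enough to identify which credential to rotate without reprinting it in the build log.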
The OWASP NHI Top 10 Risks
Because of the prevalence of non-human identities, the Open Web Application Security Project (OWASP) published a comprehensive list of the most pressing security risks and vulnerabilities arising from NHI use. The OWASP Top 10 Non-Human Identities Risks – 2025 describes each risk and how it can be exploited, to help developers better manage and protect resources.
1. Improper offboarding
Failing to deactivate or remove non-human identities — like service accounts or access keys — after they're no longer needed can leave systems exposed. These dormant credentials can be hijacked by attackers to gain unauthorized access to sensitive environments.
2. Secret leakage
Sensitive credentials such as API keys, tokens or certificates may be stored accidentally in unprotected places like code, config files or chat tools. If these secrets leak, attackers can use them to impersonate services or access restricted systems.
3. Vulnerable third-party NHIs
Many development tools and cloud services rely on third-party components that introduce non-human identities into your ecosystem. If a third-party service or plugin is compromised, it could lead to the theft or misuse of credentials and permissions.
4. Insecure authentication
Non-human identities often rely on outdated or weak authentication methods to connect services and systems. Using deprecated protocols or poor authentication hygiene can make it easier for attackers to impersonate trusted components.
5. Overprivileged NHIs
Sometimes non-human identities are given more access than they need, just for convenience. If one of these identities is compromised, attackers can exploit the excess permissions to move laterally or escalate their attacks.
6. Insecure cloud deployment configurations
Cloud-based CI/CD tools often require credentials to deploy software, but misconfigurations, like storing credentials in plain text, can expose those secrets. If attackers get access to these credentials, they could gain control over production environments.
7. Long-lived secrets
Secrets that never expire or are valid for extended periods are especially dangerous if compromised. An attacker with access to a long-lived secret could exploit it for months or years without detection.
8. Lack of environment isolation
Reusing the same non-human identities across environments (e.g., dev, staging, production) increases risk. A compromise in a lower-risk environment could lead to unauthorized access to critical systems if identity boundaries aren't enforced.
9. NHI reuse across systems
Using the same non-human identity for multiple systems or services may seem efficient, but it creates a single point of failure. If one system is breached, all other systems using the same identity may also be exposed.
10. Misuse of NHIs by humans
Sometimes developers use non-human identities to manually access systems, bypassing the controls meant for human users. This practice makes activity hard to trace and eliminates accountability, creating blind spots in security monitoring.
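Several of the risks above (1, 5, 7, 8 and 9) can be checked mechanically once an organisation has an inventory of its non-human identities. The following is an added example, not code from the original post or from OWASP: it audits a constructed credential inventory against those five risks using the numbering of the list above. The inventory schema, the thresholds (`DORMANT_DAYS`, `MAX_SECRET_AGE_DAYS`) and the markers of broad permission are assumptions chosen for illustration.

```python
from datetime import date

# Assumed thresholds for this example; tune them to your own policy.
TODAY = date(2025, 6, 1)            # fixed so the example is deterministic
DORMANT_DAYS = 90                   # unused this long -> candidate for offboarding
MAX_SECRET_AGE_DAYS = 365           # older than this without rotation -> long-lived
BROAD_PERMISSIONS = {"*", "admin"}  # assumed markers of excessive privilege

# Constructed inventory: one record per credential. The field names are an
# assumption for this example, not a real tool's export format.
INVENTORY = [
    {"id": "svc-billing-prod", "type": "service_account",
     "environments": ["prod"], "used_by": ["billing-api"],
     "permissions": ["db:read", "db:write"],
     "created": date(2025, 3, 1), "last_used": date(2025, 5, 30),
     "expires": date(2025, 9, 1)},
    {"id": "ci-deploy-key", "type": "api_key",
     "environments": ["prod"], "used_by": ["ci-runner", "release-bot"],
     "permissions": ["*"],
     "created": date(2023, 1, 15), "last_used": date(2025, 5, 31),
     "expires": None},
    {"id": "legacy-report-bot", "type": "service_account",
     "environments": ["staging"], "used_by": ["reports"],
     "permissions": ["reports:read"],
     "created": date(2024, 2, 1), "last_used": date(2025, 1, 10),
     "expires": None},
    {"id": "shared-db-cred", "type": "api_key",
     "environments": ["dev", "prod"], "used_by": ["orders"],
     "permissions": ["db:read"],
     "created": date(2025, 4, 1), "last_used": date(2025, 5, 29),
     "expires": date(2025, 7, 1)},
]


def days_since(when, today=TODAY):
    return (today - when).days


def audit_record(rec, today=TODAY):
    """Return [(risk_number, message)] for one credential, numbered as in
    the OWASP NHI Top 10 list above. Checks run in risk-number order."""
    findings = []
    idle = days_since(rec["last_used"], today)
    if idle > DORMANT_DAYS:                                   # risk 1
        findings.append((1, f"improper offboarding: unused for {idle} days"))
    broad = BROAD_PERMISSIONS.intersection(rec["permissions"])
    if broad:                                                 # risk 5
        findings.append((5, f"overprivileged: grants {sorted(broad)}"))
    age = days_since(rec["created"], today)
    if rec["expires"] is None:                                # risk 7
        findings.append((7, "long-lived secret: no expiry set"))
    elif age > MAX_SECRET_AGE_DAYS:
        findings.append((7, f"long-lived secret: {age} days old without rotation"))
    envs = set(rec["environments"])
    if len(envs) > 1:                                         # risk 8
        findings.append((8, f"lack of environment isolation: shared across {sorted(envs)}"))
    systems = set(rec["used_by"])
    if len(systems) > 1:                                      # risk 9
        findings.append((9, f"NHI reuse across systems: used by {sorted(systems)}"))
    return findings


def audit(inventory, today=TODAY):
    """Map credential id -> findings; credentials with no findings are omitted."""
    report = {}
    for rec in inventory:
        findings = audit_record(rec, today)
        if findings:
            report[rec["id"]] = findings
    return report


def risk_counts(report):
    """Count how many credentials hit each risk number, for prioritisation."""
    counts = {}
    for findings in report.values():
        for risk, _ in findings:
            counts[risk] = counts.get(risk, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit(INVENTORY)
    for cred_id, findings in report.items():
        print(cred_id)
        for risk, msg in findings:
            print(f"  [NHI risk {risk}] {msg}")
    print("credentials affected per risk:", risk_counts(report))
```

Risks 2, 3, 4, 6 and 10 are not covered here because they need evidence outside the inventory itself (repository contents, third-party status, protocol configuration, deployment settings, and human-versus-machine usage patterns in access logs). The audit is deliberately conservative: a credential with no expiry is reported as long-lived even when it is young, because "never expires" is the condition the risk describes.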
Real-world attacks
With the significant size of the NHI threat surface, it’s not surprising that bad actors and nation-states would exploit security gaps. These attacks can be especially difficult to detect because the NHIs interacting with systems authenticate legitimately, so an attacker using a stolen NHI credential blends in with expected machine-to-machine traffic and slips past threat detection.
Here are a few recent breaches that have been traced back to non-human identity issues.
GitHub Actions
A supply chain attack on GitHub Actions produced widespread credential exposure. Attackers compromised a maintainer's privileged account, enabling them to modify package tags and redirect users to a malicious payload that scraped secrets from server members using publicly accessible CI/CD workflows.
U.S. Treasury
The U.S. Treasury Department suffered a major security breach when Chinese state-sponsored hackers exploited a compromised API key from BeyondTrust, a third-party cybersecurity provider, to access employee workstations and unclassified documents.
AWS
More than 230 million cloud environments were compromised by exploiting insecurely stored AWS credentials. AWS keys, API tokens and database passwords were exposed, which attackers used to escalate privileges.
The New York Times
The New York Times GitHub breach in January 2024 occurred when attackers exploited an exposed GitHub token, allowing them to steal 270GB of internal source code and IT documentation, which was later leaked on 4chan.
Snowflake
Sensitive data from more than 165 companies was exposed using unsecured credentials lacking multifactor authentication (MFA) and credential rotation. Stolen credential keys were used to access Snowflake accounts without human interaction.
Dropbox
Attackers abused a service account, leveraging API keys and OAuth tokens to breach Dropbox Sign’s production environment. Customer data, user names and hashed passwords were exposed.
Securing your environment
In nearly every case, NHI breaches are the result of a failure to properly secure secrets, credentials or environments by users. The most common non-human identity attack results from human error, underscoring the critical need for security measures to protect sensitive information regardless of where it’s stored or the form it’s in.