Ethical Hacking News
Non-Human Identities (NHIs) pose a significant security threat to organizations due to their increasing presence in modern tech stacks. NHIs authenticate using secrets, which are highly sought after by attackers and often lack proper management, leading to breaches. Understanding the growth of NHIs and their authentication methods is crucial for securing sensitive information.
NHIs pose a significant threat to organizations' security due to their authentication using secrets, which are sensitive information used to grant access to systems and data. The exponential growth of NHIs has led to a lack of understanding about their management and the consequences of not securing them properly. Most companies have no idea about the number of secrets they have, where they are stored, or who is using them, making it difficult to detect compromised NHIs. The reason behind this problem lies in the way NHIs authenticate using secrets, with many developers creating tokens with wider access than needed and expiration dates often optional. Detecting compromised NHIs is much harder than with human identities due to their decentralized nature and lack of visibility. Legacy identity governance and PAM tools are not designed to handle NHIs, leading to secrets sprawl, overprivileged access, and breaches. A complete solution for machine identity management is needed to secure digital assets and prevent breaches.
Non-Human Identities (NHIs) have become a pressing concern in the cybersecurity world, as they pose a significant threat to organizations' security. NHIs are not human identities and include service accounts, service principals, Snowflake roles, IAM roles, and other platform-specific constructs. These entities authenticate using secrets, which are sensitive information used to grant access to systems, data, and critical infrastructure.
The exponential growth of NHIs has led to a lack of understanding about their management and the consequences of not securing them properly. Most security teams immediately think of service accounts when discussing NHIs, but they do not realize that these entities have varying characteristics and authentication methods. Understanding this diversity is essential for effective NHI governance.
One of the primary concerns with NHIs is how they authenticate using secrets. Secrets are highly sought after by attackers, as they provide access to sensitive information. However, most companies have no idea about the number of secrets they have, where they are stored, or who is using them. This lack of awareness can lead to breaches and compromised security.
A 2024 study reported that 23.7 million new secrets were leaked on public GitHub alone that year. Another disturbing statistic is that 70% of the secrets leaked in 2022 are still valid today. These numbers highlight the severity of the issue and the need for effective NHI governance.
The reason behind this problem lies in the way NHIs authenticate using secrets. Most developers create tokens with wider access than needed, just to ensure things work smoothly. Expiration dates are often optional, and some secrets are created with 50-year validity windows. This creates a massive blast radius if one of these secrets leaks, as it can unlock everything from production databases to cloud resources.
Detecting compromised NHIs is much harder than with human identities. Since machines communicate 24/7 from all over the world, malicious activity blends in seamlessly. Many of these secrets act like invisible backdoors, enabling lateral movement, supply chain attacks, and undetected breaches.
A notable example is the Toyota incident, which showed how one leaked secret can take down a global system. Attackers love NHIs because their permissions are often high, visibility is low, and the consequences can be huge.
The shift to cloud-native, microservices-heavy environments has introduced thousands of NHIs per organization. These digital workers connect services, automate tasks, and drive AI pipelines – and every single one of them needs secrets to function. However, unlike human credentials, secrets are hardcoded in codebases, shared across multiple tools and teams, lying dormant in legacy systems, and passed to AI agents with minimal oversight.
The result is secrets sprawl, overprivileged access, and an organization that is one tiny leak away from a massive breach. Legacy identity governance and PAM tools were built for human users, but they do not work well with NHIs. These tools often rely on MFA, which is designed for human identities, not machine-based authentication.
NHIs break this model completely, as they are decentralized and created by developers across teams outside of any central IT or security oversight. Many organizations run multiple vaults, with no unified inventory or policy enforcement.
Secrets Managers help store secrets but do not detect, remediate, or investigate exposure. CSPM tools focus on the cloud, but secrets are everywhere – in source control management systems, messaging platforms, developer laptops, and unmanaged scripts.
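The locations listed above are exactly the places a detection pass has to cover. The following is an added illustration, not code from the article or from GitGuardian, of what such a pass looks like at its simplest: a few well-known credential shapes are matched by pattern, generic `key = "value"` assignments are matched by keyword and then filtered by Shannon entropy so that placeholders such as `changeme` do not become findings, and every finding is reported redacted so the scanner itself never copies a live secret into a report. The sample "files" (a source tree, a chat export, a shell script), the patterns and the 3.5 bits/char threshold are all constructed for the example.

```python
from __future__ import annotations

import math
import re
from collections import Counter

# Constructed sample "files" standing in for the places the article lists:
# a source tree, a chat export and an unmanaged script. All values are fake
# (the AWS pair is the documented AWS example key, not a live credential).
SAMPLE_SOURCES = {
    "src/settings.py": [
        'DATABASE_URL = os.environ.get("DATABASE_URL")',
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    ],
    "chat/ops-channel.txt": [
        "can someone restart the worker?",
        "use token ghp_abcdefghijklmnopqrstuvwxyz0123456789 for now",
    ],
    "scripts/deploy.sh": [
        'export API_KEY="changeme-changeme-changeme"',
        'export API_KEY="q8F2kL9zX3vN7mP4rT6wY1bH5jC0dG8s"',
    ],
}

# Credential formats that are identifiable by shape alone.
STRUCTURED_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic "<secret-like name> = '<value>'" assignments; the captured value is
# entropy-checked afterwards so that obvious placeholders are not reported.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; hypothetical tuning value


def shannon_entropy(value: str) -> float:
    """Bits per character of the value; random API keys score well above 3.5."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never copy a suspected secret into a finding; keep a short prefix only."""
    return value[:4] + "..." + "*" * (len(value) - 4)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) pairs for every suspected secret in a line."""
    findings = []
    for kind, pattern in STRUCTURED_PATTERNS.items():
        for match in pattern.finditer(line):
            findings.append((kind, redact(match.group(0))))
    for match in GENERIC_ASSIGNMENT.finditer(line):
        value = match.group(1)
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(("generic-high-entropy", redact(value)))
    return findings


def scan_sources(sources: dict[str, list[str]]) -> list[dict]:
    """Scan every line of every source and return location-tagged findings."""
    report = []
    for path, lines in sources.items():
        for number, line in enumerate(lines, start=1):
            for kind, redacted in scan_line(line):
                report.append({"path": path, "line": number, "kind": kind, "value": redacted})
    return report


if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES):
        print(f"{finding['path']}:{finding['line']} {finding['kind']} {finding['value']}")
```

On the constructed input this yields four findings (the AWS key pair, the token pasted into chat, and the real-looking key in the script) while the `changeme` placeholder is dropped by the entropy gate. The entropy check is what keeps a keyword scanner usable at scale; the trade-off is that low-entropy but genuine passwords slip through, which is why structured patterns and a vault-backed inventory are needed alongside it.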
NHIs do not follow traditional identity lifecycles: there is often no onboarding, no offboarding, no clear owner, and no expiration. This lack of visibility leaves security teams chasing shadows, manually trying to piece together where a secret came from, what it accesses, and whether it is even still in use.
GitGuardian NHI Governance provides a complete governance layer for machine identities and their credentials. The platform provides an end-to-end visual graph of the entire secrets landscape, connecting the dots between where secrets are stored, which services consume them, what systems they access, who owns them, and whether they have been leaked internally or used in public code.
The platform also includes a policy engine that helps teams enforce consistent controls across all vaults and benchmark themselves against standards like OWASP Top 10. You can track vault coverage across teams and environments, secrets hygiene metrics (age, usage, rotation frequency), overprivileged NHIs, and compliance posture drifts over time.
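To make the hygiene metrics above concrete, here is an added example (written for this page, not GitGuardian's code or data model) of an inventory audit that turns the failure modes described earlier (tokens issued with 50-year validity windows or no expiry at all, credentials with no owner, dormant secrets, overbroad scopes, known leaks) into per-credential findings and the aggregate numbers a team would track over time. The `NHICredential` record, the policy thresholds (one-year maximum validity, 90-day rotation, 30-day dormancy, the scopes treated as broad), the frozen "today" and the three-entry inventory are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy thresholds; real values come from the organisation's standard.
MAX_VALIDITY = timedelta(days=365)            # longest acceptable issue-to-expiry window
MAX_AGE_WITHOUT_ROTATION = timedelta(days=90)  # rotate at least this often
DORMANT_AFTER = timedelta(days=30)             # unused for this long = candidate for removal
BROAD_SCOPES = {"*", "admin", "owner"}         # scopes treated as overprivileged by default

NOW = datetime(2025, 4, 25, tzinfo=timezone.utc)  # frozen "today" for the constructed data


@dataclass
class NHICredential:
    """One machine credential as a vault or cloud inventory would report it."""
    name: str
    store: str                       # which vault / platform holds it
    owner: str | None                # None = nobody claims it
    created_at: datetime
    expires_at: datetime | None      # None = never expires
    last_used_at: datetime | None    # None = never observed in use
    scopes: set[str] = field(default_factory=set)
    leaked: bool = False             # flagged by public-code or internal monitoring


def audit(cred: NHICredential, now: datetime = NOW) -> list[str]:
    """Return the hygiene findings for one credential (empty list = healthy)."""
    findings = []
    if cred.owner is None:
        findings.append("no-owner")
    if cred.expires_at is None:
        findings.append("never-expires")
    elif cred.expires_at - cred.created_at > MAX_VALIDITY:
        findings.append("validity-window-too-long")
    if now - cred.created_at > MAX_AGE_WITHOUT_ROTATION:
        findings.append("rotation-overdue")
    if cred.last_used_at is None or now - cred.last_used_at > DORMANT_AFTER:
        findings.append("dormant")
    if cred.scopes & BROAD_SCOPES:
        findings.append("overprivileged")
    if cred.leaked:
        findings.append("leaked")
    return findings


def hygiene_report(inventory: list[NHICredential], now: datetime = NOW) -> dict:
    """Aggregate per-credential findings into the metrics the text lists."""
    per_cred = {c.name: audit(c, now) for c in inventory}

    def count(tag: str) -> int:
        return sum(1 for findings in per_cred.values() if tag in findings)

    return {
        "total": len(inventory),
        "healthy": sum(1 for findings in per_cred.values() if not findings),
        "never_expires": count("never-expires"),
        "rotation_overdue": count("rotation-overdue"),
        "dormant": count("dormant"),
        "overprivileged": count("overprivileged"),
        "leaked": count("leaked"),
        "unowned": count("no-owner"),
        "vaults": sorted({c.store for c in inventory}),  # coverage across stores
        "findings": per_cred,
    }


# Constructed inventory illustrating the failure modes the article describes.
SAMPLE_INVENTORY = [
    NHICredential("ci-deploy-token", "vault-a", "platform-team",
                  created_at=NOW - timedelta(days=20),
                  expires_at=NOW + timedelta(days=40),
                  last_used_at=NOW - timedelta(days=1),
                  scopes={"deploy:staging"}),
    NHICredential("legacy-db-service-account", "vault-b", None,
                  created_at=NOW - timedelta(days=5 * 365),
                  expires_at=NOW - timedelta(days=5 * 365) + timedelta(days=50 * 365),
                  last_used_at=None,
                  scopes={"admin"}),
    NHICredential("analytics-snowflake-role", "snowflake", "data-team",
                  created_at=NOW - timedelta(days=400),
                  expires_at=None,
                  last_used_at=NOW - timedelta(days=2),
                  scopes={"read:warehouse"},
                  leaked=True),
]


if __name__ == "__main__":
    report = hygiene_report(SAMPLE_INVENTORY)
    for name, findings in report["findings"].items():
        print(f"{name}: {', '.join(findings) or 'healthy'}")
    print({k: v for k, v in report.items() if k != "findings"})
```

Run against the constructed inventory, the short-lived CI token comes out clean, the legacy service account collects every finding except a leak (unowned, a 50-year window, never rotated, never seen in use, admin scope), and the Snowflake role is flagged for having no expiry, being overdue for rotation and having leaked. The point of the aggregate counts is trend tracking: the same report run weekly shows whether vault coverage, rotation and dormancy are improving or drifting.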
In conclusion, non-human identities pose a significant security threat due to their increasing presence in modern tech stacks. Understanding the growth of NHIs and their authentication methods is crucial for securing sensitive information. Effective NHI governance can help organizations prevent breaches by providing an end-to-end visual graph of the entire secrets landscape, connecting dots between various entities.
GitGuardian's platform provides a complete solution for machine identity management, ensuring consistent controls across all vaults and benchmarking teams against industry standards. By adopting this approach, security teams can sleep better at night, knowing that their organization is taking proactive measures to secure its digital assets.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Lurking-Threat-of-Non-Human-Identities-A-Growing-Security-Hazard-ehn.shtml
https://thehackernews.com/2025/04/why-nhis-are-securitys-most-dangerous.html
Published: Fri Apr 25 07:14:21 2025 by llama3.2 3B Q4_K_M