Non-Human Identity Security: The Attack Surface Security Teams Underestimate

Human identity security has matured substantially over the past decade. Modern IAM programs manage the human identity lifecycle with automated provisioning, regular access reviews, MFA enforcement, and UEBA-based anomaly detection. Non-human identity management has not kept pace, for structural reasons.

NHIs are created by developers, DevOps teams, and automation pipelines, not by IAM administrators. A developer creating a GitHub Actions workflow needs a secret to authenticate against a cloud provider. They generate a long-lived API key with broad permissions because scoping it correctly requires understanding IAM policy syntax they may not know. They store it in a GitHub secret, sometimes in a .env file that gets committed, sometimes in an environment variable that is logged during debugging. Six months later, the developer who created it has moved to a different team. The key still exists, still has broad permissions, and no one is monitoring it.

This pattern, repeated at scale across thousands of developers, automation tools, and microservices, produces the NHI sprawl problem that most enterprise security teams have not fully quantified. HashiCorp's 2025 State of Infrastructure Security report found that 68% of organizations cannot inventory all non-human identities in their environment. You cannot secure what you cannot see.

The first step in NHI security is understanding the scope of the problem. Discovery must cover four categories: secrets stored in code repositories and CI/CD systems; service accounts and workload identities in cloud providers and identity platforms; machine certificates and SSH keys; and OAuth and API tokens issued to third-party integrations.

For code repositories, tools like GitHub Advanced Security (secret scanning), GitGuardian, and Trufflehog scan repositories for secrets committed in code, configuration files, and git history. Git history scanning is important because a secret deleted from the current branch may still exist in prior commits. GitGuardian's 2025 State of Secrets Sprawl report found over 12 million secrets detected in public GitHub repositories in 2024 alone.

For cloud environments, IAM Access Advisor (AWS), Permissions Management (Azure), and Policy Analyzer (GCP) identify service accounts, their permission scopes, and their last-used dates. Cloud Security Posture Management (CSPM) tools including Wiz, Orca, and Prisma Cloud can flag over-privileged identities across multi-cloud environments. For centralized secrets management, platforms like HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault provide inventories of managed secrets with access audit logs, but they only cover secrets that have been onboarded to the system.

The discovery output should produce a classification by sensitivity: credentials with admin or owner-level access to production systems are Tier 1 and require immediate remediation; credentials with broad read access to sensitive data are Tier 2; all others are Tier 3.

Applying least privilege to NHIs requires understanding what each identity actually needs to do, then constructing the minimum permission set that enables it. In practice, this requires collaboration between security engineers and the development teams who build and operate the systems using these identities.

For cloud IAM, use resource-scoped permissions rather than account-wide policies. An S3 access key that needs to read one specific bucket should have a policy scoped to that bucket ARN, not s3:* on all resources. AWS IAM Access Analyzer generates least-privilege policies based on actual access history, which eliminates the guesswork. For GCP and Azure, equivalent tools exist in their IAM policy analysis capabilities.

For service accounts in Kubernetes, use RBAC with namespace-scoped roles rather than ClusterRoles where possible. Avoid mounting service account tokens in pods that do not require API access. Enable projected token volumes with bounded lifetimes rather than using long-lived service account tokens.

For CI/CD systems, use short-lived OIDC tokens rather than long-lived API keys where the CI/CD platform and cloud provider support it. GitHub Actions OIDC federation with AWS IAM, GCP Workload Identity Federation, and Azure Managed Identities enables CI/CD workflows to assume cloud roles without storing any long-lived credential in GitHub Secrets. This eliminates an entire category of secret sprawl risk for cloud operations.

Manual rotation of secrets does not scale. The average enterprise has thousands of NHIs; a security team that manually rotates credentials is doing so infrequently, under pressure, and with high error risk. The goal is automated rotation with zero-downtime credential handoff.

Centralized secrets management platforms handle rotation in two models: managed rotation (the platform rotates the credential directly, such as AWS Secrets Manager rotating an RDS database password by calling the RDS API and updating the secret) and application-assisted rotation (the application checks for a new secret version on each use, allowing the platform to rotate without requiring a deployment). Both models require application code to retrieve secrets at runtime from the secrets manager rather than reading them from environment variables or configuration files at startup.

For credentials that cannot be rotated automatically, establish a maximum credential age policy enforced by tooling rather than human discipline. HashiCorp Vault supports lease-based credentials that expire and must be renewed; expired credentials that are not renewed are automatically revoked. This is preferable to relying on humans to remember to rotate credentials on a schedule.

Rotation events should be logged in your SIEM with alerts for rotation failures. A credential that cannot be rotated (because an application is hardcoded to a specific key and cannot accept a new one) is a remediation target, not a rotation exception.

Most SOC detection logic is calibrated for human identity behavior: logins at unusual hours, impossible travel, new device authentication. NHI attacks look different: service accounts accessing resources they have never accessed before, API keys used from unexpected IP addresses, tokens used at rates inconsistent with their normal automation patterns.

Core detection rules for NHI attacks include: service account access to resources outside its historical baseline (requires per-identity behavioral baselining, not just alert-on-admin-access rules); API key usage from IP addresses not associated with the application's normal infrastructure (requires infrastructure IP inventory); token usage rate anomalies (a CI/CD token used 1,000 times in an hour is suspicious if its normal pattern is 10 times per hour); and lateral access chains where a single NHI accesses multiple distinct systems in a short time window.

For cloud environments, AWS CloudTrail, Azure Monitor, and GCP Cloud Audit Logs provide the raw telemetry for NHI detection. Feeding this into a SIEM with entity-level analytics (Splunk ES, Microsoft Sentinel, Chronicle) enables per-identity behavioral baselining. UEBA platforms like Varonis and Securonix increasingly include NHI behavioral modeling as a distinct analytics category.

The most valuable single detection rule is flagging any use of a credential from a git repository scan finding. GitGuardian and similar tools identify exposed secrets; correlating those credential identifiers against your authentication logs tells you whether the exposed credential has already been used by an attacker.