
WTF are NHIs (Non-Human Identities)?

Feb 5, 2025

OWASP recently published their TOP 10 risks related to Non-Human Identities (NHIs), recognizing these as one of the most important threats to our systems.

This is no trivial threat, and we’re glad OWASP is helping raise awareness about NHI-related security challenges. However, as the word gets out, there seems to be some skepticism and even confusion about what NHIs really are, and whether this topic is truly important.

We heard you, CodeCompost.

No, NHIs Are Not Aliens

We know your mind might wander to extraterrestrial invasions, but no: “non-human” does not refer to aliens—it refers to machines. “Machine identities” has long been a common term, but it was eventually renamed to “non-human identities” because it sounded cooler and covered more situations.

Concretely, NHIs are identities that are not controlled or directly owned by a human. Like aliens, they might be hard to describe, but you'll recognize one when you see it!

OWASP lists a few examples:

  • API keys and access tokens
  • Service accounts
  • Roles used to access cloud resources

At Zygon, we've seen some of these in the wild, along with other types of NHIs:

  • App-to-app integrations: API keys are so 2010 when OAuth is everywhere. Good luck finding an actual access token in your interface.
  • Shared accounts: Yes, your accounting@mycompany.com account is an NHI, especially if it has admin rights to manage billing in your apps.
  • Bot accounts: Initially created by a human, these accounts have since become automated to perform tasks.

They should now be simple to identify in the wild. If you're unsure whether an account is a human identity or an NHI, who really cares? The key is to assign an owner, maintain an inventory, and move on.

Is this just more AI buzzwords?

Are NHIs just another trendy topic in cybersecurity meant to keep up with AI? We don't think so. Here's why:

  1. Pre-AI Existence: API key security and many shared or service accounts existed long before AI and will continue to do so. It’s primarily an organizational issue.
  2. AI Integration: AI is often distributed through applications that request access to data stored in your systems. For example, an AI app integrating with your Google Drive is still an NHI.

So NHIs aren’t just a way to ride the AI marketing wave. Still, it is a safe bet that AI apps will increase the number of NHIs in your organization in the near future, if they haven't already.

Who Cares?

IT and Security folks should care because NHIs typically carry inherent risks for your security posture:

  • Zero governance: NHIs are usually poorly tracked. Everyone has a reason to create them, yet they are often hidden in the background without an assigned owner, rotation policy, access reviews or deprovisioning workflows. Often, they aren’t even visible alongside your regular application users.
  • Zero monitoring: While you might monitor for unauthorized logins by human users, NHIs are generally under-monitored, making them a prime spot for attackers to establish a foothold.
  • Tons of permissions: In practice, least privilege is often ignored when tinkering with APIs. You try so many things at once that you end up granting maximum permissions. But when it's time to push to production, did you really reassess how many permissions you ended up using? Developers may overlook this, and neither marketing ops nor IT ops are likely to review these permissions when connecting two apps.
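To make the "assign an owner, maintain an inventory" advice and the three risk classes above concrete, here is an added example (not Zygon's code, and not from OWASP) that runs a governance review over a small, constructed inventory of NHIs of the kinds listed in this post: an API key, an OAuth app grant, a shared mailbox, a departed employee's integration and a bot account. It flags identities with no owner or an offboarded owner, static secrets past their rotation age, identities that have gone unused, and anything holding a full-access scope. The rotation and idle thresholds, the set of "broad" scopes and every identity in the inventory are assumptions made for the example, not values from the post; the OAuth scope strings are real Google scopes chosen only to illustrate what "full access" looks like.

```python
"""Minimal NHI inventory review: flag identities with governance gaps.

Added example, not Zygon's code. The inventory, the policy thresholds and
the set of "broad" scopes are all constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values (not from the post).
MAX_CREDENTIAL_AGE_DAYS = 90   # static secrets must be rotated within 90 days
MAX_IDLE_DAYS = 60             # unused for 60 days -> candidate for deprovisioning
# Scopes treated as "full access" for this example (assumed set).
BROAD_SCOPES = {"admin", "*", "https://www.googleapis.com/auth/drive",
                "https://mail.google.com/"}
# Kinds that carry a long-lived secret of their own; OAuth grants and cloud
# roles are reviewed for use and scope instead of rotation.
SECRET_BEARING_KINDS = {"api_key", "service_account", "shared_mailbox", "bot"}


@dataclass
class NHI:
    name: str
    kind: str                    # api_key | service_account | cloud_role | oauth_grant | shared_mailbox | bot
    owner: Optional[str]         # None when nobody is accountable for it
    owner_active: bool           # False once the owning human has been offboarded
    created: date
    last_rotated: Optional[date]
    last_used: Optional[date]    # None if it has never been seen in use
    scopes: set = field(default_factory=set)


def review(inventory: list, today: date) -> dict:
    """Return {identity name: [findings]} for every identity with at least one gap."""
    findings = {}
    for nhi in inventory:
        gaps = []
        # Zero governance: nobody is accountable, or the accountable person has left.
        if not nhi.owner:
            gaps.append("no-owner")
        elif not nhi.owner_active:
            gaps.append("owner-offboarded")
        # Rotation: a static secret older than the policy age is a stale credential.
        if nhi.kind in SECRET_BEARING_KINDS:
            rotated = nhi.last_rotated or nhi.created
            if today - rotated > timedelta(days=MAX_CREDENTIAL_AGE_DAYS):
                gaps.append("stale-credential")
        # Zero monitoring / deprovisioning: identities nobody uses should be disabled.
        if nhi.last_used is None or today - nhi.last_used > timedelta(days=MAX_IDLE_DAYS):
            gaps.append("unused")
        # Tons of permissions: any full-access scope left over from "tinkering".
        if nhi.scopes & BROAD_SCOPES:
            gaps.append("broad-permissions")
        if gaps:
            findings[nhi.name] = gaps
    return findings


def summarize(findings: dict) -> dict:
    """Count how many identities carry each kind of finding."""
    counts = {}
    for gaps in findings.values():
        for gap in gaps:
            counts[gap] = counts.get(gap, 0) + 1
    return counts


# Constructed inventory for the example (no real identities).
TODAY = date(2025, 2, 5)
INVENTORY = [
    NHI("ci-deploy-key", "api_key", "alice", True, date(2024, 12, 1),
        date(2025, 1, 20), date(2025, 2, 4), {"repo:write"}),            # healthy
    NHI("legacy-oauth-app", "oauth_grant", None, True, date(2021, 3, 1),
        None, date(2025, 2, 1), {"https://www.googleapis.com/auth/drive"}),  # no owner, full Drive access
    NHI("accounting@mycompany.com", "shared_mailbox", "bob", True, date(2022, 1, 10),
        date(2022, 1, 10), date(2025, 2, 3), {"admin"}),                 # password never rotated, admin
    NHI("john-zapier-integration", "oauth_grant", "john", False, date(2023, 6, 1),
        None, date(2024, 11, 1), {"read"}),                              # owner offboarded, idle
    NHI("metrics-bot", "bot", "carol", True, date(2024, 12, 20),
        date(2024, 12, 20), None, set()),                                # created, never used
]

if __name__ == "__main__":
    result = review(INVENTORY, TODAY)
    for name, gaps in result.items():
        print(f"{name}: {', '.join(gaps)}")
    print("totals:", summarize(result))
```

The healthy CI key produces no finding, which is the point of the exercise: the review is cheap when an identity has an owner, a recent rotation, recent use and narrow scope, and it surfaces exactly the cases the post describes when any of those is missing.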

On its Introduction to NHI page, OWASP lists three examples of high-visibility data breaches where NHIs played a major role:

Microsoft's Midnight Blizzard Breach (January 2024): A nation-state actor, Midnight Blizzard, initiated an attack against Microsoft's tenant. After gaining access to a non-production Microsoft 365 test tenant, they exploited a legacy OAuth application—an unmanaged non-human identity—with full privileges to access Microsoft's production environment. This led to unauthorized access to corporate email accounts and exfiltration of sensitive communications and documents.
https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

Okta's Support System Breach (November 2023): Okta experienced a security breach involving a compromised service account. An employee saved the credentials for this service account to their personal Google account after signing in on an Okta-managed device. When the employee's personal Google account was compromised, attackers obtained these credentials, granting unauthorized access to Okta's customer support system. Files related to 134 customers—including sensitive HTTP Archive (HAR) files with session tokens—were accessed.
https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause

Internet Archive's Zendesk Support Platform Breach (October 2024): Attackers exploited unrotated access tokens tied to the Internet Archive's Zendesk support platform, leading to unauthorized access and potential data exposure. This incident underscores the importance of regularly rotating and securing non-human identity credentials.
https://www.bleepingcomputer.com/news/security/internet-archive-breached-again-through-stolen-access-tokens/

How Zygon Can Help

You can read our direct response to these new threats in our (upcoming) article Secure Your Organization Against OWASP NHIs Top 10 with Zygon, but here are a couple of examples we've observed in the wild:

  • Unchecked OAuth Permissions: Remember that application you granted full access to your Google Drive or Gmail three years ago? Zygon remembers it for you and lets you revoke the token with one click.
  • Application Bots: Do you have a review process that disables unused bots in your systems? Zygon puts this at the forefront of your access reviews, alongside privileged accounts.
  • Shared Mailboxes with Access to Critical Systems: Did you know that to retrieve past invoices, the accounting@mycompany.com inbox is registered with five different applications and has admin rights on three of them?
  • Closing User Accounts Instead of Just Deactivating Their Login: When you offboarded John, you ensured he could not log in to any of the critical apps behind your SSO. But if you haven't completely closed his account on third-party apps, how can you be sure that his account doesn't still have an API key registered or an app integration running in the background?

We hope this primer on NHIs has helped you see their threat more clearly. Feel free to drop us a line if you’d like to discuss it further!

Kevin Smouts
Cofounder at Zygon