Why NHIs Are Already Your Biggest Attack Surface
Published May 8, 2026
Summary
Ask the average enterprise security leader how many user identities are active in their environment. They'll have a reasonable answer, probably pulled from their IGA platform or directory.
Now ask how many non-human identities they have.
Silence.
A spreadsheet someone will have to go and find. An estimate that's probably off by an order of magnitude.
That gap between what organizations know about their human identities and what they know about everything else is where attackers are operating right now.
Not in theory. In production.
Let's look at why NHIs are already your biggest attack surface.
What We Mean By Non-Human Identity
Non-human identities (NHIs) are any digital credential that authenticates and operates without direct human control. That covers a lot of ground:
- Service accounts, which are the accounts your applications use to talk to each other and to backend systems
- API keys, the strings of characters that act as credentials for programmatic access to cloud services, SaaS platforms, and internal APIs
- OAuth tokens, which are authorization grants that let one application act on behalf of another, often with broad scopes and long lifespans
- Digital certificates, the cryptographic identities that authenticate servers, encrypt communications, and establish machine-to-machine trust
- CI/CD pipeline credentials, the secrets baked into your build and deployment automation
- AI agents, the newest and fastest-growing category, which we'll address in depth in Blog 3
None of these are new. Service accounts and API keys have existed for decades.
What's new is the scale, the proliferation rate, and the growing gap between how organizations govern human identities versus everything else.
The Numbers Are Hard to Ignore
"There are now 45 non-human identities for every human identity in the average enterprise, a ratio that is accelerating as AI agent adoption scales."
That figure, cited by the Cloud Security Alliance, is not a worst-case projection. It's the current reality in most organizations IDMWORKS works with. In cloud-native environments with active SaaS portfolios, the ratio can be dramatically higher.
Cloud migrations alone can multiply NHI creation by 10X. Each new service spins up new identities, auto-scaling creates dynamic credentials, and hybrid environments maintain duplicates across platforms.
The result is an identity population that dwarfs your human user base and receives a fraction of the governance attention. Most organizations can tell you exactly who provisioned a human employee's Active Directory account. They have no idea who owns a service account created three years ago for an integration that may or may not still be in use.
Why Your Existing IAM Program Has a Blind Spot Here
The identity governance frameworks most enterprises operate under were designed around a set of assumptions that don't hold for non-human identities:
- Joiner-mover-leaver lifecycle: Human IAM programs are built around employment events. Someone joins, their access is provisioned. They change roles, access is adjusted. They leave, access is revoked. NHIs don't have employment records. They don't have managers to certify their access. They persist long after the application or integration they were created for has been decommissioned.
- Multi-factor authentication: MFA is the cornerstone of modern human identity security. NHIs can't complete an MFA challenge. They authenticate with tokens, keys, and certificates. Those credentials, if stolen, grant persistent access with no second factor to break the chain.
- Behavioral baselines: UEBA tools catch anomalies by learning what normal looks like for a human user: typical hours, typical access patterns, typical geography. A service account might authenticate thousands of times per minute at 3 AM from multiple locations. That's not an anomaly; that's normal. Standard behavioral analytics produces noise, not signal.
This isn't a criticism of how IAM programs were built.
They were built for the problem that existed.
The problem has changed.
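The behavioral-baseline point above is easy to see on a constructed log. The script below is an added example, not code from the original post or from IDMWORKS: it applies a human-style "off-hours login" rule to every identity, then a machine-style rule that baselines each service account on the (source network, target system) pairs it normally uses and flags only pairs never seen before. All identities, hosts, addresses (documentation ranges) and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication log (not real data): identity, identity class,
# timestamp, source IP, target system. Documentation/test IP ranges only.
EVENTS = [
    ("alice",       "human",   "2026-05-04T09:12:00", "10.1.4.20",    "hr-portal"),
    ("alice",       "human",   "2026-05-04T14:40:00", "10.1.4.20",    "hr-portal"),
    ("alice",       "human",   "2026-05-05T03:05:00", "203.0.113.9",  "hr-portal"),   # off-hours login
    ("svc-billing", "service", "2026-05-04T03:00:00", "10.2.0.11",    "billing-db"),
    ("svc-billing", "service", "2026-05-04T03:00:01", "10.2.0.12",    "billing-db"),
    ("svc-billing", "service", "2026-05-04T03:00:02", "10.2.0.13",    "billing-db"),
    ("svc-billing", "service", "2026-05-04T03:00:03", "10.2.0.11",    "billing-db"),
    ("svc-billing", "service", "2026-05-05T03:00:00", "10.2.0.12",    "billing-db"),
    ("svc-billing", "service", "2026-05-05T11:30:00", "198.51.100.7", "hr-portal"),   # new source and new target
]

BUSINESS_HOURS = range(7, 19)
LEARNING_CUTOFF = "2026-05-05"   # events before this date train the baseline (assumed window)


def off_hours_alerts(events):
    """Human-style rule applied to everything: count logins outside business hours."""
    counts = defaultdict(int)
    for ident, _kind, ts, _ip, _target in events:
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            counts[ident] += 1
    return dict(counts)


def net_prefix(ip):
    """Coarsen an IPv4 source to its /24 so auto-scaled hosts share one baseline."""
    return ".".join(ip.split(".")[:3])


def learn_pairs(events, cutoff):
    """Per identity, the (source /24, target) pairs observed during the learning window."""
    seen = defaultdict(set)
    for ident, _kind, ts, ip, target in events:
        if ts < cutoff:   # ISO-8601 strings sort chronologically
            seen[ident].add((net_prefix(ip), target))
    return seen


def new_pair_alerts(events, cutoff=LEARNING_CUTOFF):
    """Machine-style rule: flag a service account only when it uses a never-seen pair."""
    baseline = learn_pairs(events, cutoff)
    alerts = defaultdict(list)
    for ident, kind, ts, ip, target in events:
        if kind != "service" or ts < cutoff:
            continue
        if (net_prefix(ip), target) not in baseline[ident]:
            alerts[ident].append((ts, ip, target))
    return dict(alerts)


if __name__ == "__main__":
    # The off-hours rule fires five times on svc-billing's perfectly normal 3 AM
    # batch, and never on the one event that matters (a new source hitting a new target).
    print("off-hours rule:", off_hours_alerts(EVENTS))
    print("new-pair rule :", new_pair_alerts(EVENTS))
```

The contrast is the whole argument in miniature: the human rule produces five noise alerts for the service account and misses the single event that a defender would want to see, while the pair-baseline rule produces exactly one alert, on that event. In practice the baseline would also carry expected request volume and the credential's permitted targets, but the dispatch by identity class is the part most programs are missing.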
Where This Goes Wrong: A Pattern We See Repeatedly
In practically every enterprise IAM environment we assess, the same patterns surface: service accounts with no documented owner. API keys that were created for a proof-of-concept three years ago and still have production-level permissions. OAuth grants that were approved once and never reviewed again. Certificates that expired months ago and were silently rotated by automation, or weren't, causing outages nobody anticipated.
These aren't edge cases. They're the baseline. And they represent exactly the kind of ungoverned, persistent access that makes NHIs the preferred target for sophisticated attackers.
The identity attack surface hasn't shifted. It's expanded. Every major identity-related breach of the last three years involved compromised non-human credentials at some point in the kill chain.
We'll get into the forensics of those attack patterns in Blog 2. But the point here is simpler: you can't defend what you can't see, and most organizations are not seeing most of their identity attack surface.
The Starting Point Is Inventory
Before governance, before controls, before any tooling conversation, the prerequisite is knowing what you have. A complete NHI inventory means being able to answer:
- Every service account active in your environment, the system it belongs to, the owner responsible for it, and when it was last reviewed
- Every API key in use, where it's stored, what scope it carries, and when it was last rotated
- Every OAuth application with an active grant, what it's authorized to do, and whether that grant is still appropriate
- Every certificate, its expiration date, its owner, and whether it's enrolled in automated renewal
Most organizations have partial answers in partial places. The work is integrating those signals into a coherent picture and then maintaining it. That's not a one-time project; it's an ongoing operational practice.
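As an added illustration of what "integrating those signals into a coherent picture" looks like once the partial answers have been pulled into one place, the script below (example code, not IDMWORKS's or any vendor's tooling) normalises records of the four NHI types listed above into one structure and audits each one against the questions the inventory must answer: owner, last review, last rotation, scope, expiry and renewal. The records, thresholds (365-day review, 90-day rotation, 30-day certificate warning) and the assessment date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

AS_OF = date(2026, 5, 8)               # assessment date (constructed for the example)
REVIEW_MAX_AGE = timedelta(days=365)   # assumed policy: certify at least yearly
ROTATION_MAX_AGE = timedelta(days=90)  # assumed policy: rotate keys quarterly
CERT_WARNING = timedelta(days=30)      # assumed policy: warn a month before expiry


@dataclass
class Nhi:
    """One non-human identity, whatever source it was collected from."""
    kind: str                   # service_account | api_key | oauth_grant | certificate
    name: str
    system: str
    owner: Optional[str] = None
    last_reviewed: Optional[date] = None
    last_rotated: Optional[date] = None
    scope: Optional[str] = None
    expires: Optional[date] = None
    auto_renew: bool = False


# Constructed inventory merged from four hypothetical sources (directory export,
# secrets manager, identity-provider OAuth console, certificate store). Nothing
# here is a real identity or host.
INVENTORY = [
    Nhi("service_account", "svc-erp-sync", "ERP", owner="app-team-erp", last_reviewed=date(2026, 2, 1)),
    Nhi("service_account", "svc-legacy-int", "unknown", owner=None, last_reviewed=date(2023, 4, 10)),
    Nhi("api_key", "ak-payments-prod", "payments-api", owner="payments",
        last_rotated=date(2026, 4, 20), scope="payments:write"),
    Nhi("api_key", "ak-poc-2023", "data-lake", owner="analytics",
        last_rotated=date(2023, 6, 1), scope="*"),
    Nhi("oauth_grant", "crm-connector", "CRM", owner="sales-ops",
        last_reviewed=None, scope="offline_access mail.readwrite"),
    Nhi("certificate", "api.example.test", "edge-gw", owner="platform",
        expires=date(2026, 5, 20), auto_renew=True),
    Nhi("certificate", "legacy.example.test", "legacy-app", owner=None,
        expires=date(2026, 1, 15), auto_renew=False),
]


def audit(item: Nhi, as_of: date = AS_OF) -> List[str]:
    """Return the governance gaps for one identity, in plain language."""
    gaps = []
    if not item.owner:
        gaps.append("no documented owner")
    if item.kind in ("service_account", "oauth_grant"):
        if item.last_reviewed is None:
            gaps.append("never reviewed")
        elif as_of - item.last_reviewed > REVIEW_MAX_AGE:
            gaps.append(f"last reviewed {(as_of - item.last_reviewed).days} days ago")
    if item.kind == "api_key":
        if item.last_rotated is None or as_of - item.last_rotated > ROTATION_MAX_AGE:
            gaps.append("rotation overdue")
        if item.scope == "*":
            gaps.append("wildcard scope")
    if item.kind == "certificate" and item.expires is not None:
        if item.expires < as_of:
            gaps.append("expired")
        elif item.expires - as_of <= CERT_WARNING and not item.auto_renew:
            gaps.append("expires soon without automated renewal")
    return gaps


def audit_inventory(inventory: List[Nhi], as_of: date = AS_OF) -> Dict[str, List[str]]:
    """Map identity name -> gaps, keeping only identities that have findings."""
    findings = {}
    for item in inventory:
        gaps = audit(item, as_of)
        if gaps:
            findings[item.name] = gaps
    return findings


if __name__ == "__main__":
    for name, gaps in audit_inventory(INVENTORY).items():
        print(f"{name}: {'; '.join(gaps)}")
```

Run against the constructed inventory, the audit is clean for the two identities with an owner, a recent review or rotation and a bounded scope, and reports four with gaps: the ownerless legacy service account last reviewed over three years ago, the proof-of-concept key with a wildcard scope and no rotation, the OAuth grant that was never reviewed, and the expired certificate nobody owns. The thresholds are the part to adapt; the shape of the questions is what the inventory has to support continuously, not once.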
It's also not optional. The 2025 GitGuardian report found nearly 24 million new leaked credentials on GitHub in a single year, with 70% of the secrets leaked in 2022 still valid years later. The attack surface doesn't get smaller on its own.
What This Means for Your IAM Roadmap
If your current IAM program centers on SailPoint, Saviynt, or any other IGA platform, you likely have strong coverage of human identity lifecycle. That coverage doesn't extend automatically to non-human identities.
The platforms are evolving to address this gap. SailPoint's Non-Human Identity module is one of their fastest-growing products in 2026, but the technology alone doesn't solve the governance problem.
The organizations getting ahead of this are treating NHI governance as an extension of their existing identity program, not a separate initiative. They're applying the same principles to non-human credentials: inventory, ownership, least privilege, lifecycle management, and periodic certification.
The mechanics are different. The discipline is the same.
Ready for the next step in your NHI evolution? Message us now; our team will contact you about next steps.