Sprawling Non-Human Identities Are the Next Big Cyber Risk

They say necessity is the mother of invention. As our reliance on digital infrastructure has grown, we’ve demanded more from our networks – seamless access, automated processes, uninterrupted user journeys, and effortless interoperability.

Each improvement has pushed us further toward a hyper-connected, “smarter” enterprise, but at a cost that rarely registers on the risk scale.

In the background, facilitating all of this, is a new type of workforce: an army of bots, scripts and AI agents that keep the wheels turning and automate our enterprise environments.

Identity has long been the cornerstone of network security. We verify users with passwords, credentials, biometrics, and tools like multi-factor authentication to make sure that the only people on our network are those that should be there.

Now, validating non-human identities (NHIs) is just as important – if not more so – than validating human ones.

These include the service accounts that run applications, the scripts that move data, the APIs that knit together systems, and the machine agents that act on instructions without human intervention. In most large organizations, NHIs already outnumber human users by as many as 50:1, yet they are treated as background infrastructure rather than active participants in the network. They don’t get offboarded when a developer leaves. They don’t receive login alerts or multi-factor authentication challenges. They often live and die entirely outside of the processes that govern human accounts.

The result is a blind spot that keeps expanding as automation and AI gain speed. NHIs are created in seconds by build pipelines, duplicated for convenience, or forgotten in legacy code. Once spun up, they often persist indefinitely, even when their original purpose has long expired. And unlike human users, their existence isn’t always documented, making it difficult to even quantify the scale of the problem. It’s one thing to see these non-human entities, but who’s governing them? Who or what is leveraging them? What access do they have? Are they still needed? In the rush to AI adoption, those questions will determine whether NHIs remain a silent force for efficiency, or become the next major vector for a wave of cyberattacks. 

An Exponential Threat

NHIs multiply quickly, but they also multiply unpredictably. A single developer can create dozens of service accounts during a project sprint, each tied to a specific function or integration, and then leave them untouched for months or years. In continuous integration and deployment (CI/CD) pipelines, accounts may be automatically generated for every new environment, test, or container, with zero central oversight.

Some NHIs can even create others, as upstream systems or AI agents spawn new credentials to complete tasks.

Deleted accounts may be reintroduced when old code is redeployed, creating “ghost” identities that resurface without warning. This self-reinforcing cycle means that the NHI population in many organizations is compounding, with every automation, every system update, and every AI-driven process adding to a hidden identity sprawl that no one fully owns.

In 2024, The New York Times had its source code stolen – not through a carefully orchestrated cyberattack or advanced malware deployed on the network, but through a redundant, over-privileged access token. The token had a much longer expiry period than it needed, and was most likely left and forgotten on a compromised endpoint. No humans, other than the ones who found and abused the NHI, were involved.

Playing Catch-Up

Traditional identity governance was designed for a network environment where every account had a human behind it – a name, a role, and a predictable lifecycle. NHIs break that model entirely. They often have privileged access far beyond what most employees receive, yet lack the guardrails applied to human users: no HR-triggered offboarding, no regular access reviews, no adaptive authentication based on behavior.

While many Identity and Access Management (IAM) tools can discover these accounts, discovery alone doesn’t solve the accountability gap.

There’s no “chain of custody” or ownership of NHIs. True governance means being able to answer in real time what each NHI is doing, why it exists, and who is responsible for it. Without that, these “invisible” accounts become prime targets for attackers, who know that a compromised service credential can quietly open the door to critical systems without raising alarms.
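The governance questions above (who owns an NHI, why it exists, what access it has, whether it is still used, and how long its credential lives) can be turned into a repeatable check. The script below is an added example, not code from the article or from One Identity: it audits a small inventory of non-human identities against those questions and flags the conditions the article describes, such as an unowned privileged token with a lifetime far longer than it needs. The inventory format, field names, policy thresholds and the sample records are all assumptions constructed for illustration, not real accounts.

```python
"""Audit a non-human-identity (NHI) inventory against basic governance questions:
who owns it, why it exists, what access it has, when it was last used, and how
long its credential lives.

Added example, not code from the article or from One Identity. The inventory
format, field names and policy thresholds are assumptions chosen for
illustration; the records at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy thresholds (assumed; tune to your own standards).
MAX_TOKEN_LIFETIME = timedelta(days=90)   # credentials living longer than this are flagged
MAX_IDLE = timedelta(days=60)             # unused for longer than this -> removal candidate
PRIVILEGED_SCOPES = {"admin", "repo:write", "iam:*", "secrets:read"}


@dataclass
class NHI:
    name: str
    kind: str                      # service-account, ci-token, api-key, agent
    owner: Optional[str]           # accountable human or team; None = unowned
    purpose: Optional[str]         # why it exists; None = undocumented
    scopes: set
    created: datetime
    expires: Optional[datetime]    # None = never expires
    last_used: Optional[datetime]  # None = never observed in use


def audit(nhi: NHI, now: datetime) -> list:
    """Return the governance findings for one identity (empty list = clean)."""
    findings = []
    if not nhi.owner:
        findings.append("no accountable owner")
    if not nhi.purpose:
        findings.append("no recorded purpose")
    if nhi.expires is None:
        findings.append("credential never expires")
    elif nhi.expires - nhi.created > MAX_TOKEN_LIFETIME:
        findings.append(f"lifetime {(nhi.expires - nhi.created).days}d exceeds policy")
    if nhi.last_used is None:
        if now - nhi.created > MAX_IDLE:
            findings.append("never used since creation")
    elif now - nhi.last_used > MAX_IDLE:
        findings.append(f"idle for {(now - nhi.last_used).days}d")
    privileged = nhi.scopes & PRIVILEGED_SCOPES
    if privileged and not nhi.owner:
        findings.append(f"privileged scopes {sorted(privileged)} with no owner")
    return findings


def audit_inventory(inventory, now):
    """Map each identity name to its findings, worst offenders first."""
    report = {n.name: audit(n, now) for n in inventory}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


# Constructed sample inventory (not real accounts).
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    # Owned, documented, short-lived, recently used: should come back clean.
    NHI("ci-deploy-prod", "ci-token", "platform-team", "deploys prod from main",
        {"repo:write"}, NOW - timedelta(days=30), NOW + timedelta(days=30),
        NOW - timedelta(days=1)),
    # Unowned, undocumented, two-year lifetime, privileged, idle: the article's scenario.
    NHI("legacy-export-token", "api-key", None, None,
        {"repo:write", "secrets:read"}, NOW - timedelta(days=400),
        NOW + timedelta(days=330), NOW - timedelta(days=200)),
    # Sprint leftover: owned, but never expires and never used.
    NHI("sprint-42-test-svc", "service-account", "dev-alice",
        "integration tests for sprint 42", {"db:read"},
        NOW - timedelta(days=120), None, None),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, NOW).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:24} {status}")
```

In practice the inventory would be fed from the IAM tools that already discover these accounts; the point of the check is that discovery output alone (name, kind, scopes) cannot answer the owner, purpose and last-used questions, so those fields have to be populated and kept current for the audit to mean anything.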

NHIs are here to stay, and their population will inevitably grow. They will shape how systems talk, transact, and behave – but whether they’re a force for good or ill will depend entirely on how we govern them.

Nicolas Fort is Director of Product Management at One Identity

Image: Ideogram
