Are you a Human?

They say necessity is the mother of invention. As our reliance on digital infrastructure has grown, we have demanded more from our networks: seamless access, automated processes, uninterrupted user journeys, and effortless interoperability. Each improvement has pushed us further toward a hyper-connected, “smarter” enterprise, but at a cost that rarely registers on the risk scale. In the background, facilitating all of this, is a new type of workforce: an army of AI bots and agents that keep the wheels greased and automate our enterprise environments.[1]

Identity has long been the cornerstone of network security. We verify users with passwords, credentials, biometrics, and tools such as multi-factor authentication to ensure that only authorized individuals are on our network. Now, validating non-human identities (NHIs) is just as important as validating human ones.

These include the service accounts that run applications, the scripts that transfer data, the APIs that integrate systems, and the machine agents that execute instructions without human intervention.  In most large organizations, NHIs already outnumber human users by as many as 50:1, yet they are treated as background infrastructure rather than active participants in the network.  They don’t get offboarded when a developer leaves.  They don’t receive login alerts or multi-factor authentication challenges.  They often live and die entirely outside of the processes that govern human accounts.

The result is a blind spot that continues to expand as automation and AI accelerate. NHIs are created in seconds by build pipelines, duplicated for convenience, or forgotten in legacy code. Once spun up, they often persist indefinitely, even when their original purpose has expired. And unlike human users, their existence isn’t always documented, making it difficult to even quantify the scale of the problem. It’s one thing to see these non-human entities, but who’s governing them? Who or what is leveraging them? What access do they have? Are they still needed? In the rush to AI adoption, those questions will determine whether NHIs remain a silent force for efficiency or become the next major vector for a wave of cyberattacks.

NHIs multiply quickly, but they also multiply unpredictably.  A single developer can create dozens of service accounts during a project sprint, each tied to a specific function or integration, and then leave them untouched for months or years.  In continuous integration and deployment (CI/CD) pipelines, accounts may be automatically generated for every new environment, test, or container, with zero central oversight.  Some NHIs can even create others, such as upstream systems or AI agents that spawn new credentials to complete tasks.

Deleted accounts may be reintroduced when old code is redeployed, creating “ghost” identities that resurface without warning.  This self-reinforcing cycle means that the NHI population in many organizations is compounding with every automation, every system update, and every AI-driven process, adding to a hidden identity sprawl that no one fully owns.

In 2024, The New York Times had its source code stolen, not through a carefully orchestrated cyberattack or advanced malware deployed on the network, but through the use of a redundant, over-privileged access token. The token had a far longer expiration period than it needed and was most likely left and forgotten on a compromised endpoint. No humans, other than the ones who found and abused the NHI, were involved.

Traditional identity governance was designed for a network environment where every account had a human behind it: a name, a role, and a predictable lifecycle. NHIs break that model entirely. They often have privileged access far beyond what most employees receive, yet lack the guardrails applied to human users: no HR-triggered offboarding, no regular access reviews, no adaptive authentication based on behavior. While many Identity and Access Management (IAM) tools can discover these accounts, discovery alone doesn’t close the accountability gap.

There’s no “chain of custody” or ownership of NHIs. True governance means being able to answer in real time what each NHI is doing, why it exists, and who is responsible for it. Without that, these “invisible” accounts become prime targets for attackers, who know that a compromised service credential can quietly open the door to critical systems without raising alarms. NHIs are here to stay, and their population will inevitably grow. They will shape how systems talk, transact, and behave, but whether they are a force for good or ill will depend entirely on how we govern them, or on how they end up governing themselves.


This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com


[1] https://www.cybersecurityintelligence.com/blog/why-sprawling-non-human-identities-are-the-next-big-cyber-risk-8659.html
