In the tug of war between human and non-human identities, the bots are winning.
These non-human identities—also known as NHIs—are rapidly increasing in use throughout organizations as artificial intelligence (AI) investments increase and enterprises seek to automate more functions within IT, application development and infrastructure management.
NHIs are digital identities for applications, services or devices, used to execute automatic machine-to-machine operations, according to a definition published by security firm CrowdStrike. As organizations adopt more cloud computing and DevOps practices, these NHIs can ensure secure communication across distributed cloud services, support automated workflows in DevOps, as well as manage thousands of IoT devices.
Studies are demonstrating how some organizations are growing reliant on these technologies. One recent estimate finds that non-human identities currently outnumber their human counterparts by a ratio of one hundred to one.
As with other issues surrounding the increased interest in AI and automation, NHIs are raising significant cybersecurity concerns, especially as they proliferate on a vast scale and gain access to sensitive systems, networks and data. As the CrowdStrike research shows, NHIs expand the attack surface and can hold privileged access, making every service account, API token or machine identity a potential target for attackers.
For cybersecurity professionals, consider the findings of a September 2024 report published by the Enterprise Strategy Group and security firm AppViewX. When looking at NHIs, the researcher noted:
- NHIs outnumber human identities by a factor of 20, but only one in five NHIs are inadequately protected.
- About 66 percent of organizations surveyed record a successful cyber incident or intrusion related to a compromised NHI.
- Additionally, approximately 46 percent of the surveyed organizations reported a breach related to non-human identities. The report also found that the average enterprise suffered 2.7 incidents in the past year.
“NHIs are essential for scale. NHIs power automation, integrations and infrastructure. But they also introduce a unique set of risks,” Rom Carmel, co-founder and CEO of security firm Apono, recently told Dice. “Unlike employees, NHIs don’t go through standard joiner-mover-leaver processes. They're rarely monitored closely and often overlooked, leading to a buildup of forgotten, overprivileged accounts that become prime targets for attackers.”
What’s clear is that cybersecurity professionals will be increasingly called upon to better secure NHIs and assess their risk to the overall organization. What’s more, about eight in 10 of the organizations surveyed by Enterprise Strategy Group and AppViewX report that they plan to spend more on NHI security, which opens up more opportunities for security pros with the right skills.
Understanding NHIs in a Still Human World
Security professionals face an increasingly complex attack surface as non-human identities surpass humans in cloud environments and attackers take advantage of lax security protocols related to NHIs. For security teams, these changes require cyber pros to go beyond traditional perimeter and human-centric defenses to ensure comprehensive protection of every interaction point, said Eric Schwake, director of cybersecurity strategy at Salt Security.
This shift demands that security professionals understand details about vulnerabilities within APIs, as well as architectures such as Retrieval-Augmented Generation (RAG) systems, which allow large language models (LLMs) to deliver more relevant responses at a higher quality.
“Consequently, there is a significant skills gap in applying stringent API posture governance, which is essential for ensuring that these non-human identities utilize least privilege API access while their API activities are continuously monitored for unusual behavior,” Schwake told Dice. “Training should emphasize secure API design, effective API authentication and authorization methods for automated systems, and utilizing platforms that grant complete visibility and runtime protection for API-driven interactions, effectively broadening identity and access management to the core APIs that support modern applications.”
With the growing use of NHIs, Carmel added that security organizations need to stop treating human and non-human identities as separate and treat these risks equally.
“Securing this complex landscape requires a shift in mindset… We must take a unified, risk-centric approach that focuses on access itself—who or what is requesting it, under what context, and for what purpose,” Carmel noted. “This means consolidating visibility across environments, applying least privilege by default, and continuously evaluating access in real time. It’s not about locking everything down. It’s about enabling speed safely. That’s the only way to keep pace with today’s threats without holding back the business.”
Creating Skills That Secure NHIs
As NHIs increase in use, security professionals need to develop skills that help put identity, whether it’s a machine or a person, at the center of the control plane, said Vijay Dilwale, principal security consultant at Black Duck.
From a security team perspective, this shift includes:
- A need for upskilling around cloud-native identity governance, especially in environments like Kubernetes or serverless platforms, where NHIs—service accounts, workload identities—are spun up dynamically and are over-permissioned by default.
- Secrets and key management are no longer an afterthought. NHIs rely heavily on tokens, API keys and service accounts, and without strong rotation policies, scoping and monitoring, they become an easy target.
- LLM and RAG-based systems introduce a new layer of risk. It’s not enough to secure the agent; there is a need to tie activity back to the initiating user. That attribution layer is critical if security teams want any real control or auditability. Every data fetch, prompt or action should be traceable to a specific user or process, not just logged under a generic “agent” identity.
- Monitoring needs to evolve. Traditional tools often miss NHI behavior. There is a need for better visibility into machine interactions—what they access, how often and whether that behavior deviates from established baselines.
“Dynamic, identity-aware access controls combined with strong monitoring and traceability are going to be key,” Dilwale told Dice. “That means security needs to work closely with DevOps, engineering and AI and machine learning teams to build these controls from the ground up and deliver development velocity with trust.”
Cyber professionals can also upskill by studying the Payment Card Industry Data Security Standard (PCI DSS) 4.0 guidelines, which place significant emphasis on managing NHIs, particularly system and application accounts with elevated privileges. This can help security pros working in the financial services industry, said Danny Brickman, CEO and co-founder of Oasis Security.
As NHIs proliferate, financial institutions risk security breaches and regulatory penalties if they fail to adopt a robust strategy for NHI management. Organizations must address these challenges now to strengthen their compliance standards and enhance their security posture, Brickman added.
“The cybersecurity field is increasingly demanding professionals who combine technical expertise with a strong understanding of business objectives. As the threat landscape grows more complex, organizations will prioritize candidates with a hybrid skill set—deep cybersecurity knowledge paired with expertise in risk management and regulatory compliance,” Brickman told Dice. “This shift will be driven by the need for cybersecurity to be seamlessly integrated into broader enterprise strategies, shifting away from a siloed approach to one that aligns directly with overall business goals.”
