What is a Non-Human Identity (NHI)?
By the Netallion AI Assurance Team
Key Takeaways
- Non-human identities (NHIs) are machine credentials: service accounts, API keys, OAuth tokens, managed identities, CI/CD tokens, and bot accounts that authenticate without a human operator.
- Industry estimates commonly put NHIs at 100 or more for every human identity in enterprise environments, making them the largest identity attack surface.
- 63% of credential-related breaches involve compromised non-human credentials, yet most organisations have no inventory of their NHIs.
- NHI lifecycle management covers discovery, classification, monitoring, rotation, and decommissioning — each stage is a potential security gap.
Non-Human Identities Defined
A non-human identity (NHI) is any credential, account, or authentication principal that operates without direct human involvement. While human identities authenticate through usernames, passwords, and multi-factor authentication, NHIs authenticate programmatically using API keys, service account tokens, OAuth client credentials, X.509 certificates, managed identities, webhook secrets, and similar machine-to-machine authentication mechanisms.
NHIs are the connective tissue of modern software. Every microservice that calls another microservice, every CI/CD pipeline that deploys code, every monitoring tool that queries an API, and every integration between SaaS applications relies on non-human identities. They are essential infrastructure, but they are also the largest unmanaged identity attack surface in most organisations.
Types of Non-Human Identities
Service accounts are dedicated accounts used by applications and services to authenticate to other systems. In Microsoft Entra ID (formerly Azure Active Directory) they appear as service principals and managed identities; in AWS they take the form of IAM roles and instance profiles, and of IAM users that exist only to hold long-lived access keys. Service accounts often carry broad permissions because they were created to "just make things work" during development and their privileges were never scoped down afterwards.
API keys are static credentials that authenticate API requests. They are the most common type of NHI and the most frequently leaked. API keys are embedded in source code, configuration files, environment variables, CI/CD pipelines, and collaboration messages. Unlike human credentials, API keys rarely have expiration dates and are almost never rotated proactively.
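Catching leaked keys in source, configuration files and chat messages is pattern matching plus a filter that weeds out placeholders and low-entropy dummies. The following is an added example, not code from this page or from the Netallion product: a small Python scanner run over constructed sample lines. The regexes cover a handful of well-known public formats (AWS access key IDs, classic GitHub personal access tokens, Slack bot tokens) plus a generic key=value rule; the format list, the entropy threshold and the placeholder allowlist are assumptions to tune for your environment, and the AWS values are the documented placeholders from AWS's own examples.

```python
"""Added example: scan text lines for leaked machine credentials.

Patterns cover a few well-known public token formats plus a generic
key=value rule; the sample input is constructed. Not code from the page."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Group 1 of every pattern captures the secret itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "slack_bot_token": re.compile(r"\b(xoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+)\b"),
    # Generic: KEY=value, secret: "value", password = value ... with a long value.
    "generic_assignment": re.compile(
        r"(?i)(?:key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+]{20,})"
    ),
}
# Values that look like secrets but are documentation placeholders (assumed list).
PLACEHOLDER_MARKERS = ("replace_me", "changeme", "placeholder", "<your")


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str   # never log the full secret
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]


def scan_lines(lines, min_entropy: float = 3.0):
    """Return Findings for lines that carry a probable credential.

    Specific formats are trusted as-is; generic matches must also pass the
    entropy and placeholder checks, and a secret already matched by a
    specific pattern on the same line is not reported twice."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1)
                if secret in seen:
                    continue
                ent = round(shannon_entropy(secret), 2)
                if kind == "generic_assignment":
                    low = secret.lower()
                    if ent < min_entropy or any(p in low for p in PLACEHOLDER_MARKERS):
                        continue
                seen.add(secret)
                findings.append(Finding(line_no, kind, redact(secret), ent))
    return findings


# Constructed sample input; the AWS values are the placeholders from AWS's own docs.
SAMPLE_LINES = [
    "# config.ini (constructed sample)",
    "db_password = hunter2",                                   # too short to match
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345",
    "[slack] deploy bot token: xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx",
    'API_KEY = "REPLACE_ME_WITH_REAL_KEY_VALUE"',              # placeholder, suppressed
    "PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxx",                      # low entropy, suppressed
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} {f.redacted} (entropy {f.entropy})")
```

Two design points matter in practice: the scanner reports a redacted form and never the secret itself, because scanner output ends up in tickets and logs that are themselves leak sites; and the generic rule is deliberately gated by entropy and a placeholder list, since a bare `key=` regex drowns reviewers in false positives from example configs.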
OAuth tokens and client credentials authenticate machine-to-machine integrations. Access tokens obtained through the client credentials grant are typically short-lived, but the client secret used to obtain them is long-lived and frequently leaked. Refresh tokens, where they are issued, can grant persistent access and are a high-value target for attackers.
CI/CD tokens grant pipeline systems access to source code repositories, cloud infrastructure, container registries, and deployment environments. A compromised CI/CD token can give an attacker the ability to inject code into production builds. GitHub Actions secrets, GitLab CI/CD variables, and Jenkins credentials are all NHIs.
Bot accounts operate in collaboration platforms, ticketing systems, and communication tools. Slack bots, Teams bots, Jira automation accounts, and chatbot service accounts all hold credentials that grant access to internal data and systems.
The 100:1 Ratio Problem
Industry estimates commonly put the ratio of non-human to human identities at 100 to 1 or higher in enterprise environments. By that estimate, an organisation with 1,000 employees has 100,000 or more NHIs spread across cloud providers, SaaS applications, CI/CD systems, and internal services.
This ratio is growing. The adoption of microservices architectures, serverless functions, and AI agents is creating new NHIs at an accelerating rate. Every new Lambda function, every new API integration, and every new AI tool connection generates additional machine credentials. Most organisations cannot even enumerate their NHIs, let alone manage their lifecycle.
The problem is compounded by the fact that NHIs receive far less security scrutiny than human identities. Human accounts get SSO, MFA, password policies, and access reviews. NHIs typically get few of these controls: MFA does not apply to a credential that is itself the single factor, SSO does not cover machine-to-machine flows, and access reviews rarely include service accounts. They are created, granted permissions, and forgotten.
NHI Lifecycle Stages
Effective NHI management requires controls at every stage of the credential lifecycle. Discovery is the first and most critical stage: you cannot protect what you cannot see. Discovery involves scanning all environments, including cloud providers, identity providers, code repositories, CI/CD systems, collaboration tools, and log streams, to build a comprehensive inventory of every NHI.
Classification categorises each NHI by type, sensitivity, and risk. A production database service account with full read/write access is fundamentally different from a read-only monitoring token. Classification enables prioritised remediation and appropriate policy enforcement.
Monitoring tracks NHI usage patterns to detect anomalies. An API key that suddenly starts making requests from a new IP address, at unusual times, or to endpoints it has never accessed before may be compromised. Continuous monitoring provides early warning of credential theft or misuse.
Rotation ensures that credentials are periodically replaced to limit the window of exposure. Manual rotation is error-prone and rarely performed. Automated rotation, integrated with secret vaults such as Azure Key Vault, AWS Secrets Manager, and HashiCorp Vault, refreshes credentials on a defined schedule without disrupting services. Where the platform supports it, replacing a long-lived secret with a short-lived credential (a managed identity, or workload identity federation for CI/CD) removes the rotation problem rather than scheduling it.
Decommissioning revokes and removes NHIs that are no longer needed. Orphaned service accounts, API keys for deprecated integrations, and tokens for offboarded employees' personal projects are all targets for cleanup. Without systematic decommissioning, the NHI inventory grows indefinitely, expanding the attack surface.
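To make the stages concrete, here is an added example (not from this page or from any vendor's product) that runs classification, monitoring, rotation and decommissioning checks in Python over a constructed inventory and usage log. Discovery is represented by the hard-coded inventory list, since enumerating a real tenant needs provider APIs. Classification follows the permission shape described under service accounts above (wildcards and production write access rank highest); monitoring compares each recent event against a per-identity baseline of source IPs, endpoints and hours of day. The risk tiers, the 90-day rotation and inactivity thresholds, the seven-day baseline window and every identifier are assumptions.

```python
"""Added example: classification, monitoring, rotation and decommissioning
checks over a constructed NHI inventory and usage log. Thresholds, risk
tiers and identifiers are assumptions, not the page's or any vendor's logic."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run


def _at(days_ago: int, hour: int) -> datetime:
    return (NOW - timedelta(days=days_ago)).replace(hour=hour, minute=0)


# Constructed inventory, i.e. what a discovery pass over cloud, IdP and CI would return.
INVENTORY = [
    {"id": "svc-billing-db", "type": "service_account", "env": "prod",
     "permissions": ["db:read", "db:write"], "last_rotated": NOW - timedelta(days=400)},
    {"id": "key-metrics-ro", "type": "api_key", "env": "prod",
     "permissions": ["metrics:read"], "last_rotated": NOW - timedelta(days=30)},
    {"id": "ci-deploy", "type": "cicd_token", "env": "prod",
     "permissions": ["*"], "last_rotated": NOW - timedelta(days=200)},
    {"id": "bot-legacy-jira", "type": "bot_account", "env": "staging",
     "permissions": ["jira:read"], "last_rotated": NOW - timedelta(days=700)},
]

# Constructed usage log: (nhi id, timestamp, source ip, endpoint).
EVENTS = [
    *[("key-metrics-ro", _at(d, 10), "203.0.113.10", "/v1/metrics") for d in range(30, 1, -1)],
    ("key-metrics-ro", _at(0, 3), "198.51.100.77", "/v1/admin/users"),  # the odd one out
    *[("svc-billing-db", _at(d, 9), "10.0.4.12", "/db/query") for d in range(30, 0, -1)],
    *[("ci-deploy", _at(d, 14), "10.0.9.5", "/deploy") for d in range(30, 0, -1)],
    ("bot-legacy-jira", _at(150, 11), "10.0.2.2", "/jira/search"),  # nothing since
]


def classify(nhi: dict) -> str:
    """Risk tier from scope and permission shape (assumed scheme)."""
    perms = nhi["permissions"]
    if "*" in perms or any(p.endswith(":*") for p in perms):
        return "critical"
    if nhi["env"] == "prod" and any(p.endswith(":write") for p in perms):
        return "high"
    if nhi["env"] == "prod":
        return "medium"
    return "low"


def detect_anomalies(events, baseline_days: int = 7):
    """Flag recent events whose source IP, endpoint or hour of day was never
    seen for that NHI in the baseline (events older than baseline_days)."""
    cutoff = NOW - timedelta(days=baseline_days)
    seen = defaultdict(lambda: {"ips": set(), "paths": set(), "hours": set()})
    for nhi_id, ts, ip, path in events:
        if ts < cutoff:
            seen[nhi_id]["ips"].add(ip)
            seen[nhi_id]["paths"].add(path)
            seen[nhi_id]["hours"].add(ts.hour)
    alerts = []
    for nhi_id, ts, ip, path in events:
        if ts < cutoff or nhi_id not in seen:
            continue  # baseline event, or no baseline yet to compare against
        b = seen[nhi_id]
        reasons = []
        if ip not in b["ips"]:
            reasons.append(f"new source ip {ip}")
        if path not in b["paths"]:
            reasons.append(f"new endpoint {path}")
        if ts.hour not in b["hours"]:
            reasons.append(f"unusual hour {ts.hour:02d}:00")
        if reasons:
            alerts.append((nhi_id, ts.isoformat(), reasons))
    return alerts


def lifecycle_actions(inventory, events, max_age_days: int = 90, unused_days: int = 90):
    """Per NHI: risk tier plus the lifecycle action it is due for.
    An unused credential is decommissioned rather than rotated."""
    last_used = {}
    for nhi_id, ts, _ip, _path in events:
        last_used[nhi_id] = max(ts, last_used.get(nhi_id, ts))
    result = {}
    for nhi in inventory:
        used = last_used.get(nhi["id"])
        if used is None or NOW - used > timedelta(days=unused_days):
            actions = ["decommission"]
        elif NOW - nhi["last_rotated"] > timedelta(days=max_age_days):
            actions = ["rotate"]
        else:
            actions = []
        result[nhi["id"]] = {"risk": classify(nhi), "actions": actions}
    return result


if __name__ == "__main__":
    for nhi_id, info in lifecycle_actions(INVENTORY, EVENTS).items():
        print(f"{nhi_id:16} risk={info['risk']:8} actions={info['actions']}")
    for nhi_id, when, reasons in detect_anomalies(EVENTS):
        print(f"ALERT {nhi_id} at {when}: {'; '.join(reasons)}")
```

In the constructed data the read-only metrics key is the one that fires: a 03:00 request from an unseen address to an admin endpoint is exactly the signature of a stolen key being tried out, and it would pass unnoticed if the key's only control were a rotation schedule. The wildcard-scoped CI token is the highest-risk item even though its usage looks perfectly normal, which is why classification and monitoring are separate stages.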
Why NHI Management Matters
The statistics are stark: 63% of breaches involving compromised credentials trace back to non-human identities. Attackers know that NHIs are poorly managed, rarely monitored, and often overprivileged. A single leaked API key can provide persistent access to production systems for months or years before detection. IBM's 2024 Cost of a Data Breach study put the mean time to identify and contain a breach involving stolen or compromised credentials at 292 days, and for NHIs the figure is likely higher because most organisations lack visibility into NHI usage patterns.
Compliance frameworks are catching up. PCI DSS v4.0 Requirement 8.6 explicitly addresses application and system accounts: interactive use must be restricted, and their passwords must not be hard-coded in scripts, configuration files, or source code. SOC 2 Type II auditors increasingly ask how machine identities are inventoried and governed. Organisations that cannot demonstrate NHI lifecycle management face audit findings and, increasingly, contractual and regulatory consequences.
How Netallion AI Assurance Manages NHIs
Netallion AI Assurance provides end-to-end NHI lifecycle management from a single control plane. The discovery engine enumerates NHIs across Entra ID, Azure subscriptions, GitHub organisations, GitLab groups, and collaboration platforms. Every discovered NHI is classified by type, risk level, last rotation date, and associated permissions.
The monitoring system tracks NHI activity and alerts on anomalies. When an exposed NHI is detected in a log stream, pull request, Slack message, or AI prompt, the system correlates the finding with the NHI inventory to assess blast radius: which systems can this credential access, and what damage could a compromised credential cause? One-click remediation enables immediate rotation into Azure Key Vault or revocation through the GitHub and AWS APIs, with a full audit trail for compliance.
Get visibility into your non-human identities
Discover, classify, and manage every NHI across your cloud, code, and collaboration tools.