Most organizations know exactly how many employees they have.
Far fewer know how many non-human identities currently have access to their cloud environment.
That blind spot is becoming one of the fastest-growing attack surfaces in modern security.
For years, enterprise security focused primarily on protecting human identities. We deployed Single Sign-On (SSO), enforced Multi-Factor Authentication (MFA), and implemented Conditional Access policies. And it worked — human identities have become significantly harder to compromise.
Meanwhile, another class of identities has quietly exploded across cloud environments: service principals, workload identities, OAuth applications, CI/CD runners, and AI service roles.
Today, these Non-Human Identities (NHIs) often outnumber human users by a factor of 10 to 50. As organizations accelerate cloud adoption and integrate AI into daily operations, this imbalance continues to grow.
Defining the Non-Human Identity Landscape
Unlike human users, machine identities rarely appear in HR systems or organizational charts. Yet they frequently hold some of the most privileged access in the environment.
Common high-risk categories include:
- OAuth Applications and Third-Party Integrations —
Apps granted broad access to Microsoft 365, Salesforce, Google Workspace, or Slack via delegated permissions.
- Service Principals and Managed Identities —
AWS IAM roles, Azure Managed Identities, and GCP service accounts used by Lambda functions, EC2 instances, or Bedrock agents.
- Workload Identities —
Kubernetes Service Accounts (e.g., Amazon EKS) and GitHub Actions OIDC roles.
- CI/CD Pipeline Identities —
Tokens used by automation platforms to deploy infrastructure.
- AI Service Roles —
Dedicated identities for Amazon Bedrock agents, model invocation, vector stores, and retrieval pipelines.
Every new AI workflow creates additional machine identities.
Why Attackers Are Targeting NHIs
Attackers follow the path of least resistance. While human accounts are now heavily protected, machine identities often suffer from:
- Privilege Creep
Broad permissions granted during development frequently remain in place long after they are needed.
- Lack of Visibility
Many organizations have no complete inventory of active service roles, OAuth grants, or workload identities.
- Long-Lived Credentials
Static access keys and unrotated refresh tokens create persistent backdoors.
Real incidents like the 2025 Drift/Salesloft OAuth compromise have shown how dangerous this can become.
Building a Machine Identity Security Strategy
Securing NHIs requires treating them as first-class citizens in your security program:
- Enforce Workload Identity Federation
Replace long-lived access keys with short-lived tokens using OpenID Connect (OIDC). AWS, Azure, and GCP all support this natively.
- Continuous Monitoring and Discovery
Use tools like AWS IAM Access Analyzer, CloudTrail, Security Hub, and third-party NHI platforms to maintain visibility and detect anomalous behavior.
- Automate Least Privilege
Regularly review and tighten policies. Unused permissions should be removed automatically.
- Govern AI Identities Explicitly
AI services like Amazon Bedrock create powerful new identities. These must be inventoried, monitored, and restricted from the start.
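As an added example (not code from the original article), the Python script below audits a decoded IAM credential report for the long-lived static keys discussed above: active access keys that have not been rotated, or have not been used, within a threshold window. The report rows, account ID, user names and the 90-day thresholds are constructed for illustration; the column layout is that of `aws iam get-credential-report`.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions chosen for this example, not AWS defaults.
MAX_KEY_AGE_DAYS = 90    # flag active keys not rotated within this window
MAX_KEY_IDLE_DAYS = 90   # flag active keys not used within this window

# Constructed sample in the column layout of `aws iam get-credential-report` (decoded CSV).
# Users, ARNs and dates are made up; no real account data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2022-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-03-01T00:00:00+00:00,2024-05-30T11:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
bedrock-ingest,arn:aws:iam::111122223333:user/bedrock-ingest,2024-04-10T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-05-15T12:00:00+00:00,2024-05-31T08:00:00+00:00,us-west-2,bedrock,false,N/A,N/A,N/A,N/A
legacy-backup,arn:aws:iam::111122223333:user/legacy-backup,2021-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-01-01T00:00:00+00:00,N/A,N/A,N/A,true,2024-05-20T00:00:00+00:00,no_information,N/A,N/A
"""
# Fixed clock so the sample audit is reproducible (assumption for the example).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'unknown'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)

def find_stale_access_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS,
                           max_idle_days=MAX_KEY_IDLE_DAYS):
    """Return (user, key_slot, reason) for every *active* key that is over-age or idle."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys cannot authenticate; skip them
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and (now - rotated).days > max_age_days:
                findings.append((row["user"], slot, f"not rotated for {(now - rotated).days} days"))
            # A key never used since its rotation has been idle since that rotation date.
            reference = last_used if last_used is not None else rotated
            if reference is not None and (now - reference).days > max_idle_days:
                state = "unused" if last_used is not None else "never used"
                findings.append((row["user"], slot, f"{state} for {(now - reference).days} days"))
    return findings

def audit_sample():
    return find_stale_access_keys(SAMPLE_REPORT, SAMPLE_NOW)

if __name__ == "__main__":
    print(*audit_sample(), sep="\n")
```

Against a real report, feed the decoded CSV from `get-credential-report` and `datetime.now(timezone.utc)` to `find_stale_access_keys`; each finding is a candidate for rotation or for replacement with a federated, short-lived credential.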
The New Security Frontier
Enterprise security has evolved through multiple eras:
Networks → Endpoints → Human Identities.
The next frontier is Non-Human Identities.
In the age of AI agents, serverless architectures, and autonomous cloud workflows, attackers no longer need to compromise an employee. Sometimes all they need is a single token.
The firewall is no longer the perimeter.
Identity is the perimeter.
And increasingly, that identity is not human.
This article is part of a series on practical cloud security in the AI era.
Previous: [Building a Serverless Security Monitoring Pipeline for AWS Bedrock]
References
- AWS IAM Best Practices
- AWS Well-Architected Framework – Security Pillar
- AWS IAM Access Analyzer
- Non-Human Identity Security Reports (Cyera, Wiz, Palo Alto Networks)