The Hacker News | The Hidden Threat in Your Stack: Why NHI is the Next Cybersecurity Frontier
Quick Hit: Non-human identities (NHIs: service accounts, API keys, tokens, and the like) now outnumber humans in enterprise environments by as much as 50-to-1. While they've become essential for automation and cloud connectivity, they're riddled with risks ranging from hardcoded secrets to excessive permissions and poor governance. With nearly half of organizations already experiencing NHI compromises, it’s clear CISOs must shift focus. Visibility, risk reduction and lifecycle governance are now top priorities in defending the expanding machine identity attack surface.
Just the Bits:
- Machine Mayhem: Some enterprises have a 50:1 ratio of NHIs to humans. Some reporting says as much as 83:1, but in any case their scale outpaces traditional identity governance. No wonder we can’t keep up.
- Secret Spillage: 46% of organizations experienced NHI-related security incidents in the past year; another 26% suspect they did. 27M secrets leaked on GitHub last year. Hope yours weren’t among them.
- The John Cena Problem: Most orgs don’t know where all their NHIs are. Without an inventory, nothing else works. Without actual visibility, your inventory is your best guess.
- Perms Are Too Damn High: Many NHIs are sitting on way more access than they need. That’s a blast radius waiting to happen.
- Zombie Governance Gap: NHIs are created fast and forgotten faster. Without clear ownership and lifecycle controls, NHIs quietly sprawl and accumulate dangerous access.
*I know we have nomenclature issues in identity, but disagreeing on terms shouldn't include disagreeing on risk.
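As an added illustration of the checks an NHI inventory audit can run against the risks listed above (my example, not code from the article or any vendor; the record format, thresholds and sample records are assumptions I constructed):

```python
# Added example (not from the article or any vendor): triage a constructed NHI
# inventory for the risks the post lists. Record format and thresholds are assumed.
from datetime import date

AS_OF = date(2025, 6, 15)      # assumed "today" for the audit
MAX_AGE_DAYS = 90              # assumed rotation policy
MAX_IDLE_DAYS = 60             # assumed dormancy threshold
BROAD_SCOPES = {"*", "admin"}  # assumed wildcard/admin scope markers

# Constructed sample inventory: one record per service account, key or token.
INVENTORY = [
    {"id": "svc-ci-deploy", "owner": "platform-team", "created": "2025-01-10",
     "last_used": "2025-06-01", "scopes": ["deploy:write"], "in_source": False},
    {"id": "key-legacy-etl", "owner": None, "created": "2023-02-14",
     "last_used": "2024-11-30", "scopes": ["*"], "in_source": True},
    {"id": "tok-monitoring", "owner": "sre", "created": "2025-05-20",
     "last_used": None, "scopes": ["metrics:read"], "in_source": False},
]

def _days_since(iso, today):
    return None if iso is None else (today - date.fromisoformat(iso)).days

def assess(nhi, today=AS_OF):
    """Return the findings for one NHI; an empty list means it is clean."""
    findings = []
    if not nhi.get("owner"):
        findings.append("no-owner")            # governance gap: nobody accountable
    if nhi.get("in_source"):
        findings.append("hardcoded-secret")    # secret spillage: lives in a repo
    if BROAD_SCOPES & set(nhi.get("scopes", [])):
        findings.append("over-privileged")     # perms too high: wildcard scope
    age = _days_since(nhi.get("created"), today)
    if age is not None and age > MAX_AGE_DAYS:
        findings.append("rotation-overdue")    # credential older than policy
    idle = _days_since(nhi.get("last_used"), today)
    if idle is None:
        findings.append("never-used")          # zombie: created and forgotten
    elif idle > MAX_IDLE_DAYS:
        findings.append("dormant")             # zombie: no recent activity
    return findings

def triage(inventory, today=AS_OF):
    """Map each NHI id to its findings, the ones with most findings first."""
    report = {n["id"]: assess(n, today) for n in inventory}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for nhi_id, issues in triage(INVENTORY).items():
        print(f"{nhi_id:16} {', '.join(issues) or 'ok'}")
```

In practice the inventory would be fed from your cloud IAM, secrets manager and CI platform exports rather than a hand-written list; the point is that the no-owner, hardcoded, over-privileged and dormant checks are cheap once visibility exists.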
🔐 Spot on, Jesse Minor. At APIDynamics, we're seeing exactly what you described—non-human identities are exploding, but the controls around them are lagging behind. API keys and tokens now drive most automation, yet they’re rarely evaluated in real time, and almost never challenged. That’s why we’re bringing adaptive authentication and MFA to API calls—to apply the same scrutiny we give human users to machines that often have more power and fewer checks. Machine-to-machine trust needs continuous validation. Inventory is the start, but enforcement is the future. Learn more at https://www.apidynamics.com/
Gary Longsine - HA! So true -- A device can’t own responsibility, but a person can. We have to shift—transferring responsibility to the actual owner—eliminates risk for the platform. It breaks the fraud loop. What’s verified stays so, what’s not remains uncertain, and the service no longer has to guess.
"The John Cena Problem" made me laugh out loud! Thanks for sharing Jesse Minor!
Double Click: https://thehackernews.com/2025/06/the-hidden-threat-in-your-stack-why-non.html