As cybersecurity professionals, we dedicate significant time and effort to managing human identities. During a recent engagement with a customer, Ravi Karthick, CC, and Kanna Sekar, CISSP, CCSP, saw how quietly and dangerously non-human identities (NHIs), such as service accounts, automation scripts and APIs, can grow across a production environment without clear governance or visibility.

By Ravi Karthick, CC and Kanna Sekar, CISSP, CCSP

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

This is a firsthand account of where things went wrong, what we learned and how others in our field can avoid similar risks.

A Hidden Risk, Uncovered

Our engagement began as a standard review of access logs for a critical production database. What stood out immediately wasn’t who was accessing it, but what: for every human administrator, there were dozens of non-human interactions. In fact, overall NHIs outnumbered human identities by more than 50 to 1.

The IAM policy for employees was mature and well-structured. However, these digital entities were operating independently and without oversight, consistent auditing or assigned owners. The result was an invisible and unmanaged layer of access across key systems that exposed the organization to real risk.

Resolution became urgent when a development team, under pressure to release a new feature, hardcoded an API key with elevated privileges into a configuration file. That file was unintentionally pushed to a public-facing code repository.

Fortunately, an internal scan caught it before any damage occurred. If criminals had found the exposed key, they would have had direct access to customer data. This was a wake-up call; the organization realized that traditional IAM approaches were never designed for identities that operate independently of users, persist indefinitely and – often – have elevated access.

A New Approach

In response, we worked with the customer to build a dedicated Non-Human Identity Management (NHIM) program that brought these digital identities into full view and under control. We structured the process of doing so around five core phases:

  • Discovery and Inventory: We began with a full inventory of NHIs across cloud platforms, automation tools and internal systems. This involved using automated discovery tools and conducting interviews with DevOps, cloud and security teams. What we expected to complete in two weeks ended up taking nearly five months. The sprawl of identities was far greater than initially estimated.
  • Classification and Context: Once identified, each NHI was classified based on its function and level of access. We mapped its relationships with resources and systems, which helped prioritize the highest-risk identities for immediate review.
  • Access Control: We applied the principle of least privilege. Service accounts were audited and excessive permissions were removed. High-risk operations were placed behind Just-In-Time (JIT) access controls, which granted short-lived permissions only when needed. Secrets were rotated regularly, while segmentation was introduced to reduce potential lateral movement.
  • Lifecycle Management: We assigned a clear owner to each identity, with automated credential rotation based on risk and usage. A formal decommissioning workflow ensured identities tied to retired projects were removed and orphaned accounts were eliminated. We also closed a critical loophole: password resets were previously allowed for inactive accounts, inadvertently reactivating them. We enforced that only active accounts are eligible for resets, making reactivation a deliberate, auditable process.
  • Monitoring and Detection: We integrated NHI activity logs into the existing SIEM and configured alerts to flag anomalies such as unexpected access patterns, usage outside business hours, or behavior from unusual IP addresses. This gave the team near real-time visibility and response capability.
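The Monitoring and Detection phase above rests on the inventory built in the Classification phase: an alert is only meaningful if each identity has a known owner, expected source addresses and expected actions. The following is an added example, not code from the engagement, showing how such checks can be applied to SIEM-style NHI activity records; the identities, IP addresses, business-hours window and inventory entries are constructed for illustration.

```python
from datetime import datetime

# Constructed sample NHI activity records (not from the article); each is a
# SIEM-style event for a service account touching the production database.
EVENTS = [
    {"identity": "svc-billing", "ts": "2024-03-04T10:15:00", "src_ip": "10.0.5.21", "action": "SELECT"},
    {"identity": "svc-billing", "ts": "2024-03-04T02:40:00", "src_ip": "10.0.5.21", "action": "SELECT"},
    {"identity": "svc-report", "ts": "2024-03-04T14:02:00", "src_ip": "203.0.113.77", "action": "SELECT"},
    {"identity": "svc-etl", "ts": "2024-03-04T11:30:00", "src_ip": "10.0.7.9", "action": "DROP TABLE"},
]

# Hypothetical inventory produced by the Classification phase: owner, the
# source addresses the identity normally uses and the actions it is allowed.
INVENTORY = {
    "svc-billing": {"owner": "payments-team", "known_ips": {"10.0.5.21"}, "allowed_actions": {"SELECT"}},
    "svc-report": {"owner": "analytics", "known_ips": {"10.0.6.30"}, "allowed_actions": {"SELECT"}},
}

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time (assumed window)


def flag_event(event, inventory=INVENTORY):
    """Return the list of anomaly labels for one NHI event (empty if normal)."""
    flags = []
    profile = inventory.get(event["identity"])
    if profile is None:
        # Not in the inventory: no owner, no baseline, so it cannot be judged normal.
        flags.append("unknown_identity")
        return flags
    hour = datetime.fromisoformat(event["ts"]).hour
    if hour not in BUSINESS_HOURS:
        flags.append("outside_business_hours")
    if event["src_ip"] not in profile["known_ips"]:
        flags.append("unusual_source_ip")
    if event["action"] not in profile["allowed_actions"]:
        flags.append("unexpected_action")
    return flags


def scan(events, inventory=INVENTORY):
    """Map identity -> list of (timestamp, flags) for every flagged event."""
    alerts = {}
    for ev in events:
        flags = flag_event(ev, inventory)
        if flags:
            alerts.setdefault(ev["identity"], []).append((ev["ts"], flags))
    return alerts


if __name__ == "__main__":
    for ident, hits in scan(EVENTS).items():
        print(ident, hits)  # routed to the SIEM alert queue in practice
```

An identity missing from the inventory is itself an alert, which is how orphaned accounts from the Lifecycle phase surface in monitoring rather than staying invisible.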

Key Lessons From Our Project

Of course, not everything worked (at least the first time) and we learned some good lessons on our journey. Here are the key ones:

  • Start Small and Scale Up: Our initial attempt to fix everything at once proved unsustainable. It overwhelmed the team and created resistance. Shifting to a phased approach helped show early wins and gain buy-in.
  • Inventory is the Foundation: We underestimated the time required to build an accurate inventory. Yet it was essential; without it, every other step would have been based on assumptions.
  • Tailor Rotation Policies: Our first round of credential rotation caused unexpected service outages. We adjusted frequency based on each identity’s risk level and operational importance.

Our Recommendations

Automating credential rotation, enforcing least privilege and monitoring NHIs with the same attention as human accounts are no longer optional. NHIs are not background noise; they are critical infrastructure and must be treated that way. So, if you are managing production systems today, we recommend asking some important questions:

  • Do you know how many non-human identities are active in your environment?
  • Are they monitored?
  • Who owns them?
  • Are their privileges appropriate?

Our experience showed us how quickly these identities can grow out of control and how important it is to bring them into the center of our identity security strategy.

Ravi Karthick, CC is an IAM and cybersecurity architect with over 14 years of experience securing human and non-human identities across cloud and enterprise environments. His work focuses on zero trust, identity governance and advancing security in the age of AI and automation.

Kanna Sekar, CISSP, CCSP is a cybersecurity leader with over 14 years of experience across SOC operations, cloud security, threat detection and AI-driven security transformation. He works with organizations ranging from high-growth startups to Fortune 500 enterprises.
