Identity is becoming the control center for system access, making it a single point of failure and a lucrative target for cybercriminals. In most companies, non-human identities (NHIs) outnumber people. These machine identities carry trusted credentials, including API keys, tokens, authentication artifacts, service accounts and application identities. A single exposed credential can give attackers persistent access to both internal and third-party systems.
In 2025, SpyCloud observed 13.2 million malware infections that exposed 642 million credentials. Attackers recently injected credential-stealing malware into an implicitly trusted open-source vulnerability scanner. The malicious code was pulled into thousands of organizations’ build pipelines, where it harvested the credentials those pipelines held. Experts don’t know exactly how many projects are compromised, but they estimate the downstream victims could go into the thousands.
Organizations must make identity security a core feature of supply chain trust. That will require a multi-provider identity plan and continuous verification.
NHIs are higher risk and more difficult to monitor
The volume of machine identities is quickly expanding with the increasing adoption of GenAI, cloud services and automation. NHIs create a much larger attack surface because they operate at scale in the background, spread across cloud platforms, SaaS tools, developer pipelines and vendor integrations. They carry powerful, long-lived permissions, make high-volume requests and access systems continuously. This activity blends into normal automation, so malicious use is hard to distinguish from legitimate traffic.
These identities are often created outside of core IT, making it difficult to know who owns them or even how many exist. According to Gartner, identity and access management (IAM) teams are only responsible for 44% of an organization’s NHIs.
These characteristics give NHI compromises a bigger blast radius. As the vulnerability scanner compromise above shows, attackers gain access to multiple systems across many organizations at once. A company’s infrastructure is only as safe as its weakest vendor.
Securing the identity ecosystem
Companies must abandon assumed trust and demand auditable, real-time proof of security from users and vendors alike.
Zero trust should be the standard for security across people and machines. Most companies already apply this model to their human users, requiring multifactor authentication, limiting access and monitoring suspicious activity.
For NHIs, zero trust means implementing:
- Inventory and ownership
- Classification of risk
- Short-lived credentials
- Least-privilege access
- Secret rotation
- Workload identity verification
- Review and monitoring
- Alignment of identity to business context
- Automation and lifecycle management
Today’s threat landscape necessitates ongoing identity validation for both internal and external NHIs.
Unmanaged service accounts create identity debt. Much like technical debt, this represents the security “interest” organizations pay on unmonitored machine identities that have outlived their original purpose but still retain high-level system access. IT teams need to get a handle on existing NHIs. Who owns each identity? What is its purpose? What permissions and credentials does it have? Implementing lifecycle management keeps credentialed services from silently accumulating.
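As an added example (not code from the article), the following Python audit applies the NHI controls listed above, inventory and ownership, credential rotation, least privilege, workload identity verification and review, to a constructed inventory and reports which identities constitute identity debt. The rotation and dormancy thresholds, the scope names and the record fields are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
UTC = timezone.utc
NOW = datetime(2025, 6, 1, tzinfo=UTC)            # fixed clock so results are reproducible
MAX_CREDENTIAL_AGE = timedelta(days=90)           # assumed rotation policy for static secrets
DORMANT_AFTER = timedelta(days=60)                # assumed threshold for "outlived its purpose"
BROAD_SCOPES = {"*", "admin", "owner"}            # scopes that violate least privilege
@dataclass(frozen=True)
class NHI:
    name: str
    owner: str | None              # None: nobody claims this identity
    issued_at: datetime            # when the current credential was minted
    last_used: datetime | None     # None: never seen in access logs
    scopes: frozenset[str]
    workload_verified: bool        # caller proves workload identity, not only a static secret

def findings(nhi: NHI, now: datetime = NOW) -> list[str]:
    """Zero-trust control failures for one identity, one tag per control."""
    out = []
    if nhi.owner is None:
        out.append("no-owner")                       # inventory and ownership
    if now - nhi.issued_at > MAX_CREDENTIAL_AGE:
        out.append("rotation-overdue")               # short-lived credentials / rotation
    if nhi.last_used is None or now - nhi.last_used > DORMANT_AFTER:
        out.append("dormant")                        # review and monitoring
    if nhi.scopes & BROAD_SCOPES:
        out.append("over-privileged")                # least-privilege access
    if not nhi.workload_verified:
        out.append("static-secret-only")             # workload identity verification
    return out

def risk_tier(nhi: NHI, now: datetime = NOW) -> str:
    """Risk classification: broad scopes, or three or more failures, is high."""
    f = findings(nhi, now)
    return "low" if not f else "high" if "over-privileged" in f or len(f) >= 3 else "medium"

def identity_debt(inventory: list[NHI], now: datetime = NOW) -> list[str]:
    """Identities that are dormant yet still unowned or over-privileged."""
    return [n.name for n in inventory if "dormant" in (f := findings(n, now))
            and ("no-owner" in f or "over-privileged" in f)]

INVENTORY = [  # constructed sample inventory, not real identities
    NHI("ci-deploy-bot", "platform-team", datetime(2025, 4, 15, tzinfo=UTC),
        datetime(2025, 5, 31, tzinfo=UTC), frozenset({"deploy:prod"}), True),
    NHI("legacy-vendor-sync", None, datetime(2023, 1, 10, tzinfo=UTC),
        datetime(2024, 11, 1, tzinfo=UTC), frozenset({"*"}), False),
    NHI("scanner-webhook", "appsec", datetime(2025, 1, 5, tzinfo=UTC),
        datetime(2025, 5, 30, tzinfo=UTC), frozenset({"repo:read"}), False),
]
```

Running `risk_tier` and `identity_debt` over the sample inventory flags the unowned, dormant, wildcard-scoped vendor key as high risk and as identity debt, while the rotated, narrowly scoped deploy account passes clean.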
Because organizations do not fully control third-party identities, they must demand stronger security assurances from vendors, including software bills of materials, regular integrity audits and stricter incident-reporting requirements.
Decoupling functions to reduce blast radius
In the past, identity strategy often centered on choosing one trusted provider and standardizing everything around it. That approach is efficient, but it also creates a dangerous dependency. If a bad actor compromises that platform, they can turn the organization’s trusted identity layer into an attack path across all users and systems. Essentially, they obtain the master key.
Organizations should use a primary identity provider for workforce access while strategically decoupling high-risk functions. From our security team’s experience, the separation is less about adding complexity and more about reducing concentration risk.
Decoupling has helped us think differently. Privileged access management, secrets management, machine identities, break-glass accounts, independent logging and backup authentication all deserve additional separation.
The practical benefit? Blast radius reduction. If credentials get exposed, or if a vendor has an outage or security incident, the damage stays more limited. An attacker can’t move freely across the entire environment. They have to cross multiple independent controls, which gives the security team more time to detect, contain and respond.
We’ve also learned that decoupling doesn’t mean duplicating every tool or building unnecessary redundancy everywhere. The goal is selective separation around the systems that would cause the greatest harm if they were compromised or unavailable. Done well, I think decoupling strengthens resilience without overwhelming the organization.
Ultimately, our experience has been that identity security should assume failure somewhere in the chain. Some credentials will eventually be exposed, some vendors will have incidents, and some systems will experience downtime.
Looking ahead: Agentic AI will multiply the number of trusted access paths. Every agent is a high-privilege identity that can reason, act, and pivot across systems. Businesses can’t safely give these systems a license to operate if they haven’t secured the credentials the agents rely on. Creating a modular, resilient identity infrastructure will protect current credentials and provide the capability to adopt and manage these more complex NHIs.