What Are Non-Human Identities (NHIs) and Why They Matter in Cyber Security (and AI)

What are Non-Human Identities and why are these an urgent focus these days in cybersecurity?  

Non-Human Identities (NHIs) are digital identities used by machines, not people.They allow applications, bots, scripts and systems to access data, APIs and infrastructure.

Put simply: humans log in with usernames and passwords; machines log in with keys and tokens.

source: microsoft, Amazon, Reco.ai, media reports. Infographic created by my own prompt.

NHIs are everywhere in modern tech stacks:

• API keys used by apps to talk to each other

• Service accounts running background jobs

• Automation scripts and bots

• Cloud workloads such as VMs, containers and serverless functions

• DevOps tools like CI/CD pipelines

• IoT devices and sensors

In most enterprises today, non-human identities vastly outnumber human users! 

Unlike humans, NHIs don’t use passwords or MFA. They rely on:

• API tokens

• OAuth tokens

• Certificates

• SSH keys

• Cloud IAM roles

These credentials are often long-lived, shared and rarely rotated. 

NHI can be a risk for four reasons: increased attack surfaces because of high use of cloud / IOT. Failure of authentication which is designed for humans, and not faceless bots; bots gain access where they shouldn't without human review, and by virtue of their omnipresence, a prime target for hackers, as these are non-traditional surfaces not easily monitored. 

This is the simple summary of HI vs NHI: 

source: microsoft, Amazon, Reco.ai,  IBM, media reports. Infographic created by my own prompt.

AI agents have a deep impact- even transformational- on NHI and security. We will explore this in next posts.