For years, CIOs and CISOs have hardened defenses around the human user. Multi-factor authentication, phishing-resistant credentials, and identity-aware access controls have meaningfully raised the cost of credential theft and social engineering. The result is real: attacks that target users alone are harder than they used to be.
Attackers have responded by shifting focus to a target class with far weaker controls, often lumped together as “non-human identities” or simply NHIs. Service accounts, bots, workload identities, certificates, and keys for servers, applications, and network devices typically outnumber human identities by an order of magnitude or more, and they underpin nearly every part of modern digital operations.
NHIs can authenticate strongly. mTLS, signed JWTs, workload identity federation, and hardware-backed keys can be very robust, if implemented properly. In practice, however, most organizations don’t use those primitives at scale. They rely on long-lived static secrets – API keys, service account passwords, hardcoded tokens – that sit outside the controls applied to human users and rarely rotate.
When those secrets are exposed, they hand attackers a quiet path into the enterprise. According to SpyCloud’s 2026 Identity Exposure Report, our researchers recovered 18.1 million NHI-associated credentials circulating in the criminal underground last year. The real problem isn’t just that these credentials get exposed; it’s that most organizations don’t have an authoritative inventory of which NHIs they have, where the credentials live, or who owns them.
The NHI Visibility Gap Is a Real and Growing Threat
NHI credentials sit everywhere — code repositories, configuration files, CI/CD pipelines, container images, developer laptops. Developers spin up API keys constantly and occasionally commit them to public repos, where automated scrapers find them in minutes.
Meanwhile, infostealer malware running on a single developer endpoint can exfiltrate .env files, cloud CLI credential files (~/.aws/credentials, kubeconfig), and IDE-stored tokens in one shot. SpyCloud’s in-house research team, SpyCloud Labs, sees the downstream effects of this constantly: enterprise NHI credentials moving through criminal markets weeks or months after the initial endpoint compromise, often without the owning organization realizing they’ve been exposed.
DevOps teams use NHIs to automate pipelines. Cloud services generate NHI tokens for machine-to-machine communication. The result is a rapidly expanding web of credentials, many untracked, most overprivileged, and almost none rotated on a meaningful schedule. A single exposed key can give an attacker broad, persistent access, enough to move laterally and run automated activity well below the threshold that triggers traditional alerting.
NHI compromises often unfold outside the visibility of security teams, given the scale and complexity of the environments these identities operate in. Even when organizations attempt to assess their exposure, sprawl makes it difficult to know what exists, what privileges it holds, or what the blast radius would be if it were compromised.
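As an added example that is not part of the original article, the following Python script shows the kind of pre-commit check a team can run over staged files to catch the hardcoded secrets described above before they reach a repository. The sample file contents are constructed; the AWS values are the placeholder keys from AWS's own documentation, and the other values and the thresholds (16 characters, 3.5 bits of entropy) are assumptions for this example.

```python
import math
import re
from collections import Counter

# Constructed sample of a developer .env file and an AWS CLI credentials file.
# AWS values are the placeholder keys from AWS documentation; nothing here is real.
SAMPLE_FILES = {
    ".env": (
        "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app\n"
        "LLM_API_KEY=9f3a7c2e1b8d4f6a0c5e9b3d7a1f4c8e\n"
        "API_KEY_ROTATION_DAYS=30\n"
    ),
    "~/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
}
# Publicly documented credential shapes that can be matched exactly.
KNOWN_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("url_embedded_password", re.compile(r"://[^/\s:@]+:[^@\s]+@")),
]
# Generic NAME=value where NAME suggests a secret; the value is then judged by
# length and entropy, so random tokens of any vendor format are caught.
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*[\"']?([^\"'\s#]+)")
SECRET_NAME = re.compile(r"secret|token|key|password|passwd|pwd", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score near 4, words far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(path, text, min_len=16, min_entropy=3.5):
    """Return (path, label, line_no, redacted_value) for each finding in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [(label, m.group(0)) for label, pat in KNOWN_PATTERNS
                if (m := pat.search(line))]
        if not hits and (m := ASSIGNMENT.match(line)) and SECRET_NAME.search(m.group(1)):
            value = m.group(2)
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                hits = [("high_entropy_" + m.group(1).lower(), value)]
        findings.extend((path, label, line_no, v[:6] + "...") for label, v in hits)
    return findings

def scan_files(files):
    """Scan a {path: content} mapping, e.g. the staged files in a pre-commit hook."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

The name heuristic alone misses the password embedded in DATABASE_URL, which is why the URL pattern is checked first; a setting such as API_KEY_ROTATION_DAYS=30 is correctly ignored because its value is short.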
How to Close the NHI Visibility Gap
Closing the visibility gap requires more than awareness. Organizations must take a structured and proactive approach to managing NHIs, from discovery and ownership to access control and ongoing, automated monitoring. This requires consistent governance across the full lifecycle of NHIs. The following best practices provide a foundation for getting started.
1. Create a comprehensive inventory.
Organizations must establish a baseline inventory by discovering all NHIs across cloud, on-premises, and hybrid environments. The inventory should be consolidated into a unified view that can be easily managed and monitored.
2. Assign ownership and governance.
Every NHI should have a clearly defined owner responsible for its use, oversight, and eventual decommissioning. NHIs should also be treated like any other software asset, with clear lifecycle processes from creation to retirement. These are essential to preventing orphaned or forgotten credentials.
3. Enforce least privilege.
Many NHIs are overprivileged by default so that they can operate as efficiently and autonomously as possible. Organizations should restrict permissions to only what is necessary for each function, and review access regularly to reduce risk exposure.
4. Eliminate static secrets where you can; rotate aggressively where you can’t.
Move away from hardcoded secrets toward centralized secrets management, short-lived credentials, and automated rotation. Each rotation cycle is a chance to invalidate something an attacker may already have.
5. Continuously monitor for exposure.
Visibility isn’t something that teams should “set and forget.” Continuous monitoring is essential to detecting and proactively responding to exposed credentials, particularly those that might be circulating outside an organization’s security perimeter.
6. Eliminate silos between engineering, security, and DevOps.
Without shared accountability for where NHIs originate and who owns them, these identities will keep proliferating unchecked.
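As an added example, not from the article, this Python policy check applies steps 1 to 5 to a constructed NHI inventory: it flags ownerless identities, static secrets past their rotation window, wildcard or admin grants, and dormant credentials, and ranks the results for cleanup. The inventory fields, the thresholds (90 and 60 days) and the permission markers are assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# One row of the inventory that step 1 asks for. Field names are assumptions for
# this example; a real inventory is exported from cloud, CI/CD and secrets tooling.
@dataclass
class NHI:
    name: str
    owner: Optional[str]
    credential: str          # "static" (API key, password) or "short_lived" (federated, mTLS)
    created: date
    last_rotated: Optional[date]
    last_used: Optional[date]
    permissions: list = field(default_factory=list)

# Policy thresholds (assumed values for the example).
MAX_STATIC_AGE_DAYS = 90     # step 4: rotate static secrets at least this often
DORMANT_AFTER_DAYS = 60      # step 2: unused identities are decommissioning candidates
BROAD_MARKERS = ("*", "admin", "owner")   # step 3: crude test for wildcard/admin grants

def evaluate(nhi: NHI, today: date) -> list:
    """Return the policy violations for one identity (empty list means compliant)."""
    issues = []
    if not nhi.owner:
        issues.append("no_owner")
    if nhi.credential == "static":
        age = (today - (nhi.last_rotated or nhi.created)).days
        if age > MAX_STATIC_AGE_DAYS:
            issues.append(f"rotation_overdue:{age}d")
    if nhi.last_used is None or (today - nhi.last_used).days > DORMANT_AFTER_DAYS:
        issues.append("dormant")
    if any(any(mk in p.lower() for mk in BROAD_MARKERS) for p in nhi.permissions):
        issues.append("overprivileged")
    return issues

def triage(inventory, today: date) -> list:
    """Rank non-compliant identities: most violations first, static secrets before others."""
    rows = [(n.name, evaluate(n, today), n.credential) for n in inventory]
    rows = [r for r in rows if r[1]]
    rows.sort(key=lambda r: (-len(r[1]), r[2] != "static", r[0]))
    return [(name, issues) for name, issues, _ in rows]

# Constructed inventory for the example.
TODAY = date(2026, 3, 1)
INVENTORY = [
    NHI("ci-deploy-key", "platform-team", "static", date(2025, 1, 10), None, date(2026, 2, 27), ["deploy:*"]),
    NHI("legacy-report-bot", None, "static", date(2023, 6, 1), date(2024, 1, 5), date(2025, 9, 3), ["bigquery.dataViewer"]),
    NHI("billing-agent", "finance-eng", "short_lived", date(2025, 11, 2), None, date(2026, 2, 28), ["storage.objectViewer"]),
]
```

Running triage(INVENTORY, TODAY) puts the ownerless, long-unrotated, dormant bot first and the wildcard-scoped deploy key second, while the short-lived identity is compliant and drops out.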
NHIs Present a Real Threat That Requires Immediate Attention
The threat is concrete. In July 2025, a DOGE staffer committed a script to a public GitHub repository that contained a private API key for xAI, granting access to dozens of large language models underpinning Grok. The key was flagged by GitGuardian within hours, but reportedly was not revoked even after the repo came down: a textbook example of an NHI credential exposed by accident and persisting because no one owned the cleanup. More recently, researchers at XM Cyber documented privilege escalation paths in Google Cloud’s Vertex AI Agent Engine that allowed an attacker with minimal permissions to hijack high-privileged service accounts, turning “invisible” managed identities into pivots for accessing sensitive data. These aren’t edge cases; they’re the shape of the next several years.
As organizations accelerate cloud adoption, automation, and AI initiatives, NHIs will continue to multiply. And increasingly, AI agents themselves will operate as NHIs with broad delegated access. Meeting the challenge means redefining what “identity security” covers. It is no longer enough to protect users alone. Organizations must secure the full spectrum of identities operating in their environments, human and non-human. Failure to do so leaves a critical and increasingly targeted portion of their infrastructure exposed.
About SpyCloud
SpyCloud is a cybersecurity company that automates identity threat protection by recapturing and analyzing stolen darknet data