A new class of identities has emerged across the digital landscape: non-human identities (NHIs), which exist alongside human users. In a new guide, identity security firm Permiso has dug into the world of NHIs to help security leaders understand how they’re created, how they’re managed, and how they’re intertwined with human identities.
NHIs include service accounts, API keys, and machine identities. According to Permiso, they’re created and managed by human actions in order to enable automated processes, cloud services, and system-to-system communications.
But because NHIs are emerging on such a large scale and so rapidly, they’re now frequently outpacing the human identities within IT ecosystems – and this demands that organisations change their understanding of identity security. Rather than focusing solely on human identities, it’s critical that we include NHIs in security management, because if we neglect them, they have the potential to become a widespread vulnerability.
NHIs created by a human identity can exist in a system even after that human has been removed. For example, an employee is made redundant and their human identity is scrubbed from your network; but the NHIs that person left behind remain in the network, unmanaged and unsecured.
Permiso identified four critical gaps in NHI security that are putting organisations at risk:
Permiso’s researchers urge security leaders to implement least privilege principles across all identities – both human and non-human. This ensures that all identities can only access areas of a network that are essential for their specific function, and can significantly reduce the risks associated with neglected NHIs.
Real-time monitoring of all identity types is also critical to enable an organisation’s security team to establish baselines for behaviours around the clock – so anomaly detection can become more effective for NHIs.
Finally, organisations should conduct regular and comprehensive audits of their identity landscape in order to uncover hidden NHIs, detect behavioural anomalies, and identify NHIs that are violating identity security policy.
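As an added illustration (not taken from Permiso's guide), the following Python sketch shows what such an audit can look like: it flags NHIs whose human creator is no longer active and NHIs holding permissions they never use. The inventory, field names and permission strings are constructed sample data; a real audit would pull them from the identity provider and activity logs.

```python
from dataclasses import dataclass, field

# Constructed sample data: humans who still have an active identity.
ACTIVE_HUMANS = {"alice", "bob"}

@dataclass
class NHI:
    name: str
    kind: str                                   # service account, API key, machine identity
    created_by: str                             # human identity that created it
    granted: set = field(default_factory=set)   # permissions assigned
    used: set = field(default_factory=set)      # permissions seen in activity logs

# Constructed inventory; every name and permission here is hypothetical.
INVENTORY = [
    NHI("svc-backup", "service account", "alice",
        {"storage:read", "storage:write"}, {"storage:read", "storage:write"}),
    NHI("key-ci-deploy", "API key", "carol",
        {"deploy:push", "iam:write"}, {"deploy:push"}),
    NHI("vm-report-01", "machine identity", "bob",
        {"db:read", "db:admin"}, {"db:read"}),
    NHI("svc-legacy-sync", "service account", "dave", {"crm:read"}, set()),
]

def audit(inventory, active_humans):
    """Return [(nhi_name, [issues])] for every NHI with at least one finding."""
    findings = []
    for nhi in inventory:
        issues = []
        # Orphaned: the creating human has been removed, but the NHI remains.
        if nhi.created_by not in active_humans:
            issues.append(f"orphaned: creator '{nhi.created_by}' is no longer active")
        # Least privilege: anything granted but never exercised is excess.
        unused = nhi.granted - nhi.used
        if unused:
            issues.append("unused permissions: " + ", ".join(sorted(unused)))
        # No observed activity at all: candidate for decommissioning.
        if not nhi.used:
            issues.append("no observed activity")
        if issues:
            findings.append((nhi.name, issues))
    return findings

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, ACTIVE_HUMANS):
        print(name)
        for issue in issues:
            print("  -", issue)
```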
All security leaders should expand their knowledge of non-human identities and work to develop clear policies and security systems that recognise the potential risks of NHIs in their networks.