
Do We Really Need the OWASP NHI Top 10?



The Open Web Application Security Project (OWASP) recently unveiled its latest initiative—the Non-Human Identity (NHI) Top 10. Over the years, OWASP’s various Top 10 lists, including the widely adopted API and Web Application security rankings, have become essential tools for developers and cybersecurity professionals.


Now, the focus shifts to an emerging domain in cybersecurity: Non-Human Identity security. This involves managing risks tied to API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine identities. While OWASP already offers robust frameworks for security risks, the pressing question is: Do we really need the NHI Top 10?

The answer is a resounding yes—and here’s why.


Why the NHI Top 10 Is Essential

Although some existing OWASP projects touch on vulnerabilities like secrets mismanagement, they fail to fully address the unique risks posed by NHIs. NHIs play a pivotal role in connecting systems, services, data, and AI agents across development and runtime environments. However, they introduce vulnerabilities that traditional security frameworks don’t fully cover, such as:

  • Excessive privileges
  • OAuth phishing attacks
  • IAM role exploitation for lateral movement

With cyberattacks targeting NHIs on the rise, a dedicated guide to these risks has become indispensable for developers and security teams.


How OWASP Top 10 Ranks Risks

OWASP uses a standard framework to prioritize risks based on:

  1. Exploitability: How easily can attackers exploit the vulnerability?
  2. Impact: What level of damage can the risk inflict on systems and operations?
  3. Prevalence: How common is the issue across different environments?
  4. Detectability: How difficult is it to identify the weakness with current tools?


These criteria underpin the NHI Top 10 and its critical risks, detailed below.


Breaking Down the OWASP NHI Top 10 Risks

1. Improper Offboarding (NHI1:2025)

Failure to decommission unused NHIs (e.g., service accounts or API keys) creates security blind spots. Research reveals that 50%+ of organizations lack formal offboarding processes, leaving dormant NHIs susceptible to insider threats and external exploitation.


2. Secret Leakage (NHI2:2025)

Hardcoded secrets, such as API keys, are a common attack vector. Studies indicate that 37% of organizations embed sensitive credentials within their applications, exposing them to breaches.


3. Vulnerable Third-Party NHI (NHI3:2025)

Development pipelines often integrate with third-party tools like CircleCI or GitHub using NHIs. Breaches involving these vendors force emergency credential rotations, underscoring the importance of monitoring external NHIs.


4. Insecure Authentication Methods (NHI4:2025)

Legacy mechanisms like implicit OAuth flows or app passwords lack MFA support and remain widespread, leaving systems vulnerable to modern attack techniques.


5. Overprivileged NHI (NHI5:2025)

Many NHIs operate with excessive permissions due to lax provisioning practices. A recent CSA report found that 37% of NHI-related incidents stemmed from overprivileged identities.


6. Insecure Cloud Deployment Configurations (NHI6:2025)

Misconfigured CI/CD pipelines and overly permissive OIDC settings create backdoors for attackers to exploit critical resources.


7. Long-Lived Secrets (NHI7:2025)

Secrets that remain active for years increase the risk of exploitation. For instance, Microsoft AI unintentionally exposed a token valid for over two years, granting access to 38 TB of internal data.


8. Environment Isolation (NHI8:2025)

Poor isolation practices can allow test NHIs to infiltrate production environments. The Midnight Blizzard attack on Microsoft exemplified this risk when a test OAuth app retained high production privileges.


9. NHI Reuse (NHI9:2025)

Reusing NHIs across applications violates the principle of least privilege and amplifies damage in the event of a breach.


10. Human Use of NHI (NHI10:2025)

Repurposing NHIs for manual tasks instead of using personal credentials can lead to privilege misuse and leaves no clear accountability when an incident occurs.
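As an added illustration (not code from OWASP's project or from this article), the audit below checks a constructed NHI inventory against several of the categories above: dormant identities (NHI1), hardcoded credentials in source text (NHI2), wildcard permissions (NHI5), long-lived credentials (NHI7), test identities reaching production (NHI8) and one identity shared by several applications (NHI9). The record fields, sample values and thresholds are all assumptions.

```python
import re
from datetime import date

# Assumed thresholds (not taken from the OWASP document): an identity idle for
# more than 90 days is treated as abandoned, a credential older than a year
# as long-lived.
MAX_IDLE_DAYS = 90
MAX_CREDENTIAL_AGE_DAYS = 365

# Constructed sample inventory; every identifier and value here is made up.
INVENTORY = [
    {"id": "svc-billing", "env": "prod", "issued": date(2022, 1, 10),
     "last_used": date(2025, 2, 28), "permissions": ["billing:read"],
     "consumers": ["billing-api"]},
    {"id": "key-ci-deploy", "env": "test", "issued": date(2023, 5, 1),
     "last_used": date(2024, 8, 1), "permissions": ["*"],
     "consumers": ["ci-runner", "prod-deployer"]},
    {"id": "app-legacy-bot", "env": "prod", "issued": date(2021, 6, 1),
     "last_used": date(2024, 1, 1), "permissions": ["repo:write"],
     "consumers": ["legacy-bot"]},
]

# Matches assignments such as api_key = "..." with a long literal value (NHI2).
HARDCODED_SECRET = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\s*[=:]\s*[\"'][A-Za-z0-9_\-/+]{16,}[\"']")


def audit_nhi(nhi, today):
    """Return the NHI Top 10 categories that one inventory record trips."""
    findings = []
    if (today - nhi["last_used"]).days > MAX_IDLE_DAYS:
        findings.append("NHI1:2025")   # dormant identity, never offboarded
    if (today - nhi["issued"]).days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("NHI7:2025")   # long-lived credential, never rotated
    if any(p == "*" or p.endswith(":*") for p in nhi["permissions"]):
        findings.append("NHI5:2025")   # wildcard grant, overprivileged
    if nhi["env"] != "prod" and any(c.startswith("prod") for c in nhi["consumers"]):
        findings.append("NHI8:2025")   # non-production identity reaching production
    if len(nhi["consumers"]) > 1:
        findings.append("NHI9:2025")   # one identity shared by several applications
    return findings


def audit_inventory(inventory, today=date(2025, 3, 1)):
    """Map each identity id to its list of findings (empty list means clean)."""
    return {nhi["id"]: audit_nhi(nhi, today) for nhi in inventory}


def find_hardcoded_secrets(source_lines):
    """Return 1-based line numbers whose text looks like an embedded credential."""
    return [i for i, line in enumerate(source_lines, 1) if HARDCODED_SECRET.search(line)]
```

In a real deployment the inventory would come from the cloud provider's IAM and secret-store APIs rather than a literal, and the thresholds should follow the organisation's own rotation policy.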


Standardizing NHI Security with OWASP

The OWASP NHI Top 10 fills a critical gap by offering a standardized framework to address these vulnerabilities. Tools like Astrix Security have already integrated the framework into their compliance dashboards, enabling organizations to:

  • Visualize NHI-related security gaps
  • Prioritize remediation efforts
  • Track progress over time


By adopting the NHI Top 10, organizations can ensure robust NHI governance, reduce attack surfaces, and build more secure development pipelines.

Conclusion

Non-human identities are at the heart of modern digital ecosystems, yet they remain one of the least understood and most underprotected elements of cybersecurity. The OWASP NHI Top 10 empowers security professionals with actionable insights to safeguard these critical assets.

As the threat landscape evolves, embracing frameworks like the NHI Top 10 is not just recommended—it’s necessary.