Most organizations have policies, procedures and tools in place to manage human identities. User privileges are provisioned, reviewed, modified and deprovisioned as a routine part of security best practices. Smart organizations follow least-privilege access principles to limit the risk of insider threats.
Machine identities are another matter. IT environments have scores if not hundreds of nonhuman users, including IoT devices, application and service accounts, APIs, scripts, and bots. Experts estimate that machine identities outnumber humans almost 50 to one.
Agentic AI is increasing that number exponentially. As we explained in a previous post, AI agents are independent systems that can gather and analyze data and act independently to achieve specific goals. Organizations are creating AI agents to perform an array of routine tasks that require access to systems and data across the IT environment.
Managing dozens or even hundreds of human identities is one thing. Managing thousands of machine identities is something else. What’s more, AI agents can be ephemeral, adding to the scale of the management effort.
Why Machine Identities Create Risk
The term “nonhuman identity,” or NHI, is applied broadly to any credential that’s not associated with a living person. Some experts prefer the term “machine identity” because it focuses on how each entity authenticates and accesses systems and data. Others prefer to break it down further because machine identities come with varying levels of access and risk.
However they’re defined, machine identities have become a huge problem. The credentials and other “secrets” associated with machine identities are scattered across the IT environment and function outside of traditional security processes. Security breaches at several large enterprises and government agencies began with compromised machine identities.
Third-party machine identities add to the threat. These are the credentials that enable an organization’s systems to interface with external systems and applications. If they’re not properly managed and secured, third-party machine identities can create significant risk. The MOVEit hack, one of the largest breaches of 2023, highlighted how vulnerabilities in third-party tools could lead to data theft.
OWASP’s Top 10 Machine Identity Risks
Clearly, organizations should develop procedures for managing and securing machine identities to reduce this risk, but many don’t know where to begin. The OWASP Top 10 Nonhuman Identities Risks for 2025 provides organizations with a framework for understanding and addressing the threats associated with NHIs.
- Improper offboarding. Organizations often neglect to deactivate machine identities when they’re no longer needed, leaving them vulnerable to exploitation. Effective offboarding processes are essential.
- Secret leakage. Secrets are often hard coded into software, stored in plain text and shared in public applications, code repositories and cloud environments. Secrets should be secured to prevent exposure.
- Vulnerable third-party NHIs. If a third-party machine identity is compromised, it can be exploited to steal credentials or misuse privileges. These identities should be vetted and properly secured.
- Insecure authentication. Authentication methods that are obsolete or vulnerable to known attacks create significant risk. Machine identities should be authenticated using robust techniques.
- Overprivileged NHIs. Administrators and developers often grant machine identities more privileges than they need. Least privilege access policies can reduce the scope of an attack if these identities are compromised.
- Insecure cloud deployment configurations. Giving NHIs static credentials for authenticating with cloud services can lead to inadvertent exposure. Machine identities should be secured to prevent unauthorized privileged access.
- Long-lived secrets. NHIs are sometimes given expiration dates too far in the future, or not set to expire at all. Machine identities should have just-in-time access to limit the amount of time hackers can exploit them.
- Environment isolation. Developers don’t always use different NHIs for development, testing and production. Isolating these environments is a security best practice.
- NHI reuse. Developers sometimes use the same NHI across multiple applications and services. Unique machine identities limit the scope of unauthorized access if the NHI is compromised.
- Human use of NHI. Administrators and developers sometimes use machine identities to perform manual tasks. They should be required to use human identities to ensure appropriate privileges and full accountability.
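The following is an added illustration, not code from the original post or from OWASP or Cerium: a small audit that scores a constructed machine-identity inventory against several of the risks listed above (improper offboarding, long-lived secrets, environment isolation, NHI reuse and human use of NHIs). The record fields, the 90-day secret lifetime and the 60-day staleness threshold are assumed policy values, not anything the post specifies.

```python
"""Audit a machine-identity inventory against several OWASP Top 10 NHI risks."""
from datetime import date, timedelta

# Constructed sample inventory (hypothetical); each record describes one NHI.
TODAY = date(2025, 6, 1)
INVENTORY = [
    {"id": "svc-billing", "secret_expires": date(2025, 7, 1), "last_used": date(2025, 5, 30),
     "envs": {"prod"}, "apps": {"billing-api"}, "interactive_logins": 0},
    {"id": "svc-legacy-etl", "secret_expires": None, "last_used": date(2024, 11, 2),
     "envs": {"prod"}, "apps": {"etl"}, "interactive_logins": 0},
    {"id": "svc-shared", "secret_expires": date(2028, 1, 1), "last_used": date(2025, 5, 31),
     "envs": {"dev", "prod"}, "apps": {"reports", "crm-sync", "chatbot"}, "interactive_logins": 3},
]

# Assumed policy thresholds (not from the post): rotate secrets within 90 days,
# and treat an identity unused for more than 60 days as a candidate for offboarding.
MAX_SECRET_LIFETIME = timedelta(days=90)
STALE_AFTER = timedelta(days=60)

def audit(record, today=TODAY):
    """Return the OWASP NHI risk labels that a single inventory record triggers."""
    findings = []
    if today - record["last_used"] > STALE_AFTER:
        findings.append("improper-offboarding")      # still active but no longer used
    exp = record["secret_expires"]
    if exp is None or exp - today > MAX_SECRET_LIFETIME:
        findings.append("long-lived-secret")         # never expires, or expires too far out
    if len(record["envs"]) > 1:
        findings.append("environment-isolation")     # same NHI spans dev/test/prod
    if len(record["apps"]) > 1:
        findings.append("nhi-reuse")                 # same NHI shared by several apps
    if record["interactive_logins"] > 0:
        findings.append("human-use")                 # a person logged in with the NHI
    return findings

def audit_inventory(inventory, today=TODAY):
    """Map each NHI id to its list of findings; an empty list means no issues found."""
    return {r["id"]: audit(r, today) for r in inventory}

if __name__ == "__main__":
    for nhi, risks in audit_inventory(INVENTORY).items():
        print(nhi, risks or "ok")
```

In a real environment the inventory would be pulled from the identity provider, cloud IAM and secrets manager rather than hard-coded, and the findings fed to a ticketing or review workflow.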
How Cerium Can Help
The Cerium team understands the risks associated with growing numbers of machine identities and can help you take steps to mitigate them. We’re here to help you take advantage of agentic AI and other advanced applications while minimizing the risk of a security breach or data exposure. Contact one of our experts to schedule a confidential consultation.