OWASP Top 10 for Securing Non-Human Identities (NHIs) | Saviynt

In today’s AI-driven, fast-evolving software landscape, Non-Human Identities (NHIs) have become essential. They have also become a growing target for cyberattacks. Throughout 2024 and in the first quarter of 2025, saw an alarming increase in high profile NHI attacks, culminating in the breach of the U.S. Treasury’s network, exposed secrets in DeepSeek, and other high profile incidents. We can expect this trend to continue and see the number of attacks continue to rise throughout 2025. Building a robust identity security management strategy for NHIs has become an urgent priority for many organizations.

The OWASP Non-Human Identity Top 10 list provides a familiar framework and methodology to help security practitioners assess and quantify NHI-related risks. By leveraging this resource, security practitioners that may be new to identity security or NHI threats can better understand and compare these emerging risks with more traditional security issues.

In this article, I’ll break down the OWASP Top 10 for NHI, share my own perspective on each point, and suggest how you can integrate these insights into your broader identity security program.

What Are Non-Human Identities (NHIs)?

Non-Human Identities (NHIs) are digital identities utilized by software entities such as AI Agents, applications, APIs, bots, and automated systems to access secured resources. Unlike human identities, NHIs operate autonomously and are not directly controlled by individuals. They establish a trusted relationship between machines and the resources they interact with, ensuring secure and seamless operations within digital infrastructures. Common examples include:

• Customer Support Chatbots: AI-driven chatbots handle customer inquiries, accessing user data and support systems to provide timely assistance.
• Autonomous Decision-Making Systems: AI agents analyze data to make decisions in areas like finance or healthcare, necessitating secure access to various databases and applications.
• Machine Identities in AWS: A virtual machine running on AWS EC2 utilizes its Amazon Resource Name (ARN) as a unique identifier to authenticate and authorize interactions with other AWS services.
• Automated System Roles: An automated deployment system uses a specific role to provision and manage cloud resources during the continuous integration and deployment (CI/CD) process.

NHIs typically rely on a set of supporting security constructs to facilitate their access and interactions across systems. These include:

• Service Accounts: Accounts assigned to machines or software processes that enable them to access other applications, platforms, services, or assets. These accounts often represent the NHI in identity systems.
  
  
• Credentials: Mechanisms used to authenticate NHIs reliably. Common examples include API access keys, X.509 certificates, security tokens, and other forms of machine-authenticating secrets.
  
  
• Entitlements: Access policies that define what an NHI is allowed to do. These include roles, permissions, and policy statements that determine the scope and boundaries of access for a given machine identity.

NHIs and their related accounts, credentials, and entitlements, are essential for the seamless automation and interoperability of modern software, but they also introduce unique security challenges that must be addressed to protect your digital infrastructure.

What Is OWASP?

The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving the security of software. They are best known for their widely adopted OWASP Top 10 lists for web applications and mobile applications, which highlight the most critical security risks based on real-world data and consensus among security professionals. OWASP’s risk-rating methodology revolves around four main factors: Prevalence (“how common is this vulnerability?”), Exploitability (“how easy is it to exploit this vulnerability?”), Detectability (“how easy is it to detect the presence of this vulnerability?”), and Impact (“what is the effect on the application, data, or business if the vulnerability is exploited?”). One of the advantages of this risk-rating methodology is that it’s consistent across different domains, giving security practitioners a common taxonomy to compare security risks in web applications, mobile applications, and now NHIs.

The OWASP Top 10 for NHI

The “OWASP Top 10 for NHI” extends OWASP’s proven methodology of identifying and categorizing critical security risks into the realm of Non-Human Identities. As a first-year publication, we can expect it to evolve as new threats emerge and the nature of attacks changes. Although it’s not an exhaustive list of every possible NHI risk, it highlights the most prevalent and pressing security issues, supported by both real-world exploitation data and consensus among security experts.

Key Benefits:

• Enhanced Security Posture: By qualifying a range of NHI-related risks, organizations can prioritize effort to mitigate these risks and fortify their overall system defenses.

• Consistency: A proven methodology that adds a standardized approach to NHI security across different teams and projects, mirroring the OWASP methodology used for web and mobile applications.

• Identity-Centric Focus: Ensures that vulnerabilities are addressed from a holistic identity security perspective, covering both human and non-human identities.

Main Takeaways About the OWASP Top 10 for NHI

The OWASP Top 10 for NHI covers many of the “usual suspects,” such as NHI1:2025 Improper Offboarding, NHI2:2025 Secret Leakage, NHI5:2025 Overprivileged NHI, NHI7:2025 Long-Lived Secrets, and other top risks. You can find the full list here.

However, beyond these top risk factors, there are a few overarching themes worth highlighting:

1. Interdependency Between Human and Non-Human Identities

• Explanation: While NHIs operate independently, their security is intrinsically linked to human identities. A compromised NHI can grant unauthorized access to systems that human users also utilize. A person changing roles or leaving the company may still keep access to highly privileged machine accounts or machine secrets, exposing the organization to unnecessary additional risks. 

• Implication: Integrating humans and their machines to holistic analysis and end-to-end process may be a critical aspect of maintaining the overall security environment that the business depends on.

2. Challenges of Implementing Traditional Centralized Controls in a Decentralized NHI Environment

• Explanation: Traditional security controls are typically built around human identities, relying on a single or limited set of authoritative sources with a relatively slow changing human population. However, NHIs tend to be inherently highly decentralized and highly dynamic—scattered across third-party services, CI/CD pipelines, AI agents, and more that may exist for minutes, and even seconds—which means there is often no single source of record and governance needs to be done close to real time.

• Implication: To manage NHIs effectively, organizations must adopt flexible and scalable strategies. The OWASP Top 10 for NHI highlights the risks tied to decentralized NHI management and offers guidance on standardizing security practices. Moving forward, new approaches and technologies—leveraging intelligence platforms and AI—will be instrumental in mitigating NHI-related risks and ensuring a robust security posture.

3. Regulatory and Compliance Considerations

• Explanation: As attacks on NHIs become more widespread, regulatory bodies are increasingly focusing on NHI security by introducing specific standards and compliance requirements. We can anticipate further guidance and regulations in the near future, tailored to the unique governance needs of NHIs.

• Implication: By aligning with the OWASP Top 10 for NHI, organizations can stay ahead of emerging compliance mandates, enhance their security posture, and minimize the risk of potential fines or reputational damage.

Conclusion

The OWASP Top 10 for NHI is poised to become a go-to framework for identifying and mitigating the distinct security risks associated with Non-Human Identities. In parallel, we can expect new, more specialized guidelines—much like how PCI-DSS continues to evolve—to address the unique needs of NHIs. By familiarizing yourself with this list, you can stay one step ahead of emerging threats and help ensure a more secure, resilient digital environment for your organization.

Take Action:

• Implement or adopt tools and practices aligned with the controls recommended for each of the OWASP top 10 risks.
• Look to migrating from traditional tools to an intelligent cloud security platform to leverage automation and AI for managing the complex world of NHIs.
• For a comprehensive NHI security strategy, leverage the power of intelligence and AI to integrate security measures for NHIs alongside human-centric identity security, as they are inherently interconnected.

Saviynt Identity Cloud for Non-Human Identities

Saviynt’s Identity Cloud supports organizations as they race to address the emerging risks outlined in the OWASP Top 10 for NHI. Saviynt provides a unified, identity-centric platform that extends governance and access controls beyond human users to include machine identities, service accounts, and other NHIs. Features like automated discovery of NHIs, policy-based access controls, continuous risk scoring, and lifecycle management help organizations to reduce the risk of overprovisioned, orphaned, or long-lived secrets associated with NHIs. 

Saviynt integrates seamlessly across hybrid and multi-cloud environments, enabling real-time visibility and intelligent remediation for both human and non-human identities. By aligning with OWASP’s best practices and leveraging AI-driven insights, Saviynt empowers enterprises to manage NHI sprawl, improve compliance, and secure their identity perimeter in an increasingly decentralized and automated digital ecosystem. Learn more.