Identity management has long been a pillar of any sound cybersecurity program, ensuring that only authorized persons and machines have access to specific data and systems. Today, the rapid adoption of artificial intelligence (AI) is making it much more complicated to manage the identities of machines, making the appearance of the OWASP Non-Human Identities Top 10 very timely.

Dwayne McDaniel, a developer advocate at GitGuardian, said this is an interesting time in the history of computer science. Over the last 30 to 40 years, security teams have been credentialing machines — workloads, identities, workloads, servers — as if they were humans. But machines aren’t human — and that’s where a new set of problems arises, he said.

“With humans, we can do things like multifactor authentication and all sorts of fun stuff like biometrics. Non-human identities don’t have that advantage because, well, they’re not people. You can’t multifactor authenticate a workload in a Kubernetes cluster.”
–Dwayne McDaniel

Securing identity for humans is one thing. The OWASP Non-Human Identities Top 10 calls attention to non-human identities in the age of AI. Here’s what you need to know — and why you need a comprehensive approach to AI security.

[ See Special Report: Secure Your Organization Against AI/ML Threats ]

What’s covered in the OWASP NHI Top 10

While the NHI list overlaps with other OWASP lists, it’s necessary because of the risk coming from today’s AI — and its next generation of agentic AI, which involves agents automatically carrying out tasks, said Tal Skverer, lead researcher at the security firm Astrix. 

“The growing threats around NHIs warrant a dedicated list. Identifying these risks helps bridge the knowledge gap for developers who may not be familiar with this emerging security area.”
—Tal Skverer

Gene Spafford, a computer science professor at Purdue University and member of the Cyber Security Hall of Fame, noted that OWASP’s NHI list recasts an old and well-known problem in cybersecurity — that of access control.

“Traditionally, it has been phrased as relationships between subjects and objects, where the subject can be a person, program, or agent of some kind. Sadly, many current practitioners do not seem to be aware of the considerable body of literature on access control.”
—Gene Spafford

Why a standardized approach is needed

OWASP projects have historically driven much-needed standardization, which is currently lacking for protecting NHIs, Skverer said. Elad Luz, head of research at Oasis Security, explained that the cybersecurity industry needs field experts to set the stage for discussing the most critical risks tied to non-human identities.

“This list provides organizations with a structured starting point, helping them understand these risks, assess their potential impact, and prioritize those that are most relevant to their environment. Without a standardized approach, many companies might overlook or underestimate how NHIs contribute to security gaps, leaving them exposed to threats they may not even be aware of.”
—Elad Luz

Thomas Richards, network and red team practice director at Black Duck Software, said the NHI Top 10 list classifies vulnerabilities that impact modern software development lifecycles. While organizations have processes focused on managing user accounts, he continued, those processes don’t typically apply to system accounts. “Now they do need to include them for management,” he said. 

“APIs, servers, and applications often require keys and tokens to communicate securely and improperly managing these can lead to a breach. Many of these we have discovered during contracted penetration tests, and we were able to use them to compromise additional portions of the network or applications.”
—Thomas Richards

This NHI list provides a long-overdue roadmap

A senior manager at Black Duck, Akhil Mittal, said one overlooked API key can unlock an entire network, or a build pipeline pull can poison container images because no one checked if it was safe.

“These issues often stay hidden until it’s too late. The new OWASP list will force us to shine a light on things like hardcoded credentials, overly broad permissions and unmonitored AI systems. It’ll help us fix what we usually miss.”
—Akhil Mittal

He said the OWASP Top 10 list for NHIs was long overdue. “It’ll give security pros a roadmap to handle the new wave of machine-driven threats,” he said.

“Our invisible workforce isn’t going anywhere, so it’s time to protect it. The next big breach could start with a single forgotten token or an AI script no one was watching. If we don’t act, we’ll learn the hard way. By giving these identities real oversight, we make modern development both faster and safer.”
—Akhil Mittal

The NHI Top 10 and emerging risks

While the OWASP Top 10 covers many critical areas, Mittal said that there are emerging risks that should also be considered. For example, ephemeral environments — where containers or serverless functions exist only for short periods — often escape standard security checks.

As AI technology advances, new AI-specific vulnerabilities, are becoming more prevalent, he said. “Including these factors will ensure the list remains comprehensive and up to date with the latest threats,” Mittal said.

Eric Schwake, director of cybersecurity strategy at Salt Security, said he was this was a good start but he cautioned not to rely on it too heavily.

“[T]his list is not all-inclusive and might overlook some potential dangers. Organizations need to assess their unique context and industry to uncover additional risks that could impact their operations.”
—Eric Schwake

What’s next for the NHI Top 10

Kevin Bocek, chief innovation officer at the machine identity protection company Venafi, praised the items on the NHI top list as “spot on.” 

“Are there going to be more machines? Yes. Are there going to be more APIs, microservices? Yes. Are the adversaries going to abuse those? Yes. So this top 10  is important. It’s really great at its core. It’s great hygiene. I think security teams can start to judge themselves by it.”
—Kevin Bocek

However, Bocek said the next version of the OWASP NHI Top 10 list should emphasize machine entities more. “The non-human identities that matter are machines,” he noted. “I think it would help to focus on machine identity.”

He also suggested that the list look beyond the present, given the next generation of AI is just around the corner. 

“This list is focused on what we’re using today as machine identities—things like API keys, access tokens. As we go ahead to the future, there are new types of machine identities that are short-lived, that are being issued by a business. These are oftentimes referred to as workload identities. I would like to see workload identities added.”
—Kevin Bocek

Oasis Security’s Luz said NHI security is no longer just about reducing attack risk — it’s now a compliance issue as well. He said thatr governance requirements for NHIs are starting to appear in regulatory frameworks and industry standards, meaning organizations that fail to implement proper attestation, ownership assignment, and access reviews could face compliance violations.

“This shift highlights the growing recognition that machine identities require the same level of oversight as human identities to meet security and regulatory expectations.”
—Elad Luz

*** This is a Security Bloggers Network syndicated blog from Blog (Main) authored by John P. Mello Jr.. Read the original post at: https://www.reversinglabs.com/blog/owasp-nhi-top-10-what-you-need-to-know-about-agentic-ai-risk