Non-Human Identities – Can we “tool” our way out?

Recently I started to notice a lot of "noise" in the security space around so-called "Non-Human Identities" (NHI), with the main idea being that we need yet another type of tool to solve this problem. So I decided to dig deeper and understand for myself whether we really need one more tool, or whether this is something that should be solved by us, humans.

If we distill the marketing claims of some of these tools, it is apparent that most of them focus on the following components:

  • Discovery – connects to your environment and builds an inventory of machine identities.
  • Ownership – through different means (such as logs), the tool tries to identify the possible owners, or at least the users, of each identity.
  • Threat Detection – highlights possible threats caused by those identities. These can be "static" findings such as "over-permissive role", or anomaly detection based on activity and usage.
  • Remediation – proposes how to resolve the issues found, such as reducing permissions, resetting an access key, or deleting a role that is not used.
  • Lifecycle management – facilitates rotation and reassigns ownership once the owner has left the organization.

But do we have real problems with these components?

Actually, we do, based on the OWASP NHI Top 10 – https://owasp.org/www-project-non-human-identities-top-10/2025/top-10-2025/

As you can see, some of the problems from the list are specifically targeted by NHI tools, which are advertised as solving exactly these problems. However, I have a feeling that we already have tools that aim to solve exactly these problems.

To be specific, it reminds me of the description of the CIEM (Cloud Infrastructure Entitlement Management) component found in most CNAPP (Cloud Native Application Protection Platform) tools, which was created to track and monitor cloud identities and the threats associated with them. If you also add a CDR (Cloud Detection and Response) component, you are covered from the technical side. Now you only need to chase down all the people involved, ask them gently to delete what needs to be deleted, and you are good. A new type of solution is not required, right?

Based on some news, it looks like we do need these tools: you can see that investors are voting with their money (which circumstantially means there is interest from customers as well):

So, why do we need this new tool?

For me, everything boils down to two reasons:

  • Current CIEM tools, as part of CNAPP, are quite good, but they lack some additional features such as "owner detection" and detecting whether the owner has left the company.
  • Such niche solutions are essential to push current vendors to improve their CIEM functionality (perhaps by acquiring start-ups, which is standard practice). As one of my managers told me: "We need to have niche tools until the moment when this functionality is a commodity".

But why don’t we need this new tool?

If you already have a CNAPP solution, most probably you can already cover most, if not all, of the problems with existing tools. But the real work is resolving the issues found, since that requires you to:

  • Enforce ownership – sometimes people do not want accountability, even for something as small as a machine identity.
  • Enforce restrictions – you would have to create boundaries within which people are allowed to operate, such as the types of permissions allowed or the maximum lifetime of secrets.
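As an added illustration (not code from the original post, and not any vendor's product), the script below shows that the "static" findings listed earlier (over-permissive role, unused identity, stale secret, missing or departed owner) and the boundaries just described (allowed permission types, maximum secret lifetime) can be expressed as a few explicit rules over an inventory you already have. Every identity record, the employee directory, the thresholds and the allowed-action prefixes are constructed assumptions; plug in your own export from CIEM or the cloud provider.

```python
"""Minimal policy-as-code audit over a constructed inventory of machine identities.

Added example, not from the original post. Thresholds, action prefixes,
directory contents and identity records below are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed organisational boundaries (the "restrictions" the post says must be enforced).
MAX_SECRET_AGE_DAYS = 90      # a secret older than this must be rotated
MAX_IDLE_DAYS = 60            # an identity unused for this long is a removal candidate
ALLOWED_ACTION_PREFIXES = ("s3:Get", "s3:List", "sqs:Receive", "logs:Put")

# Constructed HR directory: owners not listed here have left the organisation.
ACTIVE_EMPLOYEES = {"alice", "bob"}


@dataclass
class MachineIdentity:
    name: str
    owner: str | None         # value of an "owner" tag, None if the tag is missing
    actions: list[str]        # permissions attached to the identity
    secret_created: date      # creation date of the current key/secret
    last_used: date | None    # None means the identity was never used


@dataclass
class Finding:
    identity: str
    issue: str                # short code, e.g. OVER_PERMISSIVE
    remediation: str          # proposed action for the owner


def check_identity(ident: MachineIdentity, today: date) -> list[Finding]:
    """Apply the static rules to one identity and return its findings."""
    findings: list[Finding] = []

    # Ownership rules: without an accountable owner nothing else can be remediated.
    if ident.owner is None:
        findings.append(Finding(ident.name, "NO_OWNER", "assign an owner tag before any other change"))
    elif ident.owner not in ACTIVE_EMPLOYEES:
        findings.append(Finding(ident.name, "OWNER_LEFT", "reassign ownership to the owning team"))

    # Permission boundary: wildcards or actions outside the allowed prefixes.
    bad = [a for a in ident.actions if "*" in a or not a.startswith(ALLOWED_ACTION_PREFIXES)]
    if bad:
        findings.append(Finding(ident.name, "OVER_PERMISSIVE",
                                f"remove {', '.join(bad)}; keep only allowed actions"))

    # Secret lifetime boundary.
    if (today - ident.secret_created).days > MAX_SECRET_AGE_DAYS:
        findings.append(Finding(ident.name, "STALE_SECRET", "rotate the secret and shorten its lifetime"))

    # Usage rule: never used, or idle beyond the threshold.
    if ident.last_used is None or (today - ident.last_used).days > MAX_IDLE_DAYS:
        findings.append(Finding(ident.name, "UNUSED",
                                "disable now; delete after the owner confirms it is not needed"))
    return findings


def audit(inventory: list[MachineIdentity], today: date) -> dict[str, list[Finding]]:
    """Run the rules over the whole inventory, keyed by identity name."""
    return {ident.name: check_identity(ident, today) for ident in inventory}


# Constructed sample inventory; the audit date is fixed so results are reproducible.
TODAY = date(2025, 6, 1)
INVENTORY = [
    MachineIdentity("ci-deploy-role", "alice", ["s3:GetObject", "s3:ListBucket"],
                    date(2025, 5, 1), date(2025, 5, 30)),
    MachineIdentity("legacy-backup", "carol", ["s3:*"],
                    date(2024, 1, 15), date(2025, 1, 10)),
    MachineIdentity("temp-lambda", None, ["logs:PutLogEvents", "iam:PassRole"],
                    date(2025, 5, 20), None),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print(f"  {f.issue}: {f.remediation}")
```

The point of the example is in what the rules cannot do: the NO_OWNER and OWNER_LEFT findings only resolve when a person accepts accountability, and the UNUSED remediation deliberately stops at "disable" until an owner confirms, which is the process gap the post describes rather than a tooling gap.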

But is it a tool problem?

I do not think so. We got into this situation because of a lack of processes and/or a lack of enforcement of those processes. None of the NHI problems mentioned above are new; they have existed for many years.

For every problem, the actions that resolve it fall into the following areas:

  • People
  • Processes
  • Tool

As I mentioned above, we already have tools that highlight all of these problems. Resolving them is now a matter of People and Processes. We must establish and enforce processes that govern the NHI area. A tool can help by providing relevant insights, but it cannot fix the problem by itself.

Conclusion

I think we do need this kind of hype around niche solutions and products, because it pushes vendors to improve their products, and in the end everyone wins.

But would I use such a solution? Most probably only in the case of an unlimited budget, which is a highly unlikely situation.