
BSides LV: How to control non-human identities before they control us


LAS VEGAS — Non-human identities (NHIs) are growing at an exponential rate, and we need to learn how to manage them before they get completely out of our control, security researcher Dwayne McDaniel said at the BSides Las Vegas hacker conference Monday.

"In 2022, CyberArk said that there was a 45-to-1 NHI-human ratio," McDaniel said. "In 2025, it might be closer to 100-to-1. It depends on which report you read."

The AI explosion, especially the imminent wave of AI agents, is making the problem even worse, he added.

"I have never seen people deploy so much stuff so fast," said McDaniel, a developer advocate at secrets manager GitGuardian. "Can we get ahead of this? Probably, but we've got to act quickly."

Counting shadows

Most organizations don't even know how many NHIs they have, and there's even debate about what constitutes an NHI. The Internet Engineering Task Force (IETF) prefers the term "workload" and defines it as "a running instance of software executing for a specific purpose."

McDaniel liked that definition, but there's also the simpler one used by the Open Web Application Security Project (OWASP): An NHI is an application that needs to be identified.

The consequences of not properly managing NHIs can be severe. Ninety-three percent of organizations had at least two identity-related breaches in a 12-month period spanning 2023-2024, and most of those identities weren't human, McDaniel said, citing a CyberArk report. ("I don't work for CyberArk," he admitted. "I just like their research.")

The rapid growth of NHIs, he added, makes it much easier for attackers to break into systems.

"I barely have to be functionally literate to put an API in the right place," McDaniel said. "I don't need to be a super hacker."

The problem of hardcoded credentials keeps getting worse. McDaniel's company, GitGuardian, found 23.77 million of them in public GitHub commits in 2024, a 25% increase from the previous year. And those hardcoded credentials aren't being erased — 70% of those found in 2022 were still valid in January 2025.

Those statistics shed light on the 2025 Verizon Data Breach Investigations Report (DBIR), which puzzlingly listed credential abuse as behind 22% of breaches, but phishing — also credential abuse — as behind 16%.

"Phishing is how you get human credential abuse," said McDaniel. "The rest is likely mostly NHIs."

The secrets that you keep

NHIs need to be identified and enumerated before they can be managed. Achieving 100% coverage might be impossible, McDaniel admitted, but there's an indirect way to count and control most NHIs: you can identify and manage their credentials, which McDaniel called "secrets" even though he admitted the term isn't technically accurate.

"What if we just map out all the secrets?" he asked. "That will get us most of the NHIs."
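As an added illustration of this approach (example code written for this article, not from McDaniel's talk or from GitGuardian's tooling), the script below scans a small constructed set of repository files for a few credential shapes, keeps only a hash of each secret rather than its plaintext, collapses repeated occurrences into one NHI record, and reports which records have no assigned owner. The file contents, the owner table and the three credential patterns are all constructed assumptions; a real scanner covers far more formats.

```python
import hashlib
import re

# Credential shapes to look for (constructed, deliberately short list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_password": re.compile(r'(?i)(?:password|passwd|pwd)\s*[=:]\s*[\'"]?([^\s\'"]{8,})'),
}

def fingerprint(secret: str) -> str:
    """Non-reversible handle for a secret so the inventory never stores plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def find_secrets(files):
    """Scan {path: text} and return one dict per hit: kind, fingerprint, path, line."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    secret = m.group(1) if m.groups() else m.group(0)
                    hits.append({"kind": kind, "fp": fingerprint(secret),
                                 "path": path, "line": lineno})
    return hits

def inventory_nhis(hits, owners):
    """One NHI record per distinct credential; owner looked up by fingerprint (None if unassigned)."""
    nhis = {}
    for h in hits:
        entry = nhis.setdefault(h["fp"], {"kind": h["kind"], "locations": [],
                                          "owner": owners.get(h["fp"])})
        entry["locations"].append(f'{h["path"]}:{h["line"]}')
    return nhis

def unowned(nhis):
    """Fingerprints of NHIs nobody has claimed: the first remediation queue."""
    return sorted(fp for fp, e in nhis.items() if e["owner"] is None)

# Constructed sample repository contents (fake values, not real credentials).
SAMPLE_FILES = {
    "deploy/config.env": 'AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\nDB_PASSWORD="hunter2hunter2"\n',
    "scripts/release.sh": "export GH_TOKEN=ghp_" + "a" * 36 + "\n",
    "ci/old_pipeline.yml": "  aws_key: AKIAABCDEFGHIJKLMNOP   # same key reused here\n",
}
# Constructed owner table: only the AWS key has a named owner.
OWNERS = {fingerprint("AKIAABCDEFGHIJKLMNOP"): "platform-team"}

if __name__ == "__main__":
    nhis = inventory_nhis(find_secrets(SAMPLE_FILES), OWNERS)
    for fp, e in nhis.items():
        print(fp, e["kind"], e["owner"] or "UNOWNED", e["locations"])
```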

Top cloud service providers (CSPs) like Amazon Web Services, Azure and Google Cloud Platform offer secrets management, but McDaniel warned that they work well only if you're using a single CSP. For hybrid or multi-cloud environments, he recommends using a commercial solution like those from Hashicorp, CyberArk or Doppler.

Industry standards to manage NHIs are also being developed, McDaniel said. The Cloud Native Computing Foundation has the Secure Production Identity Framework for Everyone (SPIFFE) and its complementary standard, the SPIFFE Runtime Environment (SPIRE), but McDaniel noted that these naturally apply mainly to cloud environments.

The Internet Engineering Task Force has developed Workload Identity in Multi-System Environments (WIMSE), which should work for on-prem and hybrid environments, and there's also the Kubernetes-specific Kubelet.

McDaniel recommended following the activities of the Non-Human Identity Management Group, which is establishing best practices for NHI management.

There's also a lot that can be done at the organizational level. He recommends designating explicit "owners" of identity management systems, because many organizations haven't done that.

"Ask an IT team: Who owns AD [Active Directory]? Who owns Okta? Many won't have an answer," McDaniel said. "We can spend all the money in the world on EDR, but if we can't control the identities, we've lost."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
