Six ways to secure NHIs as AI use expands 

COMMENTARY: Generative AI (GenAI) has rapidly become a game-changer, transforming industries – particularly in technology and cybersecurity – as companies rush to unlock its potential. Gartner predicts that by 2027, more than 50% of the GenAI models that enterprises use will be specific to either an industry or business function – up from a mere 1% in 2023.

Retrieval-augmented generation (RAG) architecture, which combines the power of large language models (LLMs) with domain-specific data to power chat or Q&A-based applications, has become the go-to foundation for enterprise GenAI implementations. With a RAG framework, companies can build applications that are highly customized to their workflows.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Despite the benefits, this comes with a host of challenges when it comes to data privacy, integrity, and security. That’s where organizations need to focus on proper non-human identity (NHI) management and governance.

Today, NHIs outnumber human identities on average by a factor of 20x in enterprise environments, according to recent ESG research. NHIs are a digital construct that describe the credentialed access leveraged for machine-to-machine communication. These identities include service accounts, tokens, access keys, and API keys. They are the most rapidly-expanding type of identity and the least governed attack surface for organizations.

While human identities are typically managed through well-established governance processes and mature governance and privileged access management (PAM) systems, NHIs often fly under the radar. Created by developers and DevOps teams directly within cloud platforms, SaaS applications, Kubernetes clusters, and CI/CD pipelines, NHIs frequently bypass standard IT workflows and security checks. Unmanaged NHIs can create hidden vulnerabilities that attackers can easily exploit. ESG research indicates that more than 46% of organizations have been subject to an NHI breach in the last 12 months.

The rapid and widespread creation of NHIs, combined with the lack of centralized tracking systems, leads to significant governance issues. This can result in severe security risks like data leaks and unauthorized access. Traditional security tools, such as PAM systems designed for human users, cannot track NHIs throughout their lifecycle or understand their relationships with applications, data, and other resources. Without this contextual understanding, PAM tools cannot effectively manage or secure the growing number of NHIs.

The risks around NHIs and RAG  

Data sources – and the corresponding access methods – are at the heart of many risks when it comes to NHIs and RAG. Storage accounts are often used as a repository for unstructured data, and leveraged in the implementation of RAG architecture-based applications. Exploring some of the access methods leveraged for storage accounts in cloud environments highlight the potential risks.

For example, Azure blob storage allows many forms of identity and access management, SAS tokens, service principals (Entra ID), and access keys. When configuring any of these access methods, it’s critical to apply the principle of least privilege and adhere to accepted best practices. Yet, it’s common to see very old and unrotated (full access by default) access keys, SAS tokens with privileged access and very long time-to-live (TTL), or with stale service principals or unrotated secrets are unrotated.

Secrets used to assume NHIs are sometimes stolen, accidentally exposed, or kept by former employees when they leave the company. They result in multiple risks to an application. Teams need to lock down, manage, and properly manage sensitive data and the identities used to access it. Improper hygiene of NHI can lead to data leakage, evidenced by recent high-profile security incidents.

Data poisoning also poses a unique risk in RAG architectures, where attackers can edit cloud-based data sources via NHIs. It’s also crucial to ensure the integrity of training data, as unauthorized additions or modifications can lead to incorrect or harmful outputs. Users increasingly rely on AI to complete day-to-day tasks; so decision-making based on responses generated from poisoned data could have devastating and far-reaching consequences.

Credential mismanagement represents another important issue. A study by the Ponemon Institute found that 60% of organizations do not regularly rotate credentials for non-human identities, such as service accounts and API keys. This lack of credential rotation significantly increases the risk of unauthorized access and security breaches. When credentials are not rotated regularly, they become vulnerable to exploitation by malicious actors who can use them to gain unauthorized access to systems and data. This can lead to data theft and system compromise.

What security pros can do

Enterprises and midmarket organizations alike must incorporate comprehensive NHI management into their security and identity programs to avoid potentially costly consequences. Some best practices to consider include the following:

The rise of GenAI and the adoption of RAG architectures have revolutionized the way businesses operate, offering unprecedented customization and efficiency. However, this advancement also points to the critical need for robust management and governance of NHIs. As NHIs proliferate, often outnumbering human identities, they present significant security challenges, including increased risks of unauthorized access and data breaches. Teams must implement stringent governance practices to protect the integrity of AI systems and secure sensitive data. By doing so, organizations can enjoy the full potential of AI, while maintaining trust and security.

Danny Brickman, co-founder and CEO, Oasis Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.