Adam Ochayon
Solution Architect
Published on
March 6, 2025
Non-Human Identities (NHIs) are everywhere and many security and identity teams are struggling to keep up. NHIs don’t follow standard onboarding or offboarding processes - they’re created on demand, often without centralized tracking, and they rarely expire. Without full visibility, organizations can’t enforce policies, detect anomalies, or mitigate risks.
As organizations are waking up to this massive risk, the hype around the NHI space is real. Many vendors are now claiming to offer “NHI Discovery” - but what are they really providing? In most cases, it is just a list of accounts, periodically updated.
The truth is, gathering a basic inventory of NHIs is usually not the hard part. For many environments, like Microsoft Entra ID, identifying service principals can be as simple as running a script like the one below:
# Install the Microsoft Graph PowerShell module if you haven't already
# https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation
# Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'Application.Read.All'
# -All pages through every result (without it only the first page is returned);
# -ConsistencyLevel eventual together with -CountVariable stores the total in $spCount
Get-MgServicePrincipal -All -ConsistencyLevel eventual -CountVariable spCount
This script will return all service principals and their count (stored in the variable spCount). While it offers a quick snapshot, it’s akin to knowing a list of names without understanding their roles, behavior patterns, or risk factors. Modern threats demand that we go beyond this superficial layer.
Discovering NHIs is only the first step. A basic inventory lacks the critical context needed to assess risk or take action.
Let's go back to the human world for a second. When securing human identities, you don’t just list users in Active Directory and call it a day. You create identity profiles with details such as their role, department, access privileges, and authentication requirements. NHIs require the same level of security intelligence.
To effectively secure NHIs, organizations must be able to answer “the 5 Ws” of identity context (in no particular order):
Ownership is the foundation of accountability and lifecycle management for NHIs. Without clear ownership, NHIs are:
Any remediation process must start with having a clear understanding of the accountable person or group, and maintaining an up-to-date mapping is paramount.
Just like human identities, not all NHIs pose the same level of risk. Some operate with minimal permissions, while others require highly privileged access, such as domain admin rights, full API permissions, or broad access to critical systems and sensitive data. If an attacker gains access to a highly privileged NHI, they can use it to move laterally, escalate privileges, and compromise additional systems.
Understanding an NHI’s privileges is therefore essential for assessing its security impact and necessity. Mapping out permissions and enforcing least privilege ensures that NHIs only have the access they require and nothing more, reducing potential attack vectors.
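The snippet below is an added example, not code from the original post, of what "mapping out permissions" looks like for the same Entra ID environment as the discovery script above: it resolves each service principal's granted application permissions (app role assignments) to their names, records any directory role memberships, and flags the principals that hold tenant-wide write access. The high-privilege permission list, the CSV path and the Directory.Read.All scope are my assumptions; adjust them to your tenant.

```powershell
# Added example (not from the original post): enumerate the application permissions
# and directory roles held by every service principal and flag the high-privilege ones.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# consent to Application.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Application permissions that on their own give broad control of the tenant or
# its data. Illustrative starting list (an assumption), not an exhaustive catalogue.
$highPrivilegeAppRoles = @(
    'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All',
    'User.ReadWrite.All',
    'Mail.ReadWrite',
    'Files.ReadWrite.All'
)

# An app role assignment only carries the role's GUID; translate it to the permission
# name by looking up the resource API's AppRoles (cached once per resource).
$resourceRoleCache = @{}
function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceRoleCache.ContainsKey($ResourceId)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property AppRoles
        $resourceRoleCache[$ResourceId] = @($resource.AppRoles)
    }
    $role = $resourceRoleCache[$ResourceId] | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { $role.Value } else { $AppRoleId }
}

# Entra directory role memberships held by service principals, keyed by object id.
$directoryRolesBySp = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal') {
            if (-not $directoryRolesBySp.ContainsKey($member.Id)) { $directoryRolesBySp[$member.Id] = @() }
            $directoryRolesBySp[$member.Id] += $role.DisplayName
        }
    }
}

$report = foreach ($sp in Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, ServicePrincipalType) {
    $perms = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { Resolve-AppRoleName -ResourceId $_.ResourceId -AppRoleId $_.AppRoleId })
    $roles = if ($directoryRolesBySp.ContainsKey($sp.Id)) { $directoryRolesBySp[$sp.Id] } else { @() }
    $flagged = @($perms | Where-Object { $highPrivilegeAppRoles -contains $_ })
    [pscustomobject]@{
        DisplayName            = $sp.DisplayName
        AppId                  = $sp.AppId
        Type                   = $sp.ServicePrincipalType   # Application, ManagedIdentity, Legacy, ...
        ApplicationPermissions = ($perms -join ';')
        DirectoryRoles         = ($roles -join ';')
        HighPrivilegePerms     = ($flagged -join ';')
        HighPrivilege          = ($flagged.Count -gt 0 -or $roles.Count -gt 0)
    }
}

# Full inventory with privilege context, plus the shortlist that needs a least-privilege review.
$report | Export-Csv -Path .\nhi-privileges.csv -NoTypeInformation
$report | Where-Object HighPrivilege | Sort-Object DisplayName |
    Format-Table DisplayName, Type, HighPrivilegePerms, DirectoryRoles -AutoSize
```

Two caveats for practitioners. First, this only covers what Entra ID itself knows about: application permissions and directory roles. Delegated permissions (OAuth2 permission grants), Azure RBAC role assignments on subscriptions and resources, and permissions inside SaaS applications are separate sources that have to be joined to the same inventory before an NHI's real blast radius is known. Second, a large tenant contains hundreds of Microsoft first-party service principals, so run the per-principal loop with a filter or from an export rather than interactively.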
Understanding when an identity was created and how its use has changed over time is crucial to managing its lifecycle. In particular, a change in activity (an identity that stops signing in, or one that starts signing in again after months of silence) can be flagged as a new risk or can trigger a lifecycle event such as a review, a credential rotation, or decommissioning.
For example, dormant or unused NHIs should be reviewed and removed to reduce the attack surface. Attackers actively seek out stale NHIs because they are less likely to trigger detection systems and may still have privileged access.
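As an added example (not the original post's code), the script below builds the "when" view for Entra service principals: creation date, last sign-in, and whether the credentials behind the principal are expired or unusually long-lived, and then lists the enabled principals that are dormant or have never signed in. It assumes the Microsoft.Graph.Beta.Reports module is installed, because service principal sign-in activity is only exposed through the beta endpoint, and that AuditLog.Read.All is granted; the 90-day dormancy and 365-day credential-lifetime thresholds are arbitrary policy choices used for illustration.

```powershell
# Added example (not from the original post): lifecycle context for each service
# principal - created date, last sign-in, expired or long-lived credentials - and
# a review list of dormant or never-used NHIs.
# Assumptions: Microsoft.Graph and Microsoft.Graph.Beta.Reports are installed; the
# beta servicePrincipalSignInActivity report is the source of last-sign-in data and
# needs AuditLog.Read.All. Thresholds below are illustrative policy values.
Connect-MgGraph -Scopes 'Application.Read.All', 'AuditLog.Read.All'

$dormantAfterDays  = 90
$maxCredentialDays = 365
$now = [datetime]::UtcNow

# Last sign-in per appId. No entry in the report means the principal never signed in.
$lastSignIn = @{}
foreach ($activity in Get-MgBetaReportServicePrincipalSignInActivity -All) {
    $lastSignIn[$activity.AppId] = $activity.LastSignInActivity.LastSignInDateTime
}

# Secrets and certificates live on the application object of app registrations owned
# by this tenant. Managed identities and apps registered in other tenants have none here.
$appCredentials = @{}
foreach ($app in Get-MgApplication -All -Property AppId, PasswordCredentials, KeyCredentials) {
    $creds = @($app.PasswordCredentials) + @($app.KeyCredentials) | Where-Object { $null -ne $_ }
    $appCredentials[$app.AppId] = @($creds)
}

$report = foreach ($sp in Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, ServicePrincipalType, CreatedDateTime, AccountEnabled) {
    $creds = if ($appCredentials.ContainsKey($sp.AppId)) { $appCredentials[$sp.AppId] } else { @() }
    $expired = @($creds | Where-Object { $_.EndDateTime -and $_.EndDateTime -lt $now })
    $longLived = @($creds | Where-Object {
        $_.StartDateTime -and $_.EndDateTime -and ($_.EndDateTime - $_.StartDateTime).TotalDays -gt $maxCredentialDays })
    $last = $lastSignIn[$sp.AppId]
    $status = if (-not $last) { 'never-used' }
              elseif (($now - $last).TotalDays -gt $dormantAfterDays) { 'dormant' }
              else { 'active' }
    [pscustomobject]@{
        DisplayName          = $sp.DisplayName
        Type                 = $sp.ServicePrincipalType
        Enabled              = $sp.AccountEnabled
        CreatedDateTime      = $sp.CreatedDateTime
        LastSignIn           = $last
        Status               = $status
        CredentialCount      = $creds.Count
        ExpiredCredentials   = $expired.Count
        LongLivedCredentials = $longLived.Count
    }
}

# Review candidates: enabled NHIs that are dormant or have never been used, stalest first.
$report | Where-Object { $_.Enabled -and $_.Status -ne 'active' } |
    Sort-Object LastSignIn |
    Format-Table DisplayName, Type, CreatedDateTime, LastSignIn, Status, ExpiredCredentials, LongLivedCredentials -AutoSize
```

A "never-used" principal that is also enabled and holds credentials is exactly the stale NHI the paragraph above describes: nobody will notice when it is used, and it may still be privileged. Treat a "dormant" verdict as a prompt for the owner to confirm or remove the identity rather than as an automatic disable, since a principal that only runs a quarterly job will look dormant for most of the year.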
Understanding where and how an NHI is being used, in other words its usage across consumers and resources, is critical for risk assessment, operational continuity, and security policy enforcement. NHIs are often embedded in business-critical workflows, such as scheduled operations, CI/CD pipelines, or automation scripts. If their dependencies are unknown, making security-driven changes such as disabling an account or rotating its secrets can lead to system outages, broken integrations, or failed security controls.
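The following is an added example, not code from the original post, of building that dependency map for one Entra service principal before disabling it or rotating its secret: it pulls the principal's non-interactive sign-ins from the sign-in logs and summarises which resources it calls, from which source addresses, how often, and with how many failures. It assumes Microsoft.Graph.Beta.Reports is installed (service principal sign-ins are only returned by the beta sign-in endpoint), AuditLog.Read.All is granted, and that $targetAppId is replaced with the real appId; the value below is a placeholder.

```powershell
# Added example (not from the original post): map where an NHI is actually used
# (resources called and source IPs) from Entra sign-in logs before changing it.
# Assumptions: Microsoft.Graph.Beta.Reports is installed, AuditLog.Read.All is granted,
# and $targetAppId is the appId of the principal under review (placeholder below).
Connect-MgGraph -Scopes 'AuditLog.Read.All'

$targetAppId = '00000000-0000-0000-0000-000000000000'   # placeholder appId, replace before use
$lookbackDays = 30
$since = [datetime]::UtcNow.AddDays(-$lookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Beta sign-in filter that selects service principal (non-interactive) sign-ins only.
$filter = "signInEventTypes/any(t: t eq 'servicePrincipal') and appId eq '$targetAppId' and createdDateTime ge $since"
$signIns = @(Get-MgBetaAuditLogSignIn -Filter $filter -All)

if ($signIns.Count -eq 0) {
    Write-Warning "No service principal sign-ins for appId $targetAppId in the last $lookbackDays days"
}
else {
    # One row per (resource, source IP) pair: each row is a consumer/resource dependency
    # that will break if the principal is disabled or its secret rotated without coordination.
    $signIns |
        Group-Object ResourceDisplayName, IPAddress |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object CreatedDateTime
            [pscustomobject]@{
                Resource  = $ordered[0].ResourceDisplayName
                SourceIP  = $ordered[0].IPAddress
                Count     = $_.Count
                FirstSeen = $ordered[0].CreatedDateTime
                LastSeen  = $ordered[-1].CreatedDateTime
                Failures  = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
            }
        } |
        Sort-Object Count -Descending |
        Format-Table -AutoSize
}
```

Two limits worth knowing. Entra keeps sign-in logs for a bounded window (30 days with a Premium license), so a long-term store such as Log Analytics or your SIEM is the right source for consumers that run less often than that. And a source IP identifies a network location, not a workload: several pipelines behind one NAT address will collapse into a single row, so the map is a starting point for the conversation with the owner, not a complete list of dependents.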
As the organization evolves, so do the identities powering its infrastructure. As systems move around, it becomes difficult to track what an account or identity is used for, whether it still requires the access it has, or whether it is still needed at all.
It is therefore essential to have a clear certification of business purpose, and to recertify accounts periodically so that the recorded purpose, owner and access stay accurate.
To recap - NHIs operate across on-premises, IaaS, PaaS and SaaS environments, each with different logging mechanisms, permission models, and governance challenges. Gaining context in a structured and normalized way across all of these environments, and revealing both known and previously unseen NHIs, is crucial to overcoming these challenges.
To achieve this, organizations must:
Discovering NHIs is an important first step, but without context, a simple list provides limited security value. Organizations must move beyond static inventories and address the “5 Ws” to strengthen their identity security posture and mitigate threats. NHIs should not be an afterthought in identity security strategies; they must be actively managed, monitored, and secured.