The Growing Risk of Non-Human Identities in Modern IT Environments

By Trevor Hilligoss, Chief Intelligence Officer, SpyCloud

Every digital initiative today – cloud migration, SaaS adoption, AI integration – relies on system connectivity behind the scenes. Applications sync data across platforms, pipelines move information between environments, and AI agents access internal tools to generate insights or automate work. None of this happens manually. It’s all powered by credentials like API keys, tokens, session credentials, and service accounts, which allow machines to authenticate and interact autonomously. 

These non-human identities (NHIs) have become the connective tissue of modern business, but they’re also expanding the identity attack surface and creating a new category of risk that many organizations are only beginning to understand. 

The Infrastructure You Don’t See

Unlike employees, NHIs aren’t visible in org charts or directories. They exist within the architecture itself, embedded in applications, integrations, and workflows. And they’re multiplying rapidly. Every time a team connects a SaaS platform, automates a business process, deploys a new microservice, or enables an AI tool or agent, it introduces new credentials into the environment. Individually, these identities are low-profile. Collectively, they form a vast, dynamic access layer that spans cloud, on-prem, and third-party systems.

From a business perspective, the rise of NHIs is a sign of progress. They enable speed, scalability, and efficiency. But from a security and risk perspective, this creates a sprawling identity layer that is difficult to inventory, govern, or secure consistently. Many of these identity artifacts are created outside traditional security workflows, which creates a fragmented environment where access is provisioned inconsistently, permissions accumulate over time, and credentials remain active long after their purpose has changed. 

Why Machine Identities Are Becoming a Prime Target

For attackers, the same complexity is opportunity. Instead of going after employees, they go after the credentials machines use to operate on their own. These are worth the effort: they offer direct, programmatic access, they often aren’t covered by the authentication controls built for human users, and they connect systems in ways that make lateral movement easy. Compromise one and you frequently unlock a chain of others.

AI agents and orchestration platforms raise the stakes. To do their jobs, they tend to hold broad access across email, collaboration tools, cloud infrastructure, internal databases, and third-party apps. Many companies have moved quickly in adopting AI agents to increase productivity and collaboration, but the security implications are often overlooked in this rapid speed to adopt. 

TeamPCP, the financially motivated group Google tracks as UNC6780, used stolen GitHub Personal Access Tokens to compromise Checkmarx KICS as part of its software supply-chain campaign. Other groups are stealing AI API keys and running up large compute bills on the victim’s account. And abuse of package-registry publishing tokens is surging again.

Visibility Remains the Biggest Challenge

The hardest part is knowing what exists. There’s rarely a central inventory of non-human identities. The information sits scattered across cloud platforms, SaaS apps, CI/CD pipelines, and internal scripts, and where it’s tracked at all, it’s often a spreadsheet or team-level knowledge that goes stale fast. Without a single view, most organizations can’t answer basic questions: how many machine identities are active, what they can reach, and which ones anyone still needs. That gap makes it hard to line security up against real business risk, and it leaves access pathways open that no one is watching.

Extending Identity Management to Machines

Extend the IAM program you already have to cover machine identities rather than standing up something separate. Treat NHIs as first-class identities and govern them the way you govern people: clear ownership, a defined lifecycle, and accountability. Then map how they interact across applications instead of tracking each one in isolation, so you can see where risk concentrates.

Build controls into the architecture itself. Perimeter defenses aren’t enough on their own, so constrain how each credential can be used by scoping it to a specific environment or workload. And move monitoring past whether access was authorized toward whether an identity’s behavior has changed in a way that signals operational risk.

The Business Implication

Non-human identities multiply business risk, and the last year keeps proving it.

In August 2025, attackers stole OAuth tokens from Salesloft’s Drift chatbot integration and used them to pull data from more than 700 Salesforce organizations. Nobody cracked a password or exploited a flaw in Salesforce. The tokens were valid, so the access looked legitimate, and the attackers used it to comb support records for AWS keys and Snowflake credentials that could open the next door. One compromised vendor integration became a problem for hundreds of downstream companies.

In May 2026, a GitHub employee installed a poisoned VS Code extension that harvested the access tokens sitting in their local environment. The group behind it, TeamPCP, used those credentials to clone roughly 3,800 of GitHub’s internal repositories, then listed the source code for sale and demanded payment to keep it private. The way in was one developer’s tool. The damage ran entirely on stolen machine credentials.

Neither attack needed a person to type a password. That’s the shape of the risk. NHIs power the integrations and automation that make a company faster, and they open the same pathways that expose data, halt operations, or carry a breach from one system into the next. That layer keeps growing as companies add AI agents, automation, and connected platforms. The companies that handle it well will manage it as core infrastructure, with the same ownership, funding, and scrutiny they give any system that runs the business.

Trevor Hilligoss is the Chief Intelligence Officer at SpyCloud, where he is the head of their in-house security research team, SpyCloud Labs, and oversees the company’s global intelligence strategy, advancing research into cybercriminal tactics, and driving the exposed data collection that fuels identity-based attacks.

Trevor’s background, including experience with the FBI and the U.S. Army, informs his approach to translating raw data into actionable insights that strengthen defenses, support responsible disclosures, and enable proactive identity threat prevention.  

error: Content is protected !!