Key Takeaways
- Non-human identities (NHIs) now vastly outnumber human users and are growing at a much faster rate, creating a significant and under-governed attack surface.
- Attackers increasingly use social engineering, like voice phishing (vishing), to bypass human defenses and gain access to machine-layer credentials.
- Most NHIs operate with excessive permissions and lack proper lifecycle management, contributing to accumulated “identity debt.”
- Traditional security tools fail to detect threats in the machine layer because NHIs behave differently from human users.
- Organizations must shift from prevention-first strategies to recovery-first approaches, prioritizing rapid detection and rollback of identity-based attacks.
For the past decade, enterprise security investment has followed the human. Better authentication. Stronger multi-factor authentication (MFA). Phishing simulation. Identity-centric architecture. These investments were the right response to the threat landscape at the time.
The threat landscape has moved.
Today’s most sophisticated adversaries aren’t trying to defeat your MFA. They’re using it as a door. A convincing phone call to your IT help desk, an MFA reset, and a compromised human account – that’s the entry. What they’re actually after is what’s behind it: the sprawling, under-governed layer of NHIs that connects every system in your environment.
The Scale of the Problem Is Staggering
Service accounts, API keys, OAuth tokens, AI agents – NHIs now outnumber human users by a ratio of 144 to 1, and they’re growing 4 to 10 times faster than human accounts. Yet fewer than 25% of organizations have formal policies governing their creation or decommissioning. Nearly all of them carry excessive permissions – rights that far exceed what their function requires.
This isn’t a new risk that suddenly appeared. It’s accumulated identity debt: years of provisioning without governance, automation without accountability, cloud expansion without visibility. And adversaries have noticed.
Vishing Is the Entry Point
Groups like ShinyHunters and Scattered Spider – operating under what researchers call the Scattered LAPSUS$ Hunters (SLH) cluster – have industrialized social engineering to exploit exactly this gap. Voice phishing rose 449% in 2025. These aren’t opportunistic calls. They’re coordinated operations: purpose-built scripts, recruited callers, financial incentives of up to $1,000 per successful help desk impersonation.
The call isn’t the attack. The call is the credential reset that gets an attacker past the human perimeter. The attack begins when they migrate to the machine layer – stealing OAuth tokens, creating administrative service accounts, embedding access into credentials that are rarely monitored and almost never rotated.
The human account gets remediated. The machine-layer access persists. The attacker has already moved on.
Three Vulnerabilities that Traditional Controls Can’t See
Standard security tools are designed around human behavior. They flag anomalous logins, unusual geolocation, suspicious email traffic. NHIs operate differently, and that difference is the blind spot.
OAuth abuse, for instance, looks like normal API traffic – even after a password reset. Thousands of undocumented service accounts operate in large enterprises with administrative privileges, often long after the projects that created them ended. Long-lived API keys embedded in DevOps pipelines carry broad access with no device context and no login alert.
MFA doesn’t cover them. Endpoint detection doesn’t see them. Email filtering is irrelevant to them.
The Framework Shift: From Prevention-First to Recovery-First
The logical response to a threat that often evades traditional detection is to stop assuming you can prevent every intrusion and start designing for rapid recovery from the ones that succeed.
That means treating NHIs as Tier 0 assets – applying the same governance controls used for domain administrators or for the human identities that manage cloud control planes. It means replacing static secrets with short-lived tokens and automatic rotation.
It also means correlating cross-domain signals: a help desk interaction followed by an MFA reset followed by a new token creation is a high-confidence indicator of compromise, and catching it early is the difference between containment and a prolonged breach. It means mapping NHIs to human identities for accountability.
Most importantly, it means having the capability to detect unauthorized privilege escalations and roll back malicious identity changes in real time – returning the environment to a known-trusted state before the damage extends.
Prevention still matters. But given the governance gap many organizations are carrying, recovery speed is becoming a primary resilience metric. Organizations should build identity programs designed for the attacks that are already happening, not the ones that were common five years ago.
Visit the Readiverse and check out our eBook The Non-Human Identity Crisis, which explores the full scope of the machine attack surface and the framework for identity resilience.
FAQs
Q1: What are non-human identities (NHIs)?
A: NHIs include service accounts, API keys, OAuth tokens, and AI agents that allow systems and applications to interact. Unlike human users, they often operate automatically and at scale, making them harder to monitor and control.
Q2: Why are NHIs considered a security risk?
A: NHIs often have excessive permissions and lack proper governance, making them attractive targets for attackers. Because they are rarely monitored or rotated, compromised credentials can persist undetected for long periods.
Q3: How do attackers exploit NHIs?
A: Attackers typically gain initial access through social engineering, such as voice phishing, then pivot to the machine layer. They steal tokens, create new service accounts, or embed persistent access in credentials that are not closely monitored.
Q4: Why don’t traditional security tools detect these threats?
A: Most security tools are designed to track human behavior, such as login anomalies or phishing attempts. NHIs generate normal-looking system traffic, which allows malicious activity to blend in with legitimate operations.
Q5: What is meant by a “recovery-first” security approach?
A: A recovery-first approach focuses on quickly detecting breaches and restoring systems to a trusted state rather than assuming all attacks can be prevented. This includes identifying unauthorized changes and rolling them back in real time.
Q6: How can organizations improve NHI security?
A: Organizations can treat NHIs as critical assets, implement strict governance policies, replace static credentials with short-lived tokens, and correlate signals across systems. Mapping NHIs to human owners also improves accountability and oversight.
Vidya Shankaran is Field CTO at Commvault.