Identity management has long been a pillar of any sound cybersecurity program, ensuring that only authorized persons and machines have access to specific data and systems. Today, the rapid adoption of artificial intelligence (AI) is complicating the management of machine identities, making the appearance of the OWASP Non-Human Identities Top 10 very timely.
Dwayne McDaniel, a developer advocate at GitGuardian, said this is an interesting time in the history of computer science. Over the last 30 to 40 years, security teams have been credentialing machines — workloads, identities, workloads, servers — as if they were humans. But machines aren't human — and that's where a new set of problems arises, he said.
"With humans, we can do things like multifactor authentication and all sorts of fun stuff like biometrics. Non-human identities don't have that advantage because, well, they're not people. You can't multifactor-authenticate a workload in a Kubernetes cluster."
–Dwayne McDaniel
The Open Worldwide Application Security Project's Non-Human Identities Top 10 calls attention to non-human identities (NHIs) in the age of AI. Here's what you need to know — and why you need a comprehensive approach to AI security.
[ See Special Report: Secure Your Organization Against AI/ML Threats ]
How OWASP boosts AI security with the NHI Top 10
While the NHI list overlaps with other OWASP lists, it’s necessary because of the risk coming from today's AI and soon to come from agentic AI, which involves agents automatically carrying out tasks, said Tal Skverer, lead researcher at the security firm Astrix.
“The growing threats around NHIs warrant a dedicated list. Identifying these risks helps bridge the knowledge gap for developers who may not be familiar with this emerging security area.”
—Tal Skverer
Gene Spafford, a computer science professor at Purdue University and a member of the Cyber Security Hall of Fame, noted that OWASP's NHI list recasts an old and well-known problem in cybersecurity: access control.
“Traditionally, it has been phrased as relationships between subjects and objects, where the subject can be a person, program, or agent of some kind. Sadly, many current practitioners do not seem to be aware of the considerable body of literature on access control.”
—Gene Spafford
Why a standardized approach is needed for AI security
OWASP projects historically have driven standardization, which is still lacking when it comes to protecting NHIs, Skverer said. Elad Luz, head of research at Oasis Security, explained that the cybersecurity industry needs field experts to set the stage for discussing the most critical risks tied to NHIs.
“This list provides organizations with a structured starting point, helping them understand these risks, assess their potential impact, and prioritize those that are most relevant to their environment. Without a standardized approach, many companies might overlook or underestimate how NHIs contribute to security gaps, leaving them exposed to threats they may not even be aware of.”
—Elad Luz
Thomas Richards, network and red-team practice director at Black Duck Software, said the NHI Top 10 list classifies vulnerabilities that impact modern software development lifecycles. While organizations have processes focused on managing user accounts, he continued, those processes don’t typically apply to system accounts. “Now they do need to include them for management,” he said.
“APIs, servers, and applications often require keys and tokens to communicate securely, and improperly managing these can lead to a breach. Many of these we have discovered during contracted penetration tests, and we were able to use them to compromise additional portions of the network or applications.”
—Thomas Richards
This NHI list provides a long-overdue road map
Akhil Mittal, a senior manager at Black Duck, said that a single overlooked API key can unlock an entire network, and a build pipeline pull can poison container images because no one checked whether it was safe.
“These issues often stay hidden until it’s too late. The new OWASP list will force us to shine a light on things like hardcoded credentials, overly broad permissions, and unmonitored AI systems. It’ll help us fix what we usually miss.”
—Akhil Mittal
He said the OWASP Top 10 list for NHIs was long overdue. “It’ll give security pros a road map to handle the new wave of machine-driven threats,” he said.
“Our invisible workforce isn’t going anywhere, so it’s time to protect it. The next big breach could start with a single forgotten token or an AI script no one was watching. If we don’t act, we’ll learn the hard way. By giving these identities real oversight, we make modern development both faster and safer.”
—Akhil Mittal
The NHI Top 10 and emerging risks
While the OWASP Top 10 covers many critical areas, Mittal said, emerging risks should also be considered. For example, ephemeral environments — where containers or serverless functions exist only for short periods — often escape standard security checks.
As AI technology advances, new AI-specific vulnerabilities are becoming more prevalent, he said. “Including these factors will ensure the list remains comprehensive and up to date with the latest threats,” Mittal said.
Eric Schwake, director of cybersecurity strategy at Salt Security, said the new OWASP list is a good start, but he cautioned not to rely on it too heavily.
“This list is not all-inclusive and might overlook some potential dangers. Organizations need to assess their unique context and industry to uncover additional risks that could impact their operations.”
—Eric Schwake
What's next for the NHI Top 10
Kevin Bocek, chief innovation officer at the machine identity-protection company Venafi, praised the items on the NHI top list as “spot on.”
“Are there going to be more machines? Yes. Are there going to be more APIs, microservices? Yes. Are the adversaries going to abuse those? Yes. So this top 10 is important. It's really great at its core. It's great hygiene. I think security teams can start to judge themselves by it.”
—Kevin Bocek
However, Bocek said, the next version of the OWASP NHI Top 10 list should emphasize machine entities more. “The non-human identities that matter are machines,” he noted. “I think it would help to focus on machine identity.”
He also suggested that the list look beyond the present, given that the next generation of AI is just around the corner.
"This list is focused on what we're using today as machine identities, things like API keys, access tokens. As we go ahead to the future, there are new types of machine identities that are short-lived being issued by a business. These are oftentimes referred to as 'workload identities.' I would like to see workload identities added.”
—Kevin Bocek
Oasis Security’s Luz said NHI security is no longer just about reducing attack risk; it’s now a compliance issue as well. He said that governance requirements for NHIs are starting to appear in regulatory frameworks and industry standards, meaning organizations that fail to implement proper attestation, ownership assignment, and access reviews could face compliance violations.
“This shift highlights the growing recognition that machine identities require the same level of oversight as human identities to meet security and regulatory expectations.”
—Elad Luz
