Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure for Software Supply Chain Security
Get Free TrialMore about Spectra Assure Free TrialOWASP tackles AI security with new NHI Top 10: What you need to know
Identity management is key for security, but AI is bringing a lot more non-humans into the mix. The OWASP list calls attention to this. Here are the top takeaways.
Identity management has long been a pillar of any sound cybersecurity program, ensuring that only authorized persons and machines have access to specific data and systems. Today, the rapid adoption of artificial intelligence (AI) is complicating the management of machine identities, making the appearance of the OWASP Non-Human Identities Top 10 very timely.
Dhaval Shah, Senior Director of Product Management at ReversingLabs, said non-human identities (NHIs) are critical for AI, in the following areas:
- Automation: NHIs enable automated processes, CI/CD pipelines, and system-to-system communications.
- Scalability: They allow applications to handle large-scale operations without human intervention.
- Integration: NHIs facilitate seamless integration between different services and APIs.
- Efficiency: They reduce the need for manual intervention in routine tasks, improving overall system efficiency.
However, NHIs are also ripe for exploitation by malicious actors. Shah said AI- and ML-driven agents often require large volumes of data from multiple services, potentially demanding more extensive privileges or rapid scaling of ephemeral identities. And because these AI agents might spin up microservices on-demand, or orchestrate complex workflows automatically, they pose a threat, he said.
Shah said this new reality immediately expands the risk surface, in the following areas:
- Scale and velocity: More automated processes running in parallel, each generating or requiring tokens.
- Potential for self-Replication or autonomous decision making: If an AI system is compromised, it can pivot or escalate privileges autonomously.
- Complex debugging and logging: AI-driven processes can be more difficult to trace, further complicating auditing and incident response.
Dwayne McDaniel, a developer advocate at GitGuardian, said this is an interesting time in the history of computer science. Over the last 30 to 40 years, security teams have been credentialing machines — workloads, identities, workloads, servers — as if they were humans. But machines aren't human — and that's where a new set of problems arises, he said.
Dwayne McDanielWith humans, we can do things like multifactor authentication and all sorts of fun stuff like biometrics. Non-human identities don't have that advantage because, well, they're not people. You can't multifactor-authenticate a workload in a Kubernetes cluster.
The Open Worldwide Application Security Project's new Non-Human Identities Top 10 aims to raise awareness of risk from NHIs in AI systems. Here's what you need to know.
Get White Paper: How the Rise of AI Will Impact Software Supply Chain Security
How OWASP boosts AI security with the NHI Top 10
While the NHI list overlaps with other OWASP lists, it’s necessary because of the risk coming from today's AI and soon to come from agentic AI, which involves agents automatically carrying out tasks, said Tal Skverer, lead researcher at the security firm Astrix.
Tal SkvererThe growing threats around NHIs warrant a dedicated list. Identifying these risks helps bridge the knowledge gap for developers who may not be familiar with this emerging security area.
Gene Spafford, a computer science professor at Purdue University and a member of the Cyber Security Hall of Fame, noted that OWASP's NHI list recasts an old and well-known problem in cybersecurity: access control.
Gene SpaffordTraditionally, it has been phrased as relationships between subjects and objects, where the subject can be a person, program, or agent of some kind. Sadly, many current practitioners do not seem to be aware of the considerable body of literature on access control.
Why a standardized approach is needed for AI security
OWASP projects historically have driven standardization, which is still lacking when it comes to protecting NHIs, Skverer said. Elad Luz, head of research at Oasis Security, explained that the cybersecurity industry needs field experts to set the stage for discussing the most critical risks tied to NHIs.
Elad LuzThis list provides organizations with a structured starting point, helping them understand these risks, assess their potential impact, and prioritize those that are most relevant to their environment. Without a standardized approach, many companies might overlook or underestimate how NHIs contribute to security gaps, leaving them exposed to threats they may not even be aware of.
Thomas Richards, network and red-team practice director at Black Duck Software, said the NHI Top 10 list classifies vulnerabilities that impact modern software development lifecycles. While organizations have processes focused on managing user accounts, he continued, those processes don’t typically apply to system accounts. “Now they do need to include them for management,” he said.
Thomas RichardsAPIs, servers, and applications often require keys and tokens to communicate securely, and improperly managing these can lead to a breach. Many of these we have discovered during contracted penetration tests, and we were able to use them to compromise additional portions of the network or applications.
This NHI list provides a long-overdue road map
Akhil Mittal, a senior manager at Black Duck, said that a single overlooked API key can unlock an entire network, and a build pipeline pull can poison container images because no one checked whether it was safe.
Akhil MittalThese issues often stay hidden until it’s too late. The new OWASP list will force us to shine a light on things like hardcoded credentials, overly broad permissions, and unmonitored AI systems. It’ll help us fix what we usually miss.
He said the OWASP Top 10 list for NHIs was long overdue. “It’ll give security pros a road map to handle the new wave of machine-driven threats,” he said.
Akhil MittalOur invisible workforce isn’t going anywhere, so it’s time to protect it. The next big breach could start with a single forgotten token or an AI script no one was watching. If we don’t act, we’ll learn the hard way. By giving these identities real oversight, we make modern development both faster and safer.
ReversingLabs' Shah said modern applications rely heavily on “non-human” or machine-based identities (e.g., service accounts, CI/CD pipeline tokens, API keys, robotic process automation accounts). These identities often outnumber human identities. Yet, historically, most security best practices and awareness programs have targeted human users, leaving machine identities less scrutinized, he said.
And NHIs behave differently from human users in the following ways:
- They may require privileged access across multiple systems.
- They often operate continuously and at high scale without human oversight.
- They can be ephemeral or auto-generated, complicating standard identity management.
Shah said these differences make NHI a challenge for security teams — one that needs to be addressed.
Dhaval ShahThis new OWASP list highlights these unique risks so that security and development teams can address them explicitly.
The NHI Top 10 and emerging risks
While the OWASP Top 10 covers many critical areas, Mittal said, emerging risks should also be considered. For example, ephemeral environments — where containers or serverless functions exist only for short periods — often escape standard security checks.
As AI technology advances, new AI-specific vulnerabilities are becoming more prevalent, he said. “Including these factors will ensure the list remains comprehensive and up to date with the latest threats,” Mittal said.
Eric Schwake, director of cybersecurity strategy at Salt Security, said the new OWASP list is a good start, but he cautioned not to rely on it too heavily.
Eric SchwakeThis list is not all-inclusive and might overlook some potential dangers. Organizations need to assess their unique context and industry to uncover additional risks that could impact their operations.
What's next for the NHI Top 10
Kevin Bocek, chief innovation officer at the machine identity-protection company Venafi, praised the items on the NHI top list as “spot on.”
Kevin BocekAre there going to be more machines? Yes. Are there going to be more APIs, microservices? Yes. Are the adversaries going to abuse those? Yes. So this top 10 is important. It's really great at its core. It's great hygiene. I think security teams can start to judge themselves by it.
However, Bocek said, the next version of the OWASP NHI Top 10 list should emphasize machine entities more. “The non-human identities that matter are machines,” he noted. “I think it would help to focus on machine identity.”
He also suggested that the list look beyond the present, given that the next generation of AI is just around the corner.
Kevin BocekThis list is focused on what we're using today as machine identities, things like API keys, access tokens. As we go ahead to the future, there are new types of machine identities that are short-lived being issued by a business. These are oftentimes referred to as 'workload identities.' I would like to see workload identities added.
Oasis Security’s Luz said NHI security is no longer just about reducing attack risk; it’s now a compliance issue as well. He said that governance requirements for NHIs are starting to appear in regulatory frameworks and industry standards, meaning organizations that fail to implement proper attestation, ownership assignment, and access reviews could face compliance violations.
Elad LuzThis shift highlights the growing recognition that machine identities require the same level of oversight as human identities to meet security and regulatory expectations.