May 26, 2025

Tackling the OWASP top 10 NHI risks for 2025

Non-human identities like service accounts, API keys, and machine tokens now outnumber human ones in most systems. In 2025, OWASP released a new top 10 list highlighting the most critical security risks tied to NHIs. This blog unpacks each risk and provides clear, practical steps to reduce exposure.

Key takeaways

  • OWASP’s 2025 top 10 NHI risks highlight the most common threats to machine identities, including leaked secrets, overprivileged accounts, and long-lived tokens.
  • If left unaddressed, these risks can lead to breaches, especially in environments where access isn’t scoped or credentials are reused.
  • Teams can reduce exposure to risks by rotating secrets frequently, enforcing least privilege, isolating environments, and managing machine identities through a centralized secrets manager.

Every system you build creates a shadow network of machine identities. API keys, service accounts, tokens, and SSH keys quietly authenticate and interact without oversight. These non-human identities (NHIs) now outnumber human ones, and many are forgotten.

Most teams don’t know how many exist. Fewer still know which ones are overprivileged, reused, or lingering long after they should have been revoked. And when one leaks, attackers move without asking questions.

OWASP’s new 2025 top 10 list of NHI security risks reveals how deep this hole already goes. This article unpacks each risk and shows how to stop your systems from bleeding access in the dark.

Understanding and mitigating the OWASP top NHI risks for 2025

The OWASP top 10 isn’t a warning against using NHIs. It’s a guide developed by the Open Worldwide Application Security Project (OWASP), a nonprofit focused on improving software security. Each item highlights a pressing security risk tied to non-human identities, from access left open to secrets reused, to credentials exposed. What follows is a breakdown of the risks, what they look like in the wild, and how to shut them down before they spread.

Risk 1: Improper offboarding

Old tokens linger quietly in your systems, waiting to be misused. Maybe it belonged to a developer who left months ago. Perhaps it was tied to a deprecated service nobody touched again. Either way, it’s still active and still has access. One forgotten NHI is all it takes for an attacker to slip in undetected and move freely.

How to confront it:

  • Audit NHIs regularly. If you don’t know what it’s doing, shut it down.
  • Build automated processes for offboarding employees and decommissioning services.
  • Implement lifecycle policies to expire unused identities before they become liabilities.

Risk 2: Secret leakage

An API key tucked into a config file. Database credentials pushed through Git. A token passed over Slack “just this once.” These things happen until someone notices too late. Leaked secrets open the door to full system compromise, allowing attackers to access sensitive data, escalate privileges, and move freely across restricted systems.

How to confront it:

  • Replace long-lived secrets with short-lived, scoped alternatives.
  • Use a centralized secrets manager like Doppler to securely store, rotate, and access secrets.
  • Scan every commit, pipeline, and config file for exposed credentials every time.
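The third bullet is the one most teams skip because it sounds like a tooling problem, so here is what "scan every commit and config file" means in code. This is an added example written for this article, not Doppler's scanner or any code from the OWASP project: a small scanner that matches credential formats with documented prefixes (AWS access key IDs, GitHub classic tokens, PEM private-key headers) and falls back to an entropy check for generic `api_key = "..."` style assignments so that placeholders are not reported. The sample file is constructed; the AWS value is the placeholder key ID from AWS's own documentation, and the other values were made up for this example.

```python
import math
import re

# Formats with documented prefixes. AWS access key IDs begin with AKIA (long-term)
# or ASIA (temporary); GitHub classic personal access tokens begin with ghp_.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Catch-all for assignments such as api_key = "..." in .env, YAML or INI files.
# The value is group 2; it is only reported when its entropy is high enough
# that it looks like real key material rather than a placeholder.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})['\"]?"
)


def shannon_entropy(value):
    """Bits of entropy per character: random 32-char keys score around 4.9,
    English-looking placeholders well under 3.5."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Reports must never echo the full secret; keep just enough to locate it."""
    return value[:4] + "..." + value[-2:]


def scan_text(text, source="<stdin>", entropy_threshold=3.5):
    """Scan one file's contents; return findings as dicts (source, line, type, redacted match)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(name, m.group(0)) for name, pat in SPECIFIC_PATTERNS.items() for m in pat.finditer(line)]
        if not hits:  # only fall back to the generic rule when no known format matched
            for m in GENERIC_ASSIGNMENT.finditer(line):
                if shannon_entropy(m.group(2)) >= entropy_threshold:
                    hits.append(("high_entropy_assignment", m.group(2)))
        for name, value in hits:
            findings.append({"source": source, "line": lineno, "type": name, "match": redact(value)})
    return findings


# Constructed sample file. The AWS value is the placeholder key ID used in AWS's own
# documentation, not a live credential; the other values were made up for this example.
SAMPLE_CONFIG = """\
# constructed .env fragment
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "changemechangeme"
api_key = "q7Vx2mP9sL4kR8tN1wZ6yB3cF5hJ0dG2"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, source="app.env"):
        print(f"{f['source']}:{f['line']}: {f['type']} ({f['match']})")
```

Run it as a pre-commit hook or a pipeline step over every changed file and fail the build on any finding; the entropy threshold is the knob to tune if your placeholders are unusually random-looking, and the redaction is deliberate so that the scanner's own output does not become a second leak.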

Risk 3: Vulnerable third-party NHIs

Third-party tools often receive NHIs to integrate with internal systems, perform specific tasks, or pull data from production. But when one of those tools is compromised, the fallout spreads fast. A single exposed token can become a foothold, turning their breach into an internal one.

How to confront it:

  • Use short-lived, scoped credentials when connecting to third-party tools.
  • Rotate credentials regularly, even if the vendor doesn’t require it.
  • Limit third-party access to the minimum necessary and monitor their activity continuously.

Risk 4: Insecure authentication

Old authentication methods can stick around long after they stop being safe. NHIs that still rely on outdated techniques such as basic authentication (a Base64-encoded username and password sent with every request, which is reversible encoding, not encryption) or static credentials leave systems exposed. Because these credentials are static and trivially decoded once intercepted or logged, they give attackers a straightforward way past defenses.

How to confront it:

  • Phase out outdated authentication methods like basic auth and static tokens.
  • Adopt modern alternatives such as OAuth 2.1 and OpenID Connect (OIDC).
  • Regularly review NHI authentication flows to identify weak spots before attackers do.

Risk 5: Overprivileged NHI

In the rush to deploy, permissions are often left wide open. NHIs created for testing or early development stages can end up with more access than needed, and those permissions quietly follow them into production. This overreach is one of the most common breakdowns in non-human identity security. If one of those identities is compromised, the blast radius is far greater than anyone expected.

How to confront it:

  • Follow the principle of least privilege for every NHI from day one.
  • Re-audit permissions before pushing to production.
  • Apply zero trust policies to ensure every request is verified with no assumptions.

Risk 6: Insecure cloud deployment configurations

CI/CD pipelines rely on service accounts to deploy code, manage infrastructure, and trigger automated tasks across cloud environments. But when those accounts rely on hardcoded credentials stored in config files or exposed through logs, they become high-value targets. A single leaked key can bypass MFA, reach production, and undo months of solid security work.

How to confront it:

  • Replace static credentials with short-lived tokens issued through OpenID Connect (OIDC) federation.
  • Use IAM roles with short-lived, scoped access for all pipeline operations.
  • Store and rotate secrets using a centralized secrets manager.
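Risks 4 and 6 both come down to replacing static credentials with federated, short-lived tokens, and the part teams most often get wrong is the trust policy on the receiving side: the cloud role will accept any token the CI provider signs unless the policy pins the audience and the subject. The following is an added example for this article, not code from Doppler, OWASP or any cloud provider's SDK. It evaluates a pipeline's OIDC ID token against a trust policy, with a strict policy beside an overly broad one. The policy structure is this example's own shorthand (assumed, not any provider's real syntax); the issuer URL and the `repo:org/repo:ref:refs/heads/main` subject format are GitHub Actions' documented ones; the audience value and all tokens are constructed. It assumes the token signature was already verified against the issuer's JWKS by a JWT library.

```python
import fnmatch
import time

# Illustrative trust policy for a CI/CD OIDC federation. The structure is this
# example's own shorthand, not any cloud provider's exact policy syntax:
# "string_equals" conditions require an exact claim value, "string_like" accepts
# glob patterns. The issuer URL and sub format are GitHub Actions' documented ones;
# the audience is a constructed value.
STRICT_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "string_equals": {"aud": ["sts.example.internal"]},
    "string_like": {"sub": ["repo:example-org/payments-api:ref:refs/heads/main"]},
}

# Same federation, but the subject condition was left broad: every repository in the
# organization, on any branch, can now assume the deployment role.
BROAD_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "string_equals": {"aud": ["sts.example.internal"]},
    "string_like": {"sub": ["repo:example-org/*"]},
}


def evaluate_trust(policy, claims, now=None):
    """Decide whether a verified ID token may assume the role.

    Assumes the token's signature has already been checked against the issuer's
    published JWKS by a JWT library; this function only evaluates the claims.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    exp = claims.get("exp")
    if exp is None or exp <= now:
        return False, "token expired or has no exp claim"
    for claim, allowed in policy.get("string_equals", {}).items():
        value = claims.get(claim)
        values = value if isinstance(value, list) else [value]  # aud may be a list (RFC 7519)
        if not any(v in allowed for v in values):
            return False, f"{claim} not in allowed values"
    for claim, patterns in policy.get("string_like", {}).items():
        value = claims.get(claim, "")
        if not any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return False, f"{claim} does not match any allowed pattern"
    return True, "ok"


NOW = 1_700_000_000  # fixed clock for the constructed tokens


def _token(sub, exp=NOW + 300):
    """Constructed claim set shaped like a CI provider's ID token (signature already verified)."""
    return {"iss": "https://token.actions.githubusercontent.com", "aud": "sts.example.internal",
            "sub": sub, "exp": exp}


MAIN_BRANCH = _token("repo:example-org/payments-api:ref:refs/heads/main")
FEATURE_BRANCH = _token("repo:example-org/payments-api:ref:refs/heads/feature-x")
OTHER_REPO = _token("repo:example-org/sandbox:ref:refs/heads/main")
EXPIRED = _token("repo:example-org/payments-api:ref:refs/heads/main", exp=NOW - 1)

if __name__ == "__main__":
    for name, tok in [("main", MAIN_BRANCH), ("feature", FEATURE_BRANCH), ("sandbox", OTHER_REPO), ("expired", EXPIRED)]:
        print(name, "strict:", evaluate_trust(STRICT_POLICY, tok, NOW), "broad:", evaluate_trust(BROAD_POLICY, tok, NOW))
```

The difference between the two policies is a single wildcard, and under the broad one a sandbox repository's pipeline gets the same production deployment role as the payments service. Review the `sub` condition of every federation with the same rigor you would apply to a static key's IAM permissions.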

Risk 7: Long-lived secrets

Secrets are meant to expire. But in many systems, credentials like API keys, tokens, and encryption keys live far longer than they should. Some don’t expire at all. Without strong security controls in place, these long-lived secrets are exposed, and attackers often get unlimited time to use them without setting off alarms.

How to confront it:

  • Use short-lived secrets wherever possible to reduce exposure time.
  • Automate secret rotation to prevent credentials from lingering.
  • Store and manage all secrets through a centralized system with access controls.
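Short-lived secrets and automated rotation only work together if rotation does not break whatever is mid-request when the key changes. The following is an added example written for this article, not Doppler's implementation or any code from OWASP: a token issuer that mints HMAC-signed tokens with a five-minute lifetime and rotates its signing key, keeping the previous key valid for a short grace period so in-flight tokens still verify, then dropping it for good. Everything here is constructed (the key ids, the deploy-bot subject, the timestamps); a real deployment would keep the keys in a secrets manager rather than in process memory.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RotatingSigner:
    """Issues short-lived HMAC-SHA256 tokens and rotates the signing key.

    Tokens carry the id of the key that signed them. After rotate(), the previous
    key keeps verifying for a grace period so in-flight work is not cut off, then
    it is dropped for good. Illustrative design for this example, not any
    product's implementation."""

    def __init__(self, ttl_seconds=300, grace_seconds=60, now=None):
        self.ttl = ttl_seconds
        self.grace = grace_seconds
        self.keys = {}        # key id -> 256-bit key
        self.retire_at = {}   # key id -> time after which the key is no longer accepted
        self.current_kid = None
        self.rotate(now)

    def rotate(self, now=None):
        """Generate a new signing key and schedule the old one for retirement."""
        now = time.time() if now is None else now
        if self.current_kid is not None:
            self.retire_at[self.current_kid] = now + self.grace
        # drop keys whose grace period has already ended
        for kid in [k for k, t in self.retire_at.items() if t <= now]:
            self.keys.pop(kid, None)
            self.retire_at.pop(kid, None)
        kid = secrets.token_hex(4)
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        return kid

    def issue(self, subject, scope, now=None):
        """Mint a token bound to a subject and scope that expires after ttl seconds."""
        now = int(time.time() if now is None else now)
        payload = {"sub": subject, "scope": scope, "iat": now, "exp": now + self.ttl, "kid": self.current_kid}
        body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        sig = _b64(hmac.new(self.keys[self.current_kid], body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify(self, token, now=None):
        """Return the payload if the token is authentic and unexpired, else None."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            payload = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        kid = payload.get("kid")
        key = self.keys.get(kid)
        if key is None:
            return None  # signed with a key we no longer (or never) trusted
        retire = self.retire_at.get(kid)
        if retire is not None and now > retire:
            return None  # grace period for a rotated key is over
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or forged
        if payload.get("exp", 0) <= now:
            return None  # short-lived by design: expired tokens are dead
        return payload


if __name__ == "__main__":
    signer = RotatingSigner(now=1_700_000_000)
    token = signer.issue("deploy-bot", "deploy:staging", now=1_700_000_000)
    print("fresh:", signer.verify(token, now=1_700_000_010) is not None)
    signer.rotate(now=1_700_000_030)
    print("within grace:", signer.verify(token, now=1_700_000_060) is not None)
    print("after grace:", signer.verify(token, now=1_700_000_100) is not None)
```

The two timers are independent: `ttl_seconds` bounds how long any one token is usable, and `grace_seconds` bounds how long a retired key is honored. Keep both short; a leaked token is only worth what an attacker can do before one of them runs out.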

Risk 8: Environment isolation

It’s common to reuse the same NHI across development, staging, and production. It’s also a mistake. A compromised key in a non-production environment can become a direct line to critical systems. Without isolation, even low-risk environments become attack surfaces.

How to confront it:

  • Use separate NHIs for each environment to contain breaches.
  • Retire test or staging credentials as soon as they are no longer needed.
  • Monitor usage patterns across environments to catch anomalies early.

Risk 9: NHI reuse

One breach quickly becomes many when the same NHI is used across multiple services or systems. An exposed token in one microservice can give attackers access to everything else it touches. Reuse might seem convenient, but it multiplies the blast radius.

How to confront it:

  • Assign a unique NHI to each service or component.
  • Avoid reuse unless necessary, and isolate reused identities with strict boundaries.
  • Regularly audit for reused credentials and break them apart where possible.
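Risks 1, 8 and 9 share one root cause: nobody has a complete, current inventory of NHIs, so nothing flags an identity whose owner has left, one that has never been used, or one secret quietly shared across environments or services. The following is an added example for this article, not Doppler's tooling or anything from the OWASP project: an audit over a constructed inventory that finds those three conditions and turns them into a revocation plan. It assumes an export that records an owner's status, a last-used timestamp and a fingerprint (a hash) of each secret, so reuse is detected without handling the secret values; the reference date, identities and fingerprints are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 5, 26, tzinfo=timezone.utc)  # fixed reference time for the constructed data

# Constructed inventory. In practice these rows come from the cloud IAM API and the
# secrets manager; "fingerprint" is a hash of the secret value, so reuse can be
# detected without ever handling the secret itself.
INVENTORY = [
    {"id": "svc-billing-prod", "owner": "alice", "owner_active": True, "env": "prod",
     "service": "billing", "last_used": NOW - timedelta(days=1), "fingerprint": "fp-1"},
    {"id": "svc-billing-staging", "owner": "alice", "owner_active": True, "env": "staging",
     "service": "billing", "last_used": NOW - timedelta(days=2), "fingerprint": "fp-1"},  # same secret as prod
    {"id": "svc-etl-prod", "owner": "bob", "owner_active": False, "env": "prod",
     "service": "etl", "last_used": NOW - timedelta(days=120), "fingerprint": "fp-2"},   # owner has left
    {"id": "svc-legacy-reporting", "owner": "carol", "owner_active": True, "env": "prod",
     "service": "reporting", "last_used": None, "fingerprint": "fp-3"},                   # never used
    {"id": "svc-search-prod", "owner": "dave", "owner_active": True, "env": "prod",
     "service": "search", "last_used": NOW - timedelta(days=3), "fingerprint": "fp-4"},
    {"id": "svc-indexer-prod", "owner": "dave", "owner_active": True, "env": "prod",
     "service": "indexer", "last_used": NOW - timedelta(days=3), "fingerprint": "fp-4"},  # shares search's secret
]


def audit(inventory, now=NOW, max_idle_days=90):
    """Return sorted (nhi_id, finding) pairs for offboarding, idleness and reuse."""
    findings = []
    by_fingerprint = defaultdict(list)
    for nhi in inventory:
        if not nhi["owner_active"]:
            findings.append((nhi["id"], "owner_offboarded"))
        last = nhi["last_used"]
        if last is None or (now - last).days > max_idle_days:
            findings.append((nhi["id"], "idle"))
        by_fingerprint[nhi["fingerprint"]].append(nhi)
    for group in by_fingerprint.values():
        if len(group) < 2:
            continue
        envs = {n["env"] for n in group}
        kind = "reused_across_environments" if len(envs) > 1 else "reused_across_services"
        findings.extend((n["id"], kind) for n in group)
    return sorted(findings)


def revocation_plan(findings):
    """Split findings into identities to revoke now and identities that need a
    fresh, unique secret (rotate, then update each consumer)."""
    revoke = {nhi_id for nhi_id, kind in findings if kind in ("owner_offboarded", "idle")}
    split = {nhi_id for nhi_id, kind in findings if kind.startswith("reused")} - revoke
    return sorted(revoke), sorted(split)


if __name__ == "__main__":
    found = audit(INVENTORY)
    for nhi_id, kind in found:
        print(f"{nhi_id}: {kind}")
    revoke, split = revocation_plan(found)
    print("revoke now:", revoke)
    print("issue unique secrets:", split)
```

Schedule this against a fresh export rather than a spreadsheet someone updates by hand, and treat an identity with no `last_used` at all the same as an idle one; "we might need it" is how a deprecated service's key ends up outliving the service by a year.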

Risk 10: Human use of NHI

Non-human identities are meant for automation, not manual work. But when engineers start using them to bypass user controls or speed up tasks, it muddies the audit trail. It becomes harder to tell whether an action came from a script or a person, and harder to respond when something goes wrong.

How to confront it:

  • Set clear policies that define when NHIs can and cannot be used.
  • Enforce audits that flag suspicious or out-of-scope activity.
  • Train teams to recognize the risks of misusing NHIs for manual access.
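An audit that "flags suspicious or out-of-scope activity" needs concrete signals, and for human use of an NHI the two cheapest ones are where the request came from and what made it. The following is an added example for this article, not Doppler's audit logging or anything from OWASP: detection logic run over a few constructed audit events that raises an alert when a service account acts from outside its expected network or with a user agent that normally indicates a person at a keyboard, and then names the human principals seen from the same address to help attribute the action. The CIDRs, principals, addresses and the list of interactive user agents are assumptions to adapt to your environment.

```python
import ipaddress

# Where each service account is expected to run from (constructed CIDRs, e.g. the
# CI runner subnet). Anything else is unexpected for an automated identity.
EXPECTED_SOURCES = {
    "svc-deploy": [ipaddress.ip_network("10.20.0.0/16")],
    "svc-reporting": [ipaddress.ip_network("10.30.0.0/24")],
}

# Heuristic: agents usually driven by a person rather than a pipeline. Tune to taste;
# some teams legitimately script with curl and would drop it from this list.
INTERACTIVE_AGENT_MARKERS = ("Mozilla/", "curl/", "PostmanRuntime/")

# Constructed audit events in the shape many cloud audit logs take after normalization.
LOG = [
    {"ts": "2025-05-26T02:00:01Z", "principal": "svc-deploy", "type": "service_account",
     "src": "10.20.4.7", "ua": "deploy-bot/1.4", "action": "k8s.apply"},
    {"ts": "2025-05-26T10:15:33Z", "principal": "svc-deploy", "type": "service_account",
     "src": "192.168.1.55", "ua": "Mozilla/5.0 (Macintosh)", "action": "secrets.read"},
    {"ts": "2025-05-26T10:16:02Z", "principal": "svc-reporting", "type": "service_account",
     "src": "10.30.0.12", "ua": "curl/8.5.0", "action": "db.export"},
    {"ts": "2025-05-26T10:20:00Z", "principal": "alice", "type": "user",
     "src": "192.168.1.55", "ua": "Mozilla/5.0 (Macintosh)", "action": "secrets.read"},
]


def flag_human_use(events):
    """Return alerts for service-account activity that looks like a person drove it."""
    alerts = []
    for e in events:
        if e["type"] != "service_account":
            continue
        reasons = []
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in EXPECTED_SOURCES.get(e["principal"], [])):
            reasons.append("unexpected_source")
        if e["ua"].startswith(INTERACTIVE_AGENT_MARKERS):
            reasons.append("interactive_user_agent")
        if reasons:
            alerts.append({"ts": e["ts"], "principal": e["principal"], "src": e["src"],
                           "action": e["action"], "reasons": reasons})
    return alerts


def likely_operators(events, alert):
    """Human principals seen from the same source address, to help attribute the action."""
    return sorted({e["principal"] for e in events if e["type"] == "user" and e["src"] == alert["src"]})


if __name__ == "__main__":
    for alert in flag_human_use(LOG):
        print(alert["ts"], alert["principal"], alert["action"], alert["reasons"],
              "possible operator:", likely_operators(LOG, alert))
```

The second event is the textbook case: a deployment account reading secrets from a workstation address through a browser, with a named user active from the same address minutes later. The third is the softer signal worth a conversation rather than an incident. Either way the alert restores what the article calls the audit trail: a record of which person was behind the machine identity.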

Implementing a comprehensive NHI security strategy

OWASP's list describes risk factors; it is not a recommendation to stop using NHIs. These identities are vital to how modern systems operate, and with proper secrets management in place their advantages outweigh the risks. Adopting the mitigation strategies outlined above is a path every organization serious about risk management should take.

However, using secrets management tools is only one part of securing NHIs. These identities should be treated with the same level of diligence as a company’s core products. As teams invest in training, tools, and processes to support product success, the same mindset should apply to managing non-human identities.

A robust approach includes inventory assessments, threat detection and response planning, zero trust principles, compliance enforcement, security training for staff, and clearly defined lifecycle policies. These practices help security teams control how NHIs are created, used, and decommissioned.

It shouldn’t be a one-time effort. NHI security should become part of the company culture. That means setting up regular strategy reviews, monitoring and auditing activity, and running frequent threat assessments to confirm that NHIs remain safe for organizations’ systems and data.

Machine identity security can’t be an afterthought

Removing NHIs from modern systems is about as feasible as removing payment gateways from a digital business today: it can't be done. Just as payment risks are actively managed, the same level of care must be applied to machine identities.

Teams must define structured policies, train their people, and adopt the right tools to reduce the risks tied to NHIs using OWASP’s comprehensive list as a guide. Delays come at a cost, and the time to act is now.

Centralized secrets management plays a critical role among these strategies. Choosing a tool that addresses these risks through secure storage, automated rotation, access controls, logging, and auditing is essential. That’s why many teams choose Doppler as their single source of truth for managing secrets. Here’s how to get started.

FAQ: OWASP’s 2025 NHI risks

Non-human identities (NHIs) are credentials used by systems, services, or scripts instead of people. This includes API keys, service accounts, machine tokens, and SSH keys that automate tasks and authenticate access across environments.
