Ian Glazer breaks down the new OWASP NHI Top 10 and shares why it’s a critical step toward securing non-human identities.
The release of OWASP’s Non-Human Identity (NHI) Top 10 is a major step forward for the industry. For the first time, we have a structured way to evaluate NHI-related threats and measure organizational exposure. That’s no small thing. Risk management starts with understanding, and while the list may not be perfect, it gives us a foundation to have meaningful, constructive conversations about the challenges organizations face when it comes to NHIs.
One thing missing from the Top 10 is sheer scale. There are already an order of magnitude more NHIs than human identities in most enterprises. And if we believe that agentic AI is on the horizon, that number will only grow. The implication? We’re looking at a massive population of loosely governed entities, many of which hold significant privileges. That’s a problem worth addressing now, before it becomes insurmountable.
Whether we’re talking about a human identity or a non-human identity, every entity in an enterprise has some level of privilege at some point in the day. If we acknowledge that every human is privileged at some point, it follows that every NHI is, too. The patterns of privilege acquisition aren’t all that different - if you have standing access for humans, you probably have it for NHIs as well. The difference is that with NHIs, there are exponentially more identities, meaning exponentially more risk.
And with increased risk comes the need for a structured approach to managing it. The OWASP NHI Top 10 helps highlight some of the most pressing security concerns in this space. Understanding where NHIs introduce the most risk allows organizations to take proactive measures. So let’s look at some of the key threats identified in the list and why they matter.
One of the things that makes the OWASP list useful is that it encourages organizations to think critically about risks stemming from:
At SGNL, these are exactly the kinds of problems we work to solve—whether the identity in question is human or non-human. If you can’t reason about what’s happening in your CI/CD pipeline, that’s a problem. We can help organizations address overprivilege in real time based on policy and context, rather than relying on standing access.
One item that stands out is NHI10:2025 - Human Use of NHI. Speaking personally, this one gives me pause. It feels less like a risk and more like an opinion. The argument is that NHIs have different logging, attribution, and capabilities than human identities. That’s all true. But at scale, organizations rely on NHIs to handle administrative tasks. Sometimes it’s the only practical approach. So are we calling that a risk? Or are we victim-shaming here? Not sure.
On a broader level, defining what we mean by NHI - and what we mean by “secret” - is an ongoing effort. If we lived in a world without standing access, where policy was evaluated in real time, secret leakage wouldn’t be such a pressing concern. But today, an API key is often all that’s needed to access a service, much like how a Social Security number is often treated as a proof of identity rather than just an identifier.
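To make the contrast between standing access and real-time policy evaluation concrete, here is an added example (not from the original post, nor code from SGNL or OWASP): a small Python model in which the same API key is checked two ways. Under standing access, possession of the key is the whole decision, so a leaked key works for whoever holds it until someone revokes it. Under contextual evaluation the key only establishes which NHI is calling, and the decision is made per request from policy and context (source network, change window, an open change ticket). The key, network ranges, ticket ids and policy values are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple

# Constructed sample data: one static key belonging to a deployment bot.
# Under standing access, this string is all a caller needs.
STANDING_KEYS: Dict[str, str] = {"sk_live_CONSTRUCTED_EXAMPLE_KEY": "deploy-bot"}


@dataclass
class Request:
    credential: str
    action: str
    source_ip: str
    at: datetime
    change_ticket: Optional[str] = None


def authorize_standing(req: Request) -> bool:
    """Standing access: possession of the secret is the whole decision.
    When, from where, or why the call is made is never considered."""
    return req.credential in STANDING_KEYS


# Policy for the same bot, evaluated on every request (constructed values).
POLICY = {
    "deploy-bot": {
        "allowed_actions": {"deploy:staging", "deploy:prod"},
        "allowed_sources": {"10.20.0.0/16"},  # the CI runners' network (constructed)
        "window_utc": (8, 18),                # UTC hours in which deploys may run
        "ticket_required_for": {"deploy:prod"},
    }
}

# Open change tickets: ticket id -> (principal, action it authorizes)
OPEN_TICKETS: Dict[str, Tuple[str, str]] = {"CHG-0001": ("deploy-bot", "deploy:prod")}


def _from_allowed_source(ip: str, allowed: Set[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowed)


def authorize_contextual(req: Request) -> Tuple[bool, str]:
    """Real-time policy evaluation: the secret only identifies the NHI; the
    decision comes from policy applied to the context of this particular call."""
    principal = STANDING_KEYS.get(req.credential)
    if principal is None:
        return False, "unknown credential"
    rule = POLICY[principal]
    if req.action not in rule["allowed_actions"]:
        return False, "action not permitted for this identity"
    if not _from_allowed_source(req.source_ip, rule["allowed_sources"]):
        return False, "source outside allowed network"
    start, end = rule["window_utc"]
    if not (start <= req.at.astimezone(timezone.utc).hour < end):
        return False, "outside permitted change window"
    if req.action in rule["ticket_required_for"]:
        ticket = OPEN_TICKETS.get(req.change_ticket or "")
        if ticket != (principal, req.action):
            return False, "no open change ticket for this action"
    return True, "allowed"


def leaked_key_scenario() -> Dict[str, object]:
    """Compare both models for a legitimate pipeline call, for the same key
    replayed later from outside the CI network, and for a call that is in
    the right place and time but has no change ticket (constructed scenario)."""
    key = "sk_live_CONSTRUCTED_EXAMPLE_KEY"
    legit = Request(key, "deploy:prod", "10.20.4.7",
                    datetime(2025, 3, 3, 10, 0, tzinfo=timezone.utc), "CHG-0001")
    replay = Request(key, "deploy:prod", "203.0.113.5",
                     datetime(2025, 3, 4, 3, 0, tzinfo=timezone.utc), None)
    no_ticket = Request(key, "deploy:prod", "10.20.4.7",
                        datetime(2025, 3, 3, 10, 0, tzinfo=timezone.utc), None)
    return {
        "legit_standing": authorize_standing(legit),
        "legit_contextual": authorize_contextual(legit),
        "replay_standing": authorize_standing(replay),
        "replay_contextual": authorize_contextual(replay),
        "no_ticket_contextual": authorize_contextual(no_ticket),
    }


if __name__ == "__main__":
    for name, result in leaked_key_scenario().items():
        print(f"{name}: {result}")
```

The point the model makes is the one in the paragraph above: the secret is identical in both branches, but once the decision depends on context evaluated at call time, a copy of the key that turns up outside the expected network, hours, or change record is denied and the denial reason is itself a useful detection signal.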
Eric Wahlstrom’s work on categorizing NHIs into genus, family, and species is an ambitious and much-needed undertaking. It’s going to take time, but it’s critical to understanding the risks we face.
Ultimately, the OWASP NHI Top 10 is a great starting point. It’s helping organizations think critically about NHI risk and giving the industry a common reference for discussion. The road ahead is long, but at least now we can see the hill we have to climb.