
The Evolution and Governance of Non-Human Identities


Posted on by Tatyana Sanchez

Key Takeaways:

  • For every one employee, there are approximately 45 non-human identities
  • One in five organizations already reporting NHI-related breaches
  • Organizations must manage cryptographic keys from creation to destruction

Understanding Non-Human Identities (NHIs)

AI is evolving rapidly, and as more organizations adopt AI tools, it ushers in a new identity challenge for cyber professionals known as non-human identities (NHI). As Tal Skverer, Research Team Lead at Astrix Security, stated in his RSAC™ 2025 Conference presentation, “NHI can be defined as a programmatic access to a process or data where a human is not required to be involved,” meaning digital identities for applications, services, or devices.

While NHIs enhance security and automation, managing the burgeoning number of machine identities that employees adopt in pursuit of efficiency is growing ever more complex. As NHI adoption grows, the attack surface expands, and many organizations lack visibility because detecting a compromised NHI is much harder than detecting a compromised human account. Without a clear strategy to manage these automated actors, many companies will find themselves blind to a major security gap.

Evolution of NHI

Skverer’s co-speaker, John Yeoh, Chief Scientific Officer at CSA, highlighted three primary ways NHIs are created and how they have evolved:

Humans Authorizing NHIs: It has become incredibly simple for humans to create and sign credentials, essentially "authorizing" new identities. This occurs whenever a user grants permission for an app to act on their behalf, instantly creating a new NHI.

Humans Creating NHIs: In cloud terminology, as we build more automation, we constantly connect services. A prime example of an NHI is connecting a Google account to a Salesforce account, which then integrates with other Software-as-a-Service (SaaS) platforms. These credentials aren't associated with a specific person or a physical machine but are assigned to cloud accounts to sync data.

NHIs Creating NHIs: This is the most recent stage of evolution. As we automate how services and accounts access one another, we reach a point where existing NHIs begin generating their own sub-identities or access tokens to complete tasks, leading to a self-replicating web of non-human access.

Yeoh emphasized that for every one employee there are approximately 45 non-human identities, an alarming ratio that makes monitoring and visibility significantly harder.

The Attack Surface Expansion

As the number of NHIs grows, so does the organizational attack surface. NHIs typically rely on keys, tokens, and certificates for authentication. Attackers are increasingly targeting these credentials, specifically keys, to gain unauthorized access to sensitive systems, files, and data.

As Yeoh pointed out, the 2024 CSA Security Report: The State of Non-Human Identity Security reveals a grim reality: of the 800+ participants surveyed, one in five organizations have already suffered an NHI-related security incident.

The primary management challenges identified include:

  • Managing service accounts: 32%
  • Auditing and monitoring: 25%
  • Discovering existing NHIs: 24%
  • Managing IAM roles: 20%

As Skverer noted, “It only takes one key to the kingdom.” This was starkly demonstrated in 2025 when hackers successfully breached the US Treasury using stolen API keys.

NHIs are not a future forecast; they are the current reality. According to the CSA, only 1.5 out of 10 organizations feel highly confident in their ability to secure their non-human identities.

Centralizing the Key Management Lifecycle

Keys are the primary defense for sensitive data; therefore, as the number of NHIs continues to grow, organizations must prioritize a robust key management strategy to protect them.

As Joachim Vance, Chief Security Architect and Distinguished Engineer at Verifone, Inc., stated in an RSAC 2025 Conference presentation, “Keys must be protected from creation to destruction, not just during storage or transit.” Figure 1 illustrates the full lifecycle during which keys must be protected and monitored.


Figure 1: RSAC 2025 Conference Presentation

Vance explained that building a robust key management strategy does not begin with the key itself, but with the foundation of the ecosystem. At this stage, organizations must determine how trust is established within their own environment. This involves auditing the Hardware Security Module (HSM) to identify who has control over it and what specific protections are in place. And if a key is shared with a third-party partner, the organization must vet that partner and verify their internal policies regarding key protection.

The next step involves defining the attributes of the key. This includes identifying the specific algorithms and modes of use required for the data involved. Once attributes are defined, the focus shifts to the wrapping mechanism. Organizations must establish integrity protection by deciding whether to use symmetric or asymmetric algorithms for wrapping.

Finally, the key should be placed into a secure key block. This ensures that from the moment a key is generated within the HSM, it is encrypted before ever leaving the module. By following this process, the key is never exposed in "clear text" in any insecure location, remaining protected even within the HSM's memory.

Beyond the foundational ecosystem and attributes, a robust strategy requires a deep understanding of the specific functional roles that different cryptographic keys play within an organization.

Karen Reinhardt, Principal Engineer, Cryptographic Services at The Home Depot, categorized these essential keys into three primary pillars in her RSAC 2024 Conference presentation:

1. Encryption: Protecting Confidentiality. The first pillar focuses on shielding data from unauthorized access through a structured hierarchy of encryption:

  • Data Encryption Keys (DEK): These can be symmetric (primarily used for speed and efficiency in bulk data encryption) or asymmetric (often used for specific security-heavy exchanges).
  • Key Encryption Keys (KEK/Wrappers): Typically asymmetric, these function as a "wrapper" to encrypt the DEK. This is the primary method for secure DEK transport and serves as a critical access control mechanism.
  • Master and Derived Keys: This involves using a Master Key to generate "derivative keys"—which are typically symmetric—to create a layered wrapping structure that ensures the highest level of protection.

2. Identity: Establishing Trust. The second pillar focuses on verifying the "who" or "what" behind every digital transaction:

  • Authentication Keys: These are typically symmetric or based on client certificates and private keys to verify an identity.
  • Access Control (KEK): Asymmetric Key Encryption Keys act as the gatekeepers for data access, ensuring only verified identities can decrypt the underlying DEKs.
  • Digital Signatures: Identity encompasses more than just authentication; it includes integrity and non-repudiation. Digital signatures prove that an identity is verified and that their actions or "signing" are technically binding.

3. Integrity: Ensuring Data and Code Authenticity. The third pillar provides the "tamper-evidence" necessary to guarantee that data and code have not been altered since their creation:

  • Digital Signature Keys: These are used to provide cryptographic proof of origin. By using these keys for code signing, organizations can ensure that software updates or scripts are legitimate and haven't been modified by a third party.
  • Tamper Evidence: Any change to the underlying data, even a single bit, will invalidate the signature, providing immediate evidence of a security breach.
  • Hashing and MACs: This involves using MAC (Message Authentication Code) and HMAC (Hash-based Message Authentication Code) keys. Unlike standard encryption, these create a unique "fingerprint" of the data, allowing systems to verify the integrity of a message or file without needing to encrypt the entire payload.
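The encryption and integrity pillars above, worked through in Go as an added example (not code from the RSAC presentations or from any of the speakers): a master key yields a purpose-bound KEK, each object gets a fresh DEK that is wrapped under that KEK and in turn encrypts the data with AES-256-GCM, whose authentication tag supplies the tamper evidence described under the third pillar. The same wrap step is what lets a key leave its module only in protected form, as in the lifecycle section above. The key IDs, the "kek/" label and the HMAC-SHA256 derivation are this example's own choices, not the speakers'.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKey: master key -> purpose-bound derived key (HMAC-SHA256, one HKDF-Expand block). The master key itself never encrypts anything.
func deriveKey(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write(append([]byte(label), 0x01))
	return m.Sum(nil) // 32 bytes: an AES-256 key
}
// gcm: AES-256-GCM, whose tag is the tamper evidence of the third pillar. The constructors fail only on a bad key size, impossible with the 32-byte keys used here.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// seal returns nonce || ciphertext || tag, with aad (the key ID) bound into the tag.
func seal(key, plaintext, aad []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // since Go 1.24 crypto/rand.Read cannot return an error (it crashes instead); on older toolchains check it
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal: a wrong key, a wrong aad or a single flipped bit yields an error, never plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed blob too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// Encrypt: fresh DEK per object, wrapped under the KEK derived from master for keyID. The DEK leaves only in wrapped form.
func Encrypt(master []byte, keyID string, data []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(deriveKey(master, "kek/"+keyID), dek, []byte(keyID)), seal(dek, data, []byte(keyID))
}
// Decrypt: unwrapping the DEK is the access-control step; without the right master key it stops here.
func Decrypt(master []byte, keyID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(deriveKey(master, "kek/"+keyID), wrappedDEK, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(keyID))
}
```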

The explosion of non-human identities means the security perimeter has shifted from the login screen to the API keys and tokens. Organizations should first start by inventorying their NHIs, ensuring full visibility across every automated connection. By governing every token and key from creation to destruction, an organization can turn a massive hidden vulnerability into a resilient, automated ecosystem.

To read more about how to manage NHIs, we invite you to visit our RSAC library.

Contributors
Tatyana Sanchez

Senior Coordinator, Content & Programming, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

