The Challenge
Non-Human Identities & AI Agents are created by your teams at the speed of AI. Living at the core of SDLC & SaaS, they’re ungoverned by security, overprivileged and often exposed by their human creators. Unlike humans though, they have no MFA nor clear ownership, making them invisible and critical attack vectors.
:1
Non-Humans outnumbering Humans in organizations
Over
Different secrets management solutions per enterprise
%
Of cloud services and SaaS apps leverage non-human identities
Attackers don’t break in anymore.
They log in with unmanaged NHIs & AI Agents
Securing Non-Human Identities is complex
Everywhere & Exposed
Machine identities multiply faster than security can track. With no single source of truth, they blend into the background or worse, are exposed on code repos, collaboration tools and messaging apps. These scattered identities create shadow attack surfaces, providing easy entry points for threat actors.
If you don’t know they exist, how can you secure them?
Over-Privileged
Being programmatic access credentials, NHIs usually have more permissions than they need, acting as digital “skeleton keys” to mission critical systems. With no governance or continuous monitoring around them, when compromised they allow attackers to escalate privileges, move laterally, and access sensitive data and infrastructure undetected.
Who’s watching what they can do? or worse who’s stopping them?
No Ownership, No Context
Human identities are managed by HR with known ownership and defined roles. It’s not the case with NHIs, they’re generated on the fly and forgotten by developers with no centralized ownership. Even when an exposed secret is detected, the lack of context like purpose, permissions or linked services, turns incident response into a guessing game. Without knowing who owns it or why it exists, rotating or revoking exposed NHIs is almost impossible.
If you can’t tell its purpose, how can you remediate it?
Behavioral Blindspots
Traditional security tools look for and check static credentials and permissions but are blind to usage anomalies. Without continuous monitoring or behavioral baselines, attackers can exploit NHIs for long periods, escalating privileges, moving laterally, and exfiltrating data – completely undetected. Deviations from normal legitimate activity go unnoticed, allowing cybercriminals to blend in until it’s too late.
If you can’t see it happening, how can you stop the attack?
NHIs & Secrets Are Under Attack
Threat Actors Zeroing In on Non-Human Identities
Okta
Identity and access management provider
Description
Attackers accessed files containing access keys, which were then used to infiltrate Okta’s customer support system by exploiting a compromised service account.
Impact
The incident affected 134 customers, with attackers successfully hijacking sessions of 5 customers, leading to potential unauthorized access to sensitive data and systems.
Hugging Face
Popular AI development platform
Description
Over 1,500 API tokens were found exposed on Hugging Face’s platform due to improper storage practices, making them accessible through public repositories.
Impact
Unauthorized access to customers’ sensitive LLM models, datasets and intellectual property.
Snowflake
Cloud data platform provider
Description
Compromised NHIs in Snowflake’s infrastructure exposed sensitive data of millions of customers.
Impact
Data breach affecting major clients like Santander Bank and Ticketmaster, leading to potential data theft and reputational damage.
Cisco
Global networking and cybersecurity leader
Description
Exposed API tokens provided attackers with unauthorized access to Cisco’s internal systems, highlighting gaps in API security practices.
Impact
Critical risk to internal systems, potential data exfiltration, network manipulation, and service disruption.
Internet Archive
Digital web-archive and non-profit organization
Description
Unrotated Zendesk API tokens were exploited, compromising the support ticket management system.
Impact
Unauthorized access to customer support data, potentially exposing sensitive user information.
BeyondTrust
Privileged access management solutions provider
Description
Attackers exploited a zero-day vulnerability (CVE-2024-12356) in BeyondTrust’s Remote Support software, leveraging a compromised API key to access 17 customer instances. The breach was linked to the Chinese state-sponsored group Silk Typhoon.
Impact
Breaching sensitive systems, including the U.S. Treasury Department, leading to potential data exfiltration and exposure of confidential information.
Microsoft
Technology giant and cloud service provider
Description
LLMJacking campaign, a threat actor group systematically stole API keys from customers of Microsoft Azure AI products, exploiting them to bypass safety controls and generate malicious content. The keys were used to abuse resources of legitimate users, turning them into tools for a hacking-as-a-service model.
Impact
Unauthorized use of AI tools at scale, resource abuse of customer accounts, and compromised content safety.
DeepSeek
AI Platform Provider
Description
DeepSeek, a Chinese AI platform, inadvertently exposed critical databases containing over 1 million records, including system logs, user prompts, and API tokens. The data was accessible on the internet due to misconfigured security settings.
Impact
Potential access to sensitive data and significant security risks, including potential misuse of API tokens and exposure of user data.
Dec 2023
Okta
Identity and access management provider
Description
Attackers accessed files containing access keys, which were then used to infiltrate Okta’s customer support system by exploiting a compromised service account.
Impact
The incident affected 134 customers, with attackers successfully hijacking sessions of 5 customers, leading to potential unauthorized access to sensitive data and systems.
Oct 2023
Hugging Face
Popular AI development platform
Description
Over 1,500 API tokens were found exposed on Hugging Face’s platform due to improper storage practices, making them accessible through public repositories.
Impact
Unauthorized access to customers’ sensitive LLM models, datasets and intellectual property.
Jun 2024
Snowflake
Cloud data platform provider
Description
Compromised NHIs in Snowflake’s infrastructure exposed sensitive data of millions of customers.
Impact
Data breach affecting major clients like Santander Bank and Ticketmaster, leading to potential data theft and reputational damage.
Sep 2024
Cisco
Global networking and cybersecurity leader
Description
Exposed API tokens provided attackers with unauthorized access to Cisco’s internal systems, highlighting gaps in API security practices.
Impact
Critical risk to internal systems, potential data exfiltration, network manipulation, and service disruption.
Oct 2024
Internet Archive
Digital web-archive and non-profit organization
Description
Unrotated Zendesk API tokens were exploited, compromising the support ticket management system.
Impact
Unauthorized access to customer support data, potentially exposing sensitive user information.
Dec 2024
BeyondTrust
Privileged access management solutions provider
Description
Attackers exploited a zero-day vulnerability (CVE-2024-12356) in BeyondTrust’s Remote Support software, leveraging a compromised API key to access 17 customer instances. The breach was linked to the Chinese state-sponsored group Silk Typhoon.
Impact
Breaching sensitive systems, including the U.S. Treasury Department, leading to potential data exfiltration and exposure of confidential information.
Jan 2025
Microsoft
Technology giant and cloud service provider
Description
LLMJacking campaign, a threat actor group systematically stole API keys from customers of Microsoft Azure AI products, exploiting them to bypass safety controls and generate malicious content. The keys were used to abuse resources of legitimate users, turning them into tools for a hacking-as-a-service model.
Impact
Unauthorized use of AI tools at scale, resource abuse of customer accounts, and compromised content safety.
Feb 2025
DeepSeek
AI Platform Provider
Description
DeepSeek, a Chinese AI platform, inadvertently exposed critical databases containing over 1 million records, including system logs, user prompts, and API tokens. The data was accessible on the internet due to misconfigured security settings.
Impact
Potential access to sensitive data and significant security risks, including potential misuse of API tokens and exposure of user data.
“The risk of unmanaged machine identities is no longer acceptable to organizations… The rapidly growing number of machines, both workloads and devices, deployed in organizations’ hybrid and multicloud environments continues to increase. So, too, does the importance of managing a plethora of machine identities as well as their secrets”
