The Open Worldwide Application Security Project (OWASP) has released its Top 10 Non-Human Identities (NHI) Risks for 2025. Other OWASP resources address application and API security but not NHIs; this new document fills that gap, since NHIs pose unique challenges with critical security implications.
It's a significant milestone as a trusted security community recognizes NHIs and their importance. Given the growing number of breaches from NHI credential leaks or misuse, the release is timely.
Non-Human Identities Are a Growing Attack Surface: NHIs perform actions in systems, and their use has increased due to cloud computing, third-party services, and machine learning. IAM tools have focused on human users, and there's a lack of clear ownership definitions for NHIs, causing confusion across teams.
A Closer Look at the Top 10 Non-Human Identities Risks for 2025:
- NHI1:2025 Improper Offboarding: NHIs often live longer than needed. Typically only the code that calls them is deprecated, while the underlying service accounts and credentials stay active. Enterprises need automated lifecycle management.
- NHI2:2025 Secret Leakage: NHIs have credentials that are often leaked. 80% of breaches are tied to identities and 83% involve compromised credentials.
- NHI3:2025 Vulnerable Third-Party NHI: Modern apps rely on third-party services. It's important to ensure partners follow security practices and understand which services are called.
- NHI4:2025 Insecure Authentication: Not all authentication methods are secure. As technology evolves, all methods need to be reviewed.
- NHI5:2025 Overprivileged NHI: Scoping permissions for NHIs is a challenge. Enterprises need to review and enforce least-privilege policies.
- NHI6:2025 Insecure Cloud Deployment Configurations: Storing credentials in configuration files is insecure. Use proper secrets management platforms.
- NHI7:2025 Long-Lived Secrets: Adversaries love long-lived secrets. Short-lived secrets reduce the attack window.
- NHI8:2025 Environment Isolation: Every system should be dedicated to its SDLC phase, but NHIs are often reused across the pipeline.
- NHI9:2025 NHI Reuse: Using the same NHI across multiple applications exposes data. Understanding context is key.
- NHI10:2025 Human Use of NHI: An NHI grants access to whoever holds its credentials, so it's important to define its authorized uses and to detect when a human is using it instead.
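Several of the list items above (NHI1 offboarding, NHI5 overprivilege, NHI7 long-lived secrets, NHI8 environment isolation and NHI9 reuse) can be checked against an NHI inventory. The following is an added example, not part of the OWASP document or this article; the inventory schema (name, owner, secret_created, last_used, permissions, environments, consumers), the thresholds, and the sample entries are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (assumption for the demo).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed inventory of non-human identities (service accounts, API keys,
# CI tokens). The schema and the entries are assumptions, not real data.
INVENTORY = [
    {"name": "svc-billing-export", "owner": "payments-team",
     "secret_created": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=2),
     "permissions": ["s3:GetObject", "s3:PutObject"], "environments": ["prod"],
     "consumers": ["billing-exporter"]},
    {"name": "svc-legacy-sync", "owner": None,
     "secret_created": NOW - timedelta(days=900), "last_used": NOW - timedelta(days=200),
     "permissions": ["*"], "environments": ["prod", "staging", "dev"],
     "consumers": ["sync-job", "reporting-api"]},
    {"name": "ci-deploy-token", "owner": "platform-team",
     "secret_created": NOW - timedelta(days=10), "last_used": NOW - timedelta(hours=3),
     "permissions": ["deploy:write"], "environments": ["staging"],
     "consumers": ["ci-pipeline"]},
]

MAX_SECRET_AGE_DAYS = 90   # NHI7: anything older than this should be rotated
MAX_IDLE_DAYS = 60         # NHI1: unused this long => offboarding candidate


def audit_nhi(nhi, now=NOW):
    """Return (risk id, explanation) findings for one inventory entry."""
    findings = []

    # NHI7: long-lived secret.
    age = (now - nhi["secret_created"]).days
    if age > MAX_SECRET_AGE_DAYS:
        findings.append(("NHI7:2025", f"secret is {age} days old (max {MAX_SECRET_AGE_DAYS})"))

    # NHI1: identity that nobody uses or nobody owns cannot be offboarded on time.
    idle = (now - nhi["last_used"]).days
    if idle > MAX_IDLE_DAYS:
        findings.append(("NHI1:2025", f"not used for {idle} days; offboarding candidate"))
    if nhi["owner"] is None:
        findings.append(("NHI1:2025", "no owner recorded; lifecycle cannot be managed"))

    # NHI5: wildcard grants are the clearest sign of an overprivileged NHI.
    if any(p == "*" or p.endswith(":*") for p in nhi["permissions"]):
        findings.append(("NHI5:2025", "wildcard permission grants more than least privilege"))

    # NHI8: one credential spanning several SDLC environments.
    if len(nhi["environments"]) > 1:
        findings.append(("NHI8:2025", "credential shared across " + ", ".join(nhi["environments"])))

    # NHI9: one credential shared by several applications.
    if len(nhi["consumers"]) > 1:
        findings.append(("NHI9:2025", "credential reused by " + ", ".join(nhi["consumers"])))

    return findings


def audit_inventory(inventory, now=NOW):
    """Map each NHI name to its list of findings (empty list = clean)."""
    return {nhi["name"]: audit_nhi(nhi, now) for nhi in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for risk, why in findings:
            print(f"  {risk}: {why}")
```

In a real deployment the inventory would be pulled from the IAM provider, secrets manager and CI system rather than hard-coded, and the findings fed into the ticketing or rotation workflow; the thresholds are policy decisions and should be set per enterprise.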
Strategic Recommendations for Mitigating NHI Risks: Implement centralized NHI management, adopt automation, educate development teams, integrate into DevSecOps pipelines, and monitor continuously.
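Continuous monitoring for NHI10 (human use of an NHI) is mostly a matter of comparing how a service account authenticates against how it is expected to authenticate. The following detection logic is an added example, not from the OWASP document or this article; the audit-log field names, the browser and interactive-login markers, the expected-source allow-list and the sample log lines are all constructed assumptions.

```python
import ipaddress
import json

# Constructed audit-log lines, one JSON event per line. Field names are assumed.
SAMPLE_LOG = """\
{"ts":"2025-06-01T08:00:01Z","principal":"svc-billing-export","principal_type":"service_account","source_ip":"10.20.0.15","user_agent":"aws-sdk-go/1.50","auth_method":"oauth_client_credentials","event":"s3.GetObject"}
{"ts":"2025-06-01T08:05:44Z","principal":"svc-billing-export","principal_type":"service_account","source_ip":"203.0.113.42","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/537.36 Chrome/124.0","auth_method":"console_login","event":"s3.ListBucket"}
{"ts":"2025-06-01T08:06:10Z","principal":"alice","principal_type":"user","source_ip":"203.0.113.42","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/537.36 Chrome/124.0","auth_method":"sso","event":"console.Login"}
{"ts":"2025-06-01T08:07:00Z","principal":"ci-deploy-token","principal_type":"service_account","source_ip":"10.30.1.7","user_agent":"curl/8.5.0","auth_method":"api_key","event":"deploy.Write"}
"""

# Networks each NHI is expected to call from (constructed allow-list).
EXPECTED_SOURCES = {
    "svc-billing-export": ["10.20.0.0/16"],
    "ci-deploy-token": ["10.30.0.0/16"],
}

# Signals that a human, not a workload, is behind the request (assumed markers).
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")
INTERACTIVE_METHODS = {"console_login", "sso", "password"}


def classify(event):
    """Return the reasons an event looks like a human using an NHI (empty = fine)."""
    if event.get("principal_type") != "service_account":
        return []  # human principals are governed by ordinary user monitoring
    reasons = []

    user_agent = event.get("user_agent", "")
    if any(marker in user_agent for marker in BROWSER_MARKERS):
        reasons.append("browser user agent")

    if event.get("auth_method") in INTERACTIVE_METHODS:
        reasons.append(f"interactive auth method {event['auth_method']}")

    allowed = EXPECTED_SOURCES.get(event["principal"], [])
    source = ipaddress.ip_address(event["source_ip"])
    if allowed and not any(source in ipaddress.ip_network(cidr) for cidr in allowed):
        reasons.append(f"source {event['source_ip']} outside expected networks")

    return reasons


def detect_human_use(log_text):
    """Parse newline-delimited JSON events and return one alert per suspicious event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"ts": event["ts"], "principal": event["principal"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_human_use(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['principal']}: {'; '.join(alert['reasons'])}")
```

Only the second sample event fires, and it fires on all three signals at once; in practice a single signal is enough to raise a ticket, and the allow-list and markers would come from the inventory and the identity provider rather than from constants in the script.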
OWASP's new NHI-focused Top 10 is authoritative and will help enterprises address the growing and ungoverned NHI attack surface, paving the way for a more secure digital ecosystem.