Aug 22 2025
Security

Unmonitored Nonhuman Identities Can Expose SMBs to Hackers

NHIs such as application programming interfaces outnumber human identities and are just as susceptible to exploitation.

Cybersecurity software manufacturer Delinea recently published a report that refreshes awareness of a unique security challenge: nonhuman identities as a threat vector.

The report defines nonhuman identities as “digital accounts used by applications, APIs and services to authenticate and interact with each other.” These digital IDs are granted specific access privileges that a layman might associate with human users who possess login credentials.

The report warns that “attackers are likely to intensify their exploitation of nonhuman identities and identity providers, taking advantage of inadequate lifecycle management and identity sprawl.”


Delinea CISO Pierre Mouallem says compromised nonhuman identities may pose a greater threat to business systems than hacked human identities.

“Nonhuman identities have access to a lot of highly restricted information,” he says. “Think of an application that accesses a database: There’s usually a service account or a token that allows applications to access that database, whereas most human identities would not have that level of access.”

“There could be a much more significant impact in terms of ransomware or data expulsion when compromising a nonhuman identity, like a service account, than when compromising a human identity,” he adds.

46: The number of nonhuman identities per one human identity present in modern IT environments (Source: Delinea Labs)

Why Do SMBs Use Nonhuman Identities?

Most SMBs have some level of control and oversight over their human identities. But every IT environment also harbors nonhuman identities that allow for intersystem communications, Mouallem says. 

When a human logs in to a network, they gain access to authorized resources associated with their identity. Service accounts, application programming interface keys, tokens and other machine actors also require access to systems to do their jobs, Mouallem says.

“Nonhuman identities are used to operate any modern solution, regardless of industry,” Mouallem says.

Delinea estimates that there are 46 nonhuman identities for every 1 human identity in modern IT environments. This means that a business with 200 employees might have as many as 9,200 nonhuman identities.

“They facilitate the communications between different services and entities. They operate in the background and are often set to allow that communication, and then they’re ignored,” Mouallem says.

While nonhuman identities are important for automating workflows that are set up and then forgotten, their credentials are often not refreshed within recommended time frames, according to Delinea’s research.


How Do Nonhuman Identities Expand the Attack Surface for SMBs?

SMBs, especially those with 200 or more employees, frequently interact with third-party companies such as customers, contractors and vendors. By exposing nonhuman identities to those third parties, they expand their attack surface. This potentially opens the door for bad actors to use nonhuman identities as access points.

“Under-secured identities become attractive targets, especially with the high volume of NHIs in environments,” CrowdStrike notes. “With seemingly countless NHIs deployed across modern organizations, it is easy for NHIs to be overlooked in security strategies, introducing a higher risk of unauthorized access.”


IBM warns that bad actors can hack nonhuman identities and steal access credentials. Because nonhuman identities often go unmonitored, cybercriminals may circumvent security easily due to a lack of multifactor authentication. Once hacked, nonhuman identities can escalate privileges or allow lateral network movement for criminals to steal resources, launch malware or install backdoors.

“The risk that they introduce to the security of the environment can be pretty significant, particularly with the rise of artificial intelligence and agentic AI,” Mouallem says. “AI-based agents are used to perform certain functionality, and these agents rely on nonhuman identities in order to communicate with other parts of the environment and operate.”

Delinea’s threat report estimates the total number of operating nonhuman identities may exceed 45 billion by the end of 2025, “creating a massive and often overlooked attack surface.”

How Can Businesses Secure Nonhuman Identities?

SMBs can turn to various cybersecurity solutions to ensure that certain accounts (including nonhuman identities) maintain least-privilege access and to refresh their credentials on a schedule.

Because nonhuman identities do not necessarily act like normal, day-to-day users, IT admins must monitor them closely.

“Delinea offers solutions to provision and then administer access management, and essentially you can use the solution to control all nonhuman identities and what access they have,” Mouallem says. “You can audit that access to make sure that there is no anomaly. So, for example, something used for a specific functionality — all of a sudden it is used for something else, or it’s used more frequently or from a location that is not typical.”
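The audit described above can be sketched as a per-identity baseline check. This is an added example, not Delinea's product or code: it flags a service account that performs a new function, is used far more often than usual, or connects from an unfamiliar source. The event format, identity names, addresses and `spike_factor` threshold are constructed assumptions, with source address standing in for location.

```python
from collections import Counter, defaultdict

# Constructed audit events: (hour, identity, action, source address).
BASELINE_EVENTS = (
    [(h, "svc-reporting", "db.read", "10.0.1.5") for h in range(24) for _ in range(2)]
    + [(h, "svc-backup", "storage.write", "10.0.1.9") for h in range(0, 24, 6)]
)
TODAY_EVENTS = (
    [(9, "svc-reporting", "db.read", "10.0.1.5")] * 2        # normal volume
    + [(10, "svc-reporting", "db.read", "10.0.1.5")] * 9     # used more frequently
    + [(11, "svc-reporting", "db.export", "203.0.113.7")]    # new function, new source
    + [(12, "svc-backup", "storage.write", "10.0.1.9")]      # normal
)

def build_baseline(events):
    """Learn, per identity, the actions and sources seen and the peak hourly call count."""
    base = defaultdict(lambda: {"actions": set(), "sources": set(), "peak": 0})
    hourly = Counter()
    for hour, ident, action, source in events:
        base[ident]["actions"].add(action)
        base[ident]["sources"].add(source)
        hourly[(ident, hour)] += 1
    for (ident, _), n in hourly.items():
        base[ident]["peak"] = max(base[ident]["peak"], n)
    return base

def audit(events, base, spike_factor=3):
    """Return sorted (identity, finding) pairs for deviations from the baseline."""
    findings = set()
    hourly = Counter()
    for hour, ident, action, source in events:
        known = base.get(ident)
        if known is None:  # an identity nobody provisioned or inventoried
            findings.add((ident, "unknown identity"))
            continue
        if action not in known["actions"]:
            findings.add((ident, f"new action: {action}"))
        if source not in known["sources"]:
            findings.add((ident, f"new source: {source}"))
        hourly[(ident, hour)] += 1
    for (ident, hour), n in hourly.items():
        if n > spike_factor * base[ident]["peak"]:
            findings.add((ident, f"frequency spike in hour {hour}: {n} calls"))
    return sorted(findings)

if __name__ == "__main__":
    for ident, finding in audit(TODAY_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(ident, "->", finding)
```
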


Vendors such as Delinea can detect anomalous functions and alert principals, maintaining visibility into all identities.

“It also provides a centralized single pane of glass for viewing and monitoring all nonhuman identities,” Mouallem says. “You can introduce security controls such as automatic password rotation and ensure that all identities adhere to those controls.”

As many small to medium-size businesses may have limited budgets and expertise, remaining aware of the challenges associated with nonhuman identities is key to mitigating any threats that hackers may pose by compromising them.

“In some cases, it’s going to be similar to the controls that you would expect from human identities,” Mouallem says. “It really boils down to having proper cyber hygiene around the use of nonhuman identities and ensuring best practices are applied.”
