What is the OWASP Non-Human Identity Top 10?

By Identra · Updated

The OWASP Non-Human Identity (NHI) Top 10 is a ranked list of the ten most critical security risks affecting non-human identities such as service accounts and workload identities, along with the API keys, tokens, and secrets they authenticate with. Published by the OWASP Foundation in January 2025, it ranks risks by exploitability, prevalence, detectability, and impact, with improper offboarding at number one.

Key numbers

What does the OWASP NHI Top 10 cover?

The OWASP Non-Human Identities Top 10 is an official OWASP Foundation project, first published in January 2025. It catalogs the risks that arise when software, not people, holds credentials: service accounts, API keys, OAuth app registrations, cloud workload roles, CI/CD tokens, and certificates.

OWASP ranked the ten entries using four factors: exploitability, prevalence, detectability, and impact. The list targets developers and security teams who create and consume these identities across the development lifecycle, not just the IAM team that nominally owns them.

The full 2025 list

Each entry carries an identifier in the form NHI1:2025 through NHI10:2025. One line on each:

RankRiskOne-line summary
NHI1Improper OffboardingService accounts and keys stay active after the app is retired or the owner leaves
NHI2Secret LeakageAPI keys, tokens, and certificates leak into repos, logs, tickets, and chat tools
NHI3Vulnerable Third-Party NHICredentials granted to third-party tools and extensions are exposed when the vendor is compromised
NHI4Insecure AuthenticationApps authenticate with weak or obsolete mechanisms instead of current standards
NHI5Overprivileged NHIIdentities carry far more permission than the workload actually needs
NHI6Insecure Cloud Deployment ConfigurationsCI/CD and cloud pipelines rely on static credentials that end up in code, logs, or config
NHI7Long-Lived SecretsKeys and tokens with distant expiration dates, or none, stay exploitable for years
NHI8Environment IsolationThe same NHI is reused across test and production, so a test compromise reaches prod
NHI9NHI ReuseOne identity shared across multiple apps or services widens the blast radius of any leak
NHI10Human Use of NHIPeople borrow machine credentials for manual tasks, destroying attribution and audit trails

Why does the OWASP NHI Top 10 exist?

Non-human identities now dominate the enterprise identity population. CyberArk's 2025 Identity Security Landscape puts the ratio at 82 machine identities for every human, and reports that nearly half of those hold sensitive or privileged access. Cloud services, microservices, CI/CD automation, and AI agents each mint credentials faster than any human workforce grows.

The breach record made the gap concrete. GitGuardian counted 23.8 million secrets leaked in public GitHub commits in 2024 alone, and the December 2024 US Treasury incident was traced to a leaked API key for BeyondTrust's remote support platform. Before this list, there was no shared vocabulary for these failures. The NHI Top 10 gives developers, security engineers, and auditors a common reference, the same role the original OWASP Top 10 has played for web application flaws since 2003.

How does it differ from the classic OWASP Top 10?

The classic OWASP Top 10 ranks vulnerabilities in application code and request handling: injection, broken access control, cryptographic failures. Fixes usually land in the codebase.

The NHI Top 10 ranks failures in the lifecycle of the credentials and identities that applications use: how they are provisioned, scoped, stored, rotated, and retired. Fixes usually land in identity governance, secrets management, and cloud configuration rather than application logic. The two lists are complementary. An application can pass a clean AppSec review while its service account is overprivileged, its API key is five years old, and its retired predecessor's credentials are still live.

How should teams use the list?

The list works best as an audit checklist run against a real NHI inventory, not as abstract reading. Three clusters cover all ten entries and suggest an order of operations:

  • Lifecycle failures (NHI1, NHI7): identities that outlive their purpose or their expiration horizon. Start here, since improper offboarding is ranked first for a reason.
  • Exposure failures (NHI2, NHI3, NHI6): credentials that leak through code, logs, pipelines, or third-party vendors.
  • Scope failures (NHI4, NHI5, NHI8, NHI9, NHI10): identities that authenticate weakly, hold too much privilege, or are shared across environments, services, or people.

How Identra thinks about it

Our read: the NHI Top 10 is written as a posture checklist, but most of its entries only become visible as behavior. An offboarded account is a config state; that account authenticating again is a runtime event. A dev-scoped token is an inventory row; that token touching production is a runtime event. Teams that treat each of the ten entries as a detection question, asking what they would see at the moment the risk is exploited, get far more from the list than teams that treat it as a quarterly inventory review. That framing matters even more as AI agents begin minting and wielding NHIs at machine speed, where the gap between a stale inventory and live behavior is widest.

Go deeper: The Non-Human Majority

Frequently asked questions

What is the number one risk in the OWASP NHI Top 10?

Improper offboarding, identified as NHI1:2025. It covers service accounts that stay enabled, and API keys and other machine credentials that stay valid, after the application they served is retired or the person who owned them leaves. These orphaned identities and credentials keep working access alive with no owner watching them, making them ideal footholds for attackers.

How is the NHI Top 10 different from the classic OWASP Top 10?

The classic OWASP Top 10 ranks flaws in application code, such as injection and broken access control, and fixes usually land in the codebase. The NHI Top 10 ranks failures in the lifecycle of machine credentials: how they are provisioned, scoped, stored, rotated, and retired. Fixes land in identity governance and secrets management instead.

Who should use the OWASP NHI Top 10?

Developers, platform engineers, and security teams who create or consume machine credentials, not only the IAM team that nominally owns identity. OWASP designed it as a shared vocabulary across the development lifecycle. It works best as an audit checklist run against a real inventory of service accounts, keys, and tokens.

What counts as a non-human identity under the list?

Any credentialed identity used by software rather than a person: service accounts, API keys, OAuth app registrations, cloud workload roles, CI/CD tokens, and certificates. AI agents that hold credentials also fall in scope. The common thread is that no human authenticates interactively, so human-centric controls like MFA and offboarding do not apply cleanly.

Related terms