What is the OWASP Non-Human Identity Top 10?
By Identra · Updated
The OWASP Non-Human Identity (NHI) Top 10 is a ranked list of the ten most critical security risks affecting non-human identities such as service accounts and workload identities, along with the API keys, tokens, and secrets they authenticate with. Published by the OWASP Foundation in January 2025, it ranks risks by exploitability, prevalence, detectability, and impact, with improper offboarding at number one.
Key numbers
- Machine identities outnumber human identities 82 to 1 in surveyed organizations (CyberArk Identity Security Landscape, 2025)
- 23.8 million secrets were leaked in public GitHub commits during 2024, up 25% year over year (GitGuardian State of Secrets Sprawl, 2025)
- 70% of secrets leaked in 2022 were still valid two or more years later (GitGuardian State of Secrets Sprawl, 2025)
What does the OWASP NHI Top 10 cover?
The OWASP Non-Human Identities Top 10 is an official OWASP Foundation project, first published in January 2025. It catalogs the risks that arise when software, not people, holds credentials: service accounts, API keys, OAuth app registrations, cloud workload roles, CI/CD tokens, and certificates.
OWASP ranked the ten entries using four factors: exploitability, prevalence, detectability, and impact. The list targets developers and security teams who create and consume these identities across the development lifecycle, not just the IAM team that nominally owns them.
The full 2025 list
Each entry carries an identifier in the form NHI1:2025 through NHI10:2025. One line on each:
| Rank | Risk | One-line summary |
|---|---|---|
| NHI1 | Improper Offboarding | Service accounts and keys stay active after the app is retired or the owner leaves |
| NHI2 | Secret Leakage | API keys, tokens, and certificates leak into repos, logs, tickets, and chat tools |
| NHI3 | Vulnerable Third-Party NHI | Credentials granted to third-party tools and extensions are exposed when the vendor is compromised |
| NHI4 | Insecure Authentication | Apps authenticate with weak or obsolete mechanisms instead of current standards |
| NHI5 | Overprivileged NHI | Identities carry far more permission than the workload actually needs |
| NHI6 | Insecure Cloud Deployment Configurations | CI/CD and cloud pipelines rely on static credentials that end up in code, logs, or config |
| NHI7 | Long-Lived Secrets | Keys and tokens with distant expiration dates, or none, stay exploitable for years |
| NHI8 | Environment Isolation | The same NHI is reused across test and production, so a test compromise reaches prod |
| NHI9 | NHI Reuse | One identity shared across multiple apps or services widens the blast radius of any leak |
| NHI10 | Human Use of NHI | People borrow machine credentials for manual tasks, destroying attribution and audit trails |
Why does the OWASP NHI Top 10 exist?
Non-human identities now dominate the enterprise identity population. CyberArk's 2025 Identity Security Landscape puts the ratio at 82 machine identities for every human, and reports that nearly half of those hold sensitive or privileged access. Cloud services, microservices, CI/CD automation, and AI agents each mint credentials faster than any human workforce grows.
The breach record made the gap concrete. GitGuardian counted 23.8 million secrets leaked in public GitHub commits in 2024 alone, and the December 2024 US Treasury incident was traced to a leaked API key for BeyondTrust's remote support platform. Before this list, there was no shared vocabulary for these failures. The NHI Top 10 gives developers, security engineers, and auditors a common reference, the same role the original OWASP Top 10 has played for web application flaws since 2003.
How does it differ from the classic OWASP Top 10?
The classic OWASP Top 10 ranks vulnerabilities in application code and request handling: injection, broken access control, cryptographic failures. Fixes usually land in the codebase.
The NHI Top 10 ranks failures in the lifecycle of the credentials and identities that applications use: how they are provisioned, scoped, stored, rotated, and retired. Fixes usually land in identity governance, secrets management, and cloud configuration rather than application logic. The two lists are complementary. An application can pass a clean AppSec review while its service account is overprivileged, its API key is five years old, and its retired predecessor's credentials are still live.
How should teams use the list?
The list works best as an audit checklist run against a real NHI inventory, not as abstract reading. Three clusters cover all ten entries and suggest an order of operations:
- Lifecycle failures (NHI1, NHI7): identities that outlive their purpose or their expiration horizon. Start here, since improper offboarding is ranked first for a reason.
- Exposure failures (NHI2, NHI3, NHI6): credentials that leak through code, logs, pipelines, or third-party vendors.
- Scope failures (NHI4, NHI5, NHI8, NHI9, NHI10): identities that authenticate weakly, hold too much privilege, or are shared across environments, services, or people.
How Identra thinks about it
Our read: the NHI Top 10 is written as a posture checklist, but most of its entries only become visible as behavior. An offboarded account is a config state; that account authenticating again is a runtime event. A dev-scoped token is an inventory row; that token touching production is a runtime event. Teams that treat each of the ten entries as a detection question, asking what they would see at the moment the risk is exploited, get far more from the list than teams that treat it as a quarterly inventory review. That framing matters even more as AI agents begin minting and wielding NHIs at machine speed, where the gap between a stale inventory and live behavior is widest.
Go deeper: The Non-Human Majority
Frequently asked questions
What is the number one risk in the OWASP NHI Top 10?
Improper offboarding, identified as NHI1:2025. It covers service accounts that stay enabled, and API keys and other machine credentials that stay valid, after the application they served is retired or the person who owned them leaves. These orphaned identities and credentials keep working access alive with no owner watching them, making them ideal footholds for attackers.
How is the NHI Top 10 different from the classic OWASP Top 10?
The classic OWASP Top 10 ranks flaws in application code, such as injection and broken access control, and fixes usually land in the codebase. The NHI Top 10 ranks failures in the lifecycle of machine credentials: how they are provisioned, scoped, stored, rotated, and retired. Fixes land in identity governance and secrets management instead.
Who should use the OWASP NHI Top 10?
Developers, platform engineers, and security teams who create or consume machine credentials, not only the IAM team that nominally owns identity. OWASP designed it as a shared vocabulary across the development lifecycle. It works best as an audit checklist run against a real inventory of service accounts, keys, and tokens.
What counts as a non-human identity under the list?
Any credentialed identity used by software rather than a person: service accounts, API keys, OAuth app registrations, cloud workload roles, CI/CD tokens, and certificates. AI agents that hold credentials also fall in scope. The common thread is that no human authenticates interactively, so human-centric controls like MFA and offboarding do not apply cleanly.
