Glossary

25 terms from NHI security

Definitions framed from the machine-identity perspective, not the general IAM one. Every term is one or two paragraphs, linked to deeper reading where useful.

Identity & access

Non-Human Identity

Also known as: NHI · Machine Identity

Any identity that authenticates or authorizes without a human at the keyboard. Includes API keys, service accounts, OAuth tokens, signing keys, SSH keys, workload identities, and CI runner credentials. NHIs typically outnumber human identities in modern infrastructure by 10x to 50x.

IAM

Also known as: Identity and Access Management

The discipline of managing digital identities (human and non-human) and controlling what each identity can do. In cloud context (AWS IAM, GCP IAM), it refers specifically to the policy and role systems that govern resource access.

Least Privilege

A security principle: every identity should have the minimum permissions required to do its job, and nothing more. The most common NHI failure is an API key with full admin rights when it only needs to read one bucket.

Zero Trust

An architectural pattern that treats every request as untrusted by default, regardless of network location, and verifies identity and authorization on every call. For NHIs, this means continuous verification instead of "once issued, always trusted."

Service Account

A non-human account used by an application, script, or cloud workload to authenticate to other services. Often long-lived, often broadly scoped, often unaudited. A high-value target and a common NHI failure mode.

Workload Identity Federation

Also known as: WIF

A mechanism that lets a workload in one environment (for example, GitHub Actions) assume an identity in another (GCP or AWS) by exchanging short-lived tokens, without needing a long-lived service account key. Removes the most commonly leaked NHI.

PAM

Also known as: Privileged Access Management

Systems and processes that control, monitor, and audit privileged human access to critical systems. PAM does not generally cover NHIs; machine identities need their own lifecycle tooling, which is where Cremit Argus focuses.

Authentication protocols

SAML

Also known as: Security Assertion Markup Language · SAML 2.0

An XML-based open standard for exchanging authentication and authorization assertions between an Identity Provider (IdP) and a Service Provider (SP). Used by enterprise Single Sign-On. Cremit Argus supports SAML 2.0 with any compliant IdP (Okta, Azure AD, Google Workspace, Ping, JumpCloud, etc.).

SSO

Also known as: Single Sign-On

An authentication scheme that lets a user log in once and access multiple applications without re-entering credentials. Typically implemented via SAML 2.0 or OIDC. In NHI context, SSO applies to human access into management tools; machine-to-machine auth uses service accounts, not SSO.

SCIM

Also known as: System for Cross-domain Identity Management · SCIM 2.0

An open standard for automatically provisioning and de-provisioning users and groups between identity systems. When an employee is suspended in the IdP, SCIM propagates that change to downstream apps in real time, so access is revoked without a ticket.

OAuth

Also known as: OAuth 2.0

A delegation protocol that lets a user grant a third-party app access to their data without sharing the password. The tokens OAuth issues (access tokens, refresh tokens) are themselves NHIs and need rotation, scope review, and detection when leaked.

OIDC

Also known as: OpenID Connect

An identity layer on top of OAuth 2.0 that adds authentication (who the user is) to OAuth's delegation (what they can do). Preferred over SAML for modern web and mobile SSO because it uses JSON and HTTP, not XML.

JWT

Also known as: JSON Web Token

A compact, signed token format used to transmit identity and permission claims between parties. Signed JWTs are tamper-evident; leaked JWTs are usable until they expire or are blacklisted, so short expirations matter.
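To show the two properties the definition above names, tamper evidence and the "usable until exp or blacklisted" window, here is an added stdlib-only HS256 signer and verifier (example code, not from the glossary or from Cremit). The key, the `ci-runner-42` subject, the `jti` value and the timestamps are all constructed.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-signing-key"   # constructed; a real key lives in a secret manager

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC over the first two)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: int, revoked=frozenset()) -> tuple:
    """Return (accepted, reason): signature first, then exp, then the revocation list."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"   # pin the algorithm; the token must not choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"    # any edit to header or payload ends up here
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        return False, "expired"          # a leaked token stops working at this point
    if claims.get("jti") in revoked:
        return False, "revoked"          # the "blacklisted" case from the definition
    return True, "ok"

def demo() -> dict:
    """Four outcomes on a constructed 10-minute token for a CI runner identity."""
    issued, exp = 1_700_000_000, 1_700_000_600
    token = sign_jwt({"sub": "ci-runner-42", "jti": "job-9f1", "exp": exp}, KEY)
    header, _payload, sig = token.split(".")
    # Re-encode the payload with a different subject but keep the original signature.
    edited = b64url(json.dumps({"sub": "admin", "jti": "job-9f1", "exp": exp}, separators=(",", ":")).encode())
    return {
        "valid": verify_jwt(token, KEY, now=issued + 60),
        "tampered": verify_jwt(f"{header}.{edited}.{sig}", KEY, now=issued + 60),
        "expired": verify_jwt(token, KEY, now=exp),
        "revoked": verify_jwt(token, KEY, now=issued + 60, revoked={"job-9f1"}),
    }
```

The `expired` and `revoked` branches are the only two things that stop a leaked token, which is why the lifetime in `demo()` is minutes, not days.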

Secrets

Secret Sprawl

The condition where credentials, API keys, and tokens are scattered across code repositories, CI systems, environment variable stores, chat messages, wikis, and documents without a single inventory or ownership record. Rotating a single value becomes expensive because the team does not know how many copies exist.

Threat patterns

NHI Kill Chain

A taxonomy of recurring failure patterns that turn non-human identities into exploitable attack paths. Includes Ghost (orphaned), Shadow (undocumented), Aged (unrotated), Over-shared, Zombie (still valid after deletion), Drifted, Over-privileged, Public, and Unattributed keys.

Shadow IT

Any tool, service, or integration that employees adopt without the security team's knowledge. In the NHI world, shadow IT creates shadow service accounts, shadow API keys, and shadow OAuth grants that never enter the inventory.

Ghost Key

An API key or credential that still authenticates, but whose owner has left the company or can no longer be identified. Part of the NHI Kill Chain.

Over-shared Key

A single credential pasted into multiple projects, environments, CI systems, and developer machines. Rotating it in one place leaves the others exposed. The most expensive NHI failure mode to fix during an incident.

Aged Key

A long-lived credential that has not been rotated in months or years. Time multiplies the damage: the value has had plenty of opportunity to leak, and attackers can plan around its predictable continued validity.

Zombie Key

A credential that still authenticates even though the service or integration it was meant for has been deleted or decommissioned. The key is alive; the system expects it to be dead.

Out of Scope Loophole

The pattern where credential exposure is not covered by bug bounty scope or secret manager inventory, so the problem persists despite having security programs in place. Common for SaaS credentials pasted into Notion, Jira, or Slack.

Blast Radius

The set of systems, data, and actions that become reachable when a single credential is compromised. For an over-shared DB password, the blast radius is every environment that holds a copy.
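The Kill Chain patterns defined above (Ghost, Aged, Zombie, Over-shared, Unattributed, Public) and the Blast Radius entry can all be computed from an inventory record, so here is an added classifier that does that (example code, not the glossary's or Cremit's). The record fields, the 90-day age threshold and the sample keys are assumptions; Shadow keys are absent by definition, since they never reach the inventory.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

MAX_AGE_DAYS = 90          # assumed rotation policy; the glossary gives no threshold
TODAY = date(2024, 4, 1)   # fixed "now" so the audit is reproducible

@dataclass
class Credential:
    key_id: str
    owner: str | None       # None -> nobody recorded as owner (Unattributed)
    owner_active: bool      # False -> the recorded owner has left (Ghost)
    last_rotated: date
    target_exists: bool     # False -> the consuming service was decommissioned (Zombie)
    locations: list[str]    # every store where a copy was found (repos, CI, laptops, wikis)
    public_locations: list[str]  # the subset of locations that are world-readable

def classify(cred: Credential, today: date) -> list[str]:
    """Map one inventory record to the NHI Kill Chain patterns it matches."""
    findings = []
    if cred.owner is None:
        findings.append("Unattributed")
    elif not cred.owner_active:
        findings.append("Ghost")
    if (today - cred.last_rotated).days > MAX_AGE_DAYS:
        findings.append("Aged")
    if not cred.target_exists:
        findings.append("Zombie")
    if len(set(cred.locations)) > 1:
        findings.append("Over-shared")
    if cred.public_locations:
        findings.append("Public")
    return findings

def blast_radius(cred: Credential) -> list[str]:
    """Every environment that holds a copy, i.e. everything a rotation must touch."""
    return sorted(set(cred.locations))

# Constructed sample inventory, not real records.
INVENTORY = [
    Credential("key-001", "alice", True, date(2024, 3, 1), True, ["repo:payments", "ci:main"], []),
    Credential("key-002", "bob", False, date(2023, 1, 15), True, ["repo:legacy"], []),
    Credential("key-003", None, True, date(2024, 3, 20), False,
               ["ci:nightly", "laptop:dev-7", "wiki:runbook"], ["wiki:runbook"]),
]

def run_audit(inventory=INVENTORY, today=TODAY) -> dict[str, list[str]]:
    """key_id -> kill-chain findings, ready to feed a triage queue."""
    return {c.key_id: classify(c, today) for c in inventory}
```

Over-privileged and Drifted need policy data rather than inventory data, which is why they are not derived here.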

Operations

Credential Rotation

Also known as: Key Rotation · Secret Rotation

The process of issuing a new credential, updating every system that uses it, and revoking the old value. The hard part is never the new key — it is finding every place the old one lives.

AI / agents

MCP

Also known as: Model Context Protocol

A protocol that lets LLM-powered tools connect to external data sources and actions in a structured way. From an NHI perspective, each MCP connection is a new trust boundary: the tool inherits the identity and credentials of whoever connected it.

A2A

Also known as: Agent-to-Agent Protocol

A protocol for AI agents to communicate and coordinate with each other directly. Every A2A call is a credential action; inventory of agent identities becomes as important as inventory of human identities.

A term we should add?

The NHI field moves fast. Tell us what else belongs here.
