Threat patterns
What is Vulnerable Third-Party NHI?
Also known as: Third-Party NHI · Vendor API Key · OWASP NHI3
An NHI that belongs to a vendor or third-party integration: a Datadog API key, a Slack bot token, an OAuth grant to a SaaS app, a webhook secret. OWASP NHI3:2025 flags this because the credential lives partly outside your control: a breach on the vendor side, or a vendor employee's lost laptop holding your key, becomes your incident. Every third-party NHI therefore needs an inventory entry with a named owner, a periodic review of the scopes it carries against the scopes it actually uses, and a rotation workflow that can be run on demand; most organizations have 10x more of these credentials than they realize.
More terms in Threat patterns
- NHI Kill Chain: A taxonomy of recurring failure patterns that turn non-human identities into exploitable attack paths. Includes Ghost (orphaned), Shadow (undocumented), Aged (unrotated), Over-shared, Zombie (still valid after deletion), Drifted, Over-privileged, Public, and Unattributed keys.
- Overprivileged NHI: A machine identity whose IAM permissions exceed what the workload actually needs. OWASP NHI5:2025 flags this as a top-5 non-human identity risk because the blast radius on compromise is far larger than necessary: a read-only batch job running with admin rights hands an attacker admin-level access if the credential is stolen. Usually caused by copy-pasting policies, using default roles, or leaving expanded permissions behind after a one-time task.
- Shadow IT: Any tool, service, or integration that employees adopt without the security team's knowledge. In the NHI world, shadow IT creates shadow service accounts, shadow API keys, and shadow OAuth grants that never enter the inventory.
- Ghost Key: An API key or credential that still authenticates, but whose owner has left the company or can no longer be identified. Part of the NHI Kill Chain.
- Over-shared Key: A single credential pasted into multiple projects, environments, CI systems, and developer machines. Rotating it in one place leaves the others exposed. The most expensive NHI failure mode to fix during an incident.
- Aged Key: A long-lived credential that has not been rotated in months or years. Time multiplies the damage: the value has had plenty of opportunity to leak, and attackers can plan around its predictable continued validity.
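The inventory, scope review and rotation workflow described for third-party NHIs above, and the Kill Chain patterns listed here, are easiest to see as one review pass over a credential register. The following is an added example written for this glossary entry, not code from the page or from OWASP: the record fields, the 90-day rotation SLA, the `public:` location prefix, and the four sample credentials are all constructed assumptions. Each credential is checked against the patterns from the list (shadow, unattributed, ghost, aged, over-shared, public, over-privileged, drifted, zombie) using the rule the definition implies.

```python
"""Classify third-party NHIs against the NHI Kill Chain patterns.

Added example: records, people directory, SLA and location labels below are
constructed for illustration and are not from any real inventory.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

MAX_KEY_AGE_DAYS = 90  # assumed rotation SLA for third-party credentials


@dataclass(frozen=True)
class ThirdPartyNHI:
    name: str                       # our inventory name, e.g. "datadog-api-key-prod"
    vendor: str
    owner: Optional[str]            # accountable human; None if nobody is recorded
    in_inventory: bool              # False if found by discovery, not in the register
    last_rotated: Optional[date]    # None if never rotated since creation
    created: date
    approved: FrozenSet[str]        # scopes signed off at the last access review
    granted: FrozenSet[str]         # scopes the credential actually carries today
    used: FrozenSet[str]            # scopes seen in the vendor's audit log this window
    locations: FrozenSet[str]       # places the secret value was found (CI, repos, laptops)
    deleted: bool = False           # our side says the credential was removed
    still_valid: bool = True        # result of a live authentication probe at the vendor


def classify(nhi: ThirdPartyNHI, active_people: FrozenSet[str], today: date) -> list:
    """Return the sorted Kill Chain patterns that apply to one credential."""
    patterns = set()
    if not nhi.in_inventory:
        patterns.add("shadow")                  # never entered the inventory
    if nhi.owner is None:
        patterns.add("unattributed")            # nobody is accountable for it
    elif nhi.owner not in active_people:
        patterns.add("ghost")                   # owner has left the company
    age_start = nhi.last_rotated or nhi.created
    if (today - age_start).days > MAX_KEY_AGE_DAYS:
        patterns.add("aged")                    # past the rotation SLA
    if len(nhi.locations) > 1:
        patterns.add("over-shared")             # same value in several places
    if any(loc.startswith("public:") for loc in nhi.locations):
        patterns.add("public")                  # assumed label for public exposure
    if nhi.granted - nhi.used:
        patterns.add("over-privileged")         # carries scopes it never exercises
    if nhi.granted != nhi.approved:
        patterns.add("drifted")                 # scopes changed since last review
    if nhi.deleted and nhi.still_valid:
        patterns.add("zombie")                  # deleted on our side, still authenticates
    return sorted(patterns)


def review(inventory, active_people, today):
    """Map every credential name to its list of patterns (empty list = clean)."""
    return {n.name: classify(n, active_people, today) for n in inventory}


def rotation_due(inventory, today):
    """Live credentials past the SLA, oldest first. Zombies are revoked, not rotated."""
    due = [n for n in inventory
           if not n.deleted and "aged" in classify(n, frozenset(), today)]
    return [n.name for n in sorted(due, key=lambda n: n.last_rotated or n.created)]


# Constructed sample data: two active employees, four vendor credentials.
TODAY = date(2025, 6, 1)
ACTIVE_PEOPLE = frozenset({"alice@example.com", "bob@example.com"})
S = frozenset
SAMPLE = [
    ThirdPartyNHI("datadog-api-key-prod", "Datadog", "alice@example.com", True,
                  date(2025, 4, 20), date(2023, 1, 10),
                  S({"metrics:write"}), S({"metrics:write"}), S({"metrics:write"}),
                  S({"ci:github-actions"})),
    ThirdPartyNHI("slack-bot-token", "Slack", "carol@example.com", True,
                  None, date(2022, 3, 5),
                  S({"chat:write"}), S({"chat:write", "users:read", "files:write"}),
                  S({"chat:write"}),
                  S({"ci:github-actions", "repo:ops-scripts", "laptop:carol"})),
    ThirdPartyNHI("stripe-webhook-secret", "Stripe", None, False,
                  date(2025, 5, 15), date(2025, 5, 15),
                  S({"webhooks:verify"}), S({"webhooks:verify"}), S({"webhooks:verify"}),
                  S({"public:github.com/example/demo"})),
    ThirdPartyNHI("old-pagerduty-key", "PagerDuty", "bob@example.com", True,
                  date(2024, 1, 1), date(2024, 1, 1),
                  S({"incidents:read"}), S({"incidents:read"}), S({"incidents:read"}),
                  S({"ci:jenkins"}), deleted=True, still_valid=True),
]


def run_review():
    return review(SAMPLE, ACTIVE_PEOPLE, TODAY)


if __name__ == "__main__":
    for name, patterns in run_review().items():
        print(f"{name:24s} {', '.join(patterns) or 'clean'}")
    print("rotation due:", rotation_due(SAMPLE, TODAY))
```

The `used` set is what turns scope review from a guess into a measurement: the Slack token is flagged over-privileged because the vendor's audit log shows only `chat:write` in use, and drifted because its granted scopes no longer match the approved set, the two findings a periodic review is meant to catch. The deleted PagerDuty key that still answers a live probe is a zombie and belongs in a revocation queue rather than the rotation queue, which is why `rotation_due` excludes deleted records.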