Glossary

30 terms from NHI security

Definitions framed from the machine-identity perspective, not the general IAM one. Every term is one or two paragraphs, linked to deeper reading where useful.

Identity & access

Non-Human Identity

Also known as: NHI · Machine Identity · 비인간 신원 · 비인간 아이덴티티 · 기계 신원 · 머신 아이덴티티 · NHI 보안

Any identity that authenticates or authorizes without a human at the keyboard. Includes API keys, service accounts, OAuth tokens, signing keys, SSH keys, workload identities, and CI runner credentials. NHIs typically outnumber human identities in modern infrastructure by 10x to 50x.

IAM

Also known as: Identity and Access Management · 신원 접근 관리 · ID 접근 관리

The discipline of managing digital identities (human and non-human) and controlling what each identity can do. In cloud context (AWS IAM, GCP IAM), it refers specifically to the policy and role systems that govern resource access.

Least Privilege

Also known as: 최소 권한 · 최소 권한 원칙 · Principle of Least Privilege · PoLP

A security principle: every identity should have the minimum permissions required to do its job, and nothing more. The most common NHI failure is an API key with full admin rights when it only needs to read one bucket.

Zero Trust

Also known as: 제로 트러스트 · 제로트러스트 · Zero Trust Architecture · ZTA

An architectural pattern that treats every request as untrusted by default, regardless of network location, and verifies identity and authorization on every call. For NHIs, this means continuous verification instead of "once issued, always trusted."

Service Account

Also known as: 서비스 계정 · 서비스 어카운트

A non-human account used by an application, script, or cloud workload to authenticate to other services. Often long-lived, often broadly scoped, often unaudited. A high-value target and a common NHI failure mode.

Workload Identity Federation

Also known as: WIF · 워크로드 신원 · 워크로드 아이덴티티 페더레이션

A mechanism that lets a workload in one environment (for example, GitHub Actions) assume an identity in another (GCP or AWS) by exchanging short-lived tokens, without needing a long-lived service account key. This removes the long-lived service account key, the most commonly leaked kind of NHI.

PAM

Also known as: Privileged Access Management

Systems and processes that control, monitor, and audit privileged human access to critical systems. PAM does not generally cover NHIs; machine identities need their own lifecycle tooling, which is where Cremit Argus focuses.

Authentication protocols

SAML

Also known as: Security Assertion Markup Language · SAML 2.0

An XML-based open standard for exchanging authentication and authorization assertions between an Identity Provider (IdP) and a Service Provider (SP). Used by enterprise Single Sign-On. Cremit Argus supports SAML 2.0 with any compliant IdP (Okta, Azure AD, Google Workspace, Ping, JumpCloud, etc.).

SSO

Also known as: Single Sign-On

Authentication scheme that lets a user log in once and access multiple applications without re-entering credentials. Typically implemented via SAML 2.0 or OIDC. In NHI context, SSO applies to human access into management tools; machine-to-machine auth uses service accounts, not SSO.

SCIM

Also known as: System for Cross-domain Identity Management · SCIM 2.0

An open standard for automatically provisioning and de-provisioning users and groups between identity systems. When an employee is suspended in the IdP, SCIM propagates that change to downstream apps in real time, so access is revoked without a ticket.

OAuth

Also known as: OAuth 2.0

A delegation protocol that lets a user grant a third-party app access to their data without sharing the password. The tokens OAuth issues (access tokens, refresh tokens) are themselves NHIs and need rotation, scope review, and detection when leaked.

OIDC

Also known as: OpenID Connect

An identity layer on top of OAuth 2.0 that adds authentication (who the user is) to OAuth's delegation (what they can do). Preferred over SAML for modern web and mobile SSO because it uses JSON and HTTP, not XML.

JWT

Also known as: JSON Web Token

A compact, signed token format used to transmit identity and permission claims between parties. Signed JWTs are tamper-evident; leaked JWTs are usable until they expire or are blacklisted, so short expirations matter.

Secrets

Credential

Also known as: 크리덴셜 · 자격증명 · 인증정보

Any secret value that proves an identity to a system — a password, API key, OAuth token, TLS private key, SSH key, or JWT. In NHI security, "credential" usually refers to the machine-to-machine secret, not a human password. The word is used interchangeably with "secret" in most operational contexts.

Secret Scanning

Also known as: Secret Detection · Credential Scanning · 시크릿 스캐닝 · 시크릿 탐지 · 크리덴셜 스캐닝 · 시크릿 검출

The process of automatically searching code repositories, CI logs, container images, SaaS documents, chat transcripts, and other locations for accidentally committed credentials. Modern secret scanning goes beyond regex (which produces noise) to use entropy analysis, contextual parsing, and provider-specific validators that prove a leaked key is actually live before paging the owner. Cremit Argus runs this across public and private code plus SaaS surfaces.
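As an added illustration of the layers this entry describes (not code from the page or from Cremit Argus), here is a small Python scanner that combines a provider-specific format rule, contextual parsing of assignments, and an entropy gate, run over constructed sample lines. The liveness validator is an injectable hook (a real one would query the provider) and the entropy threshold is an assumed tuning value.

```python
import math
import re
from collections import Counter

# Constructed sample lines of the kind a scanner sees in a repo, CI log or chat export.
# The AWS key ID is the example value from AWS's own documentation, never a live key.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
    'db_password = "changeme"',
    'commit_sha = 3b4e1f9a7c2d8e6f0a1b2c3d4e5f6a7b8c9d0e1f',
    'api_token: "tK9f2Xp7Qw4sLm8vZr3yBn6cHj1dGe5u"',
    'print("hello world")',
]

# Provider-specific format: the structure is exact, so it fires without any context.
PROVIDER_PATTERNS = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}

# Contextual rule: an assignment whose name suggests a secret. Its value is reported
# only when entropy is high enough, which drops "changeme"-style placeholders and
# leaves uncontextualised hex (commit hashes) alone entirely.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']?([^\"'\s]+)")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed tuning value for this sample


def shannon_entropy(value: str) -> float:
    """Bits per character, estimated from the value's own symbol histogram."""
    counts, n = Counter(value), len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, validators=None):
    """Findings for one line. `validators` maps a provider name to a callable that
    confirms liveness; a real one would query the provider (for AWS, the STS
    GetCallerIdentity call). Passing none keeps the example offline."""
    findings = []
    for provider, pattern in PROVIDER_PATTERNS.items():
        for match in pattern.finditer(line):
            value = match.group(0)
            live = validators[provider](value) if validators and provider in validators else None
            findings.append({"rule": provider, "value": value, "live": live})
    for name, value in ASSIGNMENT.findall(line):
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append({"rule": f"context:{name.lower()}", "value": value, "live": None})
    return findings


def scan(lines, validators=None):
    """Scan many lines; returns (1-based line number, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in scan_line(line, validators)]
```

Running `scan(SAMPLE_LINES)` reports only line 1 (format match) and line 4 (secret-named value with 5.0 bits per character); the placeholder password and the bare commit hash produce no findings.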

Secret Sprawl

Also known as: 시크릿 스프롤 · 시크릿 확산 · 시크릿 산재 · 크리덴셜 확산 · Credential Sprawl · Secrets Sprawl

The condition where credentials, API keys, and tokens are scattered across code repositories, CI systems, environment variable stores, chat messages, wikis, and documents without a single inventory or ownership record. Rotating a single value becomes expensive because the team does not know how many copies exist. Recent incidents like the April 2026 Vercel exposure and the Bitwarden CLI npm compromise are textbook secret-sprawl outcomes.

Credential Leakage

Also known as: Credential Exposure · Credential Leak · 크리덴셜 노출 · 자격증명 유출

The accidental disclosure of a credential to someone who should not have access — an API key committed to a public repo, a token printed in a log, a secret pasted in Slack, a .env file bundled into a client-side JavaScript build. Different from Secret Sprawl (an inventory problem): leakage is an active exposure event that needs immediate rotation, scope review of what the credential could reach, and forensic review of logs.

Threat patterns

NHI Kill Chain

A taxonomy of recurring failure patterns that turn non-human identities into exploitable attack paths. Includes Ghost (orphaned), Shadow (undocumented), Aged (unrotated), Over-shared, Zombie (still valid after deletion), Drifted, Over-privileged, Public, and Unattributed keys.

Overprivileged NHI

Also known as: Over-privileged NHI · Overprivileged Non-Human Identity · OWASP NHI5

A machine identity whose IAM permissions exceed what the workload actually needs. OWASP NHI5:2025 flags this as a top-5 non-human identity risk because the blast radius on compromise is far larger than necessary — a read-only batch job running with admin rights hands an attacker admin-level reach if the credential is stolen. Usually caused by copy-pasting policies, using default roles, or leaving expanded permissions behind after a one-time task.

Vulnerable Third-Party NHI

Also known as: Third-Party NHI · Vendor API Key · OWASP NHI3

An NHI that belongs to a vendor or third-party integration — a Datadog API key, a Slack bot token, an OAuth grant to a SaaS app, a webhook secret. OWASP NHI3:2025 flags this because a breach on the vendor side (or a lost laptop holding their key) becomes your incident. Inventory, scope review, and rotation workflows on every third-party NHI are essential; most organizations have 10x more than they realize.

Shadow IT

Any tool, service, or integration that employees adopt without the security team's knowledge. In the NHI world, shadow IT creates shadow service accounts, shadow API keys, and shadow OAuth grants that never enter the inventory.

Ghost Key

An API key or credential that still authenticates, but whose owner has left the company or can no longer be identified. Part of the NHI Kill Chain.

Over-shared Key

A single credential pasted into multiple projects, environments, CI systems, and developer machines. Rotating it in one place leaves the others exposed. The most expensive NHI failure mode to fix during an incident.

Aged Key

A long-lived credential that has not been rotated in months or years. Time multiplies the damage: the value has had plenty of opportunity to leak, and attackers can plan around its predictable continued validity.

Zombie Key

A credential that still authenticates even though the service or integration it was meant for has been deleted or decommissioned. The key is alive; the system expects it to be dead.

Out of Scope Loophole

The pattern where credential exposure is not covered by bug bounty scope or secret manager inventory, so the problem persists despite having security programs in place. Common for SaaS credentials pasted into Notion, Jira, or Slack.

Blast Radius

The set of systems, data, and actions that become reachable when a single credential is compromised. For an over-shared DB password, the blast radius is every environment that holds a copy.

Operations

Credential Rotation

Also known as: Key Rotation · Secret Rotation · 자격증명 회전 · 키 로테이션 · 시크릿 로테이션 · 크리덴셜 회전

The process of issuing a new credential, updating every system that uses it, and revoking the old value. The hard part is never the new key — it is finding every place the old one lives.

AI / agents

MCP

Also known as: Model Context Protocol

A protocol that lets LLM-powered tools connect to external data sources and actions in a structured way. From an NHI perspective, each MCP connection is a new trust boundary: the tool inherits the identity and credentials of whoever connected it.

A2A

Also known as: Agent-to-Agent Protocol

A protocol for AI agents to communicate and coordinate with each other directly. Every A2A call is a credential action; inventory of agent identities becomes as important as inventory of human identities.

A term we should add?

The NHI field moves fast. Tell us what else belongs here.