What is Out of Scope Loophole?

A taxonomy of recurring failure patterns that turn non-human identities into exploitable attack paths. Includes Ghost (orphaned), Shadow (undocumented), Aged (unrotated), Over-shared, Zombie (still valid after deletion), Drifted, Over-privileged, Public, and Unattributed keys.

A machine identity whose IAM permissions exceed what the workload actually needs. OWASP NHI5:2025 flags this as a top-5 non-human identity risk because the blast radius on compromise is far larger than necessary — a read-only batch job running with admin rights will leak admin-level damage if the credential is stolen. Usually caused by copy-pasting policies, using default roles, or leaving expanded permissions behind after a one-time task.

An NHI that belongs to a vendor or third-party integration — a Datadog API key, a Slack bot token, an OAuth grant to a SaaS app, a webhook secret. OWASP NHI3:2025 flags this because a breach on the vendor side (or a lost laptop holding their key) becomes your incident. Inventory, scope review, and rotation workflows on every third-party NHI are essential; most organizations have 10x more than they realize.

Any tool, service, or integration that employees adopt without the security team's knowledge. In the NHI world, shadow IT creates shadow service accounts, shadow API keys, and shadow OAuth grants that never enter the inventory.

An API key or credential that still authenticates, but whose owner has left the company or can no longer be identified. Part of the NHI Kill Chain.

A single credential pasted into multiple projects, environments, CI systems, and developer machines. Rotating it in one place leaves the others exposed. The most expensive NHI failure mode to fix during an incident.