Threat patterns
What is Overprivileged NHI?
Also known as: Over-privileged NHI · Overprivileged Non-Human Identity · OWASP NHI5
A machine identity whose IAM permissions exceed what the workload actually needs. OWASP NHI5:2025 flags this as a top-5 non-human identity risk because the blast radius on compromise is far larger than necessary — a read-only batch job running with admin rights will leak admin-level damage if the credential is stolen. Usually caused by copy-pasting policies, using default roles, or leaving expanded permissions behind after a one-time task.
More terms in Threat patterns
- NHI Kill ChainA taxonomy of recurring failure patterns that turn non-human identities into exploitable attack paths. Includes Ghost (orphaned), Shadow (undocumented), Aged (unrotated), Over-shared, Zombie (still valid after deletion), Drifted, Over-privileged, Public, and Unattributed keys.
- Vulnerable Third-Party NHIAn NHI that belongs to a vendor or third-party integration — a Datadog API key, a Slack bot token, an OAuth grant to a SaaS app, a webhook secret. OWASP NHI3:2025 flags this because a breach on the vendor side (or a lost laptop holding their key) becomes your incident. Inventory, scope review, and rotation workflows on every third-party NHI are essential; most organizations have 10x more than they realize.
- Shadow ITAny tool, service, or integration that employees adopt without the security team's knowledge. In the NHI world, shadow IT creates shadow service accounts, shadow API keys, and shadow OAuth grants that never enter the inventory.
- Ghost KeyAn API key or credential that still authenticates, but whose owner has left the company or can no longer be identified. Part of the NHI Kill Chain.
- Over-shared KeyA single credential pasted into multiple projects, environments, CI systems, and developer machines. Rotating it in one place leaves the others exposed. The most expensive NHI failure mode to fix during an incident.
- Aged KeyA long-lived credential that has not been rotated in months or years. Time multiplies the damage: the value has had plenty of opportunity to leak, and attackers can plan around its predictable continued validity.