Are the OWASP NHI Top 10 Actually Needed?

The Non-Human Identity (NHI) Top 10 project has just been adopted as the Open Web Application Security Project’s newest Top 10 list. Through its Top 10 projects, which include the widely used API Security and Web Application Security lists, OWASP has for years provided security professionals and developers with essential guidance and practical frameworks.

Non-human identity security is an emerging area of the security market. It covers the risks and lack of oversight associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.

One may wonder whether we really need an NHI Top 10 when the existing OWASP Top 10 projects already cover a wide range of security risks that developers should address. The short answer is yes. Let’s see why, and then walk through the top 10 NHI risks.

Why are the NHI Top 10 necessary?

While other OWASP projects touch on related risks, such as secret leakage, NHIs and their associated risks go well beyond that. Security incidents that leverage NHIs do not revolve only around exposed secrets; they extend to excessive privileges, OAuth phishing attacks, IAM roles abused for lateral movement, and more.

While valuable, the existing OWASP Top 10 lists do not adequately address the unique challenges NHIs present. As the essential connectivity enablers between systems, services, data, and AI agents, NHIs are pervasive across development and runtime environments, and developers interact with them at every stage of the development pipeline.

With attacks targeting NHIs becoming more frequent, it became necessary to give engineers a comprehensive guide to the challenges they face.

Understanding the OWASP Top 10 rating criteria

Before we dive into the actual risks, it’s important to understand the rationale behind the Top 10 projects. OWASP Top 10 projects adhere to a set of standard criteria for assessing the level of risk:

  • Exploitability: evaluates how easily an attacker can exploit a given risk if the organization lacks adequate protection.
  • Impact: evaluates the potential harm the risk could cause to business systems and operations.
  • Prevalence: examines how common the security issue is across different environments, regardless of existing protective measures.
  • Detectability: measures how difficult it is to identify the weakness using standard monitoring and detection tools.

Breaking down the OWASP NHI Top 10 challenges

Now to the meat. Let’s look at the risks that earned a place on the list and why they matter:

NHI10: 2025- Human Use of NHI

NHIs are designed to serve automated processes, services, and applications without human intervention. During development and maintenance, developers or administrators may repurpose NHIs for manual operations that should instead be performed with individual human credentials carrying appropriate privileges. This can lead to privilege misuse, and if the misused key turns up in an incident, it is hard to establish who is accountable for it.

NHI9: 2025- NHI Reuse

NHI reuse occurs when teams repurpose the same NHI across multiple applications. While convenient, this violates the principle of least privilege, expands the blast radius, and exposes several services at once if that single NHI is compromised.

NHI8: 2025- Environment Isolation

A lack of environment isolation may cause test NHIs to bleed into production. An example from the Microsoft attack shows that an OAuth app created for testing held high privileges, exposing sensitive data.

NHI7: 2025- Long-Lived Secrets

Long-lived secrets pose a significant risk. Microsoft AI researchers inadvertently exposed an access token in a public GitHub repository; it remained valid for more than two years and granted access to 38 terabytes of internal data.

NHI6: 2025- Insecure Cloud Deployment Configurations

CI/CD pipelines inherently require extensive permissions, making them prime targets for attackers. Misconfigurations, such as hardcoded credentials or overly permissive OIDC trust configurations, can grant unauthorized access to critical resources and expose them to breaches.
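The "overly permissive OIDC configuration" mentioned above is easiest to see in an IAM role trust policy for GitHub Actions. The following Python is an added example, not code from the article or from OWASP or Astrix: it models three trust-policy variants with hypothetical account, organization and repository names and evaluates them against constructed token claims, showing which workflows each one lets assume the role. The subject layout (`repo:<owner>/<repo>:ref:refs/heads/<branch>` for branch pushes, `repo:<owner>/<repo>:pull_request` for pull requests) follows GitHub's documented claim format; the StringEquals/StringLike evaluation is a simplified model of IAM condition semantics, not the IAM engine itself.

```python
import fnmatch

# Hypothetical identifiers used throughout this example.
OIDC_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
CLAIM_PREFIX = "token.actions.githubusercontent.com:"


def trust_statement(condition):
    """Build the single Allow statement of an IAM role trust policy for GitHub OIDC."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }


# Weak: only the audience is checked. Every GitHub repository in the world presents
# this audience, so a workflow in any repository can assume the role.
WEAK = trust_statement({
    "StringEquals": {CLAIM_PREFIX + "aud": "sts.amazonaws.com"},
})

# Still too broad: an org-wide wildcard lets every repository in the org, on every
# branch, tag and pull request, assume the role.
ORG_WILDCARD = trust_statement({
    "StringEquals": {CLAIM_PREFIX + "aud": "sts.amazonaws.com"},
    "StringLike": {CLAIM_PREFIX + "sub": "repo:example-org/*"},
})

# Hardened: pinned to one repository and one protected branch.
HARDENED = trust_statement({
    "StringEquals": {
        CLAIM_PREFIX + "aud": "sts.amazonaws.com",
        CLAIM_PREFIX + "sub": "repo:example-org/payments-service:ref:refs/heads/main",
    },
})


def gh_claims(sub):
    """Constructed claims of a GitHub Actions OIDC token (only the fields we evaluate)."""
    return {"iss": "https://token.actions.githubusercontent.com", "aud": "sts.amazonaws.com", "sub": sub}


MAIN_BRANCH = gh_claims("repo:example-org/payments-service:ref:refs/heads/main")
FEATURE_BRANCH = gh_claims("repo:example-org/payments-service:ref:refs/heads/feature-x")
PULL_REQUEST = gh_claims("repo:example-org/payments-service:pull_request")
OTHER_ORG_REPO = gh_claims("repo:example-org/sandbox:ref:refs/heads/main")
ATTACKER_REPO = gh_claims("repo:attacker/evil:ref:refs/heads/main")


def statement_allows(statement, claims):
    """Evaluate the statement's Condition block against the presented token claims.

    Simplified IAM semantics for the two operators used with OIDC federation:
    every condition key must be satisfied; StringEquals is an exact match (a list
    means any-of); StringLike treats * and ? as wildcards. fnmatch also honours
    [...] character classes, which IAM does not; none of the patterns here use them.
    """
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            claim = key.split(":", 1)[1]  # strip the provider-host prefix
            actual = claims.get(claim)
            if actual is None:
                return False
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                matched = actual in patterns
            elif operator == "StringLike":
                matched = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not matched:
                return False
    return True


if __name__ == "__main__":
    tokens = {"main": MAIN_BRANCH, "feature": FEATURE_BRANCH, "pull_request": PULL_REQUEST,
              "other-org-repo": OTHER_ORG_REPO, "attacker": ATTACKER_REPO}
    for name, statement in (("WEAK", WEAK), ("ORG_WILDCARD", ORG_WILDCARD), ("HARDENED", HARDENED)):
        allowed = [t for t, c in tokens.items() if statement_allows(statement, c)]
        print(f"{name:13s} allows: {allowed}")
```

The point of the exercise is the middle case: checking the audience is necessary but says nothing about who minted the token, and an org-wide wildcard still lets a sandbox repository or a pull request from inside the org reach production credentials. Pin the `sub` claim to the exact repository and ref that should be deploying.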

NHI5: 2025- Overprivileged NHI

Poor provisioning practices leave many NHIs with excessive privileges. According to a report, 37% of NHI-related security incidents were caused by overprivileged identities, highlighting the urgent need for proper access controls and least-privilege practices.

NHI4: 2025- Insecure Authentication Methods

Insecure authentication methods such as the implicit OAuth flow and app passwords bypass MFA and are vulnerable to attack, yet they are still supported on many platforms, including Microsoft 365 and Google Workspace. Developers are often unaware of the risks of these outdated mechanisms, which leads to their widespread use and potential exploitation.
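To make the contrast concrete, here is an added Python example (not from the article, OWASP or Astrix) of the authorization-code flow with PKCE (RFC 7636), which is the replacement for the implicit flow, together with a small audit helper that classifies an authorization request URL. The endpoint, client ID, redirect URI and state value are hypothetical; the S256 test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 chars from the unreserved set; 32 random bytes -> 43 chars.
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(authorize_endpoint, client_id, redirect_uri, scope, state, verifier):
    """Client side: an authorization-code request carrying the PKCE challenge.

    Only the hash travels in the URL; the verifier stays in the client's memory, so a
    stolen authorization code cannot be redeemed without it. Compare the implicit flow,
    where the access token itself is returned in the redirect URL fragment.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def server_checks_verifier(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization-server side at the token endpoint (RFC 7636 section 4.6)."""
    if stored_method != "S256":  # refuse the 'plain' method and requests that omitted PKCE
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def classify_authorization_request(url: str) -> str:
    """Audit helper: tell an implicit-flow request from an authorization-code one."""
    q = parse_qs(urlparse(url).query)
    response_types = set(q.get("response_type", [""])[0].split())
    if "code" not in response_types and response_types & {"token", "id_token"}:
        return "implicit"  # tokens come back in the URL fragment: no PKCE, no client auth
    if "code" in response_types and q.get("code_challenge_method") == ["S256"]:
        return "code+pkce"
    if "code" in response_types:
        return "code-without-pkce"
    return "unknown"


# Known-answer test from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def check_rfc7636_vector() -> bool:
    return code_challenge_s256(RFC7636_VERIFIER) == RFC7636_CHALLENGE


if __name__ == "__main__":
    verifier = make_code_verifier()
    url = build_authorization_request("https://idp.example/authorize", "app-123",
                                      "https://app.example/cb", "openid profile", "st8", verifier)
    print(url)
    print(classify_authorization_request(url))
    print(classify_authorization_request("https://idp.example/authorize?response_type=token&client_id=app-123"))
```

Run the classifier over the authorization URLs your applications actually emit (from proxy logs or client configuration) to find integrations still on the implicit flow; app passwords have no URL signature and have to be found on the identity provider's side instead.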

NHI3: 2025- Vulnerable Third-Party NHI

Many development pipelines rely on third-party tools and services to speed up development, add capabilities, monitor applications, and more. These tools and services integrate directly with IDEs and code repositories using NHIs such as API keys, OAuth apps, and service accounts. Breaches at companies like CircleCI, Okta, and GitHub have forced customers to rotate their credentials, underscoring the importance of closely mapping and monitoring these externally owned NHIs.

NHI2: 2025- Secret Leakage

Secret leakage remains a top concern and often serves as the attacker’s initial access vector. Research shows that 37% of organizations have hardcoded secrets within their applications, making them prime targets.
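As an added example (not the article's, OWASP's or Astrix's code), the following Python sketch shows the kind of check that catches hardcoded secrets before they reach a repository: a few credential-format rules plus a Shannon-entropy filter for generic `KEY = "..."` assignments, run over a constructed sample config in which every value is fake (the AWS key is AWS's own documentation example). It also shows a limitation: a short, low-entropy password like `hunter2` slips past pattern-based scanning, and the entropy filter is what keeps placeholder values from producing noise.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Ordered rules: specific credential formats first, then a generic catch-all.
# Only the first matching rule fires for a given line.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # keyword-style assignment (API_KEY = "...", password: '...') with a value of 16+ chars
    ("generic-high-entropy",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*[\"']([^\"']{16,})[\"']")),
]
GENERIC_RULE = "generic-high-entropy"
ENTROPY_THRESHOLD = 3.0  # bits per character; "xxxxxxxx"-style placeholders score 0


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str  # first four characters only; never log the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (s must be non-empty)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_for_secrets(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == GENERIC_RULE and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # looks like a placeholder or constant, not a credential
            findings.append(Finding(line_no, rule, value[:4] + "..."))
            break  # one finding per line
    return findings


# Constructed sample config; every value below is fake.
SAMPLE_SOURCE = '''\
# constructed sample config; every value below is fake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
DEPLOY_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
API_KEY = "Zq7xP2mN9vB4kL8wR3tY6uH1sD5fG0jA"
PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"
DB_PASSWORD = "hunter2"
SLACK_TOKEN = os.environ["SLACK_TOKEN"]
'''

if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} ({f.redacted})")
```

Lines 2 to 5 of the sample are reported; the placeholder on line 6 is dropped by the entropy filter, the short password on line 7 is never matched, and line 8, which reads the secret from the environment, is what the flagged lines should look like after the fix. A pre-commit hook or CI step running a scanner of this shape is the cheapest control against this risk; rotating anything that was ever committed, even briefly, is the second half.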

NHI1: 2025- Improper Offboarding

According to the report, improper offboarding is the most prevalent issue: lingering NHIs that were not deactivated or removed after an employee left, a service was decommissioned, or a third party was terminated. Over 50% of organizations have no formal procedure for offboarding NHIs. NHIs that are no longer needed but remain active offer a variety of attack opportunities, particularly for insider threats.
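Offboarding gaps are found by reconciling the NHI inventory against the people, services and vendors that are still active. The following Python is an added example with a constructed inventory (all names and dates are made up), not code from the article, OWASP or Astrix: it flags identities whose owner has been offboarded, covering the three cases the paragraph lists, and identities that are dormant, which is how orphaned NHIs usually surface when no owner record exists.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                  # service-account, api-key, oauth-app, iam-role, ssh-key
    owner: str                 # who is accountable: a person, an internal service, or a vendor
    owner_type: str            # "person" | "service" | "vendor"
    last_used: Optional[date]  # None = never used since issuance
    enabled: bool = True


# Constructed inventory (names and dates are made up for this example).
INVENTORY = [
    NHI("ci-deployer",          "service-account", "alice",         "person",  date(2025, 1, 20)),
    NHI("legacy-report-export", "api-key",         "bob",           "person",  date(2024, 3, 2)),
    NHI("billing-sync",         "oauth-app",       "vendor-acme",   "vendor",  date(2025, 1, 15)),
    NHI("warehouse-loader",     "iam-role",        "svc-warehouse", "service", date(2024, 6, 30)),
    NHI("night-batch",          "ssh-key",         "carol",         "person",  None),
    NHI("old-backup-key",       "api-key",         "alice",         "person",  date(2024, 9, 1)),
    NHI("metrics-pusher",       "api-key",         "dave",          "person",  date(2025, 1, 25)),
]

# Authoritative "still active" sources: HR roster, service registry, vendor contracts.
ACTIVE_PEOPLE = {"alice", "carol", "dave"}   # bob has left the company
ACTIVE_SERVICES = {"svc-metrics"}            # svc-warehouse was decommissioned
ACTIVE_VENDORS = {"vendor-globex"}           # the vendor-acme contract was terminated


def find_offboarding_gaps(inventory, active_people, active_services, active_vendors,
                          today, dormant_days=90):
    """Return (nhi_name, reason) for every enabled NHI that should have been offboarded.

    An NHI is reported once: owner gone takes precedence over dormancy, since an
    orphaned identity that is still in use is the more urgent finding.
    """
    rosters = {"person": active_people, "service": active_services, "vendor": active_vendors}
    gaps = []
    for nhi in inventory:
        if not nhi.enabled:
            continue
        if nhi.owner not in rosters[nhi.owner_type]:
            gaps.append((nhi.name, f"{nhi.owner_type}-offboarded"))
            continue
        if nhi.last_used is None or (today - nhi.last_used).days > dormant_days:
            gaps.append((nhi.name, "dormant"))
    return gaps


if __name__ == "__main__":
    for name, reason in find_offboarding_gaps(INVENTORY, ACTIVE_PEOPLE, ACTIVE_SERVICES,
                                              ACTIVE_VENDORS, date(2025, 2, 1)):
        print(f"{name}: {reason}")
```

The hard part in practice is not the loop but the `owner` column: an inventory that does not record an accountable owner for every NHI cannot be reconciled, which is why the dormancy check is kept as a fallback signal.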

A standardized framework for NHI security

The OWASP NHI Top 10 fills a crucial role by drawing attention to the unique security issues NHIs present. Both development and security teams have lacked a clear, structured understanding of the risks these identities pose and of how to incorporate them into security programs. Astrix Security has adopted the OWASP NHI Top 10 as the framework for its compliance dashboard to help close that gap.

The Astrix OWASP NHI Top 10 Compliance Dashboard

This capability correlates the organization’s security findings with the NHI Top 10 risks, helping security teams visualize their current posture, identify gaps, and prioritize next steps.

Use the dashboard to quickly identify the areas that require the most attention while monitoring progress over time using the Top 10 framework.

This article was contributed by one of our valued partners.
