
NHI & AI

OWASP Publishes First Non-Human Identity Top 10

OWASP Foundation · 2025

OWASP's first-ever NHI-specific risk list codifies the most critical risks arising from API keys, service accounts, OAuth tokens, and other machine identities.

Key Finding

Improper Offboarding ranks #1: the failure to revoke NHI credentials when the service or integration that used them is decommissioned is the top-ranked risk on the list.

In 2025, the OWASP Foundation published its first-ever Top 10 list specifically addressing non-human identity (NHI) risks. This is a landmark development and a formal recognition that the identity security challenge has expanded well beyond human users.

The full OWASP NHI Top 10 (OWASP numbers the entries NHI1 through NHI10):

1. Improper Offboarding: failing to revoke NHI credentials when services are decommissioned
2. Secret Leakage: credentials exposed in code, logs, or configuration
3. Vulnerable Third-Party NHI: compromised tokens from vendor integrations
4. Insecure Authentication: weak or absent authentication for machine-to-machine communication
5. Overprivileged NHI: service accounts with more access than they need
6. Insecure Cloud Deployment Configurations: misconfigured cloud identity settings
7. Long-Lived Secrets: credentials that never expire or rotate
8. Environment Isolation: insufficient separation between dev, staging, and production NHIs
9. NHI Reuse: sharing one credential across multiple services
10. Human Use of NHI: people using service accounts for interactive access

The list was compiled from real-world breach analysis, industry surveys, CVE databases, and expert input. Every entry maps to incidents that have already occurred.

For identity architects, the list is a structured framework for assessing NHI risk: inventory every machine credential, then test each one against the ten categories. Most organizations we work with have significant exposure across several categories at once, particularly improper offboarding, long-lived secrets, and overprivileged service accounts. These are not edge cases. They are the norm.
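Turning the list into an assessment means asking concrete, mechanically checkable questions of an NHI inventory. The following is an added example written for this article, not OWASP's code or a tool from the authors: it runs six of the ten categories (Improper Offboarding, Overprivileged NHI, Long-Lived Secrets, Environment Isolation, NHI Reuse, Human Use of NHI) over a small constructed inventory. The record fields, the 90-day rotation policy, the `env.resource:action` permission syntax, and the fingerprint values are all assumptions made for illustration; a real inventory would be pulled from your secrets manager, cloud IAM, and CI system.

```python
# Added example, not code from OWASP or from the page's authors. Flags six of
# the OWASP NHI Top 10 categories in a constructed machine-identity inventory.
# Field names, the 90-day rotation policy and the "env.resource:action"
# permission syntax are assumptions chosen for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_SECRET_AGE = timedelta(days=90)              # assumed rotation policy


@dataclass
class NHI:
    name: str
    owner_service: str                 # workload that is supposed to use this credential
    environment: str                   # where the credential is deployed: prod / staging / dev
    secret_fingerprint: str            # hash of the secret value; the secret itself is never stored
    created: datetime
    expires: Optional[datetime]        # None means the credential never expires
    permissions: List[str]             # "env.resource:action"; "*" is a wildcard
    last_interactive_login: Optional[datetime] = None  # console/SSH use by a person


def audit(identities: List[NHI], decommissioned: Set[str]) -> Dict[str, list]:
    """Return {OWASP category: [identity names]} for every identity that trips a check."""
    findings = defaultdict(list)
    by_fingerprint = defaultdict(list)
    for nhi in identities:
        by_fingerprint[nhi.secret_fingerprint].append(nhi.name)
        # NHI1: the owning service is gone but the credential was never revoked
        if nhi.owner_service in decommissioned:
            findings["NHI1 Improper Offboarding"].append(nhi.name)
        # NHI5: a wildcard on the resource or the action
        if any("*" in p for p in nhi.permissions):
            findings["NHI5 Overprivileged NHI"].append(nhi.name)
        # NHI7: no expiry at all, or not rotated within the policy window
        if nhi.expires is None or NOW - nhi.created > MAX_SECRET_AGE:
            findings["NHI7 Long-Lived Secrets"].append(nhi.name)
        # NHI8: a credential deployed in one environment that reaches into another
        target_envs = {p.split(".", 1)[0] for p in nhi.permissions}
        if target_envs - {nhi.environment}:
            findings["NHI8 Environment Isolation"].append(nhi.name)
        # NHI10: a person has used the service credential interactively
        if nhi.last_interactive_login is not None:
            findings["NHI10 Human Use of NHI"].append(nhi.name)
    # NHI9: the same secret value sits behind more than one identity
    for names in by_fingerprint.values():
        if len(names) > 1:
            findings["NHI9 NHI Reuse"].append(sorted(names))
    return dict(findings)


# Constructed inventory for the example; none of these are real credentials.
DECOMMISSIONED_SERVICES = {"reports-v1"}

INVENTORY = [
    NHI("billing-svc-key", "billing-svc", "prod", "fp:a1b2",
        created=NOW - timedelta(days=30), expires=NOW + timedelta(days=60),
        permissions=["prod.billing-db:read"]),                     # clean
    NHI("legacy-report-key", "reports-v1", "prod", "fp:9c0d",
        created=NOW - timedelta(days=400), expires=None,
        permissions=["prod.*:*"]),                                 # owner retired, wildcard, never expires
    NHI("ci-deployer", "ci", "dev", "fp:77e2",
        created=NOW - timedelta(days=10), expires=NOW + timedelta(days=80),
        permissions=["prod.cluster:deploy"]),                      # dev credential with prod reach
    NHI("etl-worker", "etl", "prod", "fp:77e2",                    # same secret as ci-deployer
        created=NOW - timedelta(days=10), expires=NOW + timedelta(days=80),
        permissions=["prod.warehouse:write"],
        last_interactive_login=NOW - timedelta(days=1)),           # a person logged in with it
]


def run_audit() -> Dict[str, list]:
    return audit(INVENTORY, DECOMMISSIONED_SERVICES)


if __name__ == "__main__":
    for category, names in sorted(run_audit().items()):
        print(f"{category}: {names}")
```

On this inventory `legacy-report-key` trips NHI1, NHI5 and NHI7 at once, which is the typical shape of the problem: a credential nobody offboarded is also the one nobody scoped or rotated. The four categories not covered here (Secret Leakage, Vulnerable Third-Party NHI, Insecure Authentication, Insecure Cloud Deployment Configurations) need data this inventory does not hold, such as repository and log scans, vendor token provenance, and cloud IAM policy dumps, and would be separate checks fed by those sources.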
