NHI and Agentic Risk: How Compromise Happens
An overview of the shared risk surface between non-human identities and agentic systems, with a focus on how compromise begins.
This post is part of a series that asks two questions: how compromise happens, and why it persists.
A non-human identity is a credentialed identity used by software rather than a person: service accounts, API keys, tokens, and certificates that let systems call tools and APIs. In most organizations, these identities outnumber human users, and they live across build systems, pipelines, integrations, and automation. They are easy to create and hard to retire cleanly.
NHI issues are known, but rotation automation is often deferred in order to ship faster. Agents add autonomy and tool chains to that same risk, which raises the cost of deferral. Most teams already understand service accounts, tokens, and key rotation; familiarity makes these feel like chores rather than unknown attack surfaces. What changes in agentic systems is not the existence of identity risk, but its reach and speed.
The OWASP Non-Human Identities (NHI) list is about identity lifecycle control, whereas the OWASP Agentic Security Initiative (ASI) list is about agent behavior and autonomy. In practice, identity failures enable behavior failures, and behavior failures expand the blast radius. The Appendix C mapping in the OWASP Top 10 for Agentic Applications makes this explicit: the identity plane and the agent plane are separate disciplines with a shared failure surface.
Think of NHIs as the control plane for tools and agents. Agents act through tools; tools are controlled by NHIs. If NHIs are mismanaged, agent safeguards are fragile. This is why identity debt—the accumulation of stale credentials, orphaned accounts, and deferred rotation—shows up as agent risk even when the model is behaving as designed.
Appendix C of the OWASP Agentic Top 10 shows the alignment:
- Improper offboarding (NHI1) → Supply chain vulnerabilities (ASI04): Stale identities behave like forgotten dependencies that still authorize tool access.
- Overprivileged NHIs (NHI5) → Tool misuse (ASI02) and identity abuse (ASI03): Agents can only misuse what identities allow.
- Secret leakage and long-lived secrets (NHI2, NHI7) → Memory and context poisoning (ASI06): Leaked credentials turn into durable agent context.
- Environment isolation and NHI reuse (NHI8, NHI9) → Inter-agent communication failures and cascading failures (ASI07, ASI08): Boundaries are the only thing that keeps incidents local.
- Human use of NHIs (NHI10) → Trust exploitation and goal hijack (ASI09, ASI01): Accountability and intent are lost at the identity layer.
Most agent incidents begin with a mundane identity fault, not a novel model exploit. An offboarded service identity still has active tool bindings. An over-scoped identity turns a low-risk tool into a high-impact action. A leaked token sits in logs, email, prompts, or long-term memory. When an agent is introduced, these faults become execution paths. The agent does not create the vulnerability; it makes it operable and faster.
Identity debt is durable. Once a credential is copied, cached, or embedded, it is hard to prove removal. When that credential is attached to agent tools, the blast radius grows and cleanup work gets deferred again with the next urgent project or update. This is why the same NHI issues reappear in incidents even when the model itself did nothing unexpected.
There is a practical line between identity controls and agent controls. Identity controls decide who or what can call a tool. Agent controls decide when and why a tool is called. If either side is weak, the system behaves as if both are.
Stale identities are treated as owned dependencies, tokens live longer than the system they protect, and tool access is granted by convenience rather than need. The most common gap is the lack of proof that an NHI was removed from every tool chain it ever touched.
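One way to turn "proof of removal" into a repeatable check is to audit an identity inventory against every tool binding. The sketch below is an added example, not part of the original post or of any OWASP material; the inventory fields, the tool names, the 90-day rotation limit, and the idea that "used" scopes come from access logs are all assumptions, and the data is constructed.

```python
from datetime import date

# Constructed sample data; field names and values are assumptions for illustration.
INVENTORY = [
    {"id": "svc-build", "status": "active", "issued": date(2025, 1, 10),
     "granted": {"repo:read", "repo:write"}, "used": {"repo:read", "repo:write"}},
    {"id": "svc-legacy-etl", "status": "offboarded", "issued": date(2023, 3, 1),
     "granted": {"db:read"}, "used": set()},
    {"id": "agent-support", "status": "active", "issued": date(2024, 2, 1),
     "granted": {"tickets:read", "tickets:write", "billing:refund"}, "used": {"tickets:read"}},
]
# Tool chain -> identities still referenced by it (constructed).
TOOL_BINDINGS = {
    "ci-pipeline": ["svc-build"],
    "nightly-export": ["svc-legacy-etl"],
    "support-agent-tools": ["agent-support", "svc-legacy-etl"],
    "old-webhook": ["svc-ghost"],
}
MAX_AGE_DAYS = 90  # assumed rotation policy

def audit(inventory, bindings, today):
    """Return (identity, finding, detail) tuples for the faults described above."""
    known = {n["id"]: n for n in inventory}
    findings = []
    for tool, ids in sorted(bindings.items()):
        for nhi_id in ids:
            nhi = known.get(nhi_id)
            if nhi is None:  # bound to a tool but absent from the inventory
                findings.append((nhi_id, "unknown-identity-bound", tool))
            elif nhi["status"] == "offboarded":  # NHI1: improper offboarding
                findings.append((nhi_id, "offboarded-still-bound", tool))
    for nhi in inventory:
        if nhi["status"] != "active":
            continue
        unused = sorted(nhi["granted"] - nhi["used"])
        if unused:  # NHI5: granted scopes never exercised
            findings.append((nhi["id"], "over-scoped", ",".join(unused)))
        age = (today - nhi["issued"]).days
        if age > MAX_AGE_DAYS:  # NHI7: long-lived secret
            findings.append((nhi["id"], "long-lived-secret", f"{age}d"))
    return findings

def removal_proven(nhi_id, bindings):
    """True only if no tool chain still references the identity."""
    return all(nhi_id not in ids for ids in bindings.values())

if __name__ == "__main__":
    for finding in audit(INVENTORY, TOOL_BINDINGS, date(2025, 3, 1)):
        print(*finding, sep="\t")
```

The check only covers bindings it can enumerate, so a tool chain missing from the bindings map is itself a gap in the proof.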
If we want safer agents, we need to treat NHI hygiene as an engineering dependency, not a compliance afterthought. None of this should sound new.
Next post: least privilege meets least agency, and how over-scoped identities turn tool misuse into routine risk.
