NHI and Agentic Risk: How Compromise Happens

Stack Research

Agent incidents usually start with a mundane identity fault, not a novel model exploit.

This is the first post in a series on how compromise happens in agent systems and why it persists.

A non-human identity (NHI) is a credentialed identity used by software: service accounts, API keys, tokens, and certificates that let systems call tools and APIs. In most organizations, these outnumber human users. They live across build systems, pipelines, integrations, and automation. They’re easy to create and hard to retire cleanly.

NHI issues are known, but rotation automation is deferred to ship faster. Agents add autonomy and tool chains to that same risk, which raises the cost of deferral. Service accounts, tokens, and key rotation feel like chores rather than attack surfaces. What changes in agentic systems isn’t the existence of identity risk — it’s the reach and speed.

Two Lists, One Failure Surface

The OWASP NHI list covers identity lifecycle control. The OWASP Agentic Security Initiative (ASI) list covers agent behavior and autonomy. In practice, identity failures enable behavior failures, and behavior failures expand the blast radius. The Appendix C mapping in the OWASP Top 10 for Agentic Applications makes this explicit.

Think of NHIs as the control plane for tools and agents. Agents act through tools; tools are controlled by NHIs. If NHIs are mismanaged, agent safeguards are fragile.

Where the Lists Overlap

  • Improper offboarding (NHI1) → Supply chain vulnerabilities (ASI04). Stale identities behave like forgotten dependencies that still authorize tool access.
  • Overprivileged NHIs (NHI5) → Tool misuse and identity abuse (ASI02, ASI03). Agents can only misuse what identities allow.
  • Secret leakage and long-lived secrets (NHI2, NHI7) → Memory and context poisoning (ASI06). Leaked credentials turn into durable agent context.
  • Environment isolation and NHI reuse (NHI8, NHI9) → Cascading failures (ASI07, ASI08). Boundaries are the only thing that keeps incidents local.
  • Human use of NHIs (NHI10) → Trust exploitation and goal hijack (ASI09, ASI01). Accountability and intent are lost at the identity layer.

How It Plays Out

Agent incidents usually start with a mundane identity fault. An offboarded service identity still has active tool bindings. An over-scoped identity turns a low-risk tool into a high-impact action. A leaked token sits in logs, email, prompts, or long-term memory. When an agent is introduced, these faults become execution paths. The agent doesn’t create the vulnerability — it makes it operable and faster.

Identity debt is durable. Once a credential is copied, cached, or embedded, it’s hard to prove removal. When that credential is attached to agent tools, the blast radius grows and cleanup gets deferred again. This is why the same NHI issues reappear in incidents even when the model itself did nothing unexpected.

The Practical Line

Identity controls decide who or what can call a tool. Agent controls decide when and why a tool is called. If either side is weak, the system behaves as if both are.

Stale identities get treated as owned dependencies, tokens outlive the systems they protect, and tool access is granted by convenience rather than need. The most common gap is the lack of proof that an NHI was removed from every tool chain it ever touched.
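
As an added example (not code from the original post), the audit below cross-checks an NHI inventory against agent tool bindings and tags each finding with the NHI and ASI entries from the overlap list above. The identity names, tools, scopes, record fields and the 90-day secret age limit are all constructed assumptions.

```python
from datetime import date

# Pairings from the overlap list above: NHI finding -> agentic risks it enables.
OVERLAP = {"NHI1": "ASI04", "NHI5": "ASI02,ASI03", "NHI7": "ASI06", "NHI8/NHI9": "ASI07,ASI08"}

# Constructed inventory; identity names and fields are hypothetical.
IDENTITIES = {
    "svc-build":  {"status": "active", "issued": date(2025, 5, 1), "needs": {"repo:read"}},
    "svc-report": {"status": "offboarded", "issued": date(2024, 1, 15), "needs": set()},
    "svc-mail":   {"status": "active", "issued": date(2024, 11, 1), "needs": {"mail:send"}},
}
# Constructed bindings: the identity each agent tool authenticates as, and its granted scopes.
BINDINGS = [
    {"tool": "repo_search", "identity": "svc-build", "env": "prod", "scopes": {"repo:read"}},
    {"tool": "repo_search", "identity": "svc-build", "env": "staging", "scopes": {"repo:read"}},
    {"tool": "export_report", "identity": "svc-report", "env": "prod", "scopes": {"db:read"}},
    {"tool": "send_mail", "identity": "svc-mail", "env": "prod", "scopes": {"mail:send", "mail:admin"}},
    {"tool": "legacy_sync", "identity": "svc-old", "env": "prod", "scopes": {"db:write"}},
]

def audit(identities, bindings, today, max_age_days=90):
    """Return sorted (identity, tool, nhi, asi, detail) findings."""
    findings, envs = set(), {}
    for b in bindings:
        name, ident = b["identity"], identities.get(b["identity"])
        envs.setdefault(name, set()).add(b["env"])
        if ident is None or ident["status"] != "active":
            # Retired or unknown identity still authorizes a tool: removal is unproven.
            findings.add((name, b["tool"], "NHI1", "stale binding"))
            continue
        extra = b["scopes"] - ident["needs"]
        if extra:
            findings.add((name, b["tool"], "NHI5", "extra scopes: " + ",".join(sorted(extra))))
        if (today - ident["issued"]).days > max_age_days:
            findings.add((name, b["tool"], "NHI7", "secret older than %d days" % max_age_days))
    for name, seen in envs.items():
        if len(seen) > 1:
            findings.add((name, "*", "NHI8/NHI9", "shared across " + ",".join(sorted(seen))))
    return sorted((n, t, nhi, OVERLAP[nhi], d) for n, t, nhi, d in findings)

def removal_proven(name, bindings):
    """Offboarding is proven only when no tool binding references the identity."""
    return all(b["identity"] != name for b in bindings)

if __name__ == "__main__":
    for row in audit(IDENTITIES, BINDINGS, today=date(2025, 6, 1)):
        print(*row, sep=" | ")
```

In the sample data, `svc-old` is bound to a tool but absent from the inventory, so it is reported the same way as the offboarded `svc-report`: both are bindings that still authorize tool access without a live owner.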

The Point

If we want safer agents, NHI hygiene is an engineering dependency, not a compliance afterthought. None of this should sound new.

Next post: least privilege meets least agency, and how over-scoped identities turn tool misuse into routine risk.