NHI and Agentic Risk: When Humans Use Machine Credentials

Stack Research
Tags: security, identity

When people use machine credentials, intent is blurred and audit trails break. Agents make it worse.

Final post in the series. Focus here: what happens when humans use non-human identities, and why agents amplify the damage.

The OWASP overlap: NHI10 (human use of NHI) maps to ASI09 (human-agent trust exploitation) and ASI01 (goal hijack). When people use machine credentials, intent is blurred and audit trails lose the ability to distinguish misuse from automation.

It keeps happening because it feels fast. Shared credentials cut friction. Emergency access becomes standard access. The audit log records the machine, not the person, and the system learns to accept that ambiguity as normal.

An engineer uses an automation token to run a one-off task. The token is later reused by an agent to approve a sensitive action — because it already works. When the action is questioned, the logs show the NHI, not the person. The organization can’t separate a mistake from abuse.

The fixes are familiar: break-glass workflows with short-lived access, attested actions for high-impact agent operations, and treating NHI misuse as a first-class incident rather than an exception.
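As an added example (not code from the Stack Research post), the checks below run over constructed audit events and flag the pattern in the scenario above: an NHI driven from a human session, a high-impact action by an NHI with no attested human actor, and a credential drifting across client kinds. The event schema, field names and action list are assumptions.

```python
"""Added example: audit-log checks for the NHI misuse pattern.
The event schema and field names are assumptions, not any product's format."""
from collections import defaultdict

# Assumed set of high-impact actions that should require an attested human actor.
HIGH_IMPACT = {"approve_deploy", "grant_role", "rotate_key"}

# Constructed sample events (not real logs). `actor` is the attested human on whose
# behalf the action ran; None means the credential was used bare, with no attribution.
EVENTS = [
    {"ts": 1, "principal": "svc-deploy", "kind": "nhi", "client": "ci-runner", "actor": None, "action": "build"},
    {"ts": 2, "principal": "svc-deploy", "kind": "nhi", "client": "interactive", "actor": None, "action": "build"},
    {"ts": 3, "principal": "svc-deploy", "kind": "nhi", "client": "agent", "actor": None, "action": "approve_deploy"},
    {"ts": 4, "principal": "svc-deploy", "kind": "nhi", "client": "agent", "actor": "alice", "action": "rotate_key"},
    {"ts": 5, "principal": "alice", "kind": "human", "client": "interactive", "actor": "alice", "action": "grant_role"},
]


def analyze(events):
    """Return (finding_code, event_ts) pairs in log order. NHI = non-human identity."""
    findings = []
    clients_by_principal = defaultdict(set)
    for e in events:
        if e["kind"] != "nhi":
            continue  # a human principal is attributable on its own
        # Human use of NHI: a machine credential driven from an interactive session.
        if e["client"] == "interactive":
            findings.append(("human_use_of_nhi", e["ts"]))
        # Unattested high-impact action: no human actor bound to the operation.
        if e["action"] in HIGH_IMPACT and e["actor"] is None:
            findings.append(("unattested_high_impact", e["ts"]))
        # Credential drift: the same NHI reused from a client kind not seen before.
        seen = clients_by_principal[e["principal"]]
        if seen and e["client"] not in seen:
            findings.append(("credential_reuse_across_clients", e["ts"]))
        seen.add(e["client"])
    return findings


if __name__ == "__main__":
    for code, ts in analyze(EVENTS):
        print(f"ts={ts}: {code}")
```

Each finding is a candidate first-class incident; event 4 passes because the agent's action carries an attested human actor, which is the distinction the audit trail otherwise cannot make.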

Agents make it easier to hide behind machine identities. That’s why NHI misuse has a long half-life.