Non-human identity

What is a non-human identity (NHI)?

A non-human identity (NHI) is a digital identity for a machine, application, service, or automated process – including service accounts, API keys, OAuth tokens, certificates, and SSH keys. As cloud and SaaS adoption grows, NHIs outnumber human identities in most enterprises, and they’re increasingly targeted because they often hold privileged, under-monitored access.

How NHI credentials get stolen

NHI credentials are valuable because they grant privileged access to cloud infrastructure, production databases, and CI/CD pipelines without generating the login anomalies that a human account takeover does. The dominant exposure path runs through developer and engineer devices: developers keep API keys, service-account credentials, and connection strings in config files, IDE extensions, and local environments.

When a developer’s machine is hit by an infostealer, those NHI secrets are pulled alongside the personal ones – a single laptop infection can expose service-account passwords, API keys, and SSH keys for production systems.

How do I check if my organization’s API keys and machine credentials are exposed?

Run Check Your Exposure to see exposed API keys and machine credentials tied to your domain that are circulating in the criminal underground. SpyCloud’s recaptured data already documents this exposure at scale, including 18.1M exposed API keys and 6.2M AI tool credentials in the 2026 Identity Exposure Report.

Check your exposure for free →

Why stolen NHIs are more dangerous and how to surface them

The 2025 OWASP Non-Human Identities Top 10 formalized NHI security as its own discipline, flagging improper secret management, overpermissioned credentials, and lack of rotation. Those properties are exactly what make a stolen NHI dangerous:

  • Highly privileged. A service account often has broader permissions than any human account.
  • Under-monitored. Automated, repetitive behavior looks normal, so anomalies generate few alerts.
  • Long-lived. Keys and service-account passwords are rotated rarely or never, so a stolen one stays exploitable for months or years.
  • Different remediation. It’s a rotation in the secrets manager, not a password reset – and SpyCloud Endpoint Threat Protection surfaces the per-device inventory so you rotate exactly what was taken.
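An added example, not SpyCloud's code, of the defender-side inventory implied by the two sections above: it scans constructed developer config files for the credential shapes an infostealer harvests, collapses copies of the same key into one entry so reuse across files is visible, and orders the result for rotation rather than password reset. The regexes, the file paths and the use of a file's modification time as a stand-in for its last rotation date are assumptions made for this example.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone
# Credential shapes an infostealer harvests from developer config files. Constructed for this
# example: "AKIA" and "ghp_" are public prefixes of AWS access key IDs and GitHub tokens.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "db_connection_string": re.compile(r"""\b(?:postgres|mysql|mongodb)://[^\s"'@]+:[^\s"'@]+@[^\s"']+"""),
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}

def fingerprint(secret: str) -> str:
    # Never record the secret itself; a short hash is enough to correlate reuse.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scan_files(files, now, max_age_days=90):
    """files: {path: (content, last_modified)}. Returns a rotation worklist keyed by
    fingerprint, so one key copied into several files appears once with every location.
    Assumption: the file's last-modified time stands in for the last rotation date."""
    worklist = {}
    for path, (content, mtime) in files.items():
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(content):
                # A key file's header is identical for every key, so hash the whole file.
                secret = content if kind == "private_key" else m.group(0)
                entry = worklist.setdefault(fingerprint(secret), {"kind": kind, "files": [], "stale": False})
                entry["files"].append(path)
                if now - mtime > timedelta(days=max_age_days):
                    entry["stale"] = True
    return worklist

def rotation_order(worklist):
    """Stale credentials and those reused across the most files are rotated first."""
    return sorted(worklist.values(), key=lambda e: (e["stale"], len(e["files"])), reverse=True)

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_FILES = {  # constructed sample files; AKIAIOSFODNN7EXAMPLE is AWS's documented example key
    "/home/dev/app/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "DATABASE_URL=postgres://svc_app:s3cretpw@db.internal:5432/prod\n",
        NOW - timedelta(days=400)),
    "/home/dev/.config/deploytool/config.json": (
        '{"aws_key": "AKIAIOSFODNN7EXAMPLE", "github": "ghp_0123456789abcdef0123456789abcdef0123"}',
        NOW - timedelta(days=10)),
    "/home/dev/.ssh/id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\n...\n", NOW - timedelta(days=700)),
}
if __name__ == "__main__":
    for e in rotation_order(scan_files(SAMPLE_FILES, NOW)):
        print(f"{e['kind']:<22} stale={e['stale']!s:<5} copies={len(e['files'])} {e['files']}")
```

On a real device the same scan would walk the home directory and IDE config paths instead of the embedded sample; the worklist then maps directly onto rotations in the secrets manager.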

NHIs and the AI agent surface

The non-human identity problem is expanding fastest where AI agents and automation now authenticate on their own. Agents and automated workflows sign in with API keys, tokens, and service accounts – NHIs that often carry broad, standing permissions with no human in the loop. SpyCloud’s 2026 dataset captured 6.2 million credentials and authentication cookies tied to AI tools, alongside 18.1 million exposed API keys and tokens.

What makes these identities dangerous is that they rarely have MFA, rotate infrequently, and behave predictably enough that anomalies don’t fire – so a stolen one can persist undetected for months. As agentic systems multiply, the developer-device pathway that exposes them becomes a larger share of total identity risk.

Machine identities outnumber human ones and get reused everywhere.

See which ones tied to your domain are exposed.

Frequently Asked Questions

How do NHI credentials get stolen?

Three main vectors. Developer-device infostealer infections are the primary source – malware extracts API keys, service-account passwords, connection strings, and environment variables from browsers, IDE configs, and local files. Repository and secrets misconfiguration exposes credentials committed to code or stored in plaintext. And phishing targeting developers and DevOps engineers can capture access to cloud consoles and secrets managers.

Why are stolen NHIs more dangerous than stolen human credentials?

They’re often more privileged than any human account; they’re less monitored because automated, repetitive behavior generates few anomaly alerts; and they have longer validity because keys and service-account passwords are rotated infrequently or never. A stolen NHI can stay valid and exploitable for months or years.

How does SpyCloud surface exposed NHI credentials?

Endpoint Threat Protection surfaces the complete exfiltration inventory from each infostealer infection, including NHI credentials found in developer and engineer device infections. For each device it shows the credential types and application access stolen, so teams can identify exposures needing NHI-specific rotation – visibility into the developer-device pathway that is the primary source of NHI credentials in criminal markets.
