PAM-Demonium I: Attack of the Scripts - The Rise of Non-Human Identities
Introduction
Non-human identities (NHIs), meaning bots, scripts, service accounts and API clients, are taking over. They're faster and more numerous than people, and they rarely forget their passwords (because those passwords are hardcoded, of course). This blog explores the chaos these synthetic souls unleash and why securing them is the most overdue evolution in privileged access management (PAM).
Our story…
It began innocently enough. A developer needed to automate the nightly data sync, so they created a service account named dataBot9000. Then another. And another. Fast-forward two years, and there were 237 service accounts, each with slightly more privilege than the last, including one with full domain admin rights named definitely_not_prod_root.
No one knew who owned what. One account hadn't been used since the Obama administration, but still had keys to the kingdom. When a breach occurred via api_sync_backupv2_FINAL_FINAL, security traced it back to a Jenkins job last touched in 2019 by "intern-temp." That intern now sells crystals in Sedona.
Lesson learned? If your scripts can summon more power than your security team, it's time to audit the robots before they revolt.
The problem
Non-human identities (NHIs) are like digital interns — they do all the grunt work, never take lunch breaks and nobody remembers who hired them. But give one root access and forget to rotate its credentials, and suddenly that silent script is a security incident waiting to trend on Twitter. If you think bots are harmless because they don't drink coffee, think again.
Example: In 2023, a major U.S. financial institution discovered that a legacy service account used for nightly batch jobs had access to production databases despite the original developer having left the company three years prior. No rotation. No logging. Just hope.
- No lifecycle or owner tracking
- Unmonitored credentials
- Thousands of active secrets, zero accountability
Business risk
When bots and scripts have more privileges than the CIO — and no HR record to boot — you're basically trusting your infrastructure to invisible interns with flamethrowers. These identities don't clock out, don't retire and definitely don't fill out exit forms. If one gets compromised, congratulations: You just gave a hacker admin access with zero oversight and infinite runtime.
Example: In the infamous 2019 Capital One breach, a misconfigured web application firewall running on an EC2 instance let the attacker forge requests (server-side request forgery) to the instance metadata service and pull temporary AWS credentials for the WAF's IAM role. That role could list and read far more S3 storage than its job required, which is a textbook NHI without proper controls. The breach exposed data of over 100 million customers.
- Breaches scale exponentially
- Audits become nightmares
- Root access is held by a script someone named init-killer-v2
What to do about it
You can't walk around the office asking bots to turn in their badges, but you can treat their credentials like plutonium — valuable, powerful and not something you leave lying around. Managing NHIs means giving them short leashes, rotating secrets like laundry and ensuring someone—anyone—is accountable when svc-deploy starts behaving like a cyber criminal.
- Enforce NHI lifecycle policies.
  Example: Google enforces tight lifecycle management by tying NHIs to specific CI/CD pipeline stages and automatically deactivating them after use.
- Assign ownership to a human (yes, actual accountability).
  Example: A healthcare firm mapped all service accounts to named business owners. Any orphaned identity was disabled within 30 days unless reassigned.
- Use machine identity management tools integrated with PAM.
  Example: Netflix uses internal tools that integrate with secrets managers and service meshes to ensure short-lived, rotated credentials for microservices.
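Here is what the three steps above, plus the ownership and credential-tracking gaps called out in "The problem", look like as an actual audit rather than a slogan. This is an added example, not code from the original post or from any vendor named here. The inventory records, the 30/90-day thresholds and the privileged-role set are all constructed for illustration; in a real deployment the records would be pulled from your IdP, cloud IAM and secrets manager, and the thresholds would come from your PAM policy.

```python
"""Lifecycle audit for non-human identities (service accounts, bots, API clients).

Added example (not from the original post). Inventory, thresholds and role names
are constructed for illustration; plug in your own IdP / IAM / vault exports.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds (assumed values; tune to your environment)
ORPHAN_GRACE_DAYS = 30       # an unowned identity must be reassigned within this window
STALE_DAYS = 90              # no authentication for this long -> candidate for removal
MAX_SECRET_AGE_DAYS = 90     # rotation SLA for static secrets
PRIVILEGED_ROLES = frozenset({"domain_admin", "root", "owner"})  # assumed role names


@dataclass(frozen=True)
class NHI:
    name: str
    created: date
    owner: Optional[str]             # named human owner, None if never assigned
    owner_departed: Optional[date]   # date the owner left the company, None if still here
    last_used: Optional[date]        # None = no authentication ever logged
    secret_rotated: date             # last time the credential was rotated
    roles: frozenset


def orphaned_since(nhi: NHI) -> Optional[date]:
    """Date the identity lost its human owner, or None if it still has one."""
    if nhi.owner is None:
        return nhi.created          # never owned: orphaned from day one
    return nhi.owner_departed       # None when the owner is still employed


def audit(identities: List[NHI], today: date) -> Dict[str, List[str]]:
    """Evaluate every identity against policy; return findings keyed by name."""
    findings: Dict[str, List[str]] = {}
    for nhi in identities:
        issues: List[str] = []

        since = orphaned_since(nhi)
        if since is not None:
            days = (today - since).days
            if days >= ORPHAN_GRACE_DAYS:
                issues.append(f"DISABLE: orphaned {days} days (grace {ORPHAN_GRACE_DAYS})")
            else:
                issues.append(f"ORPHANED: reassign within {ORPHAN_GRACE_DAYS - days} days")

        if nhi.last_used is None:
            issues.append("STALE: never used or usage not logged")
        elif (today - nhi.last_used).days > STALE_DAYS:
            issues.append(f"STALE: unused {(today - nhi.last_used).days} days")

        secret_age = (today - nhi.secret_rotated).days
        if secret_age > MAX_SECRET_AGE_DAYS:
            issues.append(f"ROTATE: secret is {secret_age} days old")

        if nhi.roles & PRIVILEGED_ROLES:
            issues.append("PRIVILEGED: requires named approver and periodic access review")

        findings[nhi.name] = issues
    return findings


def disable_candidates(findings: Dict[str, List[str]]) -> List[str]:
    """Identities whose findings mandate disabling (orphaned past the grace period)."""
    return sorted(name for name, issues in findings.items()
                  if any(i.startswith("DISABLE") for i in issues))


# Constructed sample inventory, reusing the account names from the story above.
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    NHI("dataBot9000", date(2023, 1, 10), "alice", None,
        date(2025, 5, 31), date(2025, 5, 1), frozenset({"db_reader"})),
    NHI("definitely_not_prod_root", date(2022, 3, 1), "intern-temp", date(2022, 9, 1),
        date(2024, 1, 15), date(2022, 3, 1), frozenset({"domain_admin"})),
    NHI("api_sync_backupv2_FINAL_FINAL", date(2019, 6, 1), None, None,
        None, date(2019, 6, 1), frozenset({"backup_writer"})),
    NHI("svc-deploy", date(2025, 5, 20), "bob", date(2025, 5, 25),
        date(2025, 5, 30), date(2025, 5, 20), frozenset({"deployer"})),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, TODAY)
    for name, issues in results.items():
        print(f"{name}: {issues or ['OK']}")
    print("disable now:", disable_candidates(results))
```

Run on the sample data, dataBot9000 comes back clean, svc-deploy gets a 23-day reassignment deadline because its owner just left, and both definitely_not_prod_root and api_sync_backupv2_FINAL_FINAL land on the disable list; the former additionally trips the privileged-role check, which is where a PAM tool should be brokering the credential rather than the script holding it. The point of separating `audit` from `disable_candidates` is that the first is reporting and the second is an enforcement decision you can gate behind a human approver.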
Top 3 vendors for NHI management
CyberArk Conjur
Why: Automates machine identity management across DevOps environments. Integrates with CI/CD pipelines, APIs, and Kubernetes for secure secret injection.
🔗Secrets Management | Conjur
HashiCorp Vault
Why: Manages dynamic secrets, access policies, and integrations with service meshes and cloud-native tools.
🔗HashiCorp Vault | Identity-based secrets management
Akeyless Vault
Why: SaaS-based secrets and identity management platform for machine-first environments, offering just-in-time secrets and API key brokering.
🔗Unified Secrets & Machine Identity Platform | Akeyless
Closing thought…
If your bots have more access than your CFO, it might be time for an intervention. Unchecked NHIs are a hacker's dream and an auditor's worst nightmare. So treat them like what they are — identities. Give them owners. Limit their roles. Rotate their credentials. And maybe — just maybe — don't let svc-backup2021 be your most powerful administrator in 2025.
Adopt an identity-first approach for bots, scripts and services. Manage NHIs like you do humans: with access reviews, owners, expiration dates and performance reviews — minus the annual bonus. And if your most privileged account is still buildbot-legacy, it's time to retire it before it retires your data.
Read on for Part 2: PAM-Demonium II: Long Live Remote Access