5 Keys to Integrating Non-Human Identities into Your Zero-Trust Architecture 


Vic Tapia & Neeraj Methi

August 14, 2025

Fundamentally, a zero-trust architecture is about moving beyond securing the perimeter to securing every user, every device, and every connection—every time. It’s a journey as companies continue to navigate the territory and determine how best to create the rules and protocols for always verifying and never trusting any identity, all without overly frustrating users or making it more difficult than necessary for employees to do their jobs or customers to interact with the business.

Non-human identities represent a big blind spot for zero-trust.

Because of the heavy focus on user access, non-human identities, or NHIs, have traditionally flown under the radar within the zero-trust space. As NHIs are increasingly becoming part of the larger cybersecurity dialogue, the whole zero-trust effort becomes exponentially more complicated.

This is especially true considering the vast number of NHIs in any ecosystem—there are typically 20, 30, or even more NHIs attached to every human identity—and the proliferation of AI is adding still more NHIs all the time. Further, NHIs remain a fuzzy concept with many organizations still not internally aligned on what constitutes an NHI and how they function within the environment.

Following the right roadmap can help bring NHIs into the zero-trust fold.

While a lot of gray area exists, IT leaders who want to adopt a true zero-trust cybersecurity framework must start considering how they manage the NHI lifecycle within this environment, sooner rather than later. Taking the following steps can help teams get their arms around this constantly expanding issue so that they can move toward a universal approach to managing all identities with zero-trust principles, human or otherwise.

1. Build awareness around non-human identities and how everyday tools increase security exposure

NHIs—including service accounts, application identities, machine identities, bots, scripts, and API keys and tokens—are essential in modern IT environments for managing access across systems, applications, and devices. However, there’s a general lack of understanding around NHIs, and this is driving security risks, especially as AI becomes increasingly common in everyday workflows.

Many employees simply do not realize that every AI-powered tool, integration, or automated workflow they use is creating multiple new NHIs, each with its own identity and permissions to access systems and information to perform actions on the employee’s behalf. As employees across the organization increasingly adopt AI tools to more efficiently meet the demands of their jobs, IT teams are quickly becoming overwhelmed with potentially thousands of new NHIs entering the environment every week. Many of these identities are inadvertently over-permissioned, leading to tens of thousands of new permission combinations that increase the attack surface and leave a company’s information and systems more vulnerable than ever, without many employees even realizing it’s happening.

That’s why any approach needs to begin with simply establishing a clear definition of NHIs and when and how they are created. Only then can an IT team begin to develop a sense of what it needs to protect and how wide the zero-trust environment must extend.

2. Define zero-trust policy procedures for NHIs

Once an organization understands how and where NHIs are being introduced, it can create guidelines and approval processes for employees to follow. Generally, this should include treating all NHIs as privileged accounts, to which existing controls and zero-trust processes should apply.

If, however, current controls are rudimentary at best, now may be the time to review and see where zero-trust principles—such as multi-factor authentication (MFA), identity and access management (IAM), privileged access management (PAM), endpoint detection and response (EDR), and security information and event management (SIEM)—need to be upgraded for all identities, human and non-human alike.

It’s important for teams to remember that such processes create friction. Employees, constantly challenged to move faster and do more with less, won’t always adhere to the established channels for onboarding new identities, particularly if the protocols are overly cumbersome or if they are unclear about the risk involved.

3. Discover and inventory NHIs, and right-size their permissions

Even with well-defined and widely understood policies in place, not all NHIs will be properly onboarded. The sheer volume of NHIs being introduced, particularly through AI tools, makes it inevitable that some will fall through the cracks, intentionally or unintentionally, especially as employees rush to meet demands and deadlines. Further, many of these NHIs will have more permissions than they really need, creating additional unnecessary security risks for the company.

Monitoring action logs can help IT teams identify new NHIs and establish a comprehensive inventory of identities, so the organization has better knowledge of what it needs to oversee and protect. Ideally, this documentation will include the specific purpose of every account, allowing IT to right-size permissions. For example, an NHI created to read information from Salesforce CRM can function with read-only permission and has no need for write or update access.

Of course, the analysis needed to discover new NHIs and the work to manage permissions is extensive, which brings us to our next critical step.

4. Leverage automation to help with NHI management and control

As the number of NHIs continues to burgeon, IT teams will need tools not only to aid in the discovery of NHIs but also to manage those identities, apply policies in a meaningful way, and review permissions over time. This can include automatically applying permission sets by roles and automatically rightsizing permissions based on usage patterns through periodic reviews, tasks for which AI agents can be deployed to help.

Automated just-in-time permissioning can be another powerful tool for approving workflows. These tools allow users to request permissions for specific tasks as needed, receive quick automated or manager-reviewed approval depending on the nature of the request, and then retract the permission automatically when the task is completed.
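A minimal way to carry out both the log-based discovery and inventory of step 3 and the usage-based right-sizing of step 4, as an added example that is not part of the original post: the log format, the actor names, the inventory and the granted permissions are all constructed for this illustration.

```python
# Added example (not from the original post): discover non-human identities
# from action logs and propose right-sized permissions from observed usage.
# The log lines, inventory and permission grants below are constructed samples.
from collections import defaultdict

# Constructed action-log lines: "<timestamp> actor=<id> action=<verb> target=<system>"
ACTION_LOG = """\
2025-08-01T09:00:01Z actor=svc-crm-sync action=read target=salesforce
2025-08-01T09:00:07Z actor=svc-crm-sync action=read target=salesforce
2025-08-01T09:05:00Z actor=ai-summarizer-bot action=read target=sharepoint
2025-08-01T09:05:03Z actor=ai-summarizer-bot action=write target=sharepoint
2025-08-01T09:10:00Z actor=jdoe action=read target=salesforce
2025-08-02T11:00:00Z actor=svc-crm-sync action=read target=salesforce
"""

# Constructed inventory: NHIs that went through onboarding, each with its
# documented purpose and the permissions granted per target system.
INVENTORY = {
    "svc-crm-sync": {"purpose": "nightly CRM sync to data warehouse",
                     "granted": {"salesforce": {"read", "write", "update"}}},
}
HUMAN_USERS = {"jdoe"}  # constructed list of known human accounts

def parse_log(text):
    """Yield (actor, action, target) tuples from the key=value log format."""
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        yield fields["actor"], fields["action"], fields["target"]

def observed_usage(text):
    """Map each actor to the set of actions it actually performed, per target."""
    usage = defaultdict(lambda: defaultdict(set))
    for actor, action, target in parse_log(text):
        usage[actor][target].add(action)
    return usage

def discover_unmanaged_nhis(text):
    """Actors seen in the logs that are neither known humans nor inventoried NHIs."""
    return sorted(a for a in observed_usage(text)
                  if a not in HUMAN_USERS and a not in INVENTORY)

def rightsize(text):
    """For inventoried NHIs, list granted permissions never exercised in the log window."""
    usage = observed_usage(text)
    findings = {}
    for nhi, record in INVENTORY.items():
        for target, granted in record["granted"].items():
            unused = granted - usage[nhi][target]
            if unused:
                findings[(nhi, target)] = sorted(unused)
    return findings
```

Unmanaged actors found by `discover_unmanaged_nhis` are the candidates for onboarding into the inventory, and the unused grants reported by `rightsize` (here, write and update on Salesforce for a read-only sync account) are what a periodic review would revoke.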

5. Implement training, education, and enablement for users

Like any other change, successfully increasing security around non-human identities will take buy-in and cooperation from users. This is best achieved through continuous, easy-to-access, and clear instructions on how procedures will change along with background on the importance of those changes to protect the employees and the company.

As new security controls are added, which may complicate workflows for users, it’s best to phase in blockers. For example, IT can let employees know that the new NHIs introduced through certain actions might be approved this time, but that the employees should expect to follow a different set of procedures in the future. This is also an opportunity to educate employees on how and why to avoid over-permissioning and how NHIs can create unintended or inadvertent exposures.

6. Track progress toward a true zero-trust environment

Establishing zero-trust principles is a major change and a challenging endeavor. Companies can track their progress over time by reviewing key metrics. For example, as employees begin to understand and follow protocols around onboarding NHIs, the number of non-onboarded NHIs discovered each month should be trending down, along with the number of over-permissioned accounts and, eventually, the number of help desk tickets received. Companies may even see their application costs decrease as their review and oversight helps to identify and eliminate underused or redundant applications across the enterprise.

It’s a great idea to communicate with employees throughout the process and leverage user feedback. As IT is rolling out and explaining the new controls, listen to employees’ concerns and see where protocols may be able to be tweaked to reduce unnecessary complications and increase compliance. Remember, the ultimate goal is to reduce the risk and attack surface while keeping the user experience as positive as possible, and with the right approach, it’s possible to achieve both.

Make sure the next steps in your zero-trust journey include NHIs.

If your company is like most, you still have your work cut out for you when it comes to determining how best to manage the vast number of NHIs within the context of your zero-trust environment. With essentially all employees using tools like ChatGPT, the number of NHIs—and thus the number of privileged accounts within your purview—will only continue to grow.

That makes now the time to start laying the groundwork for managing and properly protecting existing and future NHIs. Ideally, your company will arrive at policies that apply across the board to all identities, human and non-human, improving visibility and control over all network activity and safeguarding against data breaches of any type.

Ready to Unlock the Full Promise of Identity?

Few cybersecurity firms are wholly focused on identity, providing strategic advisory, implementation, and 24x7 monitoring and support. Discover the difference with BeyondID — your success story starts here.
