NHI security threats

Non-Human Identity (NHI) security threats involve risks associated with machine-to-machine credentials such as API keys, service accounts, and automation bots. These identities can be exploited if not properly secured or rotated.

Categories:

Tool Poisoning

Tool poisoning is an attack in which a malicious or compromised tool exposed through an MCP server or agent framework executes harmful actions when invoked by an AI agent. Because agents trust the tools they are authorized to use, a poisoned tool can exfiltrate data, escalate privileges, or take destructive actions under the cover of legitimate access. Controlling which tools an agent can access, and enforcing policy on every invocation, is the primary defense.

Shadow Credentials

Shadow credentials are undiscovered, unmanaged authentication secrets associated with workloads, service accounts, or applications that exist outside an organization’s official inventory and governance controls. They commonly accumulate in CI/CD pipelines, legacy scripts, and cloud environments where credentials were created ad hoc and never tracked. Shadow credentials are a significant NHI risk because they cannot be rotated, audited, or revoked, making them attractive targets for attackers looking for persistent access.

Prompt Injection

Prompt injection is an attack in which malicious instructions are embedded in data or content that an AI agent processes, causing it to take unintended or unauthorized actions. For agentic AI systems that interact with external tools, APIs, and services, prompt injection represents a serious identity and access risk: the agent may be manipulated into acting outside its sanctioned permissions. Strong access controls at the workload level are essential to contain the damage.

Lateral Movement

Lateral movement is the technique attackers use after an initial compromise to navigate through an environment by exploiting trusted connections between workloads, services, and credentials. In modern cloud and microservices architectures, non-human identities with overly broad permissions create pathways for lateral movement that can span multiple systems. Workload identity policies and zero trust segmentation limit the blast radius when a credential is compromised.

Privilege Escalation

Privilege escalation is an attack technique in which a compromised identity, credential, or workload is used to gain access rights beyond what was originally granted. In non-human identity environments, this often happens when service accounts or API keys are over-provisioned, allowing an attacker to move from a low-privilege workload to sensitive systems. Enforcing least privilege and using short-lived credentials are the primary defenses against this threat.

Credential Harvesting

Credential harvesting is an attack technique where adversaries systematically collect authentication credentials, including passwords, API keys, access tokens and service account secrets, from compromised systems, code repositories, or network traffic.

Rogue Workload

A rogue workload is an unauthorized or unmanaged workload that operates outside an organization’s governance framework and security policies, lacking proper identity verification, access controls or monitoring capabilities.

Over-provisioned Account

An over-provisioned account has more access privileges than necessary for its role or function. This creates a security risk, as the excess privileges could be exploited by attackers or lead to unintentional access to sensitive systems.

Kerberoasting

Kerberoasting is a post-compromise attack that exploits Kerberos authentication in Active Directory. Attackers use a low-privilege account to request service tickets for accounts with Service Principal Names (SPNs), extract the encrypted ticket data, and attempt to crack the hash offline to obtain plaintext credentials. This technique is commonly used to escalate privileges in Windows environments.

Token Forging

Token forging is a technique in which attackers create or manipulate authentication tokens to gain unauthorized access to systems or services. By forging tokens, attackers can impersonate legitimate non-human identities, bypass authentication controls, and escalate privileges within an environment. Proper validation, short token lifespans, and cryptographic integrity checks help mitigate this risk.