What to Expect in This Article:
Discover why machine identities are a critical subset of non-human identities and are becoming cybersecurity’s most overlooked risk. Learn practical strategies for managing these identities, reducing privilege sprawl, and integrating them into your Zero Trust model. Plus, gain real-world insights from NATO’s Locked Shields exercise on defending against identity-based attacks.
In today’s hyperconnected digital world, identity has become the new battleground, and not just for people. Machine identities (service accounts, workloads, APIs, bots, and containers) now vastly outnumber human users in most enterprise environments. Yet while human identities are secured with increasingly sophisticated controls, machine identities remain a blind spot: typically unseen, unmanaged, and over-privileged.
In a recent episode of the Security by Default podcast, Joseph Carson and Evandro Gonçalves dug into this growing problem, discussing the hidden risks, organizational challenges, and real-world lessons from NATO’s Locked Shields exercise.
Their message is clear: securing machine identities is no longer optional; it’s critical to any effective identity security, zero trust, and risk management strategy.

Machine Identities: A Subset of the Non-Human Identity Explosion
Before we dive into the risks and defenses, it's important to clarify terminology.
Machine identities are part of a broader category known as Non-Human Identities (NHIs), a term that encompasses any identity that isn't tied to a living, breathing user. This includes:
- Service accounts (used by applications to access databases or systems)
- Workloads (cloud-native processes like containers or functions)
- Bots (automation tools or RPA agents)
- APIs and microservices (calling other services on behalf of systems)
- IoT and OT devices (from smart cameras to SCADA systems)
- Certificates, keys, and secrets (the credentials machine identities use to authenticate to one another; they carry the identity and need the same lifecycle management)
While machine identities are typically associated with systems and automation, the broader non-human category also includes third-party integrations, scripting environments, and even AI agents capable of autonomous action. In all cases, these entities interact with digital systems and often hold privileged access, yet lack the oversight, behavioral monitoring, and lifecycle controls applied to human users.
“Most organizations are managing human identities well, but machine identities and NHIs are still operating in the shadows,” Evandro noted on the podcast.
The Cybersecurity Risks of Ignoring Machine Identities
Joseph and Evandro outlined several pressing risks related to unmanaged machine identities:
1. Lack of Visibility
Most organizations don’t maintain a current inventory of non-human identities. Without visibility, there’s no accountability, no lifecycle management, and no auditing in place, leaving massive blind spots.
2. Privilege Creep
Machine identities often bypass identity governance reviews and get blanket permissions. Over time, their entitlements expand to dangerous levels.
3. Invisibility to Traditional Security Tools
Because they don’t behave like users, machine identities rarely trigger user-focused alerts. Detection rules tuned for interactive logons, MFA prompts, or impossible travel don’t fit a service account that authenticates every few seconds from the same host, so its activity is usually logged by the SIEM or EDR but never baselined or alerted on. That makes machine identities ideal cover for low-and-slow attacker behavior.
4. Static Credentials and Poor Hygiene
Hard-coded passwords, static API tokens, and self-managed keys introduce long-lived, silent vulnerabilities. Without rotation or expiration policies, a leaked credential stays valid until someone notices, so attackers who obtain one can persist indefinitely, and a credential pasted into a script or committed to a repository is often never rotated at all.
Best Practices for Securing Machine and Non-Human Identities
To combat the growing risks of NHIs and machine accounts, Carson and Gonçalves recommend several key actions:
1. Inventory and Classify All NHIs
Start by discovering every identity that interacts with your systems across DevOps pipelines, cloud infrastructure, IoT devices, and legacy environments.
2. Apply Identity Lifecycle Management
Machine identities should be created, monitored, and decommissioned just like user accounts. Tie them to ownership, enforce expiration dates, and automate reviews.
3. Enforce Least Privilege and JIT Access
Don’t assign permanent admin roles. Grant permissions temporarily and only when needed. Use policy-based access controls tied to workloads and roles, not individuals.
4. Secure Secrets and Credentials
Use centralized secrets vaults and automated key rotation. Eliminate hard-coded credentials from scripts, container images, CI configuration, and infrastructure-as-code templates, and scan repositories for secrets that have already leaked. Treat any credential found in source history as compromised: deleting the line does not revoke the secret, so rotate it.
5. Monitor and Audit Machine Identity Activity
Integrate NHIs into your SIEM, XDR, and UEBA systems. While their behavior may not mirror users, they still have patterns that can be baselined and monitored.
6. Include NHIs in Zero Trust Strategy
Treat every machine and non-human identity as untrusted by default. Require strong, workload-bound authentication (short-lived certificates or platform-issued credentials rather than long-lived shared secrets), micro-segmentation, and continuous authorization that re-evaluates each request instead of trusting a session indefinitely.
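As an added example (not code from the podcast, the article, or any product), here is a small Python audit that applies the checklist above to a constructed inventory of service accounts and a constructed authentication log. It flags identities with no owner, standing admin roles, credentials that never expire or are overdue for rotation, dormant or never-used accounts, successful logons from hosts outside an identity's normal baseline, and identities that authenticate without appearing in the inventory at all. The account names, hosts, and policy thresholds are assumptions chosen for the example. The same checks describe the stale, forgotten, over-privileged service accounts discussed in the Locked Shields section below.

```python
"""Audit a constructed inventory of non-human identities for the gaps the article
lists: no owner, standing privilege, no expiry, unrotated credentials, dormancy,
use from an unexpected host, and identities that authenticate but were never
inventoried. Every record, host name and threshold here is a constructed assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_CREDENTIAL_AGE = timedelta(days=90)  # assumed rotation policy
MAX_IDLE = timedelta(days=60)            # assumed dormancy threshold
PRIVILEGED_ROLES = {"Administrator", "Owner", "iam:*"}  # assumed standing-admin entitlements


@dataclass
class Identity:
    name: str
    owner: Optional[str]         # accountable team; None means nobody owns it
    roles: Set[str]
    credential_issued: datetime  # when the current secret or key was minted
    expires: Optional[datetime]  # None means the credential never expires
    baseline_hosts: Set[str]     # hosts this identity normally authenticates from


@dataclass
class AuthEvent:
    identity: str
    ts: datetime
    source_host: str
    outcome: str                 # "success" or "failure"


Finding = Tuple[str, str]        # (code, human-readable detail)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed inventory: one healthy account and three with typical defects.
INVENTORY = [
    Identity("svc-payroll-db", "finance-platform", {"db:read"},
             days_ago(30), NOW + timedelta(days=60), {"app-01"}),
    Identity("svc-build-deploy", None, {"Administrator", "ci:run"},
             days_ago(400), None, {"ci-runner-03"}),
    Identity("svc-legacy-backup", "infra", {"storage:write"},
             days_ago(200), NOW + timedelta(days=100), {"backup-01"}),
    Identity("svc-report-gen", "bi-team", {"bq:read"},
             days_ago(10), NOW + timedelta(days=80), {"bi-01"}),
]

# Constructed authentication log, shaped like a SIEM export of service-account logons.
EVENTS = [
    AuthEvent("svc-payroll-db", days_ago(1), "app-01", "success"),
    AuthEvent("svc-build-deploy", days_ago(2), "ci-runner-03", "success"),
    AuthEvent("svc-build-deploy", days_ago(1), "wkstn-117", "success"),  # CI creds used from a workstation
    AuthEvent("svc-legacy-backup", days_ago(120), "backup-01", "success"),
    AuthEvent("svc-unknown-tmp", days_ago(3), "app-02", "success"),      # nobody inventoried this one
]


def audit(inventory: List[Identity], events: List[AuthEvent],
          now: datetime = NOW) -> Dict[str, List[Finding]]:
    """Return findings keyed by identity name; an empty list means the identity passed."""
    known = {i.name: i for i in inventory}
    findings: Dict[str, List[Finding]] = {name: [] for name in known}
    last_seen: Dict[str, datetime] = {}

    for ev in events:
        ident = known.get(ev.identity)
        if ident is None:  # visibility gap: it authenticates, but no record explains it
            findings.setdefault(ev.identity, []).append(
                ("UNINVENTORIED", f"authenticated from {ev.source_host} but not in inventory"))
            continue
        if ev.outcome != "success":
            continue
        last_seen[ev.identity] = max(last_seen.get(ev.identity, ev.ts), ev.ts)
        if ev.source_host not in ident.baseline_hosts:  # machines have predictable callers
            findings[ev.identity].append(("OFF_BASELINE_HOST",
                f"success from {ev.source_host}, expected {sorted(ident.baseline_hosts)}"))

    for ident in inventory:
        f = findings[ident.name]
        if ident.owner is None:
            f.append(("NO_OWNER", "no accountable owner recorded"))
        standing = ident.roles & PRIVILEGED_ROLES
        if standing:
            f.append(("STANDING_PRIVILEGE", f"permanent admin roles: {sorted(standing)}"))
        if ident.expires is None:
            f.append(("NO_EXPIRY", "credential never expires"))
        age = now - ident.credential_issued
        if age > MAX_CREDENTIAL_AGE:
            f.append(("STALE_CREDENTIAL", f"credential is {age.days} days old"))
        seen = last_seen.get(ident.name)
        if seen is None:
            f.append(("NEVER_USED", "no successful authentication observed"))
        elif now - seen > MAX_IDLE:
            f.append(("DORMANT", f"last used {(now - seen).days} days ago"))
    return findings


if __name__ == "__main__":
    for name, flist in sorted(audit(INVENTORY, EVENTS).items()):
        print(f"{name:18} " + (", ".join(code for code, _ in flist) or "OK"))
```

Run it and the output is one line per identity: svc-payroll-db passes, svc-build-deploy collects five findings at once (an unowned, non-expiring, year-old admin credential that just authenticated from a workstation), svc-legacy-backup is stale and dormant, svc-report-gen was never used, and svc-unknown-tmp exists only in the log. In practice the inventory would be assembled from IdP, cloud IAM, and secrets-vault exports and the events from the SIEM; the point is that each finding maps to an owner and an action (assign ownership, scope the role, set an expiry, rotate, or decommission), which is what turns discovery into lifecycle management.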
Real-World Lessons from NATO’s Locked Shields
One of the most compelling parts of the podcast came from Evandro’s reflections on Locked Shields, the annual live-fire cyber defense exercise run by the NATO Cooperative Cyber Defence Centre of Excellence and widely described as the largest and most complex of its kind. With thousands of participants defending the networks of a fictional nation-state against coordinated attacks, the event offers a glimpse into the high-stakes reality of modern cyber conflict.
Machine Identity Mismanagement: The Silent Enabler
Evandro observed that many Red Team attacks exploited stale, forgotten, or over-privileged service accounts. These identities were:
- Provisioned during urgent build phases
- Never audited or tied to ownership
- Retained privileged access far beyond what was needed
This made them easy targets for lateral movement and covert persistence.
“Machine identities weren’t just an oversight, they were actively enabling attacker success,” Evandro said. “If you didn’t know what service accounts existed in your infrastructure, you couldn’t defend it.”
Identity Is Also a Human Coordination Challenge
Locked Shields also illustrated that technical defense isn’t enough. Identity security requires cross-team collaboration. The most successful Blue Teams weren’t just technically skilled; they communicated effectively, assigned clear ownership, and shared situational awareness in real time.
“In high-pressure environments like this, the teams that win are the ones that align operationally, not just technically,” Joseph observed.
Hands-On Experience Beats Theory
Finally, Locked Shields demonstrated the value of experiential learning. Evandro recommends that organizations regularly simulate identity abuse scenarios, especially those involving machine identities, as part of their blue team training.
Staying Ahead in a Rapidly Evolving Identity Landscape
To wrap up the podcast, Joseph and Evandro emphasized the need for continuous learning, practical exposure, and community knowledge-sharing in cybersecurity.
Their key advice for professionals and teams:
- Read threat intelligence reports focused on identity-based attacks.
- Participate in cyber exercises and live-fire simulations.
- Share best practices on platforms like LinkedIn.
- Create internal labs for testing IAM controls with NHIs.
“Everyone should get security,” Joseph stated. “That means we need to make identity risk easier to understand and solve, not just for experts, but for anyone deploying systems.”
The Future of Identity Security is Machine-Aware
As Zero Trust, DevOps, and cloud-native architecture reshape the enterprise, non-human identities will continue to grow exponentially. Organizations that treat them as second-class citizens or ignore them entirely end up exposing themselves to avoidable risks.
Security leaders must shift left on identity and integrate machine identity management into every phase of the digital lifecycle. It’s no longer just about who is accessing your systems; it’s about what is.
Listen to the Full Podcast Episode
Want more insights and practical takeaways?
Listen to the Security by Default podcast episode with Joseph Carson and Evandro Gonçalves here.
Ready to secure machine identities in your own environment? See how Segura® helps you discover, control, and protect every identity, human or non-human.