# The 68% Problem: Why Orphaned Non-Human Identities Are Quietly Becoming Cloud Security's Biggest Blind Spot
A new industry webinar is calling attention to a statistic that should alarm every cloud security team: in 2024, compromised service accounts and forgotten API keys were responsible for 68 percent of cloud breaches. The culprit was not phishing campaigns, weak passwords, or sophisticated zero-day exploits. It was the silent accumulation of unmanaged non-human identities (NHIs) — the service accounts, API tokens, AI agent connections, and OAuth grants that quietly outnumber human employees by a ratio of 40 or 50 to one, and that nobody is watching.
## Background and Context
For most of the last decade, identity security programs have centered almost exclusively on human users. Single sign-on, multi-factor authentication, conditional access policies, and privileged access management were all designed around the assumption that the riskiest identity in the environment belongs to a person who can be trained, deprovisioned, and audited. That assumption no longer holds.
Modern cloud-native architectures are built on machine-to-machine communication. Every microservice authenticates to every other microservice. Every CI/CD pipeline carries credentials. Every SaaS integration requires an OAuth grant. Every AI agent — and there are now thousands of them embedded in enterprise workflows — needs an API key to call models, retrieve data, and execute actions on behalf of users. The result is an identity population that has exploded silently in the background, while governance frameworks lag years behind.
The upcoming webinar, hosted by identity security vendors and analysts, is framing the issue around a single uncomfortable question: when a project ends, when an employee leaves, when a vendor relationship is terminated, what happens to all of the credentials they created? The answer, in most organizations, is nothing. The credentials remain active, often with broad privileges, and frequently with no owner who can be held accountable for rotating, revoking, or auditing them.
## Technical Details
Non-human identities take many forms, and each carries its own decay pattern. Service accounts in Active Directory or cloud IAM systems are typically created with long-lived passwords or certificates that are never rotated because rotation would break the dependent workload. API tokens issued through developer portals or CI systems are often scoped too broadly — a token meant to deploy to staging routinely carries production write access — and stored in environment variables, configuration files, or worse, source code repositories. OAuth grants accumulate in SaaS platforms as employees connect personal productivity tools, sometimes granting third-party applications full mailbox or drive access that persists long after the application has been forgotten.
The newest and least understood category is the AI agent connection. Large language model integrations require API keys for the model provider, plus a chain of downstream credentials that allow the agent to read documents, send messages, query databases, and trigger workflows. A single agent can hold a dozen credentials, and because agents are often spun up by individual developers experimenting with frameworks like LangChain or AutoGen, those credentials rarely make it into a central registry.
The decay vector is consistent across all of these: credentials are created at the speed of the cloud, but governance happens at the speed of compliance reviews. The gap is where attackers live. Tools like TruffleHog and GitGuardian routinely surface tens of thousands of leaked credentials across public repositories every week, and threat actors have industrialized the process of harvesting and validating them. Once a valid token is found, lateral movement is trivial because NHIs typically bypass the conditional access policies that would slow down a human attacker — no MFA prompt, no impossible-travel detection, no risk-based step-up.
## Real-World Impact
The 68 percent figure cited in the webinar tracks with breach data published over the past 18 months. The Internet Archive, Snowflake customer environments, Microsoft's Midnight Blizzard incident, the Dropbox Sign breach, and the Cloudflare Okta-related compromise all involved compromised service accounts, OAuth tokens, or API keys rather than user passwords as the initial access vector. In several cases, the credentials had been exposed for months before exploitation, and in at least one case the credential belonged to a service that had been decommissioned but never had its access revoked.
The financial and operational consequences are amplified by the privileged nature of NHIs. Service accounts are routinely granted write access to production databases, administrative rights in SaaS tenants, and the ability to spawn or destroy infrastructure. A single compromised CI/CD token can give an attacker the ability to push malicious code into production releases, as seen in supply-chain incidents affecting npm and PyPI packages over the past year.
## Threat Actor Context
The threat actors exploiting this gap are not exotic. Initial access brokers have built entire business models around scanning public repositories, paste sites, and exposed cloud storage for valid credentials, then selling validated access on criminal marketplaces. State-aligned groups, including the actor tracked as Midnight Blizzard, have demonstrated patient, methodical use of OAuth abuse to maintain persistence in target environments. Ransomware affiliates increasingly favor stolen API keys over phishing because they offer faster, quieter access and bypass endpoint detection entirely.
What unifies these adversaries is opportunism. They are not breaking sophisticated controls; they are picking up credentials that defenders forgot existed.
## Defensive Recommendations
Security teams looking to close the NHI gap should start with discovery. You cannot govern what you cannot see, and most organizations are surprised by the size of their NHI population once they begin to inventory it. Cloud-native tools from the major providers — AWS IAM Access Analyzer, Azure Entra Workload Identities, Google Cloud's Service Account Insights — provide a baseline, but they typically miss SaaS OAuth grants and homegrown API tokens. Dedicated NHI security platforms such as Astrix, Entro, Oasis, and Natoma have emerged to fill this gap.
Beyond discovery, the priorities are ownership, lifecycle, and least privilege. Every NHI should have a named human owner who is accountable for its existence. Every NHI should have a defined expiration or rotation cadence, enforced automatically. Every NHI should be scoped to the minimum permissions required for its function, and broad wildcard policies should be treated as findings, not configurations. When projects end or employees leave, an automated offboarding workflow should sweep for any NHIs they created or owned and either reassign or revoke them.
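The governance checks in the paragraph above (a named owner, an enforced rotation cadence, wildcard policies treated as findings, and an offboarding sweep), together with the over-scoped token pattern described under Technical Details, can be turned into a repeatable audit. The following is an added example, not code from the webinar or any vendor named on this page; the inventory records, owner names, permission strings and dates are constructed, and a real audit would pull the records from cloud IAM, CI/CD and SaaS OAuth APIs.

```python
"""Governance audit over a constructed inventory of non-human identities.

Emits one finding per gap: no accountable owner, an owner who has left,
an overdue rotation, a wildcard permission. A separate sweep lists what a
departing owner leaves behind so it can be reassigned or revoked.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class NHI:
    name: str
    kind: str                     # service_account | api_token | oauth_grant | ai_agent
    owner: Optional[str]          # named human owner, or None if nobody is accountable
    last_rotated: date
    rotation_days: int            # required rotation cadence for this identity
    permissions: List[str] = field(default_factory=list)


@dataclass
class Finding:
    identity: str
    rule: str
    detail: str


def audit(identities: List[NHI], active_employees: set, today: date) -> List[Finding]:
    """Return one Finding per governance gap; an empty list means the inventory is clean."""
    findings = []
    for nhi in identities:
        if nhi.owner is None:
            findings.append(Finding(nhi.name, "NO_OWNER", "no accountable human owner recorded"))
        elif nhi.owner not in active_employees:
            findings.append(Finding(nhi.name, "ORPHANED",
                                    f"owner {nhi.owner} is no longer active; reassign or revoke"))
        age = (today - nhi.last_rotated).days
        if age > nhi.rotation_days:
            findings.append(Finding(nhi.name, "ROTATION_OVERDUE",
                                    f"last rotated {age} days ago, cadence is {nhi.rotation_days}"))
        for perm in nhi.permissions:
            # A wildcard anywhere in an action or resource is a finding, not a configuration.
            if "*" in perm:
                findings.append(Finding(nhi.name, "WILDCARD_PERMISSION", perm))
    return findings


def offboarding_sweep(identities: List[NHI], departing_owner: str) -> List[str]:
    """Names of every NHI the departing person owns; each must be reassigned or revoked."""
    return [nhi.name for nhi in identities if nhi.owner == departing_owner]


# Constructed sample inventory (hypothetical identities, owners and dates).
TODAY = date(2025, 1, 15)
ACTIVE_EMPLOYEES = {"alice"}
INVENTORY = [
    NHI("ci-deploy-token", "api_token", "alice", date(2024, 6, 1), 90,
        ["s3:*", "ecr:GetAuthorizationToken"]),        # staging token carrying bucket-wide rights
    NHI("billing-export-sa", "service_account", None, date(2024, 12, 15), 90,
        ["billing:read"]),                              # created by a project that has ended
    NHI("drive-summarizer-agent", "ai_agent", "bob", date(2025, 1, 5), 30,
        ["drive.readonly"]),                            # bob is no longer an active employee
    NHI("metrics-reader", "api_token", "alice", date(2025, 1, 10), 30,
        ["cloudwatch:GetMetricData"]),
]


def summarize(identities=INVENTORY, active=ACTIVE_EMPLOYEES, today=TODAY) -> dict:
    """Count findings per rule; useful for trending the NHI backlog between reviews."""
    counts = {}
    for f in audit(identities, active, today):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(INVENTORY, ACTIVE_EMPLOYEES, TODAY):
        print(f"{f.rule:20} {f.identity:25} {f.detail}")
    print("offboarding bob would sweep:", offboarding_sweep(INVENTORY, "bob"))
```

Running it as a script prints four findings against the sample inventory. The rotation check compares against each identity's own cadence rather than a single global number, because an AI agent credential that touches mailboxes and drives usually warrants a shorter cycle than a read-only metrics token; the wildcard check is deliberately blunt, since the paragraph's point is that a broad policy should surface as a finding for a human to justify.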
Secret scanning belongs in the developer pipeline, not as an after-the-fact audit. Pre-commit hooks, repository-level scanning, and runtime detection of credential exposure all reduce the window between leak and exploitation.
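A minimal pre-commit hook of the kind the paragraph above calls for, added here as an example rather than taken from TruffleHog, GitGuardian or any tool on this page. It pairs two well-known provider prefixes with a generic keyword rule backed by a Shannon-entropy threshold so that placeholder values do not trip it. The sample input is constructed: AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's own documentation, the GitHub token is synthetic, and the `--demo` flag is this script's own convention.

```python
"""Pre-commit secret scanner: flags credential patterns in staged files
before they reach the repository, and exits non-zero to block the commit."""
import math
import re
import subprocess
import sys
from collections import Counter
from typing import List, Tuple

# Well-known provider token formats (fixed prefix plus fixed-length body).
PATTERNS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GITHUB_PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic rule: a secret-like variable assigned a quoted string of 16+ characters.
GENERIC = re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; human-readable placeholders score well below this


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random-looking tokens score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<stdin>") -> List[Tuple[str, int, str]]:
    """Return (path, line_number, rule) for every line that looks like a credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, rule))
                matched = True
        if matched:
            continue  # a provider-specific rule already explains this line
        m = GENERIC.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            hits.append((path, lineno, "GENERIC_HIGH_ENTROPY"))
    return hits


def scan_staged_files() -> List[Tuple[str, int, str]]:
    """Scan only what is about to be committed (git's index), not the whole tree."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    hits = []
    for path in out.split():
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits.extend(scan_text(fh.read(), path))
        except OSError:
            continue  # unreadable entry; nothing to scan
    return hits


# Constructed sample config: one documented placeholder key, one synthetic GitHub token,
# one low-entropy placeholder that must not fire, one random-looking value that must.
SAMPLE = "\n".join([
    "# constructed config used to exercise the scanner",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    'github_token = "ghp_' + "a" * 36 + '"',
    'password = "changeme_changeme"',
    'api_key = "q7Zk2pL9xR4mN8vB1cF6hJ3wT5yU0aEg"',
    'region = "us-east-1"',
])


if __name__ == "__main__":
    findings = scan_text(SAMPLE, "sample.cfg") if "--demo" in sys.argv else scan_staged_files()
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if findings else 0)  # non-zero exit makes git abort the commit
```

Install it by pointing `.git/hooks/pre-commit` at the script; `--demo` runs it over the embedded sample instead of the index. The entropy gate is what keeps the generic rule usable in practice: `password = "changeme_changeme"` scores about 2.9 bits per character and passes, while the 32-character random-looking value scores 5.0 and is flagged.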
## Industry Response
The security community is beginning to treat NHI security as a distinct discipline rather than a subset of IAM. Gartner introduced a dedicated category for non-human identity management in its 2024 Hype Cycle, and the CSA published its first NHI security framework the same year. Major identity vendors including Okta, CyberArk, and SailPoint have all announced NHI-focused product lines or acquisitions in the past 12 months. The OWASP Non-Human Identity Top 10 project, launched in 2024, is now in its second iteration and has become a common reference point for security teams building governance programs.
The webinar reflects a broader shift in posture: identity is no longer a human problem with machine edge cases. It is a machine problem with human edge cases, and the organizations that recognize the inversion first will be the ones that close the 68 percent gap before it widens further.