The Hidden Identity Threat Lurking Behind APIs and Automation

Machine identities now outnumber human users across most enterprises, yet many remain unmanaged, overprivileged, and virtually invisible to security teams. Understanding how attackers exploit API keys, OAuth tokens, and service accounts is becoming essential for organizations seeking to close one of today's fastest-growing attack surfaces.

Key Highlights

  • Non-human identities like API keys and OAuth tokens are often stored insecurely, making them prime targets for attackers who can exploit them without user interaction.
  • A fragmented approach to managing machine credentials creates visibility gaps, increasing the risk of undetected breaches and overprivileged access.
  • Implementing centralized inventory, ownership, and lifecycle management for machine identities is crucial to reducing the attack surface.
  • Contextual controls such as IP allowlisting and workload binding can serve as effective compensating security measures where MFA isn't feasible.
  • Continuous monitoring of credential usage and behavior helps detect anomalies early, preventing attackers from reusing stolen machine identities.

Organizations have spent years doubling down on employee security through MFA, phishing training, and device trust approaches, but now, a new reality is setting in. And while compromised employee data leading to a breach is still a real threat, the growing (and ungoverned) risk comes from a leaked non-human credential sitting in plain sight.

Attackers routinely harvest non-human identities (think: API keys and authentication tokens) from sources such as public code repositories, misconfigured storage buckets, or even endpoint logs. In some cases, those credentials belong to internal automation tools or third-party integrations with broad, persistent access. Once discovered, they can be used immediately: no phishing, no password cracking, no user interaction required.

Put another way, identity is still the primary attack vector, but often, the identity being exploited isn’t human.

The Expansion of the Machine Identity Attack Surface

Non-human identities (NHIs) power SaaS integrations, enable DevOps pipelines, and drive automation across cloud and on-prem environments; they also introduce a distinct and often underappreciated risk. Consider a few common scenarios:

  • A hardcoded API key in a public GitHub repo grants access to a cloud database.
  • A long-lived service account used in a CI/CD pipeline has permissions to deploy across multiple environments.
  • An OAuth token issued to a third-party SaaS integration continues to provide access long after the integration is no longer actively monitored.

In each case, access doesn’t depend on the person. It depends on whether the credential is valid. Unlike human users, these identities authenticate continuously rather than at a single login point. They’re often embedded in code, scripts, or configuration files, lack safeguards like MFA, and tend to persist far longer than intended without rotation.

They’re appealing targets because they’re built for uptime, not scrutiny. While IAM programs have matured around human behavior such as logins, sessions, and interactive access, machine identities fall outside those patterns. Controls like MFA, device trust protocols, and behavioral analytics simply don’t apply in the same way. Machine identities don’t log in through an identity provider, trigger step-up authentication, or exhibit obvious anomalies like unusual locations or access times. In most cases, access is binary: if the credential is valid, it works.

Threat actors are already taking advantage. Last year, SpyCloud researchers recaptured over 18.1 million NHI-associated credentials circulating in the criminal underground.

The Visibility Gap

Non-human identities are typically provisioned in a decentralized way: developers generate API keys for applications, DevOps teams create service accounts for automation, and SaaS platforms issue OAuth tokens for integrations. Each system maintains its own records, if any exist at all, leaving organizations without a unified view. In practice, this results in an incomplete inventory of machine identities, limited understanding of what each credential can access, and little visibility into how those credentials are actually being used. Put another way, this is effectively the next generation of shadow IT.

Non-human identities are typically provisioned in a decentralized way: developers generate API keys for applications, DevOps teams create service accounts for automation, and SaaS platforms issue OAuth tokens for integrations.

Security teams are left trying to piece together fragmented data, such as spreadsheets, configuration files, and platform-specific logs, none of which provide a real-time or comprehensive picture. Without that visibility, risk becomes difficult to quantify, let alone reduce. Addressing machine identity risk doesn’t require reinventing security principles, but it does require applying them differently.

Operationalizing Machine Identity Security

Instead of focusing solely on authentication events, organizations need to think in terms of visibility, ownership, and usage. The goal isn’t just to protect credentials at creation, but to continuously understand where they exist, what they can access, and how they behave over time.

Start with inventory: Organizations need a centralized, continuously updated view of non-human identities across environments. Without that baseline, everything else is reactive.

Establish ownership and lifecycle management: Every credential should have a clear owner, defined purpose, and expiration or rotation policy. Long-lived, orphaned credentials are a common entry point for attackers.

Reduce unnecessary access: Many NHIs are overprivileged by default. Applying least-privilege principles can significantly limit the blast radius if a credential is exposed.

Add contextual controls where possible: While MFA isn’t typically feasible for machine identities, controls like IP allowlisting or binding credentials to specific workloads can serve as compensating controls, preventing use outside intended environments.

Monitor behavior, not just existence: Tracking how credentials are used – frequency, volume, access patterns – can help identify anomalies that indicate compromise.

These measures aren’t theoretical. In real-world incidents, organizations that constrained how machine credentials could be used (for example, limiting them to known systems) were able to prevent attackers from reusing stolen access.

What Security Teams Need to Understand About Non-Human Identities

Automation, cloud adoption, and the rise of AI-driven workflows are rapidly increasing the number of non-human identities operating inside enterprise environments. Each one is a potential entry point. For years, identity security programs have focused on strengthening protections around human users, and for good reasons. But attackers are shifting their attention to a different class of identity: one that is often invisible, highly privileged, and far less protected.

The takeaway for security teams is straightforward: you can’t treat machine identities as a secondary concern. In today’s environment, the easiest way in isn’t through your workforce. It’s through the systems they rely on.

About the Author

Trevor Hilligoss

Trevor Hilligoss

Chief Intelligence Officer, SpyCloud

Trevor Hilligoss is the Chief Intelligence Officer at SpyCloud, where he oversees the company’s global intelligence strategy, advances research into cybercriminal tactics, and drives the collection of exposed data that fuels identity-based attacks. Trevor’s background, including experience with the FBI and the U.S. Army, informs his approach to translating raw data into actionable insights that strengthen defenses, support responsible disclosures, and enable proactive prevention of identity threats.

Sign up for our eNewsletters
Get the latest news and updates