In December, bad actors hacked the U.S. Treasury Department, compromising an application programming interface key to gain unauthorized access to its systems. The incident sensitized federal, state and local government IT experts as to the potential damage bad actors can cause by compromising nonhuman identities.
Cybersecurity software manufacturer Delinea recently published a report, “Cybersecurity and the AI Threat Landscape,” which refreshed awareness of this security challenge. The report defines nonhuman identities as “digital accounts used by applications, APIs and services to authenticate and interact with each other.”
These digital IDs are granted specific access privileges that a layman might associate with human users who possess login credentials.
As the report warns, “attackers are likely to intensify their exploitation of nonhuman identities and identity providers, taking advantage of inadequate lifecycle management and identity sprawl.”
Click the banner below for cyber resilience strategies that reduce the risks of an attack.
Delinea CISO Pierre Mouallem said compromised nonhuman identities may pose a greater threat to government systems than hacked human identities.
“Nonhuman identities have access to a lot of highly restricted information,” he says. “Think of an application that accesses a database. There’s usually a service account or a token that allows applications to access that database, whereas most human identities would not have that level of access.”
“There could be a much more significant impact in terms of ransomware or data expulsion when compromising a nonhuman identity like a service account than when compromising a human identity,” he adds.
Why Do Government IT Systems Use Nonhuman Identities?
Many government IT managers are well-versed in human identities, which facilitate human beings logging into government systems. But IT environments also harbor nonhuman identities that allow for intersystem communications, Mouallem says.
When a human being logs into a government network, that person gains access to authorized resources associated with their identity. Service accounts, API keys, tokens and other machine actors also require access to systems to do their jobs, Mouallem says.
“Nonhuman identities are used to operate any modern solution, regardless of industry,” Mouallem says.
Delinea estimates that there are 46 nonhuman identities for every one human identity. “They facilitate the communications between different services and entities; they operate in the background and oftentimes they’re set to allow that communication and then they’re ignored,” Mouallem says.
While nonhuman identities are important for automating workflows — setting and forgetting them — their credentials are often not refreshed within recommended timeframes, according to Delinea’s research.
DIVE DEEPER: IAM’s role is evolving in complex IT environments.
How Do Nonhuman Identities Expand the Attack Surface for Government Agencies?
Governments interacting with third-party companies such as contractors or vendors increase their attack surface by exposing nonhuman identities to those third parties. This potentially opens the door for bad actors to use nonhuman identities as access points into government systems.
“Under-secured identities become attractive targets, especially with the high volume of NHIs in environments,” CrowdStrike notes. “With seemingly countless NHIs deployed across modern organizations, it is easy for NHIs to be overlooked in security strategies, introducing a higher risk of unauthorized access.”
IBM warns that bad actors can hack nonhuman identities and steal access credentials. Because nonhuman identities often go unmonitored, cybercriminals may circumvent security easily due to a lack of multifactor authentication. Once hacked, nonhuman identities can escalate privileges or allow lateral network movement for criminals to steal resources, launch malware or install backdoors.
“The risk that they introduce to the security of the environment can be pretty significant, particularly with the rise of artificial intelligence and agentic AI,” Mouallem says. “AI-based agents are used to perform certain functionality, and these agents rely on nonhuman identities in order to communicate with other parts of the environment and operate.”
Delinea’s cybersecurity threat report estimates the total number of operating nonhuman identities may exceed 45 billion by the end of 2025, “creating a massive and often overlooked attack surface.”
Click the banner below to Sign up for the StateTech newsletter for weekly updates.
What Tools and Best Practices Can Governments Use To Secure Nonhuman Identities?
State and local governments can turn to various cybersecurity solutions to ensure that certain accounts (including nonhuman identities) maintain least privileged access, and to refresh their credentials on a schedule.
Because nonhuman identities do not necessarily act like a normal day-to-day user, government IT admins must monitor them closely.
“Delinea offers solutions to provision and then administer access management, and essentially you can use the solution to control all nonhuman identities and what access they have,” Mouallem says. “You can audit that access to make sure that there is no anomaly. So, for example, something used for a specific functionality — all of a sudden it is used for something else, or it’s used more frequently or from a location that is not typical.”
Vendors such as Delinea can detect anomalous functions and alert principals to maintain visibility in all identities.
“It also provides a centralized single pane of glass for viewing and monitoring all nonhuman identities,” Mouallem says. “You can introduce security controls like automatic password rotation and ensure that all identities adhere to those controls.”
As many government agencies may have limited budget and expertise, remaining aware of the challenges associated with nonhuman identities is key to mitigating any threat that hackers may pose by compromising them.
“In some cases, it’s going to be similar to the controls that you would expect from human identities,” Mouallem says. “It really boils down to having proper cyber hygiene around the use of nonhuman identities, and ensuring best practices are applied.”
