What Is a Non-Human Identity (NHI)?
A non-human identity (NHI) is any digital identity used by software, services, workloads, or automation instead of a person. Service accounts, API keys, OAuth tokens, IAM roles, bots, and AI agents are all NHIs: entities that need to identify, authenticate, and authorize themselves to access secured resources. They are how machines, not people, get into systems.
NHIs matter because they have quietly become the dominant identity type in modern environments, and the most under-governed. As organizations adopted cloud, microservices, third-party integrations, and now AI agents, the number of non-human identities outpaced the controls meant to secure them. Each NHI is a credential that can be stolen, over-permissioned, or forgotten, and attackers know it.
A non-human identity (NHI) is a digital identity used by software, services, workloads, or AI agents rather than a human: service accounts, API keys, tokens, IAM roles, bots. NHIs now outnumber human identities and are a fast-growing attack surface. The OWASP Non-Human Identities Top 10 (2025) standardizes the biggest risks, led by improper offboarding and secret leakage. Governing NHIs means inventory, least privilege, secret rotation, and clean offboarding. Every AI agent is an NHI. Dawiso is not an identity tool, but it supplies the data context (what data exists, who owns it, how sensitive it is, and where it flows) that tells you what an NHI or agent should be allowed to touch.
What a Non-Human Identity Means
An NHI authenticates and acts the way a user account does, but on behalf of code rather than a person. A nightly job that loads data uses a service account; an application that calls a payment API uses an API key; a workload running in the cloud assumes an IAM role; an AI agent that queries a database does so under its own credential. These identities are essential (machine-to-machine access is what makes automation and integration work), but they often lack the lifecycle, ownership, and oversight that human accounts get by default.
Why NHIs Matter Now
Two trends turned NHIs into a priority. First, scale: cloud-native architectures spin up far more machine identities than human ones, and many are created ad hoc and never cleaned up. Second, AI: every autonomous agent is a new NHI with access to data and tools. The result is a sprawling, fast-growing population of credentials (many over-permissioned, some orphaned) that expands the attack surface faster than security teams can track. Compromising one leaked key or stale service account can give an attacker persistent, hard-to-detect access.
The OWASP NHI Top 10
To standardize how organizations think about these risks, OWASP published the Non-Human Identities Top 10 in 2025, a list of the most pressing security risks NHIs present, with guidance on the challenges and how to address them. Two of the highest-ranked illustrate the pattern:
- Improper Offboarding (NHI1:2025). NHIs that are not deactivated or removed when no longer needed stay active beyond their intended use, leaving persistent gaps that attackers exploit to reach systems, exfiltrate data, and maintain long-term access.
- Secret Leakage (NHI2:2025). When high-impact credentials (keys, tokens, secrets) are leaked, the risk of a severe breach rises sharply, because a leaked secret is a ready-made key to whatever it protects.
The broader list covers risks such as over-privileged identities, insecure authentication, and weak secret management. Its goal is education and a common standard for securing the non-human identities in an environment.
Governance and Lifecycle
Securing NHIs applies familiar identity discipline to machines:
- Inventory. Know every NHI that exists, what it is, and what it can access. You cannot govern what you cannot see.
- Ownership. Assign a human owner accountable for each NHI, so it does not become orphaned.
- Least privilege. Grant each NHI only the access its job requires, scoped by what the data actually is.
- Secret rotation. Rotate and securely store keys and tokens so a leak has a short, bounded blast radius.
- Clean offboarding. Decommission NHIs and revoke their access the moment they are no longer needed.
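The five controls above can be expressed as checks over an NHI inventory. The following is an added example, not code from Dawiso or OWASP: the record fields, the finding names, the 90-day rotation and 60-day idle thresholds, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy thresholds (not from the page); tune to your environment.
MAX_SECRET_AGE_DAYS = 90
MAX_IDLE_DAYS = 60

@dataclass
class NHI:
    name: str
    kind: str                   # service_account, api_key, iam_role, ai_agent
    owner: Optional[str]        # accountable human; None if nobody is assigned
    scopes: list                # granted permissions as "resource:action"
    secret_created: date        # when the current key/token was issued
    last_used: Optional[date]   # None means never observed in use

def audit(nhi: NHI, today: date) -> list:
    """Return the governance findings for one inventory record."""
    findings = []
    if not nhi.owner:                                   # ownership
        findings.append("no-owner")
    if any(s == "*" or s.startswith("*:") or s.endswith(":*") for s in nhi.scopes):
        findings.append("wildcard-scope")               # least privilege
    if (today - nhi.secret_created).days > MAX_SECRET_AGE_DAYS:
        findings.append("rotation-overdue")             # secret rotation
    if nhi.last_used is None or (today - nhi.last_used).days > MAX_IDLE_DAYS:
        findings.append("offboarding-candidate")        # clean offboarding
    return findings

def audit_inventory(inventory, today: date) -> dict:
    """Map NHI name -> findings, omitting records that pass every check."""
    report = {}
    for nhi in inventory:
        findings = audit(nhi, today)
        if findings:
            report[nhi.name] = findings
    return report

# Constructed sample inventory (all names and dates are made up).
TODAY = date(2025, 6, 1)
INVENTORY = [
    NHI("nightly-loader", "service_account", "alice", ["warehouse:write"], date(2025, 4, 15), date(2025, 5, 31)),
    NHI("payments-key", "api_key", None, ["payments:charge"], date(2024, 1, 10), date(2025, 5, 30)),
    NHI("legacy-etl", "iam_role", "bob", ["*:*"], date(2025, 5, 1), date(2024, 11, 2)),
    NHI("report-agent", "ai_agent", "carol", ["sales_db:read", "crm:*"], date(2025, 5, 20), None),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

An NHI that never appears in the inventory cannot be flagged by any of these checks, which is why inventory comes first in the list.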
NHIs and AI Agents
AI agents make NHI governance urgent rather than routine. Each agent is an NHI that authenticates, accesses data, and acts, often across many systems and at machine speed. An over-permissioned agent is an over-permissioned NHI that can also reason and chain actions, which raises the stakes of every access decision. This is where NHI security and AI agent governance meet: governing an agent means governing its identity, its least-privilege access, and a clear picture of the data it is allowed to touch.
How Dawiso Fits
Dawiso is not an identity-governance or secrets-management tool, and it does not authenticate NHIs or rotate keys. What it provides is the layer those tools assume but rarely have: governed data context about what an NHI or agent is actually reaching. An access decision is only as good as your understanding of the data on the other side of it, and that is what Dawiso governs.
- An inventory of the data NHIs touch. The data catalog gives you a governed map of what data assets exist, so you can reason about what an NHI or agent should be allowed to access.
- Ownership and accountability. Clear data ownership means every dataset an NHI reaches has an accountable human, which is exactly what NHI offboarding and least privilege depend on.
- Sensitivity made explicit. Classification flags which data is sensitive, so access policy and guardrails for agents can be scoped to real risk rather than guesses.
- Lineage for impact and audit. Interactive lineage shows where the data an NHI uses comes from and flows to, supporting impact analysis when a credential is compromised.
Pair your identity and secrets tooling with Dawiso's governed data context, and access decisions for NHIs and agents are grounded in what the data actually is, not just who or what is asking.
Conclusion
A non-human identity is any digital identity used by software, services, or AI agents instead of a person, and NHIs now outnumber human identities while remaining under-governed. The OWASP NHI Top 10 standardizes the biggest risks, from improper offboarding to secret leakage, and the fix is classic identity discipline applied to machines: inventory, ownership, least privilege, rotation, and clean offboarding. Because every AI agent is an NHI, this discipline is inseparable from AI agent governance, and it works best when access decisions are informed by governed context about the data those identities touch.