When Your Bots Go Unsupervised
Plus: Parental controls, AI lawsuits, and a meme for every admin.
Here’s what’s on our plate today:
🤖 The invisible risk of SaaS: why bot tokens and zombie API keys are your new security headache.
🗳️ Do you know all the non-human identities in your cloud?
🧠 AI lawsuits, Apple’s new parental controls, and a CEO steps down.
⭐️ Pro tip: How to keep your stack (and sanity) safe from silent breaches.
Let’s dive in. No floaties needed…

From prototype to production, faster.
The hardest part of delivering production-ready AI? Assembling a team that can actually do it. Athyna helps you staff fast, sourcing AI/ML talent across LatAm, Africa, and Southeast Asia—all vetted by experts, aligned to your stack, and ready to deploy.
From idea to implementation, we support you end to end: briefing, shortlisting, onboarding, and even payroll.
No upfront fees, no sourcing delays, just speed and quality where it counts most.
*This is sponsored content

The Laboratory
The invisible risk of SaaS: Managing non-human identities
As the world moves toward digitization, cloud computing has become essential for enterprises large and small. For bigger organizations, it has helped scale the business and streamline processes by sharing the workload with AI; for small businesses, it lowers barriers to entry such as technical expertise and cost.
One of the largest segments of cloud computing is Software-as-a-Service, or SaaS. This model contributes the largest share of the total cloud computing market, which was expected to generate over half a trillion U.S. dollars in revenue in 2023 and shows few signs of slowing down. Under the SaaS model, customers pay for access to software and databases while the service provider manages the infrastructure and platforms.
While it is convenient for businesses to offload the pressure of purchasing software and installing it on individual machines, beneath the convenience lies a lesser-known risk. While SaaS platforms simplify how we work, they also depend on something most users never see: non-human identities (NHIs).
Most of the platforms organizations use today, including email, CRM, file sharing, and accounting tools, as well as Salesforce, Zoom, Slack, and Google Workspace, rely on NHIs.
So let us take a closer look at what NHIs are, the problems they pose to an organization’s security apparatus, and what organizations can do to minimize their risks.
What are NHIs?
NHIs are digital credentials or service accounts used by applications, bots, or scripts to authenticate and interact with other software systems, without human intervention. NHIs could include API keys, OAuth tokens, service accounts, client secrets, and certificates.
Put simply, their function is to let the different systems and applications within an organization talk to each other securely and keep performing their tasks without a human in the loop.
In SaaS, these NHIs are essential for enabling automation, integrations, and cloud orchestration.
While NHIs are great at securing communications between different applications without human intervention, their very nature can lead to problems that are often overlooked by business owners.
Most organizations run regular security training and enforce strong authentication methods for their staff, but they often overlook NHIs, which no individual directly monitors. As a result, NHIs are not subject to the same level of scrutiny, making them attractive targets for exploitation.
Another problem is detection. Suspicious activity on a human-operated account can reveal a security lapse, but machines talk to each other all the time, so anomalous NHI activity is much harder to spot. Combined with how little visibility organizations have into which NHIs even exist, this is an ideal situation for attackers.
And it is not a far-off problem. In 2022, Toyota, the Japanese automotive manufacturer, revealed that it had accidentally exposed a credential allowing access to customer data for nearly 5 years. The credential had been unintentionally published on GitHub. Other major companies like Samsung, Nvidia, and Twitch have faced similar problems in the past.
Challenges in managing NHIs?
One of the major challenges of managing NHIs is their sheer numbers. Organizations today often possess thousands of NHIs, from API keys to service accounts, spanning the cloud, DevOps pipelines, and automation tools. This identity sprawl makes it incredibly difficult to maintain a comprehensive inventory or understand what each identity does. Security teams struggle to discover all of them, leaving blind spots in their defenses.
Another problem is access management; NHIs often require elevated permissions (e.g., to move data or trigger jobs), but are frequently over-permissioned to ensure they can continue performing their tasks. Without the ability to apply typical human controls such as MFA or password rotation, these identities become high-value targets if compromised. Controlling access becomes even more challenging when NHI permissions cross multiple tools and environments.
Rotating credentials for NHIs is also a far more difficult job than it is for human users. Each credential is tied to scripts, services, or integrations, and rotating them could disrupt workflows. Organizations also use multiple places to store these NHIs, which further increases the likelihood of them being compromised and makes detection difficult.
NHIs are frequently created for short-term use but seldom retired. Over time, these “zombie identities” remain active: unused but still valid, presenting unmonitored attack vectors. Without active decommissioning processes, they can linger indefinitely. Taken together, these challenges create significant risks for organizations.
Strategies for securing NHIs?
To effectively protect non‑human identities (NHIs), organizations must adopt a strategic, lifecycle‑oriented approach. These could include:
Comprehensive discovery and inventory: Organizations can’t secure what they cannot see; as such, they need to make use of automated discovery tools that scan code repositories and cloud environments. Once identified, each NHI must be associated with a clear owner, ensuring accountability and enabling rational cleanup of “zombie identities”. Each NHI should also possess only the minimal permissions required to perform its function, no more, no less. This might mean implementing role‑based access control (RBAC) or attribute‑based access control (ABAC) and periodically reviewing all service accounts and tokens to detect overprivileged identities.
Organizations should also invest in strong authentication, automated credential rotation, periodic deactivation of unused NHIs, and a centralized governance model that ensures tokens and keys are not scattered across spreadsheets but managed in one place under consistent policies across platforms.
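The lifecycle checks described in the two sections above (ownership, zombie identities, credential rotation, and least privilege against an RBAC baseline) fit naturally into one periodic audit over an NHI inventory. The script below is an added example written for this edition, not code from the article or any product it mentions; the inventory, the owners and roles, the permission names, and the 90-day idle and 180-day rotation thresholds are all constructed assumptions chosen to illustrate the checks.

```python
"""Lifecycle audit of a non-human identity (NHI) inventory.

Added example: the inventory, owners, roles and thresholds below are all
constructed for illustration and do not come from any real organisation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Policy thresholds (assumed values for the example).
MAX_IDLE_DAYS = 90             # no activity in this window -> "zombie identity"
MAX_CREDENTIAL_AGE_DAYS = 180  # credential material older than this is overdue for rotation

# Assumed RBAC baseline: the most each role should ever hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ci-deploy": {"repo:read", "deploy:write"},
    "backup-job": {"storage:read", "storage:write"},
    "chat-bot": {"chat:post"},
}


@dataclass
class NHI:
    name: str
    kind: str                       # api_key, oauth_token, service_account, ...
    role: str                       # intended function; looked up in ROLE_BASELINE
    owner: Optional[str]            # accountable team or person; None = nobody
    created: date                   # when the current credential was issued
    last_used: Optional[date]       # None = never used since it was issued
    permissions: Set[str] = field(default_factory=set)


def audit(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Map each identity name to the list of policy findings against it.

    An empty list means the identity passed every check.
    """
    report: Dict[str, List[str]] = {}
    for nhi in inventory:
        findings: List[str] = []

        # Accountability: every NHI needs a human owner for reviews and cleanup.
        if nhi.owner is None:
            findings.append("no accountable owner")

        # Zombie detection: still valid but idle beyond the policy window.
        last_activity = nhi.last_used or nhi.created
        idle_days = (today - last_activity).days
        if idle_days > MAX_IDLE_DAYS:
            findings.append(f"zombie identity: no activity for {idle_days} days")

        # Rotation: credential age is measured from issuance, not from last use.
        age_days = (today - nhi.created).days
        if age_days > MAX_CREDENTIAL_AGE_DAYS:
            findings.append(f"credential overdue for rotation ({age_days} days old)")

        # Least privilege: anything beyond the role's baseline is a finding.
        baseline = ROLE_BASELINE.get(nhi.role)
        if baseline is None:
            findings.append(f"unknown role {nhi.role!r}: no permission baseline to check")
        else:
            extra = sorted(nhi.permissions - baseline)
            if extra:
                findings.append("over-permissioned: " + ", ".join(extra))

        report[nhi.name] = findings
    return report


# Constructed sample inventory (not real data).
AS_OF = date(2025, 6, 16)
SAMPLE_INVENTORY = [
    NHI("gh-actions-deploy", "api_key", "ci-deploy", "platform-team",
        created=date(2025, 4, 1), last_used=date(2025, 6, 15),
        permissions={"repo:read", "deploy:write"}),
    NHI("legacy-export-bot", "service_account", "backup-job", None,
        created=date(2020, 2, 10), last_used=date(2021, 3, 30),
        permissions={"storage:read", "storage:write", "iam:admin"}),
    NHI("slack-notifier", "oauth_token", "chat-bot", "devops",
        created=date(2024, 11, 1), last_used=date(2025, 6, 16),
        permissions={"chat:post", "users:read"}),
]


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed inventory as of AS_OF."""
    return audit(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for name, findings in run_sample().items():
        status = "OK" if not findings else "REVIEW"
        print(f"{status:6} {name}")
        for f in findings:
            print(f"       - {f}")
```

In practice the inventory would be populated by the discovery tooling the article recommends (cloud IAM listings, SaaS admin APIs, secret-scanning output) rather than typed in, and the thresholds would come from the organization's own policy. The design choice worth noting is that rotation age is measured from when the credential was issued, not from when it was last used: a busy integration still carries a stale secret, and an idle one is flagged separately as a zombie so it can be retired rather than rotated.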
A growing threat in the digital age
Whether you're a business owner or a consumer, the evolving global digital economy affects your life. As more of the global tech infrastructure shifts online, the risk from NHIs is only going to rise.
The expansion of AI agents and reliance on automation is also going to lead to an increase in the number of NHIs. And while these identities power modern business efficiency, they also create a vast, invisible attack surface that remains under-secured and poorly governed in many organizations.
Incidents like the Toyota data leak are cautionary tales, not isolated accidents. And as the digital economy continues to grow, organizations must act now to ensure that the invisible workforce powering their operations, their NHIs, are managed with the same vigilance and discipline as their human employees.


Monday Poll
🗳️ How closely do you (or your company) track “non-human identities” (API keys, service accounts, bot tokens, etc.) in your SaaS tools?

Bite-Sized Brains
X’s Grok and ChatGPT Spread Protest Disinfo in LA
AI chatbots were caught sharing false and misleading information about recent Los Angeles protests, raising fresh alarm over automated disinformation.
Disney and Universal Sue AI Firms Over Copyright
Disney and Universal have filed a major lawsuit against AI companies, alleging their copyrighted content is being misused to train generative AI models.
Apple Launches Parental Permission Text for Child Safety
Apple is rolling out a new feature that requires kids to send a permission text to parents before making certain device changes.
Scale AI Confirms Meta Investment, CEO Steps Down
Scale AI revealed a significant investment from Meta, while CEO Alexandr Wang announced he’s stepping down, shaking up the rapidly growing AI data sector.

143,596 founders, investors and leaders read this.
Founders and leaders who read Open Source CEO end up with 2.3x the cerebral horsepower of those who don’t.
Ok, we cannot actually prove that, but we think it’s about right. What we do know is that 140k+ readers from Google, TikTok, OpenAI and Deel love our deep dive business content. Subscribe here to see what it’s all about.
*This is sponsored content

Roko Pro Tip
💡 Don’t just audit your humans—track your bots, tokens, and service accounts.

Meme of the Day


Rate this edition
What did you think of today's email?
