Non-Human Identities — API keys, service accounts, OAuth tokens, and AI agent credentials — now outnumber human users 50:1 in the average enterprise. They're the fastest-growing attack vector in 2026. And most organisations have no idea how many they have.
Every time a developer adds an API key, spins up a CI/CD pipeline, grants OAuth access to a SaaS tool, or deploys an AI agent — they create a Non-Human Identity. These machine credentials operate silently in the background, accumulating privileges, persisting long after they're needed, and frequently leaking into places they shouldn't be.
The Midnight Blizzard attack on Microsoft, the Snowflake customer breach wave, and dozens of major 2024–2025 incidents were enabled not by phishing humans — but by compromising machine credentials that nobody was watching.
HackLabs NHI Security Assessments surface exactly what attackers are looking for: the over-privileged service account with admin rights that's been dormant for two years, the OAuth grant giving a third-party app access to your entire SharePoint, the API key committed to a public GitHub repo six months ago.
These aren't edge cases — they're standard findings across Australian enterprises running modern cloud and SaaS environments. If you haven't had an NHI assessment, you almost certainly have most of these.
Service accounts with Domain Admin or Global Admin rights, created years ago for a one-off project, never decommissioned. No rotation, no MFA, no audit trail.
AWS access keys, GitHub tokens, database passwords, and Stripe keys committed to source repositories — often months or years ago, often in repos that have since been made public.
Third-party applications with persistent access to read all email, access calendar data, or download SharePoint files — granted by individual employees, unknown to IT, and never reviewed.
Build and deployment pipelines with production write access, often running on long-lived credentials with no expiry. A compromised pipeline becomes a direct path to production infrastructure.
Copilot Studio and custom AI agents deployed with standing admin permissions "so they can help with anything." No scope limits, no audit logging, no rotation.
Service accounts and API credentials created for a contractor, MSP, or vendor that is no longer engaged — still active, still privileged, and with credentials potentially still held by former personnel.
Our NHI assessment covers the full lifecycle of machine identities across cloud, SaaS, on-premises AD, and development pipelines — not just a point-in-time scan.
We enumerate all non-human identities across your environment — cloud workload identities, SaaS service accounts, API integrations, CI/CD credentials, and AI agent accounts. Most organisations are surprised by the count.
We map what every NHI can access and what it actually uses. Over-privileged accounts — those with far more access than their function requires — are rated as critical risk and prioritised for immediate remediation.
We scan source code repositories, CI/CD logs, container images, and configuration management systems for hardcoded or committed secrets — including historical commits that developers believe are "deleted."
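As an added illustration (example code written for this page, not HackLabs' assessment tooling), a minimal history-aware secret scanner: it replays constructed unified diffs, flags credential-shaped strings on the lines that introduced them, and reports whether each still exists at HEAD or was merely "deleted" in a later commit. The pattern set, commit hashes and key values are constructed placeholders.

```python
import re
from typing import NamedTuple

# Credential formats named on this page; the prefixes are the publicly documented ones.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

class Finding(NamedTuple):
    kind: str
    sha: str       # commit that introduced the secret
    path: str
    secret: str
    in_head: bool  # False: removed in a later commit, yet still recoverable from history

def _parse_diff(diff: str):
    """Yield (path, sign, text) for every '+' or '-' content line of a unified diff."""
    path = None
    for raw in diff.splitlines():
        if raw.startswith("+++ b/"):
            path = raw[6:]
        elif path and raw[:1] in ("+", "-") and raw[:3] not in ("+++", "---"):
            yield path, raw[0], raw[1:]

def scan_history(commits: list[dict[str, str]]) -> list[Finding]:
    """Scan commits oldest-first, replaying file state; in_head is decided after the full replay."""
    head: dict[str, set[str]] = {}  # path -> lines currently present
    found: list[Finding] = []
    for c in commits:
        for path, sign, text in _parse_diff(c["diff"]):
            lines = head.setdefault(path, set())
            if sign == "-":
                lines.discard(text)
                continue
            lines.add(text)
            for kind, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(text):
                    found.append(Finding(kind, c["sha"], path, m.group(0), True))
    return [f._replace(in_head=any(f.secret in l for l in head.get(f.path, ())))
            for f in found]

# Constructed sample history (fake hashes and keys): a key is committed, then "deleted"
# by the next commit, which also adds a token that remains in HEAD.
SAMPLE_COMMITS = [
    {"sha": "c0ffee1", "diff": "--- /dev/null\n+++ b/deploy/.env\n"
     "+AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n+DB_HOST=db.internal"},
    {"sha": "c0ffee2", "diff": "--- a/deploy/.env\n+++ b/deploy/.env\n"
     "-AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n"
     "+GITHUB_TOKEN=ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE00000000"},
]
```

A working-tree-only scan of this history would report nothing for the AWS key; the replay shows it is still one `git log -p` away.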
We enumerate all third-party OAuth grants across Microsoft 365, Google Workspace, GitHub, Salesforce, and other SaaS platforms — identifying apps with excessive scopes, unsanctioned by IT, or connected to defunct vendors.
For organisations running AI agents (Copilot Studio, LangChain, AutoGen, Salesforce Agentforce), we assess the identity and permission model — ensuring agents operate under least-privilege with appropriate audit logging.
We evaluate whether your organisation has the processes, tooling, and ownership structures to manage NHI lifecycle — creation, rotation, review, and decommissioning — on an ongoing basis, not just point-in-time.
A focused 2-week assessment covering one environment — cloud or SaaS. Rapid inventory, top risk identification, and a prioritised remediation list. Ideal as a first look or board-level risk briefing.
Full six-domain assessment across cloud, SaaS, Active Directory, and development pipelines. Our most comprehensive standalone NHI engagement — covers the complete attack surface attackers target.
Full enterprise NHI assessment plus DevOps pipeline security review, AI agent identity audit, and an ongoing monthly monitoring service to catch new NHI risk as your environment evolves.
HackLabs is the first Australian security firm offering dedicated NHI assessments — built on the same adversarial methodology that powers our red team practice.
Our consultants combine identity and access management depth with offensive security experience — we assess NHIs the way attackers exploit them.
We don't just scan for secrets. Our six-domain framework covers discovery, privileges, secrets, OAuth, AI agents, and lifecycle governance — the full picture.
Every assessment includes a remediation workshop. We don't hand you a report and walk away — we work with your team to prioritise and fix what matters most.
Russian SVR actors compromised a legacy OAuth application with elevated access to Microsoft's corporate email. A machine identity — not a human account — was the entry point to senior leadership inboxes.
Hundreds of Snowflake customer organisations breached through stolen service account credentials. Ticketmaster, Santander, AT&T and dozens more — all enabled by unmonitored machine identities with no MFA.
A multi-year social engineering campaign resulted in a backdoor in a critical open-source library — exploiting CI/CD pipeline automation and unsigned build credentials. Machine identity governance would have detected it.
Australian regulators are increasingly explicit about machine identity risk. NHI assessment findings map directly to mandatory controls across key frameworks.
Third-party access controls, service account governance, and access management obligations are directly addressed by NHI assessment outputs.
Restrict admin privileges (ML3), application control, and patching obligations all intersect with NHI hygiene — particularly for service accounts and pipeline credentials.
Control A.8.2 (privileged access rights), A.5.16 (identity management), and A.8.18 (use of privileged utility programs) directly require NHI governance.
Critical infrastructure operators under SOCI must demonstrate access control and identity lifecycle management — NHI assessment provides the evidence.
Most organisations are shocked by their NHI inventory. Schedule a scoping call and we'll walk you through what a HackLabs NHI assessment covers for your environment.