Non-human identity

Non-human identity refers to any identity used by automated processes, bots, applications, APIs, or services rather than a physical user. Examples include service accounts for CI/CD pipelines, chatbots, RPA (robotic process automation) scripts, or IoT devices. These identities still require credentials—passwords, keys, or tokens—to access systems.

It is important to note that all machine identities are non-human identities, but not all non-human identities are machine identities. Non-human identities also include service accounts, APIs, and bots that aren't tied to a specific machine.

How does it affect identity security?

Cloud environments heavily rely on non-human identities for microservices, serverless functions, or data ingestion tasks.

Because non-human identities often have broad or specialized privileges (like reading thousands of records for a data pipeline), they become prime targets. Attackers who compromise these service credentials can move laterally or exfiltrate data. Additionally, non-human accounts may be overlooked in provisioning or auditing processes since they aren’t tied to a single employee.

IAM provides separate policies for these service accounts, but it’s easy to misconfigure them with excess permissions. DevOps pipelines also use such identities to deploy resources. Identity governance extends to these accounts: rotating their keys, restricting their scope, and monitoring usage. Strong management—unique credentials, least privilege, credential rotation—ensures that non-human identities don’t become hidden backdoors.
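The governance controls described above (restricting scope, rotating keys, watching for unused credentials) can be checked mechanically. The script below is an added example, not code from the original page or from any vendor; it audits constructed, AWS-style policy documents and key metadata for the two most common service-account misconfigurations: wildcard permissions and credentials that are old or idle. The principal names, key IDs, and thresholds are all assumptions chosen for illustration.

```python
"""Audit non-human identities for excess scope and stale credentials (added example).

The policy documents and key records are constructed sample data in an
AWS-style JSON shape; the checks themselves are generic.
"""
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample: a deploy bot with a wildcard policy and a
# data-ingestion pipeline scoped to one bucket.
SAMPLE_POLICIES = {
    "ci-deploy-bot": {
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ]
    },
    "ingest-pipeline": {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    "arn:aws:s3:::example-data-bucket",
                    "arn:aws:s3:::example-data-bucket/*",
                ],
            },
        ]
    },
}

# Constructed key metadata (key IDs are placeholders, not real identifiers).
SAMPLE_KEYS = [
    {"principal": "ci-deploy-bot", "key_id": "KEY-EXAMPLE-0001",
     "created": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=1)},
    {"principal": "ingest-pipeline", "key_id": "KEY-EXAMPLE-0002",
     "created": NOW - timedelta(days=30), "last_used": NOW - timedelta(days=20)},
    {"principal": "ingest-pipeline", "key_id": "KEY-EXAMPLE-0003",
     "created": NOW - timedelta(days=80), "last_used": None},
]


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return Allow statements that grant wildcard actions or apply to every resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resources = [r for r in resources if r == "*"]
        if wildcard_actions or wildcard_resources:
            findings.append({"actions": wildcard_actions, "resources": wildcard_resources})
    return findings


def stale_keys(keys, now=NOW, max_age_days=90, max_idle_days=60):
    """Flag keys older than the rotation window or not used within the idle window.

    A key that has never been used is treated as idle since its creation.
    """
    findings = []
    for key in keys:
        reasons = []
        age_days = (now - key["created"]).days
        if age_days > max_age_days:
            reasons.append(f"age_exceeds_{max_age_days}d")
        last_activity = key["last_used"] or key["created"]
        if (now - last_activity).days > max_idle_days:
            reasons.append(f"idle_exceeds_{max_idle_days}d")
        if reasons:
            findings.append({"principal": key["principal"],
                             "key_id": key["key_id"], "reasons": reasons})
    return findings


def audit(policies=SAMPLE_POLICIES, keys=SAMPLE_KEYS, now=NOW):
    """Combine both checks into one report keyed by finding type."""
    broad = {name: overly_broad_statements(p) for name, p in policies.items()}
    return {
        "broad_policies": {name: f for name, f in broad.items() if f},
        "stale_keys": stale_keys(keys, now=now),
    }


if __name__ == "__main__":
    report = audit()
    for name, findings in report["broad_policies"].items():
        print(f"[scope] {name}: {findings}")
    for finding in report["stale_keys"]:
        print(f"[rotation] {finding['principal']} {finding['key_id']}: {finding['reasons']}")
```

In a real deployment the two sample dictionaries would be replaced by the output of the cloud provider's policy and access-key listing APIs, and the thresholds set to match the organisation's rotation policy; the point of the example is that "least privilege" and "rotation" for service accounts are concrete, testable properties rather than aspirations.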

Case study

Atlassian accidentally exposed internal API keys for automation bots. While the damage was contained, the incident highlighted how non-human identities (automation scripts) with unrotated credentials can expose high-value targets.

Protect what matters most

Secure human and non-human identities (NHIs) at scale powered by AI. Don't wait for a security breach to happen. Get a free assessment today and secure your business.