NHI7:2025
Improper Access Control
Inadequate or misconfigured access controls for non-human identities.

Details

Improper access control can lead to non-human identities gaining unauthorized access to sensitive resources or performing actions beyond their intended scope. This risk often arises from misconfigured permissions, overly broad access policies, or a lack of granular control.


Example Scenario

HealthTech Solutions develops a revolutionary AI-driven diagnostic tool for hospitals. To train their model, they set up a data pipeline that pulls anonymized patient records from various health institutions. Due to a misconfiguration in their access controls, the AI service account gains write access to the source databases instead of read-only access. During a routine update, a bug in the AI system causes it to write corrupted data back to the source databases. This leads to numerous misdiagnoses and incorrect treatments before the error is caught. The incident results in potential harm to patients, multiple malpractice lawsuits against the hospitals, and a federal investigation into HealthTech Solutions' data handling practices.

Mitigation Strategies

  • Implement the principle of least privilege for all non-human identities
  • Use role-based access control (RBAC) and attribute-based access control (ABAC)
  • Regularly review and audit access permissions
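The scenario above is a wildcard grant gone wrong: a service account that should only read the source databases ends up with write capability. The following script, added here as an illustration and not part of the OWASP page or any vendor tooling, shows the kind of review that catches it. It expands a cloud-IAM-style policy document (constructed; the `db:*` action names, the `arn:example:...` resource and the action catalogue are all assumptions) into the permissions actually in effect, diffs them against the identity's intended least-privilege scope, and emits a corrected policy with no wildcards.

```python
"""Audit a non-human identity's effective permissions against its intended,
least-privilege scope. Added example, not from the OWASP NHI Top 10 page; the
policy shape mimics cloud IAM JSON, but every action, resource and name below
is constructed for illustration."""
import fnmatch
import json

# Constructed: what the AI pipeline's service account SHOULD be able to do.
INTENDED = {
    "arn:example:db:source-records": {"db:Select", "db:DescribeTable"},
}

# Constructed: the policy actually attached after the misconfiguration in the
# scenario. The wildcard silently grants writes alongside reads.
ATTACHED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["db:*"],
     "Resource": ["arn:example:db:source-records"]},
    {"Effect": "Deny",
     "Action": ["db:DropTable"],
     "Resource": ["*"]}
  ]
}
""")

# Constructed catalogue of concrete actions that wildcards can expand to.
KNOWN_ACTIONS = {
    "db:Select", "db:DescribeTable", "db:Insert", "db:Update", "db:Delete",
    "db:DropTable",
}
WRITE_ACTIONS = {"db:Insert", "db:Update", "db:Delete", "db:DropTable"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def effective_permissions(policy, known_actions=KNOWN_ACTIONS):
    """Return {resource: set(actions)} actually granted: wildcards are expanded
    against the catalogue and an explicit Deny always wins over an Allow."""
    allowed, denied = {}, {}
    for stmt in policy["Statement"]:
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in _as_list(stmt["Action"]):
            for action in known_actions:
                if fnmatch.fnmatchcase(action, pattern):
                    for resource in _as_list(stmt["Resource"]):
                        bucket.setdefault(resource, set()).add(action)
    effective = {}
    for resource, actions in allowed.items():
        blocked = set()
        for deny_resource, deny_actions in denied.items():
            if fnmatch.fnmatchcase(resource, deny_resource):
                blocked |= deny_actions
        remaining = actions - blocked
        if remaining:
            effective[resource] = remaining
    return effective


def excess_permissions(policy, intended=INTENDED):
    """Actions granted beyond the intended scope, keyed by resource.
    Anything returned here is a finding for the access review."""
    findings = {}
    for resource, actions in effective_permissions(policy).items():
        extra = actions - intended.get(resource, set())
        if extra:
            findings[resource] = sorted(extra)
    return findings


def least_privilege_policy(intended=INTENDED):
    """Emit a policy granting exactly the intended actions: one statement per
    resource, concrete action names, no wildcards to expand later."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": [resource]}
            for resource, actions in intended.items()
        ],
    }


if __name__ == "__main__":
    for resource, extra in excess_permissions(ATTACHED_POLICY).items():
        writes = [a for a in extra if a in WRITE_ACTIONS]
        print(f"{resource}: excess {extra}; write capability: {writes}")
    print(json.dumps(least_privilege_policy(), indent=2))
```

Running the audit against the attached policy reports `db:Delete`, `db:Insert` and `db:Update` as excess on the source-records resource, which is exactly the write path the scenario describes; the generated policy, fed back through the same check, produces no findings. In a real estate the intended-scope map would come from the identity's documented purpose (or its RBAC/ABAC role definition) rather than a literal in the script, and the catalogue from the provider's published action list.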

Best Practices

  • Implement segregation of duties for critical systems
  • Use just-in-time (JIT) access for elevated permissions
  • Conduct regular access reviews and revoke unnecessary permissions
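The three practices above fit together as one workflow: a non-human identity keeps only a minimal standing role, gets elevated permissions just in time under a separate approver, and anything still held but unused is flagged at the next review. The in-memory store below is an added example, not code from the OWASP page or any product; the identities, roles, actions and the one-hour elevation ceiling are all constructed assumptions.

```python
"""Just-in-time elevation with automatic expiry, approver separation and a
periodic access review. Added example, not from the OWASP NHI Top 10 page;
the store is an in-memory list and every identity, role and action is
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed: permanent, minimal roles per non-human identity.
STANDING_ROLES = {
    "svc-ai-pipeline": {"reader"},
    "svc-deploy": {"deployer"},
}
# Constructed: role -> actions it permits.
ROLE_ACTIONS = {
    "reader": {"db:Select"},
    "deployer": {"deploy:Push"},
    "db-admin": {"db:Select", "db:Update", "db:Delete"},
}
MAX_ELEVATION = timedelta(hours=1)          # policy ceiling for any JIT grant
T0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed "now"


def minutes(n):
    return timedelta(minutes=n)


@dataclass
class Grant:
    identity: str
    role: str
    approver: str
    issued_at: datetime
    expires_at: datetime
    last_used: Optional[datetime] = None


@dataclass
class JitAccessStore:
    grants: list = field(default_factory=list)

    def request_elevation(self, identity, role, approver, now, ttl=MAX_ELEVATION):
        """Segregation of duties: the requester cannot approve itself, and no
        grant may outlive the policy ceiling."""
        if approver == identity:
            raise PermissionError("requester cannot approve its own elevation")
        if ttl > MAX_ELEVATION:
            raise ValueError("requested TTL exceeds policy maximum")
        if role not in ROLE_ACTIONS:
            raise KeyError(role)
        grant = Grant(identity, role, approver, now, now + ttl)
        self.grants.append(grant)
        return grant

    def is_authorized(self, identity, action, now):
        """Check the standing role first, then any unexpired JIT grant. Using a
        grant stamps last_used so the review can tell live from idle."""
        for role in STANDING_ROLES.get(identity, set()):
            if action in ROLE_ACTIONS[role]:
                return True
        for g in self.grants:
            if g.identity == identity and g.expires_at > now \
                    and action in ROLE_ACTIONS[g.role]:
                g.last_used = now
                return True
        return False

    def revoke_expired(self, now):
        """Drop expired grants; the removed list feeds the audit log."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        return expired

    def access_review(self, now, idle_after=minutes(15)):
        """Live grants that have gone unused for idle_after are candidates for
        early revocation rather than waiting for expiry."""
        candidates = []
        for g in self.grants:
            if g.expires_at <= now:
                continue
            reference = g.last_used or g.issued_at
            if now - reference > idle_after:
                candidates.append(g)
        return candidates


if __name__ == "__main__":
    store = JitAccessStore()
    g = store.request_elevation("svc-ai-pipeline", "db-admin", "oncall-dba", T0, minutes(30))
    print("write at +5m:", store.is_authorized("svc-ai-pipeline", "db:Update", T0 + minutes(5)))
    print("idle at +25m:", [x.role for x in store.access_review(T0 + minutes(25))])
    print("write at +31m:", store.is_authorized("svc-ai-pipeline", "db:Update", T0 + minutes(31)))
    print("revoked:", [x.role for x in store.revoke_expired(T0 + minutes(31))])
```

The service account can read at any time through its standing role, gains write only for the thirty minutes the approved grant lasts, shows up in the review once it has been idle longer than the threshold, and loses the elevation automatically at expiry with a record of what was revoked.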

Related Risks

Improper Offboarding

Inadequate deactivation or removal of non-human identities when no longer needed....

Learn more about Improper Offboarding
Secret Leakage

Unintended exposure of sensitive non-human identity credentials to unauthorized parties....

Learn more about Secret Leakage
Excessive Permissions

Non-human identities are granted more permissions than necessary for their intended functions....

Learn more about Excessive Permissions
Inadequate Rotation

Failure to regularly update or rotate credentials for non-human identities....

Learn more about Inadequate Rotation