Introducing the OWASP NHI Top 10: Standardizing Non-Human Identity Security

The non-human identity market has significantly matured in the past couple of years. While NHIs like service accounts, API keys, and OAuth apps are not new, the realization that managing and securing them has to be a priority is somewhat recent. 

With that, many security teams lack a clear, standardized view of the risks these identities pose, and how to go about including them in security programs. To address this gap, OWASP has launched the OWASP Non-Human Identities Top 10, a community-driven framework led by a collective of industry experts from leading cybersecurity companies, including Astrix Security. 

Below, we dive into why this project is critical, what the Top 10 risks are, and how you can use it as a framework to build a resilient NHI security strategy.

What are the OWASP Top 10 projects?

The OWASP Top 10 lists have long been a cornerstone of web application security and beyond. They identify the most critical risks in web applications, APIs, and more. Security professionals and development teams worldwide rely on these lists to prioritize mitigation strategies and build security frameworks. 

The new NHI Top 10 follows this tradition, providing a clear roadmap for addressing the most critical security implications of non-human identities.

Why we initiated the OWASP NHI Top 10 project

Automation, connectivity, AI adoption, and cloud adoption all rapidly increase the prevalence of non-human identities in corporate and engineering environments, making them a prominent (and very loved) attack vector for cybercriminals. OAuth apps, service accounts, secrets, AI Agents, and automated processes are often overprivileged, under-monitored, or poorly managed, all of which pose substantial risks. 

By standardizing these issues into an NHI Top 10, we aim to ensure that organizations worldwide speak a common language and follow a standard set of guidelines for securing and managing non-human identities.

A quick look at the NHI Top 10

To give you the juice you came for, we included below the NHI Top 10, with links to the full description on the OWASP website:

• NHI1:2025 – Improper Offboarding
• NHI2:2025 – Secret Leakage
• NHI3:2025 – Vulnerable Third-Party NHI
• NHI4:2025 – Insecure Authentication
• NHI5:2025 – Overprivileged NHI
• NHI6:2025 – Insecure Cloud Deployment Configurations
• NHI7:2025 – Long-Lived Secrets
• NHI8:2025 – Environment Isolation
• NHI9:2025 – NHI Reuse
• NHI10:2025 – Human Use of NHI

How we ranked the top 10

The OWASP NHI Top 10 list was ranked based on the standard parameters of the OWASP Top 10 project:

1. Exploitability: Assumes the organization already has the specific vulnerability in place and that a potential attacker possesses the necessary skills and information to exploit it.
2. Impact: Evaluates the worst-case scenario by considering the most significant damage that the risk could inflict on systems and operations.
3. Prevalence: Assesses how frequently the security weakness appears across different environments, without taking any existing protective measures into account.
4. Detectability: Looks at how difficult it would be for an organization to spot the weakness, assuming that standard monitoring and detection capabilities are being used.

The contributors – security experts from Astrix Security, Palo Alto, Torch Security, Snyk, and Orca – reviewed real-world breach data, analyzed industry trends and reports, and drew on their collective experiences to rank each risk according to the above criteria.