Video

Secure Non-Human Identities: How to Protect Your Agents, Automated Scripts, and Service Accounts

Written by

Published on

October 7, 2025

Copy link

Table of contents

FIDO passkey risks

Effective Solution

TLDR

Non-human identities (NHIs)—like bots, service accounts, and AI agents—now outnumber humans 50:1, yet most IAM frameworks overlook them.

NHIs introduce major risks: privilege escalation, credential theft, lack of visibility, and compliance violations.

Beyond Identity eliminates static credentials (API keys, client secrets) and replaces them with phishing-resistant, cryptographic authentication for both human and non-human entities.

The platform applies Zero Trust across hardware, software, and identity, ensuring bots and agents only run from authorized devices or containers.

Organizations can leverage existing tools like CrowdStrike and Jamf for continuous posture checks, full auditability, and anomaly detection—bringing NHIs into the same secure ecosystem as humans.

Transcript

SPEAKER_02 (00:00 - 00:29): All right, hello everybody. Welcome to another edition of Beyond Identity's webinars. I'm Kasia, a product marketing manager here at Beyond Identity. Today we are talking about securing non-human identities. So those agents, automated scripts, service accounts that are really, really tough to secure, how to do just that. And we have Sarah here today, who recently I've heard is basically a celebrity in the identity space. So we're really excited to have her on here.

SPEAKER_01 (00:29 - 00:30): Sarah, I'd love

SPEAKER_02 (00:30 - 00:32): to introduce yourself and take it away.

SPEAKER_01 (00:33 - 00:51): Yeah, first of all, I want to thank all of you for coming today. I know you have very busy days. I know things are moving very fast in technology, and you have a ton to do. So we really appreciate you taking the time. And it's really important. Like, you are making a good investment when you are thinking about non-human identities in your infrastructure.

SPEAKER_01 (00:51 - 01:14): Good on you for making a great investment of your time. And let's get into how we can help you secure this infrastructure really hard technical problem. So first of all, what are we talking about today when we talk about non-human identities? So when we are talking about them today, we're talking about agents, scripts, bots, and service accounts.

SPEAKER_01 (01:15 - 01:40): There's one other kind of non-human identity, which is hardware non-human identity. So think about things on the factory floor or drones. Beyond Identity can also help you with securing those, but that's a whole different webinar. So if you want to hear about that, we're happy to talk about that. But today we're going to be talking about software. So when we talk about bots, we're talking about software bots. When we talk about agents, we're talking about AI agents who may be running on your hardware or in the cloud.

SPEAKER_01 (01:40 - 01:52): We're talking about scripts and we're talking about your basic service accounts that you've had around for years. And that's where a lot of the vulnerabilities in your organization, especially in your IAM infrastructure, are going to lie.

SPEAKER_01 (01:54 - 02:04): So what do these non-human identities do? They perform automated tasks. They access systems. They manage data. They're incredibly useful, right? You cannot do without service accounts in an organization.

SPEAKER_01 (02:05 - 02:43): But they're often overlooked in traditional identity security frameworks. If you look at the NICS Digital Identity Guidelines, for example, they're focused on humans. And so when you look at frameworks and you look at – various ways of judging your security and your IAM infrastructure. Most of them will focus on passwords. They will focus on multi-factor authentication. They'll focus on how you do federation between security domains. Most of them will not focus on your non-human identities. And so it's up to you to figure out how to secure these and how to make sure that they're not going to cause a breach or have over-permissioned accounts that are going to get you in trouble.

SPEAKER_01 (02:44 - 03:02): They are critical to modern IT ecosystems, especially in the cloud, obviously. If you have a cloud environment, everything is going to be talking to everything. You have Apache and Kafka coordinating how all of these things get to message each other.

SPEAKER_01 (03:03 - 03:18): And in DevOps, you have instances of bots and scripts being created and deleted and created and deleted all the time as you do releases, as you create new things. And so if you don't secure those, you're leaving yourself

SPEAKER_00 (03:19 - 03:20): open to quite a bit

SPEAKER_01 (03:20 - 03:26): of vulnerability. So when we talk about

SPEAKER_00 (03:26 - 03:28): non-human identities getting breached, we're really

SPEAKER_01 (03:28 - 04:09): talking about four classes of risks. So the first is privilege escalation. So service accounts need to be able to do a lot of things. There was a breach just a couple of years ago. I don't know if it had a specific name, but Microsoft had an internal service account that was decades old, and it had access to every single Microsoft tenant. And things like that are absolutely lying in your organization. You have skeletons in your closet, I am sure all organizations do, where your service accounts have access to all sorts of things so that they can do things like taxes or HR or things that all of your tenants need, all of your employees need.

SPEAKER_01 (04:09 - 04:19): And so they have access to everything. And when you have that kind of privilege escalation, those service accounts are prime targets for attackers for obvious reasons.

SPEAKER_01 (04:20 - 04:35): The next is credential theft. So everyone knows about accidentally checking in an API key into a GitHub repo. If you do that, that credential is compromised and you're going to have to rotate it And until you do, your environment is wide open.

SPEAKER_01 (04:35 - 04:51): So keeping track of those credentials is very complicated. Having those secrets lying around, we call that secrets for all, right? It comes all over your organization. Every app that you create ends up having a secret, especially if you're using a microservices architecture, right? Everything has to talk to everything else.

SPEAKER_01 (04:52 - 05:12): If you do that with API keys, that's no better. In fact, it's worse even than having a ton of passwords in your organization that can be breached, that can be guessed. that can be reverse engineered. So credential theft, if you think it's only for humans, it is absolutely not. It is also for non-human identities.

SPEAKER_01 (05:13 - 05:35): And then lack of visibility. So often in your IDP, in your identity provider, you will have logs and you will have alerts for what humans are doing. If there are a bunch of human authentications that fail, If we see Kasha and Kasha has tried to log in 10 times this morning and every time she's had a bad password, like, yes, it's possible. Maybe she didn't have enough coffee that morning. It's happened to me.

SPEAKER_01 (05:35 - 05:57): Right. But her IT director or her CISO will get a little alert that says, hey, on your dashboard, here are the highest risk things. You might want to go Slack Kasha, see if she's just having a bad morning or see if there's actually somebody trying to compromise her account. Right. So, yeah. We have well-established ways of tracking and alerting on suspicious activity for humans.

SPEAKER_01 (05:58 - 06:16): But often with non-human identities, we don't track that, right? We know that these service accounts are going all over our organization. They're moving quickly. So if you see hundreds of transactions per second, that might not raise an alarm bell. Maybe that's perfectly normal. If you see them acting as root, maybe that's perfectly normal. Maybe that's what they're designed to do.

SPEAKER_01 (06:17 - 06:28): But maybe it's not. And so having that kind of auditing and alerting in your non-human identities, the same that you have in your human identities, is really important. And then the last is compliance violations.

SPEAKER_01 (06:29 - 06:41): So unmonitored non-human identities can lead to regulatory issues, especially if you have data sovereignty requirements where the data in your organization needs to stay within geographic boundaries.

SPEAKER_01 (06:42 - 07:00): Beyond identity respects that both in the U.S. and in Europe, And so when we manage an identity, human or non-human, we keep track of the data that that identity has access to and where that data is located, right? And if your non-human identities have access to data, they're processing data, they're managing data, they may well take it between boundaries that

SPEAKER_00 (07:00 - 07:02): can cause you regulatory problems

SPEAKER_01 (07:02 - 07:09): in the future. So let me talk a little

SPEAKER_00 (07:09 - 07:11): bit about how Beyond Identity solves

SPEAKER_01 (07:11 - 07:54): this problem with non-human identities. And the answer is that we secure all of your identities in one place, both human and non-human. So humans in the Beyond Identity ecosystem never have passwords. And just like they're humans, the non-human identities also never have passwords. So you will never see an API key. You will never see a client credential. Everything is secured with past keys, right? Right. and that is phishing-resistant authentication. So that uses the TPM in your phone or a trusted execution environment to hold a private key pair and use that key pair to sign everything you do in the environment and log it to an irrefutable log, an immutable log that cannot be changed, cannot

SPEAKER_01 (07:54 - 08:04): be forged, cannot be deleted, so that you can see everything that happens in your environment, both human and non-human, and all of it happens in a cryptographically verified way.

SPEAKER_01 (08:06 - 08:20): The second part of what we do, we call zero trust principles for secure access. And what we mean when we say zero trust is that really authenticating the human is not enough. Authenticating the software that the human is using is also not enough.

SPEAKER_01 (08:20 - 08:49): You have to authenticate all three layers of hardware, software, and human, or non-human. Right. And so when you are talking about zero access for humans, you're talking about, OK, I want to know that that is Sarah's laptop. I want to know that that instance of Microsoft Word or Google Chrome or whatever it is that she's using is a valid instance. And I want to know that that's actually Sarah. Right. So with humans, we did we do that with a biometric with machines. We do that with hardware key.

SPEAKER_01 (08:50 - 09:18): or a key in a trusted execution environment. And so when we talk about zero trust for devices, for bots, for things that are not human, that's what we mean when we say zero trust. We want to know not just that they are authenticated, that we are sure it is the human, we're sure that it's the agent we thought it was or the bot or the script that we thought it was, but also that it's following the exact same policies that the humans have to follow. And that includes device posture.

SPEAKER_01 (09:19 - 09:36): That includes looking at security signals, which brings us to number three, right? We integrate with your existing IAM tools and your existing security tooling. So if you are someone who has already invested in CrowdStrike, you've already invested in Jamf, you've already invested in EDR, you're doing everything right.

SPEAKER_01 (09:37 - 09:49): but you have these non-human identities lying outside of your IDP, right? They're out there and they're doing work, but you don't really have a good way to audit them, to log them, to make sure they're following policy.

SPEAKER_01 (09:49 - 10:17): We integrate with your existing security tooling so that the policies that are watching your environment. So you might say, you know, everyone in environment has to have a CrowdStrike score of 90 or above, right? And, you know, What Beyond Identity policy will allow you to do is force that non-human identity to authenticate, right? And it will check that the non-human identity is on the machine or the cloud or the container that you think it's running on.

SPEAKER_01 (10:18 - 10:29): And then it will check it against all of the policies that your humans are checked against. And so you can check, like, hey, I want to make sure that that agent is running on a machine that has a CrowdStrike score of 90, right?

SPEAKER_01 (10:30 - 10:41): And so that agent will not be able to do any sensitive actions unless it has that assurance. So you can use your investments in your existing security tooling and get way more out of

SPEAKER_00 (10:41 - 10:50): them, get more value out of what you're already paying for. So how does this work? When we are talking

SPEAKER_01 (10:50 - 11:10): about non-human identities, we want to make sure that they're only operating from authorized devices or containers. And what this protects against is either a forgery attack or a man-in-the-middle attack. Right. So we don't want someone to come in and say, hi, I'm the bot from Cautious HR department and I'm just going to go change her title and her salary.

SPEAKER_01 (11:11 - 11:22): We want to know that that is an actual bot that is run by her employer and that is coming from our cloud or our bare metal or our computer. Right. So.

SPEAKER_01 (11:23 - 11:34): We want to make sure that that bot is authorized and authenticated so that we know that there's not someone sitting in the middle of that transaction, and we know that that transaction itself is not forged.

SPEAKER_01 (11:34 - 12:01): And the way that we do that is by using cryptographic attestation. So we don't just sign Cata's request and say, okay, we hear you bot. Please sign this challenge and bring it back to us. Okay, you're in. It's not that easy. Okay. that challenge also asks the computer that the bot is running on to tell us things about itself that we don't trust the bot to tell us. So the bot may be malicious, right?

SPEAKER_01 (12:02 - 12:38): If it is a malicious bot, it will just tell us, oh, yes, of course I'm running on something with a high security posture, right? We want to ask the computer itself what the posture of the machine is and what the provenance of the applications on the machine are. So, When we do that challenge, we're not just looking for the cryptographic response. We are also looking for information about the operating system, information about the applications, information about what kind of security tooling is running and active on that computer. Is it running CrowdStrike? Is that CrowdStrike active? Is it reporting back?

SPEAKER_01 (12:39 - 12:49): All of those things we can check in real time, and we get that information from the computer itself, like tested with our computer, private key so that we know that it's coming from the right computer.

SPEAKER_01 (12:51 - 13:16): So that's what cryptographic attestation is all about. It's not just a cryptographic call-on response. It's actually validating the whole machine and everything we're basing our trust on. And that prevents unauthorized environments from executing scripts or agents. So you will not see any agents able to execute from an environment that hasn't been approved by you, that hasn't been authorized by you, that's coming from someone else's cloud, that's coming from some other country.

SPEAKER_01 (13:17 - 13:30): This enables you to really restrict where those bots and agents can do their work so that you know that everything they're doing is logged, Everywhere they're coming from is valid and authorized.

SPEAKER_01 (13:31 - 13:47): So, for example, you might have a service account that's running in Azure. It's doing great. And you can use Beyond Identity to make sure that it's coming from Azure, from your Azure tenant, from the trusted execution environment in your Azure tenant so that you are absolutely sure that this is not an imposter.

SPEAKER_02 (13:49 - 14:24): Awesome. Sarah, I have a quick question for you, actually, now that we're going through this. And so... you know, technically this sounds amazing. I'm kind of trying to put myself in the shoes of like a security professional, IT professional, who's, you know, looking for solutions around this pain point. And this sounds technically great, but how do I like commandeer a team to rally behind this? How do I get my CISO to jump on board with this? What can I actually communicate across to my manager and my team to rally behind this? How do I even get budget for something like this?

SPEAKER_01 (14:24 - 14:36): That's such a great question. It comes up in our sales conversations all the time to say, like, we have people who love us in organizations, but they say, you know what, I can't just magic a budget line item out of thin air.

SPEAKER_01 (14:37 - 15:02): I have to tie it to something. I have to tie it to some sort of project. And usually where we see people getting the money for this is in – Static credentials. So if your organization does have the kind of secret sprawl that I was talking about earlier, where you have API keys and you have client credentials, that is a major vulnerability. And that is increasing the cost of your cybersecurity insurance. That is reducing the security of your environment.

SPEAKER_01 (15:02 - 15:28): And especially for companies that are starting to build out AI infrastructure and AI agents within their organization, either internal facing or external facing, if your infrastructure is based on API keys and you're giving that AI an API key and telling it, here's how you go interact. Or you're giving it a client credential and you're saying, okay, go to MCP with all of our tools and here's your client credential to go do that.

SPEAKER_01 (15:28 - 15:43): That is shockingly bad. That is building your house, your entire AI house on a very shaky foundation. And so in order to really get that firm foundation in place before you start building, you can use part of that AI budget to say, you know what?

SPEAKER_01 (15:44 - 15:59): we're not going to build on this foundation. In fact, we're going to eradicate secrets across our organization, secrets for humans, secrets for non-humans. No one is going to be in the business of making sure that API keys stay secret, that client credentials stay secret, that passwords stay secret.

SPEAKER_01 (15:59 - 16:29): Like, let's just not even try to do that because that is a fool's errand. That is not a good idea. And so the way that people get budget for this is by tying it to modernization products, tying it to AI projects, And tying it to security projects, right? So anything that will help you get to the secret sprawl problem is usually how we get the budget to really push Beyond Identity into the organization so that we can get that really firm foundation for the developers to start building on.

SPEAKER_02 (16:30 - 16:42): Yeah, that's a great point, especially with the AI agents. We even have some of our own customers that are building their own AI agents just because of confidential and PII reasons. They want to keep all of that in-house.

SPEAKER_02 (16:43 - 16:46): But then how do you secure that? You know, what's that next step? So that's a great point.

SPEAKER_01 (16:47 - 17:05): Yes, Kasia is being very nice right now, but she has an amazing webinar. Who also is here at Beyond Identity and Hui from Monolithic Power Systems talking about their rollout of AI and how they did it with Beyond Identity. So go watch that if you're interested in that aspect.

SPEAKER_02 (17:06 - 17:07): Yes, their global head

SPEAKER_01 (17:07 - 17:08): of IT.

SPEAKER_02 (17:09 - 17:19): vibe coded on weekends, on weeknights, his own AI agents that a thousand plus employees are now using. So it is a great webinar to watch. Thank you

SPEAKER_01 (17:19 - 17:24): for mentioning. Yep. And if you're thinking about doing that, you should absolutely take a look at that.

SPEAKER_00 (17:24 - 17:24): Yep.

SPEAKER_01 (17:25 - 18:02): Okay. So the last thing I want to talk about is how you have oversight over non-human identities. So we talked before about how most people do have logging and alerting of humans at this point. But they are not tracking what their non-human identities and their service accounts are doing in their environments. And so Beyond Identity will track every time a non-human identity authenticates and how it was authorized, exactly what policies allowed it to do the thing that it did and exactly what its security posture was at the time that it did that. So you can have those logs both for compliance, for regulatory reasons, and for forensic analysis.

SPEAKER_01 (18:03 - 18:14): So if there is an attacker in your system and you're using beyond identity, you know exactly where that attacker is. You know what kind of computer that attacker is using. Or if you don't have computer information, you know for sure that they're using a VM.

SPEAKER_01 (18:15 - 18:44): So we get really, really rich forensic analysis when you're trying to run it on human identity, on beyond identity. And you can detect anomalies. So you can see things that are unusual. You can use the existing security tooling that you have already purchased that you're using to dig through your logs. We will give you the raw data for those logs to detect anomalies in the way that your non-human identities are acting so that if you do see a privilege escalation, if you do see some unusual behavior, you'll be able to alert on that.

SPEAKER_01 (18:45 - 18:57): And we'll integrate with your existing SIM tools, so you can do that all from the SOC you already have, right? This isn't a whole new thing that you have to invest in. This is giving your SOC richer information about your non-human identities.

SPEAKER_01 (18:59 - 19:16): So that's what we have for you today. We would love to talk to you and get this project started with you. Non-human identities are one of the biggest return on investment you can do in identity and access management in terms of money and time spent to improve your security.

SPEAKER_01 (19:17 - 19:33): Non-human identities are very, very important and getting them in line in the same authorization scheme and the same audit place at the same log logging place as your humans is critical to having comprehensive security across your organization.

SPEAKER_01 (19:34 - 19:41): So please visit the website. Talk to me. Talk to Kasha. We would be happy to put together a demo or proof of concept for your company.

SPEAKER_02 (19:41 - 19:54): Absolutely. Yeah, I think I saw one of your insights recently that non-human identities outnumber human identities 50 to 1. So it's more critical now than ever, for sure.

SPEAKER_02 (19:54 - 20:28): One thing I forgot to mention is where to find that webinar that we just talked about with Cui. the AI agents. If you go to our YouTube channel, look up Beyond Identity on YouTube, look up on our channel, Securing Enterprise AI. It'll be the first thing that comes up. So that's actually where to find it. But yes, the next step here in terms of securing non-human identities, go to beyondidentity.com slash demo. We're happy to show you more, happy to talk about it, happy to understand what you're dealing with, what your pain points are, and work towards those. So thank you again for taking the time out of your day and excited to see you next time. Thank you.

‍