Term · 28. International Regulations
OWASP NHI Top 10
Definition
OWASP Non-Human Identities (NHI) Top 10 (2025) — community-curated catalogue of the most critical risks affecting non-human identities (service accounts, API keys, OAuth secrets, machine certificates, workload identities). The ten risks: NHI1 (Improper Offboarding), NHI2 (Secret Leakage), NHI3 (Vulnerable Third-Party NHI), NHI4 (Insecure Authentication), NHI5 (Overprivileged NHI), NHI6 (Insecure Cloud Deployment Configurations), NHI7 (Long-Lived Secrets), NHI8 (Environment Isolation), NHI9 (NHI Reuse), NHI10 (Human Use of NHI).
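The ten categories above are only useful once you can test an actual inventory against them. The following is an added example, not code from the OWASP project: it audits a constructed list of non-human identities against six of the risks (NHI1, NHI5, NHI7, NHI8, NHI9, NHI10) using simple heuristics. The `NHI` record layout, the 90-day rotation window, the set of "admin" scopes and the sample inventory are all assumptions made for the example; treat the thresholds as policy knobs, not as values from the OWASP list.

```python
"""Audit an NHI inventory against several OWASP NHI Top 10 (2025) risks.

Added example; the inventory schema, thresholds and sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

MAX_SECRET_AGE_DAYS = 90               # assumed rotation policy (NHI7)
ADMIN_SCOPES = {"admin", "*", "iam:*"}  # assumed "overprivileged" markers (NHI5)


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                    # "service_account", "api_key", "oauth_client", ...
    owner: str | None            # responsible human/team; None means nobody recorded
    owner_active: bool           # False once the owner has left the organisation
    environment: str             # "prod", "staging", "dev"
    secret_fingerprint: str      # hash of the credential, never the credential itself
    secret_created: date
    scopes: frozenset[str] = field(default_factory=frozenset)
    interactive_logins: int = 0  # human sign-ins observed with this machine credential


def audit(inventory: list[NHI], today: date) -> dict[str, list[str]]:
    """Return {risk id: [NHI names]} for every NHI that trips a heuristic."""
    findings: dict[str, list[str]] = {}

    def flag(risk: str, nhi: NHI) -> None:
        findings.setdefault(risk, []).append(nhi.name)

    # Group by credential fingerprint so shared secrets can be spotted (NHI8/NHI9).
    by_fingerprint: dict[str, list[NHI]] = {}
    for nhi in inventory:
        by_fingerprint.setdefault(nhi.secret_fingerprint, []).append(nhi)

    for nhi in inventory:
        if nhi.owner is None or not nhi.owner_active:
            flag("NHI1", nhi)   # Improper Offboarding: orphaned or owner has left
        if nhi.scopes & ADMIN_SCOPES:
            flag("NHI5", nhi)   # Overprivileged NHI: wildcard/admin scope granted
        if (today - nhi.secret_created).days > MAX_SECRET_AGE_DAYS:
            flag("NHI7", nhi)   # Long-Lived Secrets: past the rotation window
        if nhi.interactive_logins > 0:
            flag("NHI10", nhi)  # Human Use of NHI: people signing in with it

    for users in by_fingerprint.values():
        if len(users) < 2:
            continue
        spans_envs = len({u.environment for u in users}) > 1
        for u in users:
            flag("NHI9", u)         # NHI Reuse: one credential, several identities
            if spans_envs:
                flag("NHI8", u)     # Environment Isolation: reuse crosses prod/non-prod

    return findings


def sample_inventory() -> list[NHI]:
    """Constructed sample data; not taken from any real environment."""
    return [
        NHI("billing-api-prod", "service_account", "alice", True, "prod",
            "fp-a", date(2025, 1, 1), frozenset({"billing:read"})),
        NHI("ci-deployer", "api_key", "bob", False, "prod",
            "fp-b", date(2024, 6, 15), frozenset({"admin"}), interactive_logins=3),
        NHI("staging-worker", "service_account", "team-platform", True, "staging",
            "fp-a", date(2025, 1, 1), frozenset({"queue:write"})),
        NHI("report-job", "oauth_client", None, True, "dev",
            "fp-c", date(2025, 3, 1), frozenset({"reports:read"})),
    ]


def run_sample() -> dict[str, list[str]]:
    """Audit the sample inventory as of a fixed date so results are reproducible."""
    return audit(sample_inventory(), date(2025, 4, 1))


if __name__ == "__main__":
    for risk, names in sorted(run_sample().items()):
        print(f"{risk}: {', '.join(names)}")
```

Two design points worth noting: the audit works only on credential fingerprints, so the secrets themselves never need to leave the vault; and `billing-api-prod` sits exactly at 90 days, which the strict `>` comparison does not flag, so decide deliberately whether your rotation window is inclusive. Real deployments would feed `audit()` from the cloud provider's IAM and secret-manager APIs rather than a hand-built list.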
- Synonyms
  - OWASP Non-Human Identities Top 10
- Discouraged variants
  - **OWASP NHI Top 10 (2025)**
- Application
  - Regulatory: OWASP NHI Top 10 (2025) / SAMM
- Standards & regulations
  - OWASP
- Sources
  - OWASP Non-Human Identities Top 10 (2025) primary source
Related terms
- Entitlement Creep: Gradual accumulation of access rights beyond what's needed for current job, as users change roles without losing prior a …
- Over-provisioning: Granting access beyond what's needed for the role — common cause of attack surface expansion and SoD violations. Sources …
- DIRM (DIRM): Digital Identity Risk Management — the NIST SP 800-63-4 process for managing digital identity risk. Replaces the static …
- FAL (FAL): NIST SP 800-63C Federation Assurance Level — measures the strength of federated identity assertions between identity pro …
- Orphan Account: Account in a target system that cannot be correlated to any identity in the identity warehouse — abandoned by previous o …
- Remediation (Rem): Action taken to correct an identified identity risk or policy violation — disable orphan account, revoke excessive entit …