They are using some fancy wording, but this just seems to be about regular service accounts (i.e. "bots") when they are mixed with user accounts in a SoA setting. No AI needed.
AI is not mentioned. Besides, service accounts are not bots.
The collection provides a structured approach to self audit the security practice regarding non-human identities. The recent CCC showcased breach of a VW connected car repository based on the exploitation of those NHI.
I agree. A bot is a program or an application that provides some sort of functionality that appears automated or autonomous in some way. A service account could be the primary identity of a bot, but that doesn't make it a bot.
> Non-human identities (NHIs) are used to provide authorization to software entities such as applications, APIs, bots, and automated systems to access secured resources. Unlike human identities, NHIs are not controlled or directly owned by a human. Their identity object and authentication often work differently to human, and common human user security measures do not apply to them.
I think it's just a fancy description for service accounts, but possibly extended to any kind of access that is used for machine-to-machine interaction rather than for users; I guess tokens used by IoT devices to access an API would also count as NHI. I guess that "Non-Human" doesn't imply any AI around (nor other animals or extraterrestrials, although I guess nobody thought that...).
The collection provides a structured approach to self audit the security practice regarding non-human identities. The recent CCC showcased breach of a VW connected car repository based on the exploitation of those NHI.