by ALLTaken
497 days ago
I am confused by the wording. Is there an official description of Non-Human Identities? I only know service accounts, which pose a similar threat. Both AI and humans can use service accounts and API keys to pose the same threats. But it's ultimately known and widespread as service accounts from what I know.
Is non-human identity referring to a special case or attack vector?

> Non-human identities (NHIs) are used to provide authorization to software entities such as applications, APIs, bots, and automated systems to access secured resources. Unlike human identities, NHIs are not controlled or directly owned by a human. Their identity object and authentication often work differently to human, and common human user security measures do not apply to them.
https://owasp.org/www-project-non-human-identities-top-10/20...