Paco Sepúlveda warns about non-human identities

- Cybersecurity consultant Paco Sepúlveda said companies are watching employee logins while missing machine accounts that run cloud pipelines, application links and software bots.
- Sepúlveda said stolen valid tokens let those automated systems keep acting with broad privileges, turning one exposed credential into process-level cloud damage.
- Security guidance is shifting toward machine identities, secret rotation and behavior monitoring. (owasp.org)

A non-human identity is a login for software, not a person: service accounts, application tokens, build pipelines and software-to-software connections. Paco Sepúlveda said those identities are now a weak point in cloud security. (owasp.org) (techcommunity.microsoft.com) These accounts let continuous integration and continuous delivery systems ship code, let application programming interfaces exchange data, and let software-as-a-service tools sync with each other. Microsoft said those machine-to-machine identities have become vital to modern work and a prime target for attackers. (techcommunity.microsoft.com)

The basic problem is simple: if an attacker gets a valid token or secret, the system may treat that attacker like a trusted process. OWASP's 2025 Non-Human Identities Top 10 lists insecure authentication, secret leakage and overprivileged identities among the top risks. (owasp.org) That is the point behind Sepúlveda's warning about "valid tokens." A stolen token can let an automated job keep moving through cloud accounts and software services without tripping controls built mainly for human logins. (owasp.org) (cloudsecurityalliance.org)

Security teams have spent years tightening sign-ins for employees with multifactor authentication and single sign-on. But GitGuardian said non-human identities often lack the same onboarding, monitoring and offboarding controls used for human accounts. (gitguardian.com)

The scale is part of the risk. GitGuardian said non-human identities outnumber human identities by 45 to 100 times in large organizations, while Token Security said they represent more than 98% of identities in many enterprises. (gitguardian.com) (token.security) That leaves companies with thousands of secrets, keys and tokens spread across cloud platforms, code repositories and software integrations. OWASP and Microsoft both describe service accounts, workload identities and access tokens as foundational to business processes and attractive attack paths. (owasp.org) (techcommunity.microsoft.com)

The response Sepúlveda pointed to matches the direction of current guidance: inventory machine identities, assign owners, cut privileges, rotate secrets and watch how automated processes behave after authentication. The Cloud Security Alliance said user-centric identity controls keep failing when they are applied to autonomous systems. (cloudsecurityalliance.org) (owasp.org)

In plain terms, the warning is that a company can lock down employee accounts and still leave the keys in its unattended software connections. The attack surface is no longer just who logs in, but what logs in and keeps running. (techcommunity.microsoft.com) (cloudsecurityalliance.org)
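As an added illustration of the post-authentication behavior monitoring described in the guidance above (example code written for this page, not from any of the sources cited), the following Python builds a per-identity baseline of where each machine account acts from and what it does, then flags later events that fall outside it or come from an identity missing from the inventory. The identity names, network ranges and action names are constructed.

```python
from collections import defaultdict

# Constructed sample audit records (not from any real cloud provider).
# Each tuple: (machine identity, source network it acted from, action taken).
BASELINE_WINDOW = [
    ("ci-deploy-bot", "10.20.0.0/16", "push_image"),
    ("ci-deploy-bot", "10.20.0.0/16", "update_service"),
    ("report-sync", "10.30.0.0/16", "read_report_bucket"),
]

# Constructed later events, including the kinds of deviation a stolen but
# still-valid token produces: same identity, new network, or new action.
NEW_EVENTS = [
    ("ci-deploy-bot", "10.20.0.0/16", "update_service"),    # matches baseline
    ("ci-deploy-bot", "203.0.113.0/24", "update_service"),  # new source network
    ("report-sync", "10.30.0.0/16", "create_access_key"),   # new action
    ("legacy-sync-job", "10.40.0.0/16", "read_report_bucket"),  # not inventoried
]


def build_baseline(events):
    """Map each identity to the source networks and actions seen in the baseline window."""
    baseline = defaultdict(lambda: {"sources": set(), "actions": set()})
    for identity, source, action in events:
        baseline[identity]["sources"].add(source)
        baseline[identity]["actions"].add(action)
    return baseline


def find_deviations(baseline, events):
    """Return (identity, reason) pairs for events outside the identity's baseline.

    Authentication succeeded for every event here; the check looks at what the
    identity did afterwards, which is what login-centric controls do not see.
    """
    findings = []
    for identity, source, action in events:
        profile = baseline.get(identity)
        if profile is None:
            findings.append((identity, "unknown identity (not in inventory)"))
            continue
        if source not in profile["sources"]:
            findings.append((identity, f"new source network {source}"))
        if action not in profile["actions"]:
            findings.append((identity, f"new action {action}"))
    return findings


if __name__ == "__main__":
    for identity, reason in find_deviations(build_baseline(BASELINE_WINDOW), NEW_EVENTS):
        print(f"{identity}: {reason}")
```

In practice the baseline window would be built from a longer history and the findings routed to review alongside the identity's assigned owner.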
