NHI Security
Non-Human Identity (NHI) Security provides comprehensive visibility and governance for service accounts, API keys, and automated systems across your infrastructure. NHI accounts often operate with elevated privileges without regular oversight, creating security risks through credential exposure, excessive permissions, and lack of ownership accountability.
Organizations typically have 10-45 NHI accounts per human user, making visibility essential for reducing attack surface.
Access the centralized NHI dashboard through NHI Security > Overview in the main navigation. The dashboard displays priority integrations with key security metrics.
1. Review the Overview: Navigate to NHI Security > Overview to assess your current NHI landscape
2. Identify Priority Areas: Look for integrations with high unowned account counts
3. Establish Ownership: Begin by assigning owners to critical NHI accounts using the bulk assignment features
4. Set Up Monitoring: Create Rules and Alerts for ongoing NHI governance
5. Implement Reviews: Configure Access Reviews for regular NHI validation
6. Build Queries: Use Query Builder to create NHI-specific analysis queries
- Total NHI Accounts: Count of discovered non-human identities
- Unowned Accounts: Accounts requiring ownership assignment
- High-Risk Accounts: Accounts with admin privileges or security concerns
- Keys & Secrets: Associated cryptographic keys and credentials
- Credential Status: Rotation compliance and expiration tracking
Click any integration card to filter the NHI Accounts view to that specific platform.
Veza automatically identifies non-human identities using built-in detection rules across 40+ integrations. Learn how classification works in NHI Identity Classification Logic.
Veza discovers NHI entities from supported integrations, including:
- Cloud Service Accounts: AWS IAM users, Azure service principals, Google Cloud service accounts
- Application Accounts: Service accounts in enterprise applications
- Workload Identities: Kubernetes service accounts, container runtime identities
- Integration Users: System accounts for API integrations and automation
- Deploy Keys: GitHub deploy keys, SSH keys for automated deployments
Administrators can add Enrichment Rules to augment automatic NHI detection:
- Naming conventions (e.g., accounts containing "svc-", "service-account-")
- Attribute patterns (missing email addresses, specific group memberships)
- Custom tags or metadata
Go to Integrations > Enrichment Rules to create and manage rules.
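To make the three enrichment-rule kinds above concrete, here is an added example (not Veza's code or rule syntax) of a small rule engine that tags accounts as non-human identities by naming convention, attribute pattern, and custom tag. The account records, field names, group name and tag key are constructed assumptions, not Veza's data model.

```python
# Added example, not Veza code: a minimal enrichment-rule engine that classifies
# accounts as NHI using naming conventions, attribute patterns and custom tags.
# Account fields (name, email, groups, tags) are assumed, not Veza's schema.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    name: str
    email: Optional[str] = None
    groups: Set[str] = field(default_factory=set)
    tags: Dict[str, str] = field(default_factory=dict)


# A rule is a (label, predicate) pair; the label records why an account matched,
# which is what a reviewer needs when deciding whether the classification is right.
Rule = Tuple[str, Callable[[Account], bool]]


def naming_rule(*fragments: str) -> Rule:
    """Naming-convention rule: the account name contains one of the fragments."""
    lowered = [f.lower() for f in fragments]
    return ("naming:" + "|".join(fragments),
            lambda a: any(f in a.name.lower() for f in lowered))


def missing_email_rule() -> Rule:
    """Attribute-pattern rule: human users normally have a mailbox, NHIs often do not."""
    return ("attribute:missing-email", lambda a: not a.email)


def group_rule(group: str) -> Rule:
    """Attribute-pattern rule: membership in a group reserved for automation."""
    return (f"attribute:group={group}", lambda a: group in a.groups)


def tag_rule(key: str, value: str) -> Rule:
    """Custom-tag rule: an explicit metadata marker set by the owning team."""
    return (f"tag:{key}={value}", lambda a: a.tags.get(key) == value)


# Assumed rule set; the "svc-" / "service-account-" fragments are the page's examples.
DEFAULT_RULES: List[Rule] = [
    naming_rule("svc-", "service-account-"),
    missing_email_rule(),
    group_rule("automation"),
    tag_rule("identity_type", "service"),
]


def classify(accounts: List[Account], rules: List[Rule] = DEFAULT_RULES) -> Dict[str, List[str]]:
    """Map each account name to the labels of the rules it matched.
    An empty list means no rule fired and the account is treated as human."""
    return {a.name: [label for label, pred in rules if pred(a)] for a in accounts}


def nhi_accounts(accounts: List[Account], rules: List[Rule] = DEFAULT_RULES) -> List[str]:
    """Names of accounts that matched at least one rule."""
    return [name for name, hits in classify(accounts, rules).items() if hits]


# Constructed sample accounts (not real identities).
SAMPLE_ACCOUNTS = [
    Account("svc-backup"),                                   # name + no mailbox
    Account("alice.smith", email="alice@example.com"),       # ordinary human user
    Account("ci-runner", groups={"automation"}),             # no mailbox + automation group
    Account("deploy-bot", email="deploy@example.com",
            tags={"identity_type": "service"}),              # explicit tag only
]

if __name__ == "__main__":
    for name, hits in classify(SAMPLE_ACCOUNTS).items():
        print(f"{name:12} {'NHI' if hits else 'human':6} {hits}")
```

Keeping the matched labels (rather than a bare boolean) is the design point: an account flagged only by a missing email address deserves a human look before it is governed as an NHI, whereas one that matches a naming convention and an explicit tag can be bulk-assigned an owner with more confidence.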
Veza identifies keys, secrets, and credentials across integrated systems. See NHI Secrets for supported entity types, including:
- Cryptographic Keys: AWS KMS keys, Azure Key Vault keys, Google Cloud KMS keys
- Application Secrets: Configuration secrets, API tokens, database connection strings
- Access Credentials: Long-lived authentication tokens, certificates
The Entity Owners feature enables human accountability for NHI by assigning human owners to accounts, individually or in bulk:
1. From the NHI Accounts view, select accounts needing ownership
2. Use Assign Entity Owners to link accounts to responsible teams or individuals
After assigning ownership for NHI entities, you can use filters to search for entities with no owners, assign Access Reviews to owners, and create rules and alerts when new entities are detected with no owners.
See Managers and Resource Owners for more about auto-assigning Access Reviews using NHI owner metadata.
You can use Veza to implement governance workflows for NHI accounts:
- Create Reviews: Use Access Review Configuration to set up NHI-specific reviews
- Schedule Reviews: Establish regular review cycles with Schedule an Access Review
- Review Intelligence: Apply Review Intelligence Policies to automate NHI governance decisions
Use Veza's analysis capabilities to identify security risks such as unrotated or expired credentials, keys with excessive permissions, and secrets stored outside of proper vaults:
Use Veza Query Language (VQL) to create sophisticated queries for NHI analysis. These queries can be used to create Access Review Configurations, construct custom dashboards, and generate reports.
Leverage the Veza Graph search interface to:
- Visualize NHI relationships and permissions
- Trace access paths from NHI accounts to sensitive resources
- Understand permission inheritance and effective access
Use the Access Intelligence Compare functionality to:
- Compare permissions between similar NHI accounts
- Analyze differences in access patterns
- Identify permission drift or inconsistencies
Set up proactive monitoring with Rules and Alerts:
- Alert on new unowned NHI accounts
- Monitor for NHI permission escalations
- Detect inactive NHI accounts with active credentials
Use Access Intelligence Risks to assign criticality levels to NHI queries:
- Prioritize NHI security issues by risk level
- Track risk trends over time
- Focus remediation efforts on critical accounts
Leverage Activity Monitoring to:
- Track NHI account usage patterns
- Detect unusual access behavior
- Monitor for potential credential compromise
Access NHI-focused reports through Dashboards:
- NHI inventory summaries by integration
- Ownership coverage reports
- Risk assessment dashboards
Create tailored reports using Reports:
- Export NHI data for compliance audits
- Generate ownership assignment reports
- Create executive summaries of NHI security posture
Automate report delivery with Scheduled Exports for regular compliance reporting, stakeholder updates, and integration with external systems.
Use Veza Query Language to find NHI accounts lacking ownership:
Create queries to find NHI accounts with admin-level access:
Monitor cryptographic key age and rotation status:
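The three analyses just listed (unowned NHI accounts, admin-level NHI access, and key age and rotation status), plus the "inactive account with active credentials" alert condition from the Rules and Alerts section, expressed as an added example in plain Python over a constructed NHI inventory. This is not VQL and not Veza's data model: record fields, role names, the 90-day rotation threshold and the 60-day inactivity threshold are all assumptions chosen for illustration.

```python
# Added example, not Veza's VQL: the page's NHI analyses run over a constructed
# inventory. Field names, role names, thresholds and key ids are assumptions.
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Fixed reference date so the example is deterministic when run offline.
TODAY = date(2024, 6, 1)

# Constructed sample inventory (not real accounts or keys): one record per NHI.
INVENTORY: List[dict] = [
    {"name": "svc-backup", "owner": None, "roles": {"AdministratorAccess"},
     "last_activity": date(2024, 5, 30),
     "keys": [{"id": "key-1", "created": date(2023, 1, 15), "expires": None, "active": True}]},
    {"name": "ci-runner", "owner": "platform-team", "roles": {"ReadOnly"},
     "last_activity": date(2024, 5, 28),
     "keys": [{"id": "key-2", "created": date(2024, 4, 1), "expires": None, "active": True}]},
    {"name": "legacy-etl", "owner": "data-team", "roles": {"DataPipelineWriter"},
     "last_activity": date(2024, 1, 10),
     "keys": [{"id": "key-3", "created": date(2024, 5, 1), "expires": date(2024, 5, 15), "active": True}]},
    {"name": "deploy-bot", "owner": None, "roles": {"Owner"},
     "last_activity": date(2024, 5, 31), "keys": []},
]

ADMIN_MARKERS = ("admin", "owner")      # assumed substrings that denote admin-level roles
MAX_KEY_AGE = timedelta(days=90)        # assumed rotation policy
INACTIVITY = timedelta(days=60)         # assumed dormancy threshold


def unowned(inventory: List[dict]) -> List[str]:
    """NHI accounts with no human owner assigned."""
    return [a["name"] for a in inventory if not a.get("owner")]


def admin_level(inventory: List[dict]) -> List[str]:
    """NHI accounts holding a role whose name marks it as admin-level."""
    return [a["name"] for a in inventory
            if any(m in role.lower() for role in a["roles"] for m in ADMIN_MARKERS)]


def stale_keys(inventory: List[dict], today: date = TODAY) -> List[Tuple[str, str, str]]:
    """(account, key id, reason) for keys past expiry or older than the rotation window.
    Expiry is checked first: an expired key is a finding regardless of its age."""
    findings = []
    for a in inventory:
        for k in a["keys"]:
            age = today - k["created"]
            expired = k["expires"] is not None and k["expires"] < today
            if expired or age > MAX_KEY_AGE:
                findings.append((a["name"], k["id"], "expired" if expired else f"{age.days}d old"))
    return findings


def dormant_with_live_credentials(inventory: List[dict], today: date = TODAY) -> List[str]:
    """Accounts idle longer than INACTIVITY that still hold an active key: the
    combination the page's Rules and Alerts section singles out for detection."""
    return [a["name"] for a in inventory
            if today - a["last_activity"] > INACTIVITY and any(k["active"] for k in a["keys"])]


def report(inventory: List[dict], today: date = TODAY) -> Dict[str, list]:
    """Bundle all four analyses, the shape a dashboard or scheduled export would consume."""
    return {
        "unowned": unowned(inventory),
        "admin_level": admin_level(inventory),
        "stale_keys": stale_keys(inventory, today),
        "dormant_with_live_credentials": dormant_with_live_credentials(inventory, today),
    }


if __name__ == "__main__":
    for check, hits in report(INVENTORY).items():
        print(f"{check}: {hits}")
```

The intersection of these lists is where remediation effort belongs first: an account that is both unowned and admin-level (here the constructed `svc-backup` and `deploy-bot`) has nobody accountable for a credential that can change the environment, which is the ownership gap the Entity Owners feature exists to close.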
- NHI Identity Classification Logic - Understanding how Veza classifies identities
- NHI Secrets Management - Keys, secrets, and credential discovery
- Access Reviews - Governance workflows for NHI accounts
- Enrichment Rules - Customize NHI detection
- Rules and Alerts - Proactive NHI monitoring