# NHI Security

Non-Human Identity (NHI) Security provides comprehensive visibility and governance for service accounts, API keys, and automated systems across your infrastructure. NHI accounts often operate with elevated privileges without regular oversight, creating security risks through credential exposure, excessive permissions, and lack of ownership accountability.

Organizations typically have 10-45 NHI accounts per human user, making visibility essential for reducing attack surface.

## NHI Overview Dashboard

Access the centralized NHI dashboard through **NHI Security > Overview** in the navigation sidebar. The dashboard displays priority integrations with security metrics.

![NHI Security > Overview](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-a388f9071a473f995df12ca8d61d6362fcea4a41%2FNHI-Overview.png?alt=media)

### Getting Started with the NHI Overview

1. **Review the Overview**: Navigate to **NHI Security > Overview** to assess your current NHI landscape
2. **Identify Priority Areas**: Look for integrations with high unowned account counts
3. **Establish Ownership**: Begin by assigning owners to critical NHI accounts using the bulk assignment features
4. **Set Up Monitoring**: Create [Rules and Alerts](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/rules-and-alerts) for ongoing NHI governance
5. **Implement Reviews**: Configure [Access Reviews](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews) for regular NHI validation
6. **Build Queries**: Use [Query Builder](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/vql) to create NHI-specific analysis queries

### Key Metrics

* **Total NHI Accounts**: Count of discovered non-human identities
* **Unowned Accounts**: Accounts requiring ownership assignment
* **High-Risk Accounts**: Accounts with admin privileges or security concerns
* **Keys & Secrets**: Associated cryptographic keys and credentials
* **Credential Status**: Rotation compliance and expiration tracking

Click any integration card to filter the NHI Accounts view to that specific platform.

## Discovery and Classification

### Automatic Detection

Veza automatically identifies non-human identities using built-in detection rules across 40+ integrations. Learn how classification works in [NHI Supported Entities](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/nhi/nhi-entities).

### Supported NHI Types

Veza discovers NHI entities from supported integrations, including:

* **Cloud Service Accounts**: AWS IAM users, Azure service principals, Google Cloud service accounts
* **Application Accounts**: Service accounts in enterprise applications
* **Workload Identities**: Kubernetes service accounts, container runtime identities
* **Integration Users**: System accounts for API integrations and automation
* **Deploy Keys**: GitHub deploy keys, SSH keys for automated deployments

### Custom Classification with Enrichment Rules

Administrators can add [Enrichment Rules](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/configuration/enrichment) to augment automatic NHI detection:

* Naming conventions (e.g., accounts containing "svc-", "service-account-")
* Attribute patterns (missing email addresses, specific group memberships)
* Custom tags or metadata

Go to **Integrations > Enrichment Rules** to create and manage rules.
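The three rule categories above (naming conventions, attribute patterns such as a missing email or a group membership, and explicit tags) are easy to get wrong if any single signal is treated as decisive: a human contractor account with no email address is not a service account. The following Python is an added example, not Veza's enrichment-rule syntax or code, showing how those signals can be weighted so that a naming match or an explicit tag classifies an account on its own while a missing email only flags it for review. The record fields, group names, tag values and sample accounts are all constructed assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed account record; field names are assumptions, not Veza's schema."""
    name: str
    email: str | None = None
    groups: list[str] = field(default_factory=list)
    tags: dict[str, str] = field(default_factory=dict)


# Naming conventions: the two prefixes named on the page plus an assumed "-bot" suffix.
NAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"^svc-", r"^service-account-", r"-bot$")]
# Group names and tag values below are assumptions for this example.
NHI_GROUPS = {"Service Accounts", "CI-Runners"}
NHI_TAGS = {"identity_type": "non-human"}

# Signal weights: an explicit tag or a naming match is decisive on its own;
# a missing email is only a weak hint, since some human accounts lack one too.
WEIGHTS = {"tag": 3, "name": 2, "group": 2, "no_email": 1}
NHI_THRESHOLD = 2


def score_account(acct: Account) -> tuple[int, list[str]]:
    """Return (score, reasons) so an analyst can see why an account was flagged."""
    score, reasons = 0, []
    for key, value in NHI_TAGS.items():
        if acct.tags.get(key, "").lower() == value:
            score += WEIGHTS["tag"]
            reasons.append(f"tag {key}={value}")
    for pat in NAME_PATTERNS:
        if pat.search(acct.name):
            score += WEIGHTS["name"]
            reasons.append(f"name matches /{pat.pattern}/")
            break  # one naming hit is enough; do not double-count overlapping patterns
    hits = NHI_GROUPS.intersection(acct.groups)
    if hits:
        score += WEIGHTS["group"]
        reasons.append("member of " + ", ".join(sorted(hits)))
    if not acct.email:
        score += WEIGHTS["no_email"]
        reasons.append("no email address")
    return score, reasons


def classify(acct: Account) -> str:
    """'nhi' when the evidence is decisive, 'review' on a weak signal only, else 'human'."""
    score, _ = score_account(acct)
    if score >= NHI_THRESHOLD:
        return "nhi"
    if score > 0:
        return "review"
    return "human"


# Constructed sample directory: one account per classification path.
SAMPLE_ACCOUNTS = [
    Account("svc-backup"),                                        # naming prefix, no email
    Account("alice", email="alice@example.com", groups=["Engineering"]),
    Account("deploy-runner-01", groups=["CI-Runners"]),           # group membership, no email
    Account("bob.temp"),                                          # only a missing email: review, not NHI
    Account("terraform-ci", email="terraform-ci@example.com",
            tags={"identity_type": "Non-Human"}),                 # explicit tag wins despite an email
]


def classify_all(accounts: list[Account] = SAMPLE_ACCOUNTS) -> dict[str, str]:
    return {a.name: classify(a) for a in accounts}


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        score, reasons = score_account(acct)
        print(f"{acct.name:18} {classify(acct):7} score={score} {reasons}")
```

The "review" tier is the practical safety valve: accounts that trip only the weak signal go to a human for ownership assignment rather than silently entering (or being left out of) the NHI inventory.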

## Keys and Secrets Management

### Discovery

Veza identifies keys, secrets, and credentials across integrated systems. See [NHI Secrets](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/nhi/nhi-secrets) for supported entity types, including:

* **Cryptographic Keys**: AWS KMS keys, Azure Key Vault keys, Google Cloud KMS keys
* **Application Secrets**: Configuration secrets, API tokens, database connection strings
* **Access Credentials**: Long-lived authentication tokens, certificates

## Governance and Ownership

### Assign Owners

The Entity Owners feature establishes accountability by assigning a human owner to each NHI account, individually or in bulk:

1. From the NHI Accounts view, select accounts needing ownership
2. Use **Assign Entity Owners** to link accounts to responsible teams or individuals

After assigning ownership for NHI entities, you can use filters to search for entities with no owners, assign Access Reviews to owners, and create rules and alerts when new entities are detected with no owners.

See [Managers and Resource Owners](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/managers-and-resource-owners) for more about auto-assigning Access Reviews using NHI owner metadata.

### Access Reviews

You can use Veza to implement governance workflows for NHI accounts:

* **Create Reviews**: Use [Access Review Configuration](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration) to set up NHI-specific reviews
* **Schedule Reviews**: Establish regular review cycles with [Schedule an Access Review](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews/how-to/schedule-access-review)
* **Review Intelligence**: Apply [Review Intelligence Policies](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/review-intelligence-rules) to automate NHI governance decisions

### Lifecycle Management for NHI

Veza Lifecycle Management supports provisioning and deletion of Non-Human Identities (NHI), enabling automated lifecycle management for service accounts and other machine identities. Note that the disable-but-preserve deprovisioning step available for human identities is not available for NHI entity types; see the table below.

{% hint style="info" %}
Veza's NHI provisioning currently supports identity creation, attribute synchronization, and deletion. The table below shows which actions are available for NHI entity types compared to human identities.
{% endhint %}

**Key Differences from Human Identity Provisioning:**

| Capability               | Human Identities                                     | NHI/Service Accounts                                                 |
| ------------------------ | ---------------------------------------------------- | -------------------------------------------------------------------- |
| **Entity Types**         | Standard user accounts (e.g., `ActiveDirectoryUser`) | Service account types (e.g., `ActiveDirectoryManagedServiceAccount`) |
| **Sync Identities**      | ✅ Full attribute set (30+ attributes)                | ✅ Limited attributes (account name, DN, description)                 |
| **Manage Relationships** | ✅ Add/remove group memberships                       | ❌ Not supported                                                      |
| **Deprovision Identity** | ✅ Disable accounts, preserve audit trail             | ❌ Not supported                                                      |
| **Delete Identity**      | ✅ Permanent removal                                  | ✅ Permanent removal                                                  |
| **Reset Password**       | ✅ Password management                                | ❌ Not supported                                                      |
| **Guest Accounts**       | ✅ Create and invite guests                           | ❌ Not applicable                                                     |

**Supported NHI Operations:**

* **Provisioning**: Create and configure NHI accounts in target systems using [Sync Identities](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/lifecycle-management/policies-workflows/actions#sync-identities) actions with NHI entity types
* **Deletion**: Remove NHI accounts when they are no longer needed using [Delete Identity](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/lifecycle-management/policies-workflows/actions#delete-identity) actions

**Supported Integrations for NHI Provisioning:**

* **Active Directory**: Managed Service Accounts (`ActiveDirectoryManagedServiceAccount`)

To include NHI entities in provisioning workflows:

1. Configure your Lifecycle Management Policy with conditions that match NHI entity types
2. Select the appropriate NHI entity type (e.g., `ActiveDirectoryManagedServiceAccount`) in your Sync Identities action
3. Configure the limited attribute set available for NHI entities

See [Active Directory Lifecycle Management](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/active-directory/provisioning#managed-service-accounts) for integration-specific NHI configuration.

## Analysis and Investigation

Use Veza's analysis capabilities to identify security risks such as unrotated or expired credentials, keys with excessive permissions, and secrets stored outside of proper vaults.

### VQL Analysis

Use [Veza Query Language (VQL)](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/vql) to create sophisticated queries for NHI analysis. These queries can be used to create Access Review Configurations, construct custom dashboards, and generate reports.

### Graph Visualization

Leverage Veza [Graph](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/graph) search interface to:

* Visualize NHI relationships and permissions
* Trace access paths from NHI accounts to sensitive resources
* Understand permission inheritance and effective access

### Comparison Analysis

Use the Access Intelligence [Compare](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/compare) functionality to:

* Compare permissions between similar NHI accounts
* Analyze differences in access patterns
* Identify permission drift or inconsistencies

## Monitoring and Alerting

### Rules and Alerts

Set up proactive monitoring with [Rules and Alerts](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/rules-and-alerts):

* Alert on new unowned NHI accounts
* Monitor for NHI permission escalations
* Detect inactive NHI accounts with active credentials

### Risk Assessment

Use Access Intelligence [Risks](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/risks) to assign criticality levels to NHI queries:

* Prioritize NHI security issues by risk level
* Track risk trends over time
* Focus remediation efforts on critical accounts

### Activity Monitoring

Leverage [Activity Monitoring](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/activity-monitoring) to:

* Track NHI account usage patterns
* Detect unusual access behavior
* Monitor for potential credential compromise

## Reporting and Dashboards

### Pre-built Dashboards

Access NHI-focused dashboards through [Dashboards](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/dashboards):

* NHI inventory summaries by integration
* Ownership coverage overview
* Risk assessment dashboards

### Custom Dashboards

Create tailored dashboards using the [Dashboard Library](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/insights/dashboards#dashboard-library):

* Export NHI data for compliance audits
* Generate ownership assignment dashboards
* Create executive summaries of NHI security posture

### Scheduled Exports

Automate report delivery with [Scheduled Exports](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/dashboards/query-export-to-email) for regular compliance reporting, stakeholder updates, and integration with external systems.

## Common Use Cases

### Finding Unowned Service Accounts

Use Veza Query Language to find NHI accounts lacking ownership:

```vql
SHOW AwsIamUser { name, created_at, owners }
WHERE identity_type = 'NonHuman' AND owners IS NULL;
```

### Identifying High-Risk NHI Accounts

Create queries to find NHI accounts with admin-level access:

```vql
SHOW AwsIamUser { name, risk_level, last_login_at }
WHERE identity_type = 'NonHuman' AND risk_level = 'HIGH';
```

### Tracking Key Rotation

Monitor cryptographic key age and rotation status:

```vql
SHOW AwsAccessKey { created_at, last_used_date, age_in_days }
WHERE created_at < CURRENT_DATE - 90;
```
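The key-rotation query above and the alerting conditions under Rules and Alerts (new unowned NHI accounts; inactive accounts that still hold active credentials) are the same three checks applied to exported credential metadata. The Python below is an added example, not Veza code, that runs those checks over a constructed set of access-key records with a fixed evaluation time so the results are reproducible. The record layout, the 90-day thresholds, the key identifiers and the principal names are assumptions for illustration; the one edge case worth noting is a key that has never been used, which is treated as idle since its creation date rather than ignored.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumed values; match them to your rotation standard).
ROTATION_MAX_AGE = timedelta(days=90)
INACTIVITY_WINDOW = timedelta(days=90)

# Fixed "now" so the sample evaluates identically every run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessKey:
    """Constructed credential record; fields are assumptions, not a Veza export format."""
    principal: str
    key_id: str
    created_at: datetime
    last_used_at: datetime | None   # None means the key has never been used
    active: bool
    owner: str | None               # None means no entity owner has been assigned


def assess_keys(keys: list[AccessKey], now: datetime = NOW) -> dict[str, list[str]]:
    """Return finding codes per key_id; keys with no findings map to an empty list."""
    findings: dict[str, list[str]] = {}
    for key in keys:
        codes: list[str] = []
        age = now - key.created_at
        if key.active and age > ROTATION_MAX_AGE:
            codes.append("rotation_overdue")
        if key.active:
            # A never-used key has been idle since creation, which is still a live
            # credential nobody is exercising; do not skip it because last_used is None.
            idle_since = key.last_used_at or key.created_at
            if now - idle_since > INACTIVITY_WINDOW:
                codes.append("inactive_with_active_credential")
        if key.owner is None:
            codes.append("unowned")
        findings[key.key_id] = codes
    return findings


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample: each record exercises a different combination of checks.
SAMPLE_KEYS = [
    AccessKey("svc-backup",     "KEY-0001", days_ago(200), days_ago(5),   True,  "platform-team"),
    AccessKey("svc-legacy-etl", "KEY-0002", days_ago(200), days_ago(150), True,  None),
    AccessKey("ci-runner",      "KEY-0003", days_ago(10),  None,          True,  "ci-team"),
    AccessKey("svc-old",        "KEY-0004", days_ago(400), days_ago(300), False, "data-team"),
    AccessKey("svc-new",        "KEY-0005", days_ago(3),   None,          True,  None),
]


def keys_needing_action(keys: list[AccessKey] = SAMPLE_KEYS, now: datetime = NOW) -> list[str]:
    """Key ids with at least one finding, in input order, for ticketing or alert routing."""
    return [key_id for key_id, codes in assess_keys(keys, now).items() if codes]


if __name__ == "__main__":
    for key_id, codes in assess_keys(SAMPLE_KEYS).items():
        print(f"{key_id}: {', '.join(codes) or 'ok'}")
```

KEY-0004 produces no findings even though it is over a year old because it is disabled; a disabled key is not a live credential, so the interesting signal there is whether it should simply be deleted. KEY-0002 is the case the Rules and Alerts section is aimed at: an old, unowned credential on an account that has not been seen in months.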

## Remediation

After identifying NHI security risks, use [Veza Actions](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/administration/administration/notifications) to trigger remediation workflows:

* Create Jira tickets or ServiceNow incidents for NHI accounts that require credential rotation or deprovisioning
* Send Slack or Teams alerts when new unowned NHI accounts are detected
* Use custom webhooks to integrate with internal remediation pipelines

Configure Veza Actions from **Integrations > Veza Actions**, and assign them to [Rules and Alerts](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/rules-and-alerts) scoped to NHI queries.

## Access AI for NHI

Organizations securing AI agents and workload identities can use [Access AI](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-ai) to extend NHI visibility with generative AI capabilities. Access AI provides natural language queries for exploring NHI relationships, semantic search for discovering non-human access patterns, and AI-powered risk detection for identifying hidden NHI threats.

## Related Documentation

* [NHI Supported Entities](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/nhi/nhi-entities) - Understanding how Veza classifies identities
* [NHI Secrets Management](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/nhi/nhi-secrets) - Keys, secrets, and credential discovery
* [Access Reviews](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews) - Governance workflows for NHI accounts
* [Enrichment Rules](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/configuration/enrichment) - Customize NHI detection
* [Rules and Alerts](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/rules-and-alerts) - Proactive NHI monitoring
* [Access AI](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-ai) - Natural language queries and AI-powered risk detection

