NHI Security

Non-Human Identity (NHI) Security provides comprehensive visibility and governance for service accounts, API keys, and automated systems across your infrastructure. NHI accounts often operate with elevated privileges without regular oversight, creating security risks through credential exposure, excessive permissions, and lack of ownership accountability.

Organizations typically have 10-45 NHI accounts per human user, making visibility essential for reducing attack surface.

NHI Overview Dashboard

Access the centralized NHI dashboard through NHI Security > Overview in the main navigation. The dashboard displays priority integrations with key security metrics.

NHI Security > Overview

Getting Started with the NHI Overview

  1. Review the Overview: Navigate to NHI Security > Overview to assess your current NHI landscape

  2. Identify Priority Areas: Look for integrations with high unowned account counts

  3. Establish Ownership: Begin by assigning owners to critical NHI accounts using the bulk assignment features

  4. Set Up Monitoring: Create Rules and Alerts for ongoing NHI governance

  5. Implement Reviews: Configure Access Reviews for regular NHI validation

  6. Build Queries: Use Query Builder to create NHI-specific analysis queries

Key Metrics

  • Total NHI Accounts: Count of discovered non-human identities

  • Unowned Accounts: Accounts requiring ownership assignment

  • High-Risk Accounts: Accounts with admin privileges or security concerns

  • Keys & Secrets: Associated cryptographic keys and credentials

  • Credential Status: Rotation compliance and expiration tracking

Click any integration card to filter the NHI Accounts view to that specific platform.

Discovery and Classification

Automatic Detection

Veza automatically identifies non-human identities using built-in detection rules across 40+ integrations. Learn how classification works in NHI Identity Classification Logic.

Supported NHI Types

Veza discovers NHI entities from supported integrations, including:

  • Cloud Service Accounts: AWS IAM users, Azure service principals, Google Cloud service accounts

  • Application Accounts: Service accounts in enterprise applications

  • Workload Identities: Kubernetes service accounts, container runtime identities

  • Integration Users: System accounts for API integrations and automation

  • Deploy Keys: GitHub deploy keys, SSH keys for automated deployments

Custom Classification with Enrichment Rules

Administrators can add Enrichment Rules to augment automatic NHI detection:

  • Naming conventions (e.g., accounts containing "svc-", "service-account-")

  • Attribute patterns (missing email addresses, specific group memberships)

  • Custom tags or metadata

Go to Integrations > Enrichment Rules to create and manage rules.

Keys and Secrets Management

Discovery

Veza identifies keys, secrets, and credentials across integrated systems. See NHI Secrets for supported entity types, including:

  • Cryptographic Keys: AWS KMS keys, Azure Key Vault keys, Google Cloud KMS keys

  • Application Secrets: Configuration secrets, API tokens, database connection strings

  • Access Credentials: Long-lived authentication tokens, certificates

Governance and Ownership

Assign Owners

The Entity Owners feature enables human accountability for NHI by assigning human owners to accounts, individually or in bulk:

  1. From the NHI Accounts view, select accounts needing ownership

  2. Use Assign Entity Owners to link accounts to responsible teams or individuals

After assigning ownership for NHI entities, you can use filters to search for entities with no owners, assign Access Reviews to owners, and create rules and alerts when new entities are detected with no owners.

See Managers and Resourcer Owners for more about auto-assigning Access Reviews using NHI owner metadata.

Access Reviews

You can use Veza to implement governance workflows for NHI accounts:

Analysis and Investigation

Use Veza's analysis capabilities to identify security risks such as unrotated or expired credentials, keys with excessive permissions, and secrets stored outside of proper vaults:

VQL Analysis

Use Veza Query Language (VQL) to create sophisticated queries for NHI analysis. These queries can be used to create Access Review Configurations, construct custom dashboards, and generate reports.

Graph Visualization

Leverage Veza Graph search interface to:

  • Visualize NHI relationships and permissions

  • Trace access paths from NHI accounts to sensitive resources

  • Understand permission inheritance and effective access

Comparison Analysis

Use the Access Intelligence Compare functionality to:

  • Compare permissions between similar NHI accounts

  • Analyze differences in access patterns

  • Identify permission drift or inconsistencies

Monitoring and Alerting

Rules and Alerts

Set up proactive monitoring with Rules and Alerts:

  • Alert on new unowned NHI accounts

  • Monitor for NHI permission escalations

  • Detect inactive NHI accounts with active credentials

Risk Assessment

Use Access Intelligence Risks to assign criticality levels to NHI queries:

  • Prioritize NHI security issues by risk level

  • Track risk trends over time

  • Focus remediation efforts on critical accounts

Activity Monitoring

Leverage Activity Monitoring to:

  • Track NHI account usage patterns

  • Detect unusual access behavior

  • Monitor for potential credential compromise

Reporting and Dashboards

Pre-built Reports

Access NHI-focused reports through Dashboards:

  • NHI inventory summaries by integration

  • Ownership coverage reports

  • Risk assessment dashboards

Custom Reports

Create tailored reports using Reports:

  • Export NHI data for compliance audits

  • Generate ownership assignment reports

  • Create executive summaries of NHI security posture

Scheduled Exports

Automate report delivery with Scheduled Exports for regular compliance reporting, stakeholder updates, and integration with external systems.

Common Use Cases

Finding Unowned Service Accounts

Use Veza Query Language to find NHI accounts lacking ownership:

SHOW AwsIamUser { name, created_at, owners }
WHERE identity_type = 'NonHuman' AND owners IS NULL;

Identifying High-Risk NHI Accounts

Create queries to find NHI accounts with admin-level access:

SHOW AwsIamUser { name, risk_level, last_login_at }
WHERE identity_type = 'NonHuman' AND risk_level = 'HIGH';

Tracking Key Rotation

Monitor cryptographic key age and rotation status:

SHOW AwsAccessKey { created_at, last_used_date, age_in_days }
WHERE created_at < CURRENT_DATE - 90;

Last updated

Was this helpful?