๐NHI Security
Non-Human Identity (NHI) Security provides comprehensive visibility and governance for service accounts, API keys, and automated systems across your infrastructure. NHI accounts often operate with elevated privileges without regular oversight, creating security risks through credential exposure, excessive permissions, and lack of ownership accountability.
Organizations typically have 10-45 NHI accounts per human user, making visibility essential for reducing attack surface.
NHI Overview Dashboard
Access the centralized NHI dashboard through NHI Security > Overview in the navigation sidebar. The dashboard displays priority integrations with security metrics.
Getting Started with the NHI Overview
Review the Overview: Navigate to NHI Security > Overview to assess your current NHI landscape
Identify Priority Areas: Look for integrations with high unowned account counts
Establish Ownership: Begin by assigning owners to critical NHI accounts using the bulk assignment features
Set Up Monitoring: Create Rules and Alerts for ongoing NHI governance
Implement Reviews: Configure Access Reviews for regular NHI validation
Build Queries: Use Query Builder to create NHI-specific analysis queries
Key Metrics
Total NHI Accounts: Count of discovered non-human identities
Unowned Accounts: Accounts requiring ownership assignment
High-Risk Accounts: Accounts with admin privileges or security concerns
Keys & Secrets: Associated cryptographic keys and credentials
Credential Status: Rotation compliance and expiration tracking
Click any integration card to filter the NHI Accounts view to that specific platform.
Discovery and Classification
Automatic Detection
Veza automatically identifies non-human identities using built-in detection rules across 40+ integrations. Learn how classification works in NHI Identity Classification Logic.
Supported NHI Types
Veza discovers NHI entities from supported integrations, including:
Cloud Service Accounts: AWS IAM users, Azure service principals, Google Cloud service accounts
Application Accounts: Service accounts in enterprise applications
Workload Identities: Kubernetes service accounts, container runtime identities
Integration Users: System accounts for API integrations and automation
Deploy Keys: GitHub deploy keys, SSH keys for automated deployments
Custom Classification with Enrichment Rules
Administrators can add Enrichment Rules to augment automatic NHI detection:
Naming conventions (e.g., accounts containing "svc-", "service-account-")
Attribute patterns (missing email addresses, specific group memberships)
Custom tags or metadata
Go to Integrations > Enrichment Rules to create and manage rules.
Keys and Secrets Management
Discovery
Veza identifies keys, secrets, and credentials across integrated systems. See NHI Secrets for supported entity types, including:
Cryptographic Keys: AWS KMS keys, Azure Key Vault keys, Google Cloud KMS keys
Application Secrets: Configuration secrets, API tokens, database connection strings
Access Credentials: Long-lived authentication tokens, certificates
Governance and Ownership
Assign Owners
The Entity Owners feature enables human accountability for NHI by assigning human owners to accounts, individually or in bulk:
From the NHI Accounts view, select accounts needing ownership
Use Assign Entity Owners to link accounts to responsible teams or individuals
After assigning ownership for NHI entities, you can use filters to search for entities with no owners, assign Access Reviews to owners, and create rules and alerts when new entities are detected with no owners.
See Managers and Resourcer Owners for more about auto-assigning Access Reviews using NHI owner metadata.
Access Reviews
You can use Veza to implement governance workflows for NHI accounts:
Create Reviews: Use Access Review Configuration to set up NHI-specific reviews
Schedule Reviews: Establish regular review cycles with Schedule an Access Review
Review Intelligence: Apply Review Intelligence Policies to automate NHI governance decisions
Lifecycle Management for NHI
Veza Lifecycle Management supports provisioning and deprovisioning of Non-Human Identities (NHI), enabling automated lifecycle management for service accounts and other machine identities.
Veza's NHI provisioning currently supports identity creation, attribute synchronization, and deletion. The table below shows which actions are available for NHI entity types compared to human identities.
Key Differences from Human Identity Provisioning:
Entity Types
Standard user accounts (e.g., ActiveDirectoryUser)
Service account types (e.g., ActiveDirectoryManagedServiceAccount)
Sync Identities
โ Full attribute set (30+ attributes)
โ Limited attributes (account name, DN, description)
Manage Relationships
โ Add/remove group memberships
โ Not supported
Deprovision Identity
โ Disable accounts, preserve audit trail
โ Not supported
Delete Identity
โ Permanent removal
โ Permanent removal
Reset Password
โ Password management
โ Not supported
Guest Accounts
โ Create and invite guests
โ Not applicable
Supported NHI Operations:
Provisioning: Create and configure NHI accounts in target systems using Sync Identities actions with NHI entity types
Deletion: Remove NHI accounts when they are no longer needed using Delete Identity actions
Supported Integrations for NHI Provisioning:
Active Directory: Managed Service Accounts (
ActiveDirectoryManagedServiceAccount)
To include NHI entities in provisioning workflows:
Configure your Lifecycle Management Policy with conditions that match NHI entity types
Select the appropriate NHI entity type (e.g.,
ActiveDirectoryManagedServiceAccount) in your Sync Identities actionConfigure the limited attribute set available for NHI entities
See Active Directory Lifecycle Management for integration-specific NHI configuration.
Analysis and Investigation
Use Veza's analysis capabilities to identify security risks such as unrotated or expired credentials, keys with excessive permissions, and secrets stored outside of proper vaults:
VQL Analysis
Use Veza Query Language (VQL) to create sophisticated queries for NHI analysis. These queries can be used to create Access Review Configurations, construct custom dashboards, and generate reports.
Graph Visualization
Leverage Veza Graph search interface to:
Visualize NHI relationships and permissions
Trace access paths from NHI accounts to sensitive resources
Understand permission inheritance and effective access
Comparison Analysis
Use the Access Intelligence Compare functionality to:
Compare permissions between similar NHI accounts
Analyze differences in access patterns
Identify permission drift or inconsistencies
Monitoring and Alerting
Rules and Alerts
Set up proactive monitoring with Rules and Alerts:
Alert on new unowned NHI accounts
Monitor for NHI permission escalations
Detect inactive NHI accounts with active credentials
Risk Assessment
Use Access Intelligence Risks to assign criticality levels to NHI queries:
Prioritize NHI security issues by risk level
Track risk trends over time
Focus remediation efforts on critical accounts
Activity Monitoring
Leverage Activity Monitoring to:
Track NHI account usage patterns
Detect unusual access behavior
Monitor for potential credential compromise
Reporting and Dashboards
Pre-built Dashboards
Access NHI-focused dashboards through Dashboards:
NHI inventory summaries by integration
Ownership coverage overview
Risk assessment dashboards
Custom Dashboards
Create tailored dashboards using the Dashboard Library:
Export NHI data for compliance audits
Generate ownership assignment dashboards
Create executive summaries of NHI security posture
Scheduled Exports
Automate report delivery with Scheduled Exports for regular compliance reporting, stakeholder updates, and integration with external systems.
Common Use Cases
Finding Unowned Service Accounts
Use Veza Query Language to find NHI accounts lacking ownership:
Identifying High-Risk NHI Accounts
Create queries to find NHI accounts with admin-level access:
Tracking Key Rotation
Monitor cryptographic key age and rotation status:
Remediation
After identifying NHI security risks, use Veza Actions to trigger remediation workflows:
Create Jira tickets or ServiceNow incidents for NHI accounts that require credential rotation or deprovisioning
Send Slack or Teams alerts when new unowned NHI accounts are detected
Use custom webhooks to integrate with internal remediation pipelines
Configure Veza Actions from Integrations > Veza Actions, and assign them to Rules and Alerts scoped to NHI queries.
Access AI for NHI
Organizations securing AI agents and workload identities can use Access AI to extend NHI visibility with generative AI capabilities. Access AI provides natural language queries for exploring NHI relationships, semantic search for discovering non-human access patterns, and AI-powered risk detection for identifying hidden NHI threats.
Related Documentation
NHI Identity Classification Logic - Understanding how Veza classifies identities
NHI Secrets Management - Keys, secrets, and credential discovery
Access Reviews - Governance workflows for NHI accounts
Enrichment Rules - Customize NHI detection
Rules and Alerts - Proactive NHI monitoring
Access AI - Natural language queries and AI-powered risk detection
Last updated
Was this helpful?