
Non-Human Identities

The Invisible Workforce You Haven’t Secured 


Non-human identities now greatly outnumber human ones. For SMBs and MSPs, they represent the fastest-growing, least-governed attack surface in modern IT.  

Ask any IT manager at a small or mid-sized business to list the identities they need to protect, and you’ll get a familiar answer: usernames, passwords, maybe MFA tokens. The list is usually measured in dozens, one per employee, a few for contractors.  

They are almost always wrong.  

Lurking behind every SaaS integration, every CI/CD pipeline, every automated backup script, and every AI-powered workflow is a second workforce: one that never clocks out, never questions unusual instructions, and almost never gets its credentials rotated. These are non-human identities (NHIs): service accounts, API keys, OAuth tokens, machine certificates, and bots that act on behalf of humans without any human in the loop.  

For SMBs and Managed Service Providers (MSPs), this invisible workforce has become the defining security challenge of the decade, and AI is pouring fuel on an already dangerous fire.  

NHIs grew 44% year-over-year and now outnumber human identities at a ratio of 144 to 1, up from 92 to 1 in the first half of 2024. 

23.77 million new secrets were leaked on GitHub in 2024 alone — a 25% surge from the prior year. Notably, repositories using secrets managers still had a 5.1% incidence rate of leaked secrets. 

In March 2025, attackers compromised the tj-actions GitHub Action via a stolen personal access token, injecting malicious code that silently exfiltrated secrets from CI/CD logs across more than 23,000 repositories. 

90% of global leaders now cite identity attacks as their top cybersecurity concern, as non-human identities expand the attack surface faster than security teams can keep up. 

What exactly is a non-human identity?  

A non-human identity is any digital credential assigned to a system, application, or automated process rather than a person. The taxonomy is broad and growing:  

| Identity Type | Key Risk |
|---|---|
| API Keys & Tokens | Long-lived secrets embedded in code. Often created once and never rotated, even when developers leave. |
| Service Accounts | System-level accounts used by applications. Frequently over-privileged and exempt from password policies. |
| OAuth & SAML Tokens | Delegated access grants between SaaS platforms. A single compromised token can cascade across an entire app stack. |
| Machine Certificates | TLS certs and device identities. Expired or stolen certs create silent access paths when lifespans aren’t tracked. |
| CI/CD Pipeline Credentials | Secrets stored in GitHub Actions, Jenkins, or Terraform. A top target for supply chain attacks. |
| AI Agent Identities | The newest category: autonomous agents with API access, memory, and the ability to act across systems with minimal oversight. |

Why SMBs and MSPs are especially exposed  

Large enterprises aren’t immune to NHI risks, but they tend to have dedicated IAM teams, PAM solutions, and security budgets to address them. SMBs and MSPs operate in a fundamentally different reality.  

The proliferation is invisible  

When a developer at a 50-person company connects Slack to their project management tool, Zapier to their CRM, and an AI writing assistant to their email — they’ve created six or more new non-human identities in an afternoon. No ticket was opened. No security review was performed. No one owns those credentials tomorrow, let alone next year.  

The sprawl problem: The average SMB using modern SaaS tooling has accumulated hundreds of OAuth grants, API keys, and service account tokens — most of which were created by employees who have since left the company. These are orphaned identities: fully functional, widely trusted, and completely forgotten.

MSPs are the ultimate target multiplier  

For attackers, compromising a managed service provider isn’t just one breach — it’s hundreds. MSPs hold credentials, RMM agent access, and administrative tokens across every client environment they manage. A single compromised MSP service account can give a threat actor keys to dozens of SMB networks simultaneously.  

The 2021 Kaseya VSA attack was a preview of this threat at scale. But the attack surface has grown enormously since then, as MSPs have layered more integrations, automation tools, and now AI-powered workflows on top of already complex credential ecosystems.  

No dedicated IAM function  

Most SMBs don’t have an identity security team — or even a full-time security person. NHI governance requires someone to maintain an inventory, enforce rotation policies, monitor for anomalous access, and revoke credentials when services are decommissioned. Without ownership, these tasks simply don’t happen.  

AI is rewriting the threat equation  

Artificial intelligence was supposed to make security easier. In some ways it has — AI-powered detection tools genuinely catch threats that rule-based systems miss. But AI is simultaneously creating a new generation of NHI risk that most organizations are completely unprepared for.  

AI agents present a new non-human identity class  

Modern AI agents don’t just passively wait for instruction; they’re built to take actions. An AI assistant integrated into your business operations might read and send email, create and modify files, execute code, query databases, or call third-party APIs. Each of those capabilities requires a credential. Each credential is a potential attack surface.

Unlike traditional service accounts, AI agents often have dynamic, context-dependent permissions. Their behavior is harder to baseline. And because they’re designed to act autonomously, there may be no human review of individual actions, only outcomes.  

AI accelerates the NHI sprawl problem  

AI-powered development tools like GitHub Copilot, Cursor, and similar assistants dramatically accelerate the creation of integrations, scripts, and automations. Developers ship more code, faster — and that code creates more service accounts, more API keys, and more secrets embedded in more places. The velocity of NHI creation has increased without any corresponding investment in NHI governance.  

AI lowers the barrier to credential-based attacks  

Threat actors now use AI to automate the discovery and exploitation of exposed credentials. Tools can scan public repositories, dark web dumps, and misconfigured cloud storage at scale, automatically testing found credentials against target environments. What once required skilled human attackers can now be weaponized by less sophisticated actors — dramatically expanding the threat landscape for resource-constrained SMBs.  

Shadow AI: ungoverned NHIs at speed  

Employees at SMBs are connecting AI tools to company systems without IT awareness. Every time a team member authenticates an AI assistant with their Google Workspace, Microsoft 365, or Salesforce credentials, they’re creating an OAuth grant — a non-human identity with access to sensitive business data. Shadow AI is producing shadow NHIs at a rate that no manual governance process can track.  

The anatomy of an NHI breach  

Understanding how NHI compromises unfold helps illustrate why they’re effective and particularly damaging. The pattern is almost always the same:  

  1. Discovery: Attacker finds an exposed API key in a public GitHub repo, a misconfigured cloud bucket, or a response to a phishing attack targeting a developer.  
  2. Validation: Automated tooling tests the credential against target services within seconds of discovery.  
  3. Lateral movement: The service account or token grants access beyond its intended scope due to over-privileged permissions.  
  4. Persistence: Attacker creates additional backdoor credentials. Because NHIs aren’t routinely audited, these may remain active for months.  
  5. Impact: Ransomware deployment, data exfiltration, or credential harvesting across connected client environments (particularly catastrophic for MSPs).  

What good NHI governance looks like  

The good news is that NHI security doesn’t require a Fortune 500 budget. It requires process discipline and the right tooling priorities. Here’s what SMBs and MSPs should focus on:  

  1. Build a complete NHI inventory. You cannot govern what you cannot see. Use automated discovery tools to enumerate every service account, API key, OAuth grant, and machine certificate across your environment. This is the non-negotiable starting point.  
  2. Assign human ownership to every NHI. Every non-human credential should have a named human owner responsible for its lifecycle — creation, rotation, and revocation. Orphaned credentials are the enemy.  
  3. Enforce least-privilege rigorously. Service accounts and API tokens should have only the permissions they need for their specific function — nothing more. Review and reduce permissions quarterly.  
  4. Implement automated secret rotation. Long-lived credentials are inherently risky. Adopt a secrets manager (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) and enforce rotation policies. Short-lived credentials should be the default.  
  5. Monitor NHI behavior, not just human behavior. Configure anomaly detection for service account activity. Unusual access times, unexpected data volumes, or new API calls from known service accounts are early warning signals.  
  6. Govern AI agent access explicitly. Treat every AI tool integration as a new identity requiring security review. Audit OAuth grants, limit scopes, and maintain a registry of approved AI integrations.  
  7. For MSPs: segment client credential stores. Never use shared credentials across client environments. Each client’s NHIs should be isolated, inventoried separately, and subject to client-specific rotation policies.  
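As an added example (not code from the original post), here is a small Python audit that applies the ownership, least-privilege, rotation, AI-registry and client-segmentation checks from the list above to a constructed NHI inventory. It assumes discovery has already produced records with the fields shown; the credential names, owners and client names are made up.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (hypothetical, not from any real environment).
# One record per credential per client environment it is used in.
INVENTORY = [
    {"id": "k1", "name": "crm-sync-key", "type": "api_key", "owner": "alice",
     "client": "acme", "last_rotated": date(2025, 1, 10), "scopes": ["crm:read"]},
    {"id": "k2", "name": "backup-svc", "type": "service_account", "owner": "bob",
     "client": "acme", "last_rotated": date(2025, 11, 1), "scopes": ["*"]},
    {"id": "k3", "name": "ai-writer-oauth", "type": "ai_agent", "owner": "carol",
     "client": "acme", "last_rotated": date(2025, 12, 5), "scopes": ["mail:send"]},
    {"id": "k4", "name": "rmm-admin-token", "type": "api_key", "owner": "dave",
     "client": "globex", "last_rotated": date(2025, 12, 5), "scopes": ["admin"]},
    {"id": "k4", "name": "rmm-admin-token", "type": "api_key", "owner": "dave",
     "client": "initech", "last_rotated": date(2025, 12, 5), "scopes": ["admin"]},
]
DEPARTED_USERS = {"alice"}                      # from the HR offboarding feed (assumed)
APPROVED_AI_INTEGRATIONS = {"ai-summarizer-oauth"}  # the AI integration registry (assumed)
PRIVILEGED_SCOPES = {"*", "admin"}              # scopes that should never be on an NHI by default


def audit_inventory(inventory, departed, approved_ai, today, max_age_days=90):
    """Return sorted (credential id, finding) pairs; each finding maps to one list item."""
    findings = set()
    clients_per_cred = defaultdict(set)
    for cred in inventory:
        cid = cred["id"]
        if not cred.get("owner") or cred["owner"] in departed:
            findings.add((cid, "ORPHANED"))            # no living human owner
        if (today - cred["last_rotated"]).days > max_age_days:
            findings.add((cid, "STALE_ROTATION"))      # long-lived secret, never rotated
        if PRIVILEGED_SCOPES & set(cred["scopes"]):
            findings.add((cid, "OVER_PRIVILEGED"))     # violates least privilege
        if cred["type"] == "ai_agent" and cred["name"] not in approved_ai:
            findings.add((cid, "UNAPPROVED_AI"))       # AI integration not in the registry
        clients_per_cred[cid].add(cred["client"])
    for cid, clients in clients_per_cred.items():
        if len(clients) > 1:
            findings.add((cid, "SHARED_ACROSS_CLIENTS"))  # MSP segmentation broken
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY, DEPARTED_USERS,
                                   APPROVED_AI_INTEGRATIONS, date(2026, 1, 15)):
        print(*finding)
```

Each finding names the credential to revoke, rotate, re-scope or register; in practice the inventory would be fed from the secrets manager and SaaS OAuth grant listings rather than a hard-coded list.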

The perimeter has always been an identity problem. And for most SMBs and MSPs, the identity they’ve completely neglected belongs to a machine.  

The organizations that get ahead of this problem will be positioned to safely embrace the AI-powered automation that will define competitive advantage in every industry. The ones that don’t will find that their invisible workforce was working for someone else all along. 
