When AI Attacks — Digital Content Series #7

“Your identity program was built for people who log in, get verified, and leave. None of these do.”

Human identity gave your security team something to verify. Non-human identity gave it something to provision and forget. AI agents give it something it was never built to govern — autonomous actors that don’t log in, don’t get offboarded, and increasingly mint their own credentials inside your environment. Machine identities now outnumber the people on your payroll by as much as a hundred to one, and the fastest-growing, least-governed class of all of them is the AI agent.

Before You Read Further — Know the Difference

Most identity programs treat every identity as if a person sits behind it. These are three distinct things — and the controls you trust were built for only the first.

Human Identity

Someone you can fire.

A person. Verified by login and MFA, tied to a name, governed by HR and IAM, offboarded on a known date. Every control you trust quietly assumes this.

Non-Human Identity

Something you forgot you provisioned.

A credential — service account, API key, token, certificate. Authenticates with a secret, never answers MFA, rarely rotates. Frequently owned by no one and invisible to IAM.

AI Agent Identity

Something that provisions itself.

An autonomous actor with delegated authority. Inherits credentials, mints new ones, and spawns more identities as it works. It doesn’t just authenticate — it acts.

The Operation

It is a Tuesday afternoon — inside your organization, not outside it. A mid-market SaaS company stands up an internal AI integration agent to keep customer data in sync across its CRM, billing platform, and analytics warehouse. To ship it fast, the team mints a service account with a long-lived OAuth token and grants it broad scopes: read and write across all three systems, plus the right to issue downstream tokens. The same credential is reused for two later integrations, because it already works.

Months pass and the agent runs flawlessly. Then a developer forks an internal repository to a personal account to finish something over a weekend. The fork carries a config file. The token goes with it. An attacker scraping public and near-public repositories finds the secret, tests it, and assumes the agent’s identity. There is no login event to flag, no new device, no impossible-travel alert — machine identities don’t generate those signals. The activity looks exactly like the integration agent doing its job, because functionally it is.

From the agent’s inherited scopes, the attacker reads the warehouse — every customer record — pulls billing data, and mints three fresh service tokens to guarantee persistence. Forty-one days later, a routine secrets scanner flags the original token in the forked repo. By then the original credential is almost beside the point. Nobody ever offboarded the identity, because nobody had a list it belonged on.

The breach wasn’t a hack. It was a credential nobody owned, scoped to everything, that never expired — doing exactly what it was provisioned to do, for an attacker instead of for you.

Three Perspectives

The Trusted Leader

“I authorized a sync job. I didn’t realize I was creating a credential with access to every customer record we have — one that would still be live long after I’d forgotten it existed.”

The agent did exactly what we needed. It kept the CRM, billing, and warehouse in sync, and the team stopped doing reconciliation by hand. I approved the access the way everyone does — enough to make it work. Nobody told me “enough to make it work” meant read-write across all three systems plus the right to issue its own tokens. There was no expiry. There was no owner. By the time security asked who provisioned it, the person who had was gone.

The Defender

“My stack was built to catch a human behaving strangely. This identity has no human behind it — every action it takes is, by definition, normal.”

One service account. One long-lived OAuth token, scoped far past the job, reused across three integrations, last rotated never. It never appears in joiner-mover-leaver, because nothing about it joins, moves, or leaves. My UEBA models human baselines; this thing has none. I found the compromise the way everyone does — a secrets scanner flagged the token in a forked repo, forty-one days after it leaked. I had no inventory of what it had done.

The AI-Native Diamond Model reframes this correctly. The traditional IR question is: whose account was compromised? For a non-human identity, the right question is: which identity acted, who delegated it, and what does it inherit if we kill it? That is a different investigation — and it requires an identity inventory most organizations have never built.

The Attacker

“I don’t phish your people anymore. I don’t need to. Your machines keep their passwords in config files.”

Your employees have MFA, training, suspicion. Your service accounts have a secret sitting in a repo, a CI log, a forked branch — and the moment I hold it, I am the agent. No login prompt, no second factor, no anomaly. I inherit everything it can reach, I mint fresh tokens so revoking the original changes nothing, and I look exactly like the automation you trust most. I’d been the machine for six weeks before a scanner noticed the key.

Technical Assessment

The Threat Architecture

Non-human identities break the assumptions identity governance rests on. An NHI is a credential, not a person: it authenticates with a secret rather than a second factor, it is provisioned in minutes and lives for years, and it frequently has no owner once its creator moves on. AI agents intensify every part of this. They don’t merely hold a credential — they act on it, inherit adjacent scopes, and mint downstream tokens, multiplying the identity surface every time they run.

The attack surface maps almost one-for-one onto the OWASP Non-Human Identities Top 10: (1) secret leakage — credentials exposed through repositories, CI logs, and config files; (2) overprivileged and reused identities, where one credential is scoped far beyond its job and shared across integrations, so a single theft inherits everything; (3) long-lived secrets that are never rotated; and (4) improper offboarding — identities nobody owns and nobody decommissions, live long after their purpose ended. None of these are exotic. The novelty is the scale and autonomy AI agents add to a problem the enterprise never finished solving for static machines.

The Diamond Model Applied to Non-Human Identities

Non-Human Identities — Diamond Model of Intrusion Analysis

Adversary

External actor harvesting leaked machine credentials at scale. Requires no network intrusion — only a secret exposed in a repo, log, or fork. Operates as the identity, not against it, and is indistinguishable from sanctioned automation.

AI-Native IR shift: “Whose account was compromised?” → “Which non-human identity acted, and who — or what — delegated it?”

Capability

Assumed service-account credential with inherited, overprivileged scopes. Reused across integrations and never rotated. Token-minting for downstream persistence so that revoking the original changes nothing.

AI-Native IR shift: “Was the password stolen?” → “Was the secret leaked, inherited, or minted by the agent itself?”

Infrastructure

Victim’s own CRM, billing, and warehouse, reached through a valid OAuth token. No attacker-controlled systems post-theft — the enterprise’s own integration fabric executes every read and write.

AI-Native IR shift: “What C2?” → “Which authorized integration did the identity move through, and what did it inherit along the way?”

Victim

SaaS firm. A service account with read-write access across three platforms and no human owner. No baseline of normal behavior, no audit trail of decisions, and no offboarding path anyone had defined.

AI-Native IR shift: “When did the user last log in?” → “This identity never logs in — what is its baseline, and can we offboard it without breaking what depends on it?”

Detection Gap Analysis

Control	Covers Human Identity	Covers Non-Human Identity
MFA / login anomaly detection	Yes	No — machines never log in or answer MFA
Joiner-mover-leaver provisioning	Yes	No — NHIs don’t join, move, or leave
UEBA / user behavior analytics	Yes	Partial — tuned for human baselines; machine anomalies slip through
Secrets scanning / leak detection	No	Yes — only if repos, CI, and logs are all in scope
NHI inventory & lifecycle governance	No	Yes — purpose-built; most organizations have not deployed

The Inheritance Multiplier

The risk compounds through inheritance and reuse. A credential scoped to one job but shared across three integrations is not one identity — it is one key to three doors. An AI agent that can mint downstream tokens is not one identity — it is a factory for more. Kill the original and the minted ones persist. The attack surface is not the credential you found. It is everything that credential could reach, and everything it spawned.

— Debrief —

CISO Debrief

“Nobody hacked you. A credential you never offboarded, scoped to everything, did exactly what it was built to do — for someone else.”

Non-human identity is not a technology problem. It is a governance gap that technology is exploiting at scale. The credential was valid. The OAuth grant was legitimate. The agent operated exactly as designed. What was missing was any layer that knew the identity existed, who owned it, what it could reach, and how to retire it. Machine identities now outnumber your people by as much as a hundred to one. You cannot govern by memory at that ratio.

IR Directives

Build a machine-identity inventory before you do anything else. You cannot govern what you cannot see. Enumerate every service account, API key, token, certificate, OAuth app, workload identity, and AI agent. If it can authenticate and it isn’t a person, it’s on the list. This is not a quarterly exercise — it is a gap you have right now.

Assign an owner to every non-human identity. An ownerless NHI is the finding, not a footnote. Tie each identity to a named human and a business purpose, or revoke it. The person who created it leaving the company cannot mean the identity outlives all accountability.

Stop treating “the credential was valid” as “the action was authorized.” Your logs attribute machine actions to the credential, not the actor behind it. IR must ask not just “what did this token do” but “was this the sanctioned automation, or someone wearing it.” That is a different investigation methodology.

Eliminate long-lived secrets and credential reuse. Move to short-lived, auto-rotated credentials and workload federation (OIDC) wherever the platform allows. One identity, one job, one blast radius — kill reuse across integrations so a single theft doesn’t inherit three systems.

Bound AI agent authority explicitly. Define what each agent can reach, what it is allowed to mint, and a hard time-to-live. Authority without a TTL is authority forever. Treat agents as their own identity tier — they act, inherit, and spawn in ways a static API key does not.

Test offboarding before you need it. When you revoke an identity, know in advance what breaks and what inherits its access. Run dormant-NHI sweeps — expired is not deactivated, and a silent credential is a live one until you prove otherwise.

Close the Governance Gap

Identity Governance — NHI Lifecycle. Extend joiner-mover-leaver to machines. Every non-human identity gets a provisioning record, an owner, a scope, and a decommission trigger tied to the service or project — not to the employee who happened to create it.

Least Privilege — Machine Scope. Scope every NHI to a single job and eliminate standing reuse. Replace persistent secrets with just-in-time, auto-rotated credentials and federation wherever possible. Overprivileged and long-lived are the two conditions that turn a leak into a breach.

AI Agent Authorization — Distinct Category. Add a review category for AI agents with autonomous action and token-minting capability, separate from service accounts and SaaS. The risk profile is different: these identities don’t just hold access — they create more of it.

Five Questions for Your Next Executive Meeting

1. How many non-human identities do we have, and who owns them? If we can’t answer that, that is the answer.

2. What share of our machine identities sit outside our identity team’s visibility and lifecycle today?

3. Which AI agents hold privileged or sensitive access — and what can each one reach beyond its stated job?

4. Can we offboard a machine identity as fast and as reliably as we offboard a departing employee?

5. If a machine credential were assumed tomorrow, how long until we’d notice — and what would the attacker inherit in the meantime?

Technical Reference

Threat Category: Identity Governance & Machine Credentials

Techniques: Secret Leakage · Overprivileged NHI · Credential Reuse · Long-Lived Secret Abuse · Token Minting for Persistence · Improper Offboarding

OWASP Non-Human Identities Top 10 (2025): NHI1 — Improper Offboarding · NHI2 — Secret Leakage · NHI5 — Overprivileged NHI · NHI7 — Long-Lived Secrets · NHI9 — NHI Reuse

MITRE ATT&CK: T1078 — Valid Accounts · T1078.004 — Cloud Accounts · T1552 — Unsecured Credentials · T1552.001 — Credentials In Files · T1528 — Steal Application Access Token

Detection Controls: Machine Identity Inventory · Secrets Scanning at Repo / CI / Log Layer · Credential Rotation & Short-Lived Tokens · NHI Behavioral Baselining · Dormant Identity Sweeps

Framework: AI-Native Diamond Model — IR question reframing for non-human identity incidents

owasp.org · attack.mitre.org · NIST AI · Diamond Model

“When AI Attacks” is a practitioner-grade security intelligence series written for CISOs, security leaders, and defenders navigating the AI threat landscape.

The scenarios described in this series are grounded in documented, publicly reported threat intelligence patterns. They do not reflect confidential information from any employer.