The Accounts Nobody Owns Are Running Your Business

What non-human identity sprawl is, why machine credentials became the primary attack target, and what your organisation must fix first.

AKATI Sekurity Insights | 8 April 2026 | 5 min read


One forgotten bot token. Twenty-three thousand victims.

In March 2025, a security researcher noticed something wrong in the build logs of thousands of software projects. tj-actions/changed-files, a widely used GitHub Action running inside CI/CD pipelines across more than 23,000 repositories, had been modified to dump the secrets held in the runner's memory into the workflow's own build logs. API keys, cloud access tokens, private RSA keys: all of it exposed in plaintext.

The root cause was not sophisticated. An attacker stole a single personal access token belonging to a bot account. No human owner. No MFA. No rotation policy. One forgotten machine credential, and the owners of 23,000 repositories scrambled to rotate their secrets. CISA added it to its Known Exploited Vulnerabilities catalogue within four days as CVE-2025-30066.

The account had no owner. That is the entire story.
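The failure in this incident was visible exactly where the damage happened: secrets appearing in build output. The following is an added example, not code from tj-actions, GitHub or AKATI Sekurity, of a small scanner a security team could run over CI logs. It matches well-known token formats (classic and fine-grained GitHub personal access tokens, AWS access key IDs, private key headers, Slack tokens) and also decodes long base64 blobs a few layers deep before matching, because the real tj-actions payload double-base64-encoded the memory dump it printed. The log lines are constructed for the example, and the pattern set and the 40-character blob threshold are assumptions to extend for your own environment.

```python
import base64
import re

# Added example for this article; not code from tj-actions, GitHub or AKATI Sekurity.
# Token formats below are well known; the log lines are constructed for the example.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # assumption: 40+ chars is worth decoding


def redact(secret: str) -> str:
    """Keep enough of a match to triage it without re-logging the secret."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 14 else secret[:4] + "..."


def decode_layers(text: str, max_depth: int = 3):
    """Yield the text, then successive base64 decodings of any long blobs in it.
    Attackers encode dumps to slip past naive log scanners, so match at every layer."""
    yield text
    for _ in range(max_depth):
        decoded = []
        for blob in B64_BLOB.findall(text):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue          # not real base64, or binary: nothing to rescan
        if not decoded:
            return
        text = "\n".join(decoded)
        yield text


def scan_log(lines):
    """Return (line_no, pattern_name, redacted_match) for every secret found,
    including secrets hidden inside base64-encoded blobs."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for layer in decode_layers(line):
            for name, pattern in PATTERNS.items():
                for match in pattern.finditer(layer):
                    hits.append((line_no, name, redact(match.group(0))))
    return hits


# Constructed sample build log. The private key is double-base64-encoded the way
# the tj-actions payload encoded its memory dump; the key material is a placeholder.
_KEY_FRAGMENT = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA"
SAMPLE_LOG = [
    "Run changed-files step",
    "Fetching diff for 3 changed files",
    "env: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "GITHUB_TOKEN=ghp_" + "a" * 36,
    base64.b64encode(base64.b64encode(_KEY_FRAGMENT)).decode(),
]

if __name__ == "__main__":
    for line_no, name, preview in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name} {preview}")
```

Run against the constructed log, the scanner reports the AWS key on line 3, the GitHub token on line 4 and the private key header hidden two base64 layers deep on line 5. The point of the redaction step is that a detector which copies the full match into its own alert has just leaked the secret a second time.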


The problem your IAM programme was not built for

A non-human identity (NHI) is any credential used by a machine, application, or automated process rather than a person. Service accounts, API keys, OAuth tokens, bot credentials, CI/CD pipeline secrets, and the certificates your microservices use to talk to each other. All of them are identities. Almost none of them are governed like one.

Your IAM programme was built for people. People have managers, onboarding processes, and departure dates. When someone leaves, HR triggers offboarding. When a service account is no longer needed, nothing happens automatically. These accounts accumulate access across systems they were never intended to touch, and they sit there until someone thinks to look.

According to CyberArk's 2025 Identity Security Landscape, surveying 2,600 security decision-makers across 20 countries, machine identities now outnumber human identities by more than 82 to 1. Nearly half carry sensitive or privileged access.

OWASP's Non-Human Identity Top 10, published in 2025, codifies what follows from that gap. Among its ten entries are improper offboarding, secret leakage, overprivileged identities, and long-lived secrets. They are not exotic attack vectors. They are the default outcome when machine identities grow faster than governance.


Why attackers go after machines before people

The Verizon 2025 Data Breach Investigations Report, analysing over 22,000 incidents, found that stolen credentials were the single largest initial access vector, involved in 22% of all confirmed breaches. Third-party breaches doubled year-over-year, rising from 15% to 30% of all cases, with many traced directly to stolen machine credentials abused across supply chain connections.

The tj-actions attacker understood this logic precisely. They did not target the most protected identity in an organisation. They targeted a CI/CD bot token because a compromised action runs with whatever secrets and permissions the calling workflow holds, in every repository that uses it. One credential, chosen specifically for its downstream reach, exposed the secrets of 23,000 repositories.

IBM's Cost of a Data Breach Report 2025 gives the financial dimension: credential-based incidents take an average of 276 days to identify and contain. At a global average breach cost of USD 4.44 million, that detection gap is where the damage accumulates.

The shift security leaders need to articulate clearly to their boards: attackers are not getting smarter about breaking defences. They are getting better at finding the identities that defences were never applied to.


What your board needs to understand

Three things translate this into board-level decisions.

1. Supply chain exposure is your exposure. Your NHI risk extends well beyond your own environment. The Verizon 2025 DBIR found third parties involved in 30% of breaches, double the previous year's share. Every third-party tool and development dependency you connect to through an API key creates a potential entry point. Your vendors carry the same governance problem, and their incidents land in your environment.

2. AI is multiplying the problem this year. CyberArk found that 94% of organisations lack identity security controls specifically for AI agents. Microsoft Copilot, custom LLM deployments, and RPA bots deployed by individual business teams access CRM systems, financial data, and customer records, often with permissions nobody reviewed before deployment. Every AI agent is a new NHI, and most are being added with no governance framework in place.

3. Insurers are already asking the questions you cannot yet answer. CyberArk's 2025 research found 88% of security professionals reporting increased pressure from insurers to mandate enhanced privilege controls. The question "how many non-human identities do you have with admin-level access?" is increasingly part of cyber insurance renewal conversations. Most organisations cannot answer it. That gap is a coverage risk, not just a security risk.


Three questions to ask your team this week

Before any programme or tooling conversation, a security leader needs an honest current-state assessment. These three questions will tell you where you stand.

Do you have a complete inventory of your machine identities? Not just cloud IAM roles. Service accounts, API keys, OAuth grants, CI/CD tokens, bot accounts, TLS certificates, and AI agent credentials. If the answer is partial or uncertain, you are at the starting line. Discovery is week one.

Does every machine identity have a named human owner on record? The tj-actions token had no owner. That is not an isolated circumstance. CyberArk research found the majority of NHIs are orphaned within months of creation. If ownership is not a provisioning requirement in your environment, stale accounts are accumulating now.

When were your highest-privilege machine identities last rotated? IBM's research identified credentials over ten years old still active in enterprise environments. If you cannot state the last rotation date for your top-privilege service accounts, that credential is, for practical purposes, permanent.

If the answer to any of these is "we are not sure," that is where the programme starts. Not with tooling. With those three questions put to the IAM and cloud security leads before the end of the week.
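The three questions map directly onto the OWASP NHI Top 10 failure modes named earlier in this article: improper offboarding (NHI1), overprivileged identities (NHI5) and long-lived secrets (NHI7). The following added example, which is not tooling from OWASP, CyberArk or any vendor, shows how an inventory can be scored against those failure modes once the discovery step has produced one, and how the resulting remediation queue can be ordered. The inventory, the rotation and dormancy thresholds, the set of roles treated as privileged, and the ordering rule are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Added example for this article, not tooling from OWASP, CyberArk or any vendor.
# Thresholds, the privileged-role list and the inventory below are assumptions.
MAX_ROTATION_AGE_DAYS = 90   # assumption: high-value secrets rotate at least quarterly
DORMANT_AFTER_DAYS = 90      # assumption: unused for a quarter means nobody needs it
PRIVILEGED_ROLES = {"admin", "owner", "repo", "iam:*"}   # assumption: treated as high privilege


@dataclass
class MachineIdentity:
    name: str
    kind: str                        # pat, service_account, api_key, oauth_grant, cert, ai_agent
    owner: Optional[str]             # named human on record, None if orphaned
    created: date
    last_rotated: Optional[date]     # None: never rotated since creation
    last_used: Optional[date]        # None: never seen in audit logs
    roles: set = field(default_factory=set)
    systems_needed: set = field(default_factory=set)    # what the workload actually calls
    systems_granted: set = field(default_factory=set)   # what the credential can reach


def assess(ident: MachineIdentity, today: date) -> list:
    """Return the OWASP NHI Top 10 failure modes one identity exhibits:
    NHI1 improper offboarding, NHI5 overprivileged NHI, NHI7 long-lived secrets."""
    findings = []
    if not ident.owner:
        findings.append("NHI1:no-owner")               # nobody to ask whether it is still needed
    age = (today - (ident.last_rotated or ident.created)).days
    if age > MAX_ROTATION_AGE_DAYS:
        findings.append(f"NHI7:secret-age-{age}d")     # a permanent credential in practice
    if ident.last_used is None or (today - ident.last_used).days > DORMANT_AFTER_DAYS:
        findings.append("NHI1:dormant")                # still valid, nobody using it
    excess = ident.systems_granted - ident.systems_needed
    if excess:
        findings.append("NHI5:excess-" + ",".join(sorted(excess)))
    if ident.roles & PRIVILEGED_ROLES:
        findings.append("NHI5:privileged-role")
    return findings


def prioritise(inventory, today: date) -> list:
    """Order the remediation queue: privileged and ownerless identities first,
    then by number of findings. The ordering rule is an assumption."""
    scored = []
    for ident in inventory:
        findings = assess(ident, today)
        privileged = any(f.startswith("NHI5") for f in findings)
        ownerless = "NHI1:no-owner" in findings
        scored.append(((privileged, ownerless, len(findings)), ident.name, findings))
    scored.sort(key=lambda item: item[0], reverse=True)
    return [(name, findings) for _, name, findings in scored]


TODAY = date(2026, 4, 8)
INVENTORY = [   # constructed sample inventory, not real accounts
    MachineIdentity("ci-release-bot-pat", "pat", None, date(2023, 1, 10), None, date(2026, 4, 1),
                    roles={"repo"}, systems_needed={"github"}, systems_granted={"github"}),
    MachineIdentity("billing-svc", "service_account", "alice@example.com", date(2025, 11, 1),
                    date(2026, 3, 15), date(2026, 4, 7), roles={"read"},
                    systems_needed={"postgres"}, systems_granted={"postgres"}),
    MachineIdentity("legacy-export-key", "api_key", "bob@example.com", date(2021, 6, 1), None,
                    date(2025, 1, 2), roles={"admin"}, systems_needed={"s3"},
                    systems_granted={"s3", "rds", "iam"}),
    MachineIdentity("sales-copilot-agent", "ai_agent", None, date(2026, 3, 1), None,
                    date(2026, 4, 8), roles={"read"}, systems_needed={"crm"},
                    systems_granted={"crm", "finance"}),
]

if __name__ == "__main__":
    for name, findings in prioritise(INVENTORY, TODAY):
        print(f"{name:22s} {', '.join(findings) or 'clean'}")
```

On the sample inventory the ownerless CI bot token with repository-level rights sorts to the top of the queue, ahead of the dormant admin API key that has a named owner, and the recently rotated, least-privilege service account comes out clean. The systems_needed field is the part most organisations do not have: it has to come from what the workload actually calls, which is why discovery is week one.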


Key concepts for your internal discussions

The terminology around non-human identities is still settling across the industry. The definitions below reflect current usage in OWASP and CISA guidance, and are intended to give your team a shared language before bringing this topic to a board or risk committee.

What is a non-human identity (NHI)?

A non-human identity is any credential used by a machine, application, or automated process rather than a person. Examples include service accounts, API keys, OAuth tokens, bot credentials, CI/CD pipeline secrets, and certificates used for machine-to-machine authentication.

Why are NHIs more dangerous than compromised human accounts?

Machine identities operate continuously without breaks, usually fall outside the behavioural analytics and anomaly detection applied to human users, and rarely have a defined owner or expiration date. When compromised, they enable lateral movement at machine speed. IBM's Cost of a Data Breach research finds credential-based incidents among the slowest to identify and contain, and the detection gap cited earlier in this article is where the damage accumulates.

What was the tj-actions attack?

In March 2025, attackers compromised the tj-actions/changed-files GitHub Action used by over 23,000 repositories. The attack originated from a single stolen bot token with no owner record and no rotation history. It exposed CI/CD secrets including API keys, cloud credentials, and private RSA keys in plaintext. CISA listed it as CVE-2025-30066. Palo Alto Networks Unit 42 reported that the campaign initially targeted Coinbase, with the other 23,000 repositories caught in the blast radius.

How many NHIs does a typical enterprise have?

CyberArk's 2025 survey of 2,600 security decision-makers found a machine-to-human identity ratio exceeding 80:1 in most enterprise environments. In financial services, that ratio reaches 500:1 in some organisations. The gap is expected to widen as cloud adoption, automation, and AI agent deployment accelerate.

What is identity sprawl?

Identity sprawl is the accumulation of machine identities, credentials, and permissions across an enterprise that exceeds the organisation's capacity to govern them. OWASP's NHI Top 10 catalogues the failure modes that produce it: improper offboarding, long-lived secrets, and excessive privilege granted at provisioning.



Disclaimer: This article is intended for informational purposes only and does not constitute legal, compliance, or technical advice. Statistics and incident details cited reflect publicly available information as of the date of publication. Organisations should conduct their own assessment and consult qualified advisors before making cybersecurity or identity governance decisions. AKATI Sekurity makes no representations regarding the completeness or accuracy of third-party sources referenced herein.
