Non-human identities: The invisible security threat reshaping identity access management
The explosion in digital automation, particularly the rise of non-human identities (NHIs) such as bots, APIs, service accounts and machine agents, is creating a new security blind spot in Australia's digital ecosystem.
In some cases these digital entities outnumber human users by 50:1, a lopsided ratio that creates growing risk for organisations as they scale up their use of automation and agentic AI.
We are now seeing these risks play out across Australian industries, from universities to banks and airlines, with attacks that often result in significant financial and reputational fallout.
This underscores the urgent need for stronger cyber governance across sectors, and the Australian Government's forthcoming AI Assurance Framework, coupled with new privacy and national security compliance obligations, is drawing a much tighter net.
New identities bring new risks
As agent-to-agent communication becomes a standard feature of enterprise workflows, NHIs are quickly emerging as one of the most significant attack surfaces. Yet most organisations still treat NHIs as secondary, without the safeguards routinely applied to human accounts.
For many organisations, this is unfamiliar territory. Identity and credential management typically focuses on human users, and the familiar threat is a compromised employee account, which can be used to bypass controls, access sensitive systems, or move laterally, often without immediately raising red flags.
But NHIs introduce a different kind of threat. Unlike human users, NHIs operate continuously in the background and at machine speed, often with persistent access across multiple systems. When a bot, script, or API token is compromised, the impact can be immediate and far-reaching.
The most common blind spots for Australian organisations when it comes to managing non-human identities are:
- Limited visibility: Many security teams lack centralised visibility of NHIs across cloud and on-prem systems, making it difficult to assess exposure or enforce policy.
- Weak credential hygiene: Static credentials, long-lived tokens, and hard-coded secrets are still common and often reused across environments without rotation.
- Excessive access: NHIs frequently receive broad, persistent privileges because their roles are not clearly defined, expanding the blast radius in cases of compromise.
- No lifecycle ownership: Unlike human identities, NHIs rarely follow a formal lifecycle. Orphaned accounts linger long after they are needed, creating low-hanging fruit for attackers.
Even active identities can lack accountability, as it is not always clear who owns an NHI's access decisions or who is responsible for retiring it when its role changes. These conditions create a perfect storm of highly privileged identities operating across critical systems, often without the same oversight or auditability that gets applied to human users.
Rethinking insider threats in an automated landscape
Automation has changed the definition of an insider threat. What used to mean a human with malicious intent now includes compromised scripts and machine agents acting autonomously.
These agents hold privileged credentials and run without a human in the loop, so a single compromise can ripple across systems before anyone notices.
We cannot apply human assumptions to machine identities, because they behave differently, and our monitoring tools must evolve to recognise that. A login at 3 a.m. is suspicious for a person but routine for a nightly backup job; the same job suddenly creating access keys from an unfamiliar host in the middle of the afternoon is the real anomaly. Traditional detection tools and access monitoring are not necessarily tuned to baseline this kind of highly regular, machine-speed behaviour, and least-privilege principles are not always extended to machine actors.
Rethinking insider risk through the lens of automation requires a shift in how teams think about behaviour, intent and identity, especially in environments where agent-to-agent communication is normalised and rarely policed.
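Because a well-behaved NHI is repetitive, its baseline is narrow and deviations stand out more sharply than they do for people. The script below, added here as an example and not code from the original article or any real detection product, learns a per-identity profile (source hosts, actions, hours of day) from a few constructed log lines for a nightly backup service account and then flags events that fall outside it. The `identity=... src=... action=... resource=...` log format, the field names and the three alert rules are assumptions for this example; an identity with no baseline at all is also reported, since that is the visibility gap described earlier.

```python
"""Baseline-and-deviation detection for a machine identity, run over
constructed log lines. The log format, field names and the alert rules are
assumptions made for this example, not the output or logic of any real tool."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed format: ISO-8601 UTC timestamp, then space-separated key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    identity: str
    src: str
    action: str
    resource: str


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return Event(
        ts=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        identity=fields["identity"], src=fields["src"],
        action=fields["action"], resource=fields["resource"],
    )


def build_baseline(events) -> dict[str, dict[str, set]]:
    """Per identity, the sources, actions and hours-of-day seen in the learning window.
    A well-behaved NHI is repetitive, so these sets stay small and anything outside them is notable."""
    baseline = defaultdict(lambda: {"src": set(), "action": set(), "hour": set()})
    for e in events:
        baseline[e.identity]["src"].add(e.src)
        baseline[e.identity]["action"].add(e.action)
        baseline[e.identity]["hour"].add(e.ts.hour)
    return dict(baseline)


def detect(baseline, events) -> list[str]:
    """One alert string per deviation; an identity with no baseline at all is itself a finding."""
    alerts = []
    for e in events:
        tag = f"{e.identity} {e.ts:%Y-%m-%dT%H:%M}Z"
        profile = baseline.get(e.identity)
        if profile is None:
            alerts.append(f"{tag}: no baseline for identity (unknown NHI, visibility gap)")
            continue
        if e.src not in profile["src"]:
            alerts.append(f"{tag}: new source {e.src}")
        if e.action not in profile["action"]:
            alerts.append(f"{tag}: new action {e.action} on {e.resource}")
        if e.ts.hour not in profile["hour"]:
            alerts.append(f"{tag}: unusual hour {e.ts.hour:02d}")
    return alerts


def detect_anomalies(baseline_lines, new_lines) -> list[str]:
    baseline = build_baseline(parse_line(l) for l in baseline_lines)
    return detect(baseline, [parse_line(l) for l in new_lines])


# Constructed sample logs: a nightly backup job that always runs at 02:00 from one host.
BASELINE_LINES = [
    "2024-06-27T02:00:03Z identity=backup-sa src=10.0.1.7 action=s3:PutObject resource=backups/2024-06-27.tar.gz",
    "2024-06-28T02:00:05Z identity=backup-sa src=10.0.1.7 action=s3:PutObject resource=backups/2024-06-28.tar.gz",
    "2024-06-28T02:03:10Z identity=backup-sa src=10.0.1.7 action=s3:GetObject resource=backups/manifest.json",
    "2024-06-29T02:00:02Z identity=backup-sa src=10.0.1.7 action=s3:PutObject resource=backups/2024-06-29.tar.gz",
]
NEW_LINES = [
    # Benign: the usual job at the usual time from the usual host.
    "2024-06-30T02:00:04Z identity=backup-sa src=10.0.1.7 action=s3:PutObject resource=backups/2024-06-30.tar.gz",
    # Suspicious: same identity, new host, new action, wrong time of day.
    "2024-06-30T14:37:51Z identity=backup-sa src=203.0.113.9 action=iam:CreateAccessKey resource=user/backup-sa",
    # An identity nobody has a baseline for at all.
    "2024-06-30T14:38:02Z identity=unknown-bot src=203.0.113.9 action=s3:ListBucket resource=backups",
]

if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE_LINES, NEW_LINES):
        print(alert)
```

The benign 02:00 run produces nothing, the afternoon key-creation event produces three separate alerts (new source, new action, unusual hour), and `unknown-bot` is reported because it was never inventoried. An exact hour-of-day match is deliberately crude; a production rule would allow a tolerance window and track request volume as well, but the underlying point holds: the profile of a machine identity is narrow enough that a simple set difference catches what a human-centric rule set would miss.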
Incorporating NHIs in identity-first security
Securing non-human identities does not mean reinventing IAM; it means applying the same fundamentals that already protect human users - verifying every identity, limiting access based on need, and maintaining clear ownership throughout the lifecycle. In practice that means replacing static secrets with short-lived, automatically rotated credentials wherever the platform supports them, scoping each NHI to the specific actions and resources its job requires, and recording a named owner and a review or expiry date for every identity so that it can be retired when its role ends.
For Australian CISOs, visibility across both human and machine identities is now fundamental to maintaining trust, compliance, and resilience. As privacy expectations tighten and AI automation expands, this balance will define how secure and accountable modern organisations truly are.