As SaaS ecosystems expand, not every user is human anymore. AI assistants, automation bots, integration services, and API tokens now perform countless actions across business cloud applications, often with access privileges equal to or greater than those of employees.

These non-human identities (NHIs) are silently driving productivity while introducing a new class of risk: unmonitored, long-lived, and often misunderstood access. These machine credentials (service accounts, API keys, OAuth tokens, etc.) are essential for automation and integrations, but their growth far outpaces the oversight and security controls applied to them.

The result is a widening visibility gap. Many NHIs hold broad permissions within SaaS apps, sometimes more than a human user, yet they rarely receive the same scrutiny as employee accounts. Over-privilege is common: about one-third of SaaS app integrations have access to sensitive data beyond what they need.

Let's examine a few notable data breaches where compromised non-human identities were the weak link.

Examples of Data Breaches Involving NHIs

The risks posed by unmanaged NHIs are far from theoretical; attackers have already targeted these hidden identities in several high-profile breaches.

Salesloft/Drift OAuth Token Breach (2025)

In August 2025, attackers breached Salesloft's SaaS platform and stole OAuth access tokens issued to its Drift chatbot integration with Salesforce. Those tokens function as a trusted non-human identity between Drift and Salesforce, and OAuth access tokens are bearer credentials: whoever holds one is the integration, with no password or MFA challenge involved. The attackers used them to impersonate the integration and access Salesforce CRM data at hundreds of organizations. Over a roughly ten-day campaign they queried and exfiltrated sensitive records, including credentials such as AWS keys and Snowflake tokens that customers had stored in support case data.

New York Times GitHub Token Leak (2024)

In January 2024, the New York Times suffered a breach not through a phished password or a zero-day exploit, but via an exposed GitHub token. Attackers found a token for the Times' GitHub repositories that had inadvertently been made public and used it to access about 270 GB of internal source code and data. The token acted as a non-human identity with broad privileges, allowing direct repository access without any interactive login, so no password or MFA prompt stood in the way. The incident, effectively an attacker logging in with an unmanaged machine credential, shows how powerful these tokens are if left unprotected.

Cloudflare Atlassian Compromise (2023)

The fallout from the 2023 Okta support-system breach revealed the danger of orphaned and unrotated service credentials. Cloudflare, an Okta customer, rotated more than 5,000 production credentials after the incident. However, one service token and three service-account credentials were overlooked because they were believed to be unused, and they remained valid. Attackers used those leftover credentials to gain access to Cloudflare's Atlassian suite (Jira, Confluence, Bitbucket), effectively bypassing the human credential reset effort. This example shows how a single forgotten machine identity can undermine an otherwise strong incident response, offering attackers a stealthy backdoor into systems.

How Dynamic SaaS Security Platforms Can Help

Addressing the NHI challenge means rethinking traditional identity and SaaS security. This is where Dynamic SaaS Security Platforms come into play. Unlike static controls or one-off audits, a dynamic approach adapts to the complex web of SaaS apps, identities, and integrations in your environment. In practice, a Dynamic SaaS Security Platform (for example, one with identity threat detection and response capabilities) provides multiple layers of defense against NHI-related risks:

Unified Visibility of All Identities

You can't secure what you don't know exists. Security teams need real-time visibility into all non-human identities in their SaaS stack. This means automatically discovering third-party app connections, service accounts, API tokens, and scripts across every SaaS application. By mapping out these NHIs and their access permissions, organizations can finally illuminate the shadow identities lurking in their environment.

Least Privilege Enforcement

Not all integrations or tokens are created equal; some carry far more privileges than they need. Dynamic SaaS security tools analyze NHI permissions and usage context to flag overly permissive or high-risk access. For instance, the platform might detect an OAuth app that requests an unusually broad set of scopes, or a service account with admin-level API rights, and then alert on it or automatically restrict it. Enforcing least privilege for NHIs (ensuring an integration can reach only the specific data it requires) dramatically reduces the blast radius if that credential is compromised.
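The discovery and least-privilege checks described in the last two sections reduce to a small, scriptable audit: list every machine identity, compare the scopes it holds against the scopes its workflow actually needs, and rank the gap. The script below is an added example, not Reco's code or any vendor's: the records are constructed, the scope names are modelled on Salesforce connected-app OAuth scopes, and both the `BROAD_SCOPES` risk tier and the `required` scope lists (which in practice come from an access review) are assumptions.

```python
"""Inventory non-human identities and flag over-privileged ones.

Added example, not Reco's code: the records are constructed, the scope names
are modelled on Salesforce connected-app OAuth scopes, and the BROAD_SCOPES
risk tier is this script's own assumption rather than any vendor's rating.
"""
from dataclasses import dataclass

# Assumption: scopes that grant near-total or persistent access to a tenant.
BROAD_SCOPES = frozenset({"full", "refresh_token", "offline_access"})


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str               # "oauth_app", "service_account", "api_key", "bot"
    granted: frozenset      # scopes the credential actually holds
    required: frozenset     # scopes its workflow needs, from an access review


def excess_scopes(nhi):
    """Scopes held but not justified by the identity's documented function."""
    return nhi.granted - nhi.required


def classify(nhi):
    """'over_privileged' if an unneeded broad scope is held, 'excess' for any
    other unneeded scope, 'least_privilege' when granted == required."""
    extra = excess_scopes(nhi)
    if extra & BROAD_SCOPES:
        return "over_privileged"
    if extra:
        return "excess"
    return "least_privilege"


def inventory_report(nhis):
    """Map name -> (kind, classification, sorted list of excess scopes)."""
    return {n.name: (n.kind, classify(n), sorted(excess_scopes(n))) for n in nhis}


# Constructed sample, shaped like a discovery export from a SaaS tenant.
SAMPLE = [
    NHI("support-chatbot", "oauth_app",
        frozenset({"api", "refresh_token", "full"}), frozenset({"api"})),
    NHI("billing-sync", "service_account",
        frozenset({"api", "refresh_token"}), frozenset({"api", "refresh_token"})),
    NHI("report-exporter", "api_key",
        frozenset({"api", "chatter_api"}), frozenset({"api"})),
]

if __name__ == "__main__":
    for name, (kind, verdict, extra) in inventory_report(SAMPLE).items():
        print(f"{name:16} {kind:16} {verdict:16} excess={extra}")
```

The useful output is the excess-scope list per identity rather than the label: that list is what goes back to the integration owner, or into the platform's restrict action, when a grant is tightened. Note that `refresh_token` is treated as broad because it turns a short-lived grant into a long-lived one, which is exactly the property that made stolen tokens valuable in the Salesloft case.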

Continuous Anomaly Monitoring

Dynamic security means continuously monitoring identity behavior across your SaaS ecosystem. The platform establishes a baseline for how each NHI normally behaves (which systems it connects to, from where, at what times, and with what volume) and then watches for deviations. If an API key suddenly starts pulling massive amounts of data at 2 AM, or a normally quiet integration account begins reading sensitive finance records, those anomalies are flagged for investigation.
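As an added example (not Reco's detection logic and not part of the original article), the script below learns the baseline the paragraph describes from a few constructed audit lines and then tags later events that deviate from it: off-hours activity, a volume spike, a first touch of a sensitive object, a new source IP, or an identity with no history at all. The line format, the `VOLUME_MULTIPLIER` threshold and the `SENSITIVE_OBJECTS` set are assumptions made for this illustration.

```python
"""Baseline-and-deviation monitoring for machine identities.

Added example, not Reco's detection logic: the audit lines are constructed,
the field layout is invented for this script, and the thresholds
(VOLUME_MULTIPLIER, SENSITIVE_OBJECTS) are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"(?P<ts>\S+) identity=(?P<identity>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) rows=(?P<rows>\d+) ip=(?P<ip>\S+)"
)
VOLUME_MULTIPLIER = 10                      # assumption: 10x median rows is a spike
SENSITIVE_OBJECTS = {"Payroll", "Invoice"}  # assumption: finance records


def parse(line):
    """Parse one constructed audit line into a dict with typed ts/rows."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rows"] = int(ev["rows"])
    return ev


def build_baseline(events):
    """Per identity: hours of day seen, objects touched, source IPs, median row count."""
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["identity"]].append(ev)
    return {
        ident: {
            "hours": {ev["ts"].hour for ev in evs},
            "objects": {ev["obj"] for ev in evs},
            "ips": {ev["ip"] for ev in evs},
            "rows_median": statistics.median(ev["rows"] for ev in evs),
        }
        for ident, evs in by_id.items()
    }


def detect(ev, baseline):
    """Tags describing how ev deviates from its identity's baseline ([] = normal)."""
    b = baseline.get(ev["identity"])
    if b is None:
        return ["unknown_identity"]          # never seen: nothing to compare against
    tags = []
    if ev["ts"].hour not in b["hours"]:
        tags.append("off_hours")
    if ev["obj"] not in b["objects"]:
        tags.append("new_object")
        if ev["obj"] in SENSITIVE_OBJECTS:
            tags.append("sensitive_object")
    if ev["ip"] not in b["ips"]:
        tags.append("new_source_ip")
    if ev["rows"] > VOLUME_MULTIPLIER * b["rows_median"]:
        tags.append("volume_spike")
    return tags


def run(training_lines, live_lines):
    """Learn a baseline from training_lines, then tag each live line."""
    baseline = build_baseline(parse(line) for line in training_lines)
    return {line: detect(parse(line), baseline) for line in live_lines}


# Constructed sample: two days of normal activity, then a day to evaluate.
TRAINING = [
    "2025-09-01T09:05:00Z identity=billing-sync action=Query object=Invoice rows=120 ip=203.0.113.10",
    "2025-09-01T13:05:00Z identity=billing-sync action=Query object=Invoice rows=110 ip=203.0.113.10",
    "2025-09-02T09:05:00Z identity=billing-sync action=Query object=Invoice rows=130 ip=203.0.113.10",
    "2025-09-02T13:05:00Z identity=billing-sync action=Query object=Account rows=40 ip=203.0.113.10",
    "2025-09-01T10:00:00Z identity=support-chatbot action=Query object=Case rows=5 ip=198.51.100.7",
    "2025-09-02T10:00:00Z identity=support-chatbot action=Query object=Case rows=8 ip=198.51.100.7",
]
LIVE = [
    "2025-09-03T02:00:00Z identity=billing-sync action=Query object=Invoice rows=5000 ip=203.0.113.10",
    "2025-09-03T10:00:00Z identity=support-chatbot action=Query object=Payroll rows=7 ip=198.51.100.7",
    "2025-09-03T09:05:00Z identity=billing-sync action=Query object=Invoice rows=125 ip=203.0.113.10",
    "2025-09-03T11:00:00Z identity=ci-deploy-key action=Query object=User rows=3 ip=192.0.2.9",
]

if __name__ == "__main__":
    for line, tags in run(TRAINING, LIVE).items():
        print("ALERT" if tags else "ok   ", tags, line)
```

Two of the live lines are worth a second look. A previously unseen identity gets `unknown_identity` because there is no baseline to compare it with; that is itself an alert, since it means the discovery inventory and the audit log disagree. A known identity touching a new sensitive object is flagged even though its timing, source IP and volume all look normal, which is the pattern in the "quiet integration starts reading finance records" case above.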

Remediation and Rotation

Speed is everything once a machine identity is compromised. Dynamic SaaS Security Platforms integrate with your SaaS applications to automate response actions. Upon detecting a high-risk event (say, a suspected malicious OAuth app installation or a leaked key in use), the platform can automatically revoke the token, disable the app integration, or quarantine the account, cutting off the attacker's access immediately. Revocation is only the first step, though: anything the credential could have read, including other secrets stored inside the application, must be treated as exposed and rotated as well. These platforms also help enforce hygiene by automating the rotation of credentials and the expiration of tokens.
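The Cloudflare case above is, at bottom, a rotation-coverage gap: credentials minted before an incident that nobody rotated because they were believed to be unused. The script below is an added example (not Reco's code and not from the original article) of the lifecycle checks this section and the checklist call for, run over constructed credential records: it flags orphaned credentials for revocation, unused ones as stale, and anything created before an incident and not rotated since as a coverage gap. The 90-day staleness window, the record layout and the incident date are assumptions.

```python
"""Lifecycle checks for machine credentials: orphaned, stale, and unrotated
after an incident.

Added example, not Reco's code: the credential records and dates are
constructed, and the 90-day staleness window is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_AFTER = timedelta(days=90)   # assumption: unused this long means revoke


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                       # "service_token", "service_account", "api_key"
    owner_active: bool              # False when the accountable person/team is gone
    created: datetime
    last_rotated: datetime          # equals created if never rotated
    last_used: Optional[datetime]   # None if never used


def unrotated_since(cred, incident_at):
    """True if the secret existed at incident time and is still the same secret."""
    return cred.created < incident_at and cred.last_rotated < incident_at


def lifecycle_actions(creds, now, incident_at=None):
    """Map credential name -> ordered list of recommended actions.

    'revoke:orphaned'                  no accountable owner (ghost NHI)
    'revoke:stale'                     unused for longer than STALE_AFTER
    'rotate:unrotated_since_incident'  minted before incident_at and not rotated
                                       since; catches the "we thought it was
                                       unused" credential a reset sweep missed
    """
    actions = {}
    for c in creds:
        todo = []
        if not c.owner_active:
            todo.append("revoke:orphaned")
        elif c.last_used is None or now - c.last_used > STALE_AFTER:
            todo.append("revoke:stale")
        if incident_at is not None and unrotated_since(c, incident_at):
            todo.append("rotate:unrotated_since_incident")
        actions[c.name] = todo
    return actions


def rotation_gaps(creds, incident_at):
    """Names of credentials an incident-response rotation sweep has not covered."""
    return sorted(c.name for c in creds if unrotated_since(c, incident_at))


# Constructed sample: an incident on 1 June, reviewed a month later.
INCIDENT_AT = utc(2024, 6, 1)
NOW = utc(2024, 7, 1)
SAMPLE = [
    Credential("wiki-service-token", "service_token", True,
               utc(2024, 1, 10), utc(2024, 1, 10), utc(2024, 6, 28)),
    Credential("hr-sync-sa", "service_account", False,
               utc(2024, 3, 1), utc(2024, 6, 5), utc(2024, 6, 20)),
    Credential("legacy-export-key", "api_key", True,
               utc(2023, 9, 1), utc(2023, 9, 1), utc(2024, 2, 1)),
    Credential("ci-bot", "service_account", True,
               utc(2024, 6, 10), utc(2024, 6, 10), utc(2024, 6, 30)),
]

if __name__ == "__main__":
    for name, todo in lifecycle_actions(SAMPLE, NOW, INCIDENT_AT).items():
        print(f"{name:20} {todo or ['ok']}")
    print("rotation gaps:", rotation_gaps(SAMPLE, INCIDENT_AT))
```

The deliberate point of the sample is `wiki-service-token`: it is actively used and has an owner, so neither the stale nor the orphan check touches it, yet it is exactly the credential an attacker who obtained pre-incident secrets can still use. Only the incident-anchored rotation check catches it, which is why post-incident rotation should be driven by "created before the incident" rather than by "looks unused".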

A Security Checklist - Mitigating NHI Proliferation

You can use this security checklist for preventative first steps:

Checklist (mark each item Y/N)

[ ] Discover all non-human identities across your SaaS stack
    Inventory OAuth apps, API keys, service accounts, and automation bots. Don't rely on manual discovery; use automated tooling for full visibility.
[ ] Classify each NHI by type and function
    Label identities as integrations, AI assistants, RPA bots, etc., so that risk controls can be tailored accordingly.
[ ] Assess privilege scope for each NHI
    Flag identities with admin or sensitive-data access. Audit the scopes granted via OAuth and the usage context of service accounts.
[ ] Enforce least privilege across all NHIs
    Ensure tokens and apps can only access what they need, and no more. Remove broad, unused, or risky scopes.
[ ] Monitor identity behavior for anomalies
    Establish usage baselines and flag deviations such as unusual access times, source IP addresses, or data volumes.
[ ] Apply multi-factor-like protections to NHIs where possible
    MFA rarely applies to a token, so enforce compensating controls: IP restrictions, narrowly scoped access, short token lifetimes, and monitored sessions.
[ ] Automate credential rotation and expiration
    Use tooling that detects stale tokens, rotates secrets regularly, and auto-expires unused credentials.
[ ] Detect and disable orphaned or ghost NHIs
    Find and revoke credentials not tied to an active workflow or owner; these are prime targets for attackers.
[ ] Respond automatically to suspicious activity
    Use dynamic security platforms to quarantine suspicious tokens, disable rogue apps, and raise alerts in real time.
[ ] Maintain a real-time inventory of all third-party integrations
    Track new apps as they're connected, especially those added via user consent (OAuth), and verify they are approved and safe.

Finally - Secure Your SaaS, Humans and Beyond

If you're looking for a Dynamic SaaS Security Platform that does this all for you, try out Reco.

Reco delivers end-to-end visibility into human and non-human identities, automatically enforces least privilege, detects anomalies in real time, and revokes risky access before it's exploited. With Reco, you can finally take back control of your SaaS environment, without slowing down the innovation and automation that drive your business.

Book a demo or start a free trial at reco.ai today.

About the Author: Gal is the Cofounder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister's Office. He is a tech enthusiast with a background as a security researcher and hacker. Gal has led teams in multiple cybersecurity areas, with expertise in the human element.

Gal Nakash, CPO and Cofounder at Reco
This article is a contributed piece from one of our valued partners.