
The NHI Kill Chain Series

Nine recurring patterns in how non-human identity security fails

Modern organizations break credential management the same ways, over and over. The Cremit research team documented nine structural patterns of NHI security failure, with detection, prevention, and recovery approaches for each.

Why credentials fail in production, again and again

The hard part of NHI security is not that new threats appear weekly. It is that the same patterns recur, in different companies, at different times. A departed developer's AWS key stays active for ninety-plus days. A password is hardcoded next to the secrets manager. A single key, never rotated for three years, holds up an entire production stack.

This series documents nine structural failure modes the Cremit research team has observed inside customer environments. Each post takes one credential failure pattern and walks through how it leads to compromise in practice — case study, detection technique, response runbook. Not abstract best practices. Patterns you will recognize immediately if you have seen even one incident.

The final post (#9, the series summary) shows how the eight patterns chain into each other to produce real incidents, and what single principle unifies the fix across all of them.

Real incidents combine two or three patterns at once

Break down a real breach and you will rarely find one cause. The April 2026 Bitwarden CLI npm supply-chain incident combined a Public Key (exposed package), an Aged Key (unrotated CI token), and an Over-shared Key (the same token across several environments). The 2025 tj-actions/changed-files compromise was a Drifted Key (dev-to-prod credential flow) made unrecoverable by an Unattributed Key (no owner could be paged).

You can read each post as a standalone risk and get value. Read the series as a whole and you start being able to debug live incidents in the same vocabulary. Postmortems become "this was a Ghost Key, with an Aged Key on top" — which is much faster than re-deriving the failure shape from first principles every time.

Where to start

Different starting points make sense for different goals. You do not have to read the series in order.

  • If you just had an incident: Start with Zombie Key (#5) and Public Key (#7). Those two patterns show up in postmortems most often.
  • If you are heading into an audit: Ghost Key (#1), Unattributed Key (#8), and Aged Key (#3). They cover the three gaps an audit will probe — inventory, ownership, rotation policy.
  • If NHIs are new to your team: Start with the Series Summary (#9). It shows the whole nine-part picture and links into individual posts for the patterns most relevant to you.
  • If you are focused on CI/CD security: Drifted Key (#6) and Over-shared Key (#4). Both walk through how pipelines flatten and duplicate credentials in ways that survive after the pipeline itself is gone.

Each post stands alone. They take the same kind of incident and decompose it from different angles, so reading two or three side by side gets you to pattern recognition fastest.
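A small triage script, added here as an illustration and not part of the series or of the Argus product, that applies the pattern definitions used above to a constructed credential inventory: Ghost Key (missing from inventory), Unattributed Key (no owner), Aged Key (not rotated inside a rotation window), Over-shared Key (one credential seen in several environments), Drifted Key (a non-prod credential observed in prod). The 90-day rotation window, the record fields and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed rotation policy: anything older than this is an Aged Key.
MAX_KEY_AGE_DAYS = 90


@dataclass
class Credential:
    key_id: str
    owner: Optional[str]      # None means nobody can be paged for it
    created_in: str           # environment that issued the credential
    seen_in: set              # environments where it is actually used
    last_rotated: Optional[date]
    in_inventory: bool        # known to the secrets inventory at all?


def classify(cred: Credential, today: date) -> list:
    """Return every NHI Kill Chain pattern the credential exhibits.

    A single key can match several patterns at once, which mirrors the
    postmortem vocabulary ("an Unattributed Key with an Aged Key on top").
    """
    patterns = []
    if not cred.in_inventory:
        patterns.append("Ghost Key")
    if not cred.owner:
        patterns.append("Unattributed Key")
    if cred.last_rotated is None or (today - cred.last_rotated).days > MAX_KEY_AGE_DAYS:
        patterns.append("Aged Key")
    if len(cred.seen_in) > 1:
        patterns.append("Over-shared Key")
    if cred.created_in != "prod" and "prod" in cred.seen_in:
        patterns.append("Drifted Key")
    return patterns


# Constructed sample inventory (not real credentials or customer data).
INVENTORY = [
    Credential("akia-ci-01", None, "ci", {"ci", "staging", "prod"}, date(2023, 4, 1), True),
    Credential("svc-billing", "payments-team", "prod", {"prod"}, date(2026, 3, 15), True),
    Credential("dev-token-7", "alice", "dev", {"dev"}, None, False),
]


def triage(creds, today: date) -> dict:
    """Map every key id to its list of matched patterns (empty list = clean)."""
    return {c.key_id: classify(c, today) for c in creds}


if __name__ == "__main__":
    for key_id, found in triage(INVENTORY, date(2026, 5, 1)).items():
        print(f"{key_id}: {', '.join(found) or 'no pattern matched'}")
```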

Frequently asked questions

What exactly is a non-human identity (NHI)?

An NHI is any credential a system uses to authenticate to another system — API keys, service accounts, OAuth tokens, certificates, CI/CD bot tokens, machine SSH keys. Organizations typically have 50–100x more NHIs than human users, and they rotate less often, are owned less clearly, and are inventoried much less rigorously than human accounts.

How is this different from the OWASP NHI Top 10?

The OWASP NHI Top 10 is a threat taxonomy. The NHI Kill Chain is a scenario-level decomposition of how those threats become breaches in practice. The two views are complementary — the Top 10 tells you what to worry about; the Kill Chain shows you how the same patterns produce real incidents over and over.

How long does it take to read the whole series?

About 8–12 minutes per post, roughly 90 minutes for all nine. Most teams do not read them in one sitting — each post stands alone, so one or two per week works well as part of a security weekly. The length is also a fit for using a single post as a security-team discussion seed.

Can these patterns be detected automatically?

Cremit Argus is built to detect all nine patterns — it scans public and private repositories, CI/CD secrets, and cloud IAM, maps credential ownership, and runs rotation workflows. Each post in this series spells out the signals that indicate the pattern, so the writeups also work as a reference if you want to build the detection rules yourself.

Who wrote this and is the content peer-checked?

Written by the Cremit security research team. Each pattern is grounded in incidents observed inside customer environments. When external incidents are cited (Bitwarden CLI, tj-actions, Trivy supply chain), the original sources are linked inline. Statistics carry citations to their primary source.
