Tags: NHI, Non-Human Identity, NIS2, IAM, Service Accounts

Non-Human Identity (NHI) Security Guide for German Enterprises

February 27, 2026


Your firewall is configured. Your endpoint agents are running. Your SOC analysts review alerts every morning.

And somewhere in your environment, a service account last rotated in 2019 is silently connecting to your production database with admin privileges — and nobody knows it exists.

This is the NHI problem. It’s the fastest-growing attack vector in enterprise security, and German enterprises are uniquely exposed.


What Is a Non-Human Identity?

A Non-Human Identity (NHI) is any digital credential or identity used by software, systems, or automated processes — not by a human being. NHIs authenticate, authorise, and operate continuously, often with more access than the humans who created them.

In practice, NHIs in a typical German enterprise include:

  • Service accounts — Active Directory accounts used by applications, scheduled tasks, and middleware
  • API keys — Credentials for connecting to SaaS platforms, internal APIs, and cloud services
  • OAuth tokens — Delegated access tokens for Microsoft 365, Salesforce, SAP integrations
  • SSH keys — Used by DevOps pipelines, servers, and automated deployment tools
  • Machine certificates — TLS/mTLS certificates authenticating servers and services to each other
  • Bot credentials — RPA bots (UiPath, Automation Anywhere), monitoring agents, backup jobs
  • Cloud IAM roles — AWS/Azure/GCP service principals, managed identities, workload identities
  • CI/CD secrets — GitHub Actions secrets, GitLab CI variables, Jenkins credentials

Each one is an identity. Each one needs to be created, managed, audited, and revoked. In most German enterprises, fewer than 30% of them are.


The Scale of the Problem

  • 150–300: NHIs per average German enterprise (1,000–5,000 employees)
  • 70%+: NHIs that are unmanaged, undocumented, or over-privileged
  • €50K: Average breach cost from a single compromised service account
  • 68%: German companies that experienced a cyber incident in 2024 (BSI)

For every human identity in your organisation, you have roughly 10–45 non-human identities. A company with 300 employees doesn’t have 300 identities to manage — it has 3,000–14,000.

The growth is accelerating. Every SaaS integration you add creates new API keys. Every DevOps pipeline creates secrets. Every cloud workload creates service principals. Every RPA deployment creates bot credentials. The machine population grows faster than any team can track manually.

Why NHIs Are More Dangerous Than Human Accounts

Human identities have natural constraints. Employees follow (most) security policies. Phishing awareness training helps. MFA slows attackers down. Departing employees trigger offboarding processes.

NHIs have none of these protections:

  1. They don’t rotate automatically — A human password policy forces rotation. A service account password can sit unchanged for years.
  2. They don’t go inactive — Humans take holidays. Service accounts run 24/7, making anomaly detection harder.
  3. They’re over-privileged by default — Developers grant “admin” because it’s easier than scoping permissions correctly, and nobody reviews them.
  4. They’re invisible to traditional PAM — Most Privileged Access Management tools are built for human accounts. NHIs slip through.
  5. Offboarding is broken — When the developer who created that Jenkins service account leaves, the account stays — forever.

The MusterSec Reality Check

Consider MusterSec, a mid-sized German manufacturing company with 800 employees and operations across three sites.

Their CyberArk deployment covers 34 managed privileged accounts. What their security team didn’t know: there are 156 NHIs running in their environment.

That means 122 identities (78%) operate completely outside any privileged access management:

  • 23 legacy service accounts in Active Directory, some dating to their ERP migration in 2017
  • 41 API keys embedded in application config files (several in plaintext)
  • 19 OAuth tokens granted to third-party integrations, half connected to apps no longer used
  • 15 SSH keys on production servers, shared between DevOps engineers who’ve since left
  • 18 certificates approaching expiry — with no automated renewal process
  • 6 RPA bot credentials with domain admin privileges “because the automation kept failing”

One compromised API key in that list gives an attacker access to MusterSec’s ERP system. One expired certificate causes a production outage. One forgotten service account with admin rights becomes the lateral movement path through the entire network.

This isn’t an edge case. This is the median German enterprise.


Framework Requirements: What the Law Says About NHIs

German enterprises operating under NIS2, ISO 27001, or BSI IT-Grundschutz aren’t just facing a security problem — they’re facing a compliance mandate.

**The regulatory reality:** Non-human identities are explicitly covered by NIS2, ISO 27001:2022, and BSI IT-Grundschutz. "We didn't know" is not a defence when a regulator asks about your service account inventory.

NIS2 Article 21(2)(i) — Access Control and Asset Management

NIS2 Article 21 mandates ten specific security measures for essential and important entities. Article 21(2)(i) requires “policies and procedures regarding the use of cryptography and, where appropriate, encryption” — but the access control requirements extend throughout the article.

More directly applicable: Article 21(2)(a) requires risk analysis and information security policies that cover all assets. Article 21(2)(i) explicitly includes identity and access management as part of the mandatory security baseline.

For NHIs, NIS2 compliance requires:

  • Complete inventory of all identities accessing critical systems (human AND non-human)
  • Access control policies that apply to machine identities
  • Privileged access management covering service accounts
  • Monitoring and logging of all authentication events
  • Procedures for credential rotation and revocation

German implementation: The NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) is the national transposition. Penalties reach €10M or 2% of global annual turnover. Management board members bear personal liability for NIS2 compliance failures.

The CISO brief for the Vorstand: If a compromised service account triggers a significant incident and your NHI inventory is non-existent, you have a board-level liability problem.

ISO 27001:2022 — Controls A.5.15 Through A.5.18

ISO 27001:2022 restructured access control into four specific controls that directly address non-human identities:

A.5.15 Access Control: Establish and enforce access control rules for all identities — explicitly including non-human entities. Requires a documented access control policy covering system and application accounts.

A.5.16 Identity Management: Full lifecycle management for all identities. Registration, provisioning, deprovisioning. Applies to service accounts and machine identities — not just human users.

A.5.17 Authentication Information: Management of authentication credentials including passwords, keys, certificates, and tokens. Rotation schedules, secure storage, and revocation procedures are required.

A.5.18 Access Rights: Provisioning, review, modification, and removal of access rights. The principle of least privilege must apply to machine identities. Regular access reviews are required.

Auditor reality check: In ISO 27001 Stage 2 audits, NHI management is increasingly a focus area. Auditors ask: “Show me your service account inventory. When were these credentials last rotated? How do you detect orphaned accounts?” If you can’t answer, you get a nonconformity.

BSI IT-Grundschutz Requirements

The BSI IT-Grundschutz Kompendium addresses NHIs across multiple modules:

  • ORP.4 (Identitäts- und Berechtigungsmanagement): Explicit requirements for managing technical accounts (Technische Konten), including dedicated account management separate from human identities
  • APP.2.1 (Allgemeiner Verzeichnisdienst): Directory service management including service accounts in Active Directory
  • CON.1 (Kryptokonzept): Certificate and key management lifecycle requirements
  • OPS.1.1.2 (Ordnungsgemäße IT-Administration): Service account governance and privileged access controls

The BSI’s annual Lagebericht (situation report) has specifically called out identity-based attacks as a top threat vector for German enterprises for three consecutive years.


The Hidden Cost Structure

Let’s put concrete numbers on the NHI problem.

Breach Cost: Compromised Service Account

The Ponemon Institute and IBM data for European enterprises shows the average cost of a data breach with compromised credentials as the initial attack vector: €4.5M total. But that’s enterprise-scale.

For a mid-market German company (500–2,000 employees), the cost of an incident originating from a compromised service account breaks down as:

  • €18–35K: Incident response and forensics (3–5 days, external consultants)
  • €8–15K: Downtime costs (avg 6–12 hours production impact)
  • €5–12K: Regulatory notification and documentation (NIS2 Article 23)
  • €50K+: Conservative total — before reputational damage and potential NIS2 fines

That’s one incident. Mid-market companies with unmanaged NHIs typically discover 3–5 security events per year attributable to machine identity issues.

Monitoring Cost: NHI Management via Security Factory

The alternative:

  • IAM Agent: Continuous NHI inventory, lifecycle management, anomaly detection → €1,500/mo
  • Security Assessment Agent: Automated NHI risk scoring and credential audit → included in assessment bundle
  • GRC Agent: Compliance mapping to NIS2/ISO 27001, evidence collection → €1,500/mo

Full NHI coverage: €1,500–3,000/month.

One avoided incident pays for 12–24 months of continuous monitoring.


How Security Factory Agents Handle NHI

The Security Factory approach to NHI management uses three agents working in concert.

01. IAM Agent — Discovery and Lifecycle Management

The IAM Agent builds and maintains a complete NHI inventory. It queries Active Directory for service accounts, scans cloud environments for service principals, maps API key usage via integration logs, and tracks certificate expiry dates. It runs continuously — every new API key created, every new service account provisioned, is captured in real time.

Key outputs: NHI register, orphaned account alerts, over-privileged identity flags, rotation schedule management, expiry warnings.

02. Security Assessment Agent — Risk Scoring and Credential Audit

The Security Assessment Agent takes the IAM Agent's inventory and assigns risk scores based on privilege level, last rotation date, usage patterns, and exposure surface. A service account with domain admin privileges last rotated in 2021 that hasn't been used in 90 days scores critical. An API key embedded in plaintext in a config file scores critical. The agent generates prioritised remediation tasks, not a dump of findings.

Key outputs: NHI risk register, prioritised remediation backlog, credential exposure report, anomaly detection alerts.

03. GRC Agent — Compliance Mapping and Evidence

The GRC Agent takes the NHI inventory and risk data and maps it to NIS2 Article 21, ISO 27001 A.5.15–5.18, and BSI requirements. It generates audit-ready evidence: control test results, access review records, rotation compliance reports. When an auditor asks for your service account review process, the GRC Agent produces the documentation in seconds.

Key outputs: NIS2 compliance status for NHI controls, ISO 27001 nonconformity tracking, BSI ORP.4 compliance evidence, audit-ready reports.

What This Looks Like in Practice: MusterSec

When dig8ital’s Security Factory agents were connected to MusterSec’s environment:

  • 8 seconds: IAM Agent completes initial NHI discovery — 156 identities found
  • 45 seconds: Security Assessment Agent assigns risk scores — 34 critical, 67 high, 55 medium
  • 2 minutes: GRC Agent maps findings to NIS2 and ISO 27001 — 12 control gaps identified
  • 3 minutes: Complete remediation roadmap generated with prioritised tasks

Manually, this work takes a security consultant 3–5 days and costs €8,000–15,000. The agents do it in 3 minutes, then monitor continuously.


The NHI Management Playbook: Practical Steps

This isn’t theory. Here’s the implementation sequence for a German enterprise starting from zero.

Phase 1: Inventory (Week 1–2)

1. Active Directory service account audit

Export all accounts with "Service Account" in the description, accounts outside the expected OU structure, accounts with non-expiring passwords, and accounts used by scheduled tasks. Start with AD — it's where 60%+ of NHIs hide.

2. Cloud service principal scan

Azure: az ad sp list. AWS: IAM roles + programmatic access users. GCP: service accounts list. Cross-reference against actual workloads running — orphaned cloud identities are common after migrations.

3. API key and secret discovery

Check: password managers, CI/CD systems (GitHub, GitLab, Jenkins), application config files, infrastructure-as-code repos. Tools: truffleHog, git-secrets for repo scanning.

4. Certificate inventory

Internal PKI (Microsoft CA or similar), public certificates (Certificate Transparency logs), load balancer TLS certificates, code signing certificates. Map expiry dates — certificate failures cause outages, not just security incidents.

Phase 2: Risk Classification (Week 2–3)

Apply a simple risk matrix to every NHI found:

| Risk factor | Weight |
| --- | --- |
| Admin/elevated privileges | +40 points |
| Last rotation > 90 days | +20 points |
| Shared credentials (multiple users/systems) | +20 points |
| No owner documented | +15 points |
| Last used > 30 days ago | +10 points |
| Plaintext storage | +50 points (immediate critical) |

Score 0–30: Monitor. Score 31–60: Remediate within 30 days. Score 61+: Remediate immediately.
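As an added example (not dig8ital's or Security Factory's code), the Phase 2 matrix applied to inventory records of the kind the Phase 1 steps produce. The weights and the 0–30 / 31–60 / 61+ tiers are the ones above; the record fields, the sample identities, and the choice to treat an unknown rotation date as stale are assumptions made for this example. Note the edge case the matrix implies: plaintext storage alone scores 50, which would fall in the 31–60 band, so the tiering has to force it to "immediate" as the matrix says.

```python
"""Risk scoring for a non-human identity (NHI) inventory.

Added example, not dig8ital or Security Factory code. Applies the Phase 2
point matrix to inventory records; field names, sample identities and the
treatment of an unknown rotation date are assumptions for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Weights from the risk matrix in the guide.
WEIGHTS = {
    "elevated": 40,        # admin / elevated privileges
    "stale_rotation": 20,  # last rotation > 90 days
    "shared": 20,          # credential shared between users/systems
    "no_owner": 15,        # no documented owner
    "unused": 10,          # last used > 30 days ago
    "plaintext": 50,       # plaintext storage; also forces the immediate tier
}

@dataclass
class NHI:
    name: str
    kind: str                     # "service_account", "api_key", "certificate", ...
    elevated: bool
    last_rotated: Optional[date]  # None = never rotated / unknown (assumed stale)
    shared: bool
    owner: Optional[str]
    last_used: Optional[date]     # None = no usage observed
    plaintext: bool

def score(nhi: NHI, today: date) -> tuple[int, list[str]]:
    """Return (points, triggered factors) for one identity."""
    factors = []
    if nhi.elevated:
        factors.append("elevated")
    if nhi.last_rotated is None or (today - nhi.last_rotated) > timedelta(days=90):
        factors.append("stale_rotation")
    if nhi.shared:
        factors.append("shared")
    if not nhi.owner:
        factors.append("no_owner")
    if nhi.last_used is None or (today - nhi.last_used) > timedelta(days=30):
        factors.append("unused")
    if nhi.plaintext:
        factors.append("plaintext")
    return sum(WEIGHTS[f] for f in factors), factors

def tier(points: int, factors: list[str]) -> str:
    """Map points to the guide's action tiers. Plaintext storage is
    'immediate critical' even when the raw points land in a lower band."""
    if "plaintext" in factors or points >= 61:
        return "remediate immediately"
    if points >= 31:
        return "remediate within 30 days"
    return "monitor"

def assess(inventory: list[NHI], today: date) -> list[dict]:
    """Score every identity and return rows sorted by descending risk."""
    rows = []
    for n in inventory:
        pts, factors = score(n, today)
        rows.append({"name": n.name, "points": pts, "factors": factors,
                     "tier": tier(pts, factors)})
    return sorted(rows, key=lambda r: r["points"], reverse=True)

# Constructed sample inventory, modelled on the MusterSec categories.
TODAY = date(2026, 2, 27)
SAMPLE = [
    # legacy ERP account: admin, shared, never re-owned, password from 2017
    NHI("svc-erp-batch", "service_account", True, date(2017, 6, 1), True, None,
        date(2026, 2, 26), False),
    # recently rotated API key, but stored in plaintext in a config file
    NHI("crm-sync-key", "api_key", False, date(2025, 12, 15), False,
        "it-integrations", date(2026, 2, 20), True),
    # well-managed account following the naming convention
    NHI("SVC-Backup-Agent-Prod", "service_account", False, date(2026, 1, 10),
        False, "infra-team", date(2026, 2, 27), False),
]

if __name__ == "__main__":
    for r in assess(SAMPLE, TODAY):
        print(f"{r['points']:>3}  {r['tier']:<26} {r['name']}  {r['factors']}")
```

Feeding the output into the Phase 3 backlog in descending order gives the "prioritised remediation tasks, not a dump of findings" shape the guide describes; the plaintext override is what makes the crm-sync-key land at the top even though it was rotated recently.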

Phase 3: Governance Implementation (Month 1–2)

  • Naming convention: Force descriptive naming (SVC-AppName-Function-Environment)
  • Ownership: Every NHI must have a documented owner (person + team)
  • Vault integration: Enrol all privileged NHIs into CyberArk, HashiCorp Vault, or Azure Key Vault
  • Rotation policy: 90-day max for service account passwords; 180-day max for certificates with automated renewal
  • Offboarding trigger: When an employee leaves, their owned NHIs are reviewed within 24 hours

Phase 4: Continuous Monitoring (Ongoing)

  • Real-time alerting on new NHI creation (SIEM rule)
  • Weekly orphaned account report
  • Monthly privilege review
  • Quarterly access review (ISO 27001 A.5.18 requirement)
  • Automated certificate expiry alerts (60/30/14/7 day warnings)

The German Enterprise Specifics

A few points that generic NHI guides miss for the DACH context:

SAP service accounts are a significant NHI category unique to German enterprises. SAP RFCUSER and background job accounts often hold cross-system access and are routinely over-privileged. Include SAP Basis service accounts in scope.

Betriebsrat considerations: If you’re deploying automated NHI monitoring that logs employee-created service accounts, you’re processing data about employees. This touches BetrVG §87(1)(6) (monitoring via technical equipment). Get your Betriebsrat involved early. This isn’t a blocker — it’s a process step that German security teams manage routinely.

TISAX: For automotive suppliers, TISAX requirement VDA ISA 1.3.2 requires management of privileged system accounts. NHI inventory is not optional for TISAX Level 2+ assessments.

Deutsche Telekom / T-Systems as MSP: Many German mid-market companies use T-Systems or Deutsche Telekom for managed services. Service accounts used by managed service providers are still your NHIs under NIS2. Get a full account inventory from your MSP.


Start With a 15-Minute NHI Assessment

You don’t need a 6-month project to understand your NHI exposure. You need 15 minutes with the Security Factory IAM Agent.

Connect your Active Directory or Azure tenant. In under 3 minutes, the IAM Agent returns:

  • Total NHI count
  • Accounts with non-expiring passwords
  • Last rotation dates for privileged accounts
  • Accounts with no documented owner
  • Credentials not enrolled in any vault

From 156 undiscovered NHIs to a complete risk-prioritised remediation plan. That’s what MusterSec got. That’s what your team can get — today.

**Try the Security Factory IAM Agent on MusterSec data.** See a live NHI discovery run, risk scoring, and compliance mapping in under 5 minutes. No installation. No data upload. The demo runs against our fictional MusterSec environment so you can see exactly what the output looks like before connecting your own tenant.



Key Takeaways

  1. The average German enterprise has 150–300 NHIs. You probably don’t know where yours are. Start with an Active Directory service account export today — it takes 10 minutes and will surprise you.

  2. NIS2 Article 21, ISO 27001 A.5.15–5.18, and BSI ORP.4 all require NHI management. This isn’t optional compliance theatre — it’s a regulatory mandate with board-level liability.

  3. The cost equation is simple: €50K+ per incident vs. €1,500/month for continuous monitoring. One avoided breach pays for 33 months of AI agent coverage.

  4. Three Security Factory agents handle the full NHI lifecycle: IAM Agent (discovery + lifecycle), Security Assessment Agent (risk scoring), GRC Agent (compliance mapping + audit evidence).

  5. Start with inventory, not tools. You can’t manage what you can’t see. Discovery comes first, governance follows.


Next in this series: AI Red Teaming — Testing Your Security Agents Before Attackers Do

Questions about NHI management for your organisation? Contact the dig8ital team — we run NHI assessments as a standalone engagement before any platform discussion.
