We are rapidly entering an era where the majority of interactions across digital systems are no longer human-to-human, but machine-to-machine. Non-human identities (NHIs) — which include APIs, service accounts, bots, containers, virtual machines, and autonomous agents — now outnumber human identities by an astonishing 45 to 1. This shift represents not just a transformation in how software systems operate, but also in how organizations must think about identity, security, and trust.
As NHIs proliferate, so too does the complexity of managing and securing them. Today’s enterprises often manage over 100,000 machine identities, and the complexity of securing these entities isn’t linear — it’s multiplicative. Each new entity introduces countless potential interactions and connections in a vast, entangled web. Without deliberate governance and modern identity security practices, this machine mesh becomes an attractive target for attackers — and a ticking time bomb for enterprises.
A Static Threat in a Dynamic World
One of the most urgent vulnerabilities associated with NHIs is their reliance on static credentials. A recent study found that up to 75% of secrets in use today remain unchanged for long periods, in some cases years. These unrotated credentials — often API keys, SSH keys, or long-lived tokens — create a low-effort, high-reward opportunity for threat actors. Once compromised, these credentials provide prolonged, often undetected access to systems, data, and operations.
But this is just the beginning of the crisis.
The AI Multiplier
The stakes grow exponentially as Artificial Intelligence (AI) becomes increasingly operationalized. AI systems — whether chatbots, decision engines, or autonomous agents — are fundamentally non-human identities. And unlike traditional NHIs, these virtual employees are persistent, memory-capable, and autonomous.
Anthropic, a leader in AI development, predicts that AI-powered virtual employees will soon be integrated into corporate networks, executing tasks and making decisions without human checkpoints. Unless something changes, these agents will authenticate with the same static credentials today's service accounts use, operate independently, and potentially outpace humans in their ability to consume, correlate, and act on data.
In such an environment, trust cannot be granted once; it has to be verified frequently. Relying on fixed machine credentials is no longer acceptable. Virtual employees are not immune to machine-targeted attacks; given the access they hold and the absence of a human in the loop, they are ideal victims. Unless static secrets are eliminated and replaced with new forms of access control (such as high-frequency credential hopping), the security gap will be massive and exploitable.
The Three Critical Challenges of Securing AI Machines
There are three primary challenges in mitigating the risk posed by non-human entities:
1. Excessive and Unchecked Privileges
Machine entities are often over-provisioned. Many NHIs possess broad, unrestricted access to sensitive data and systems far beyond what their roles require. This is often the result of outdated policies, lack of visibility, or sheer convenience during development and deployment.
The danger? These overprivileged identities become high-value targets, and once compromised, can facilitate lateral movement across the environment, exfiltration of sensitive data, or systemic disruption.
2. Inapplicability of Multi-Factor Authentication (MFA)
Unlike humans, machines can't be prompted to pull out their phones or respond to push notifications. MFA, one of the core pillars of human identity protection, is largely inapplicable to NHIs. Instead, machines typically authenticate with a single long-lived factor: a static token, certificate, or SSH key that anyone who holds it can use.
The problem? Once these secrets are stolen, the attacker gains persistent, undetected access. Behavioral analytics are less effective, and there are often no real-time alerts or flags. Attackers love machine credentials because they’re silent, durable, and invisible.
3. Governance Blind Spots and Sprawl
Machine identity sprawl is rampant. Many organizations lack a complete inventory of their machine identities (service accounts, API keys, SSH keys, and certificates), don't assign owners to them, and don't know which are still active. Creating a credential is trivial for a developer, and it is often done 'on the fly' just to get two machines to exchange data. Dormant service accounts often retain their permissions indefinitely and are rarely reviewed or revoked.
The risk? Without governance, you’re flying blind. Attackers know this and actively seek out forgotten, over-permissioned service accounts to exploit.
OWASP’s 2025 NHI Top Ten Risks
Recognizing the severity of the machine threat landscape, The Open Worldwide Application Security Project (OWASP) released its first-ever Non-Human Identity (NHI) Top Ten Risks in January 2025. Here’s a summary of the top 5 risks and how Hopr.co’s technology addresses them:

Hopr.co’s Approach: Security for the Machine Age
Hopr.co has pioneered a Cloud Native Automated Moving Target Defense (AMTD) that is purpose-built to handle the scale, speed, and autonomy of non-human interactions. Three foundational elements set their approach apart:
1. Synchronous Ephemeral Encryption (SEE™)
At the core of Hopr.co’s identity security model is Synchronous Ephemeral Encryption (SEE) — a breakthrough method that eliminates the need for traditional secrets entirely. SEE allows two workloads (or virtual employees) to establish a secure, mutually authenticated session without passing any token, password, or certificate. The encryption keys are generated and verified in real time and vanish once the session ends.
This is a Zero-Trust-compliant solution that replaces “authenticate once, trust forever” with “authenticate always, trust never.”
2. High-Frequency Credential Hopping
Even where secrets must still be used (e.g., with legacy systems), Hopr's sidecar-based Workload Security Proxy (WoSP) hops machine credentials at high frequency, invalidating previous tokens and credentials after each interaction. This leaves an attacker with nothing long-lived to steal: a captured credential is invalidated at the end of the interaction it was issued for. And if a static API key is stolen, Hopr's WoSP can recognize the misuse and block it, preventing a machine from leaking data to an untrusted entity.
3. Automated Trust Verification and Governance
Through integrations with Kubernetes, service meshes, and policy engines, Hopr’s WoSP gives security teams:
- Real-time observability into machine-to-machine communications.
- Automated identity verification for every workload interaction.
- Policy-based access controls that operate independently of cloud providers or vendors.
AI and Preparing for the Virtual Employee Future
The future of work is increasingly virtual. As AI-powered virtual employees become a reality, enterprises must re-engineer their trust models. These entities will behave autonomously — executing code, accessing databases, making decisions — all without human intervention.
You wouldn’t hire a human employee without verifying their identity, training them, and limiting their access based on role. Yet we are on the verge of deploying AI agents with full backend access, using static secrets as their key to the kingdom.
That must change.
Virtual employees should not only be authenticated — they should be verified every time they act, with credentials that are ephemeral, unforgeable, and useless outside a single transaction.
If a virtual employee can’t be trusted to authenticate every time, they should be terminated — just like an untrustworthy human employee.
Best Practices for Organizations
To avoid falling into the machine credential trap, organizations must take a proactive approach:
1. Audit and Catalog All Machine Identities
Start by identifying every non-human identity in your environment. Assign owners, define roles, and evaluate whether their access is still necessary. Eliminate dormant service accounts.
2. Automate Secrets Management and Credential Rotation
Manually rotating secrets is impractical. Use solutions like Hopr to automate high-frequency credential hopping, ensuring that secrets are short-lived and regularly replaced.
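The audit in step 1 and the rotation check in step 2 can be expressed as a single pass over a machine-identity inventory. The following is an added example, not code from the original article or from Hopr.co: it flags identities with no owner, identities that are dormant, secrets past a rotation threshold, and over-broad permissions (the blind spots described under "Governance Blind Spots and Sprawl"). The identity records, thresholds and permission strings are constructed for illustration; a real audit would populate the inventory from IAM, secrets-manager and certificate APIs.

```python
"""Audit an inventory of non-human identities for missing owners, dormancy,
unrotated secrets and over-broad privileges.

Added example, not code from the original article or from Hopr.co. The
records, thresholds and permission strings below are constructed for
illustration; a real audit would load them from IAM, secrets-manager and
certificate APIs.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)       # fixed clock so the run is reproducible
DORMANT_AFTER = timedelta(days=90)                    # unused this long: candidate for removal
ROTATE_AFTER = timedelta(days=30)                     # secret older than this: unrotated
BROAD_ACTIONS = {"*", "iam:*", "s3:*", "secretsmanager:*"}  # no single workload should hold these


@dataclass
class MachineIdentity:
    name: str
    kind: str                          # "service-account", "api-key", "ssh-key" or "cert"
    owner: Optional[str]               # None means nobody is accountable for it
    secret_created: datetime           # when the current secret/key/cert was issued
    last_used: Optional[datetime]      # None means it has never authenticated
    permissions: Set[str] = field(default_factory=set)


def audit(identities: List[MachineIdentity], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return {identity name: [finding, ...]} for each identity with at least one problem."""
    findings: Dict[str, List[str]] = {}
    for ident in identities:
        problems = []
        if not ident.owner:
            problems.append("no owner assigned")
        if ident.last_used is None or now - ident.last_used > DORMANT_AFTER:
            problems.append("dormant: unused for more than %d days" % DORMANT_AFTER.days)
        age = now - ident.secret_created
        if age > ROTATE_AFTER:
            problems.append("unrotated secret: %d days old" % age.days)
        broad = sorted(BROAD_ACTIONS & ident.permissions)
        if broad:
            problems.append("over-privileged: " + ", ".join(broad))
        if problems:
            findings[ident.name] = problems
    return findings


# Constructed sample inventory; none of these are real accounts.
SAMPLE = [
    MachineIdentity("billing-api", "service-account", "team-payments",
                    secret_created=NOW - timedelta(days=10),
                    last_used=NOW - timedelta(hours=2),
                    permissions={"s3:GetObject", "sqs:SendMessage"}),
    MachineIdentity("legacy-etl-key", "api-key", None,
                    secret_created=NOW - timedelta(days=800),
                    last_used=NOW - timedelta(days=400),
                    permissions={"s3:*"}),
    MachineIdentity("ci-deployer", "service-account", "team-platform",
                    secret_created=NOW - timedelta(days=45),
                    last_used=NOW - timedelta(days=1),
                    permissions={"iam:*", "ecs:UpdateService"}),
    MachineIdentity("build-cache-cert", "cert", "team-platform",
                    secret_created=NOW - timedelta(days=5),
                    last_used=None),
]


def main() -> None:
    for name, problems in audit(SAMPLE).items():
        print(name)
        for problem in problems:
            print("  -", problem)


if __name__ == "__main__":
    main()
```

Only `billing-api` passes cleanly; the ownerless, long-dormant `legacy-etl-key` with an 800-day-old secret and `s3:*` is the kind of forgotten account the article warns about, and `ci-deployer` shows that an actively used, owned identity can still fail on rotation age and privilege breadth. Thresholds are policy decisions and should be tuned per environment.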
3. Eliminate Static Credentials Wherever Possible
Move toward secret-less authentication. Protocols like Hopr’s SEE™ eliminate the need for long-lived credentials, providing a frictionless and secure authentication experience.
4. Implement Identity-Based Policy Enforcement
Control access based on who (or what) is making a request, not where it comes from. Combine identity-based policies with zero-trust enforcement to reduce risk.
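Steps 3 and 4, together with the requirement stated earlier that a virtual employee's credentials be "ephemeral, unforgeable, and useless outside a single transaction" and the credential hopping described under WoSP, can be illustrated with one small construction. The following is an added example, not code from the original article and not Hopr.co's SEE or WoSP: each request carries a credential bound to one workload identity, one exact request and a five-second window; a credential is consumed on first use; the shared key is advanced after every accepted interaction so a key captured from one exchange cannot sign the next; and authorization is decided by identity alone, with no reference to a source address. The SPIFFE-style identifiers, the shared seed and the policy table are constructed. In production the per-workload key would be derived from an attested identity rather than a literal in code, and a real protocol would need to resynchronize the two key copies after a lost request, which is omitted here.

```python
"""Per-request, single-use workload credentials, authorized by identity.

Added example: not from the original article and not Hopr.co's SEE or WoSP.
Identifiers, the shared seed and POLICY are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, Set, Tuple

TTL_SECONDS = 5   # a credential is valid only this long after it is minted

# Constructed policy: identity -> permitted actions. Source address plays no role.
POLICY: Dict[str, Set[str]] = {
    "spiffe://example.org/billing-api": {"read:invoices", "write:invoices"},
    "spiffe://example.org/report-gen": {"read:invoices"},
}


class Ratchet:
    """Shared key that both sides advance after each accepted interaction."""
    def __init__(self, seed: bytes) -> None:
        self.key = seed

    def advance(self) -> None:
        self.key = hmac.new(self.key, b"next-interaction", hashlib.sha256).digest()


def _message(identity: str, nonce: str, exp: str, action: str, body: bytes) -> bytes:
    request_hash = hashlib.sha256(action.encode() + b"\0" + body).hexdigest()
    return "|".join([identity, nonce, exp, request_hash]).encode()


def mint(identity: str, ratchet: Ratchet, action: str, body: bytes, now: float) -> Dict[str, str]:
    """Client side: credential tied to this identity, this exact request and this instant."""
    nonce = os.urandom(16).hex()
    exp = str(int(now) + TTL_SECONDS)
    msg = _message(identity, nonce, exp, action, body)
    tag = hmac.new(ratchet.key, msg, hashlib.sha256).hexdigest()
    return {"id": identity, "nonce": nonce, "exp": exp, "tag": tag}


class Verifier:
    def __init__(self, keys: Dict[str, Ratchet]) -> None:
        self.keys = keys                           # server-side copy of each workload's ratchet
        self.seen: Set[Tuple[str, str]] = set()    # (identity, nonce) pairs already consumed

    def verify(self, cred: Dict[str, str], action: str, body: bytes, now: float) -> Tuple[bool, str]:
        ratchet = self.keys.get(cred["id"])
        if ratchet is None:
            return False, "unknown identity"
        if now > int(cred["exp"]):
            return False, "expired"
        if (cred["id"], cred["nonce"]) in self.seen:
            return False, "replay"
        msg = _message(cred["id"], cred["nonce"], cred["exp"], action, body)
        expected = hmac.new(ratchet.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cred["tag"]):
            return False, "bad signature"          # forged, tampered request, or retired key
        self.seen.add((cred["id"], cred["nonce"]))  # credential is now spent
        ratchet.advance()                            # and the key that signed it is retired
        if action not in POLICY.get(cred["id"], set()):
            return False, "identity not permitted to " + action
        return True, "ok"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the verifier; returns each scenario's (allowed, reason)."""
    ident = "spiffe://example.org/report-gen"
    seed = os.urandom(32)                           # constructed shared secret
    client, server = Ratchet(seed), Verifier({ident: Ratchet(seed)})
    body, now, out = b'{"invoice": 42}', time.time(), {}

    cred = mint(ident, client, "read:invoices", body, now)
    out["fresh"] = server.verify(cred, "read:invoices", body, now)
    client.advance()                                # client mirrors the server's key hop
    out["replay"] = server.verify(cred, "read:invoices", body, now + 1)

    cred = mint(ident, client, "read:invoices", body, now)
    out["tampered_body"] = server.verify(cred, "read:invoices", b'{"invoice": 43}', now)
    out["intended_body"] = server.verify(cred, "read:invoices", body, now)
    client.advance()

    cred = mint(ident, client, "read:invoices", body, now)
    out["expired"] = server.verify(cred, "read:invoices", body, now + TTL_SECONDS + 1)

    cred = mint(ident, client, "write:invoices", body, now)
    out["not_permitted"] = server.verify(cred, "write:invoices", body, now)
    client.advance()

    stale = mint(ident, Ratchet(seed), "read:invoices", body, now)   # signed with the retired first key
    out["stale_key"] = server.verify(stale, "read:invoices", body, now)
    return out


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print("%-14s %s" % (scenario, result))
```

The ordering of checks matters: expiry and replay are rejected before any cryptography runs, a failed signature does not consume the nonce or advance the key (so a tampered copy cannot burn the legitimate request), and the policy decision is made only after the caller's identity has been proven for this specific request. The `stale_key` scenario is the credential-hopping property: a key that was valid for the first interaction signs nothing afterwards.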
5. Prepare for AI Identity Management
Virtual employees are coming. Enterprises should begin building systems that can manage, monitor, and verify autonomous agents — treating them not just as apps, but as identity-bearing actors in their own right.
Final Thoughts: Avoiding the Inevitable Crisis
The machine identity and trust crisis isn’t coming — it’s already here. The combination of static secrets, ungoverned NHIs, and autonomous AI agents is creating a perfect storm of complexity, risk, and trust gaps.
Organizations that wait for a breach before acting will find themselves overwhelmed. But those who act now — embracing ephemeral credentials, zero-trust principles, and machine-native identity security — will emerge stronger, more resilient, and future-ready.
Hopr.co offers a blueprint for how to secure this new world — where machines talk to machines, and trust is earned in real time, not assumed forever.