The Untapped Power of Non-Human Identities: Your Gateway to Modern Mayhem
The explosion of Non-Human Identities (NHIs), meaning API keys, service accounts, OAuth tokens, and the fast-growing population of agentic AI systems, has created a sprawling, often unguarded landscape ripe for exploitation. Forget password sprays and phishing campaigns; the juiciest targets lie in these programmatic access points. This talk peels back the layers of NHI security (or the lack of it) and shows how you, the offensive security practitioner, can leverage these overlooked identities to gain deep access, move laterally, and ultimately achieve complete compromise. We'll explore how the absence of a mature NHI security program is your greatest ally in modern red teaming and in real-world attacks.
We'll dissect the inherent weaknesses that stem from this lack of focus, mapping them directly to the categories of the OWASP Top 10 for Non-Human Identities (2025). Improper Offboarding (NHI1) leaves dormant keys and tokens scattered like breadcrumbs. Secret Leakage (NHI2) in code, logs, and configuration files is the low-hanging fruit you've been waiting for. Overprivileged NHIs (NHI5) grant immediate god-like access, and Insecure Cloud Deployment Configurations (NHI6) expose sensitive credentials. The emergence of agentic AI amplifies these opportunities: these autonomous systems operate with increasing authority and rely entirely on NHIs to act. Compromise an AI agent's underlying credentials and you have effectively weaponized the agent itself.
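Two of the weaknesses named above, Secret Leakage (NHI2) and Improper Offboarding (NHI1), are the ones a red teamer or defender can check for mechanically. The example below is added here for illustration and is not code from the speaker, from Astrix Security, or from the OWASP project. It scans constructed log and config lines for the publicly documented shapes of a few common NHI credentials (AWS access key IDs, GitHub personal access tokens, Slack bot tokens) plus a loose "key = value" catch-all, and it flags keys whose last activity is older than a chosen idle window. The sample tokens are fake values that only follow each format's shape, the inventory of keys is constructed, and the 90-day idle threshold is an assumed policy, not a figure from the talk.

```python
import re
from datetime import datetime, timedelta, timezone

# NHI2 detection rules. The AWS, GitHub and Slack shapes follow the vendors'
# published prefixes and lengths (assumption: current formats); the generic
# rule is deliberately loose, checked last, and suppressed where a specific
# rule already matched the same text, so one token is not reported twice.
RULES = [
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("github_pat", re.compile(r"ghp_[A-Za-z0-9]{36}")),
    ("slack_bot_token",
     re.compile(r"xoxb-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}")),
    ("generic_assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9_\-]{16,})")),
]

# Constructed sample input. None of these values are real credentials; they
# only reproduce the shape each rule looks for.
SAMPLE_LINES = [
    "2025-03-01T10:00:00Z deploy: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "github_token: ghp_" + "A" * 36,
    "SLACK_BOT_TOKEN=xoxb-123456789012-123456789012-" + "B" * 24,
    "INFO request ok status=200 path=/healthz",
    'db_password = "p4ssw0rd-rotated-2024"',
    "DEBUG token=short",
]


def redact(value):
    """Keep only the first and last four characters so reports can be shared."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def _overlaps(span, taken):
    start, end = span
    return any(start < e and s < end for s, e in taken)


def scan_line(line):
    """Return the credential findings for one line, deduplicated by span."""
    findings, taken = [], []
    for rule, rx in RULES:
        for m in rx.finditer(line):
            grp = 1 if rx.groups else 0          # generic rule captures the value
            span, value = m.span(grp), m.group(grp)
            if _overlaps(span, taken):
                continue
            taken.append(span)
            findings.append({"rule": rule, "redacted": redact(value)})
    return findings


def scan_lines(lines):
    """Scan a sequence of lines; line numbers are 1-based for reporting."""
    out = []
    for n, line in enumerate(lines, start=1):
        for f in scan_line(line):
            out.append({"line": n, **f})
    return out


# NHI1 check: a key whose owner has left or that has not been used for longer
# than the idle window should have been offboarded. A never-used key counts
# from its creation date. Inventory below is constructed.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"name": "ci-deploy-legacy", "owner": "jdoe (left 2024-09)",
     "created": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=180)},
    {"name": "prod-api-gateway", "owner": "platform-team",
     "created": NOW - timedelta(days=300), "last_used": NOW - timedelta(days=1)},
    {"name": "never-used-svc", "owner": "unknown",
     "created": NOW - timedelta(days=120), "last_used": None},
    {"name": "fresh-key", "owner": "alice",
     "created": NOW - timedelta(days=3), "last_used": None},
]


def dormant_keys(keys, now, max_idle_days=90):
    """Names of keys whose last activity is older than max_idle_days (assumed policy)."""
    cutoff = now - timedelta(days=max_idle_days)
    return [k["name"] for k in keys if (k["last_used"] or k["created"]) < cutoff]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['rule']} -> {f['redacted']}")
    print("dormant:", dormant_keys(SAMPLE_KEYS, NOW))
```

The specific rules are ordered before the generic one on purpose: a loose `token=` pattern alone would report the Slack and GitHub tokens under a vague label, and on real logs it is also the main source of false positives (`token=short` is ignored only because of the minimum length). Findings are redacted before they are printed so that the scanner's own output does not become a new instance of NHI2.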

Michael Silva
Astrix Security - Director, Solution Engineering - Avid teacher/mentor - Marine Veteran
Raleigh, North Carolina, United States