In today’s cloud native and microservices-driven world, the number of Non-Human Identities (NHIs) requiring authentication and authorization has exploded. From API tokens and service accounts for microservices, to the inter-agent communications we’re beginning to see with the rapid deployment of AI, these NHIs now vastly outnumber human users - recent estimates indicate there are over 50 times as many NHIs as human identities (source). Yet despite the terminology we use, there’s a fundamental problem with how we approach ‘identity’ for these digital entities.
When we talk about Non-Human Identity (NHI), we’re often referring to credentials that merely prove possession—not actual identity. API keys, service account credentials, and even many OAuth tokens function as bearer instruments: whoever possesses them gains access, regardless of who or what they actually are - including attackers. This is not really identity, but rather authorization by proxy.
True identity requires cryptographic proof that an entity is who it claims to be, not just that it possesses a secret value. However, our infrastructure is filled with these “pseudo identities”—a sprawl of credentials that provide access, which is all too often highly permissive, but lack the cryptographic binding to establish genuine identity. Non-human identities today typically include:
All of these mechanisms suffer from the same fundamental flaw: they authenticate the possession of a secret, not the identity of the workload or service. A server typically has no way to verify that the entity presenting the token is the legitimate workload it was originally issued to, or even that it’s operating in the expected context. This approach has created a security house of cards, with compromised credentials ranking as a leading cause of breaches.
In recent years, we’ve seen significant organisational effort and investment in secrets management. Whilst this is necessary and remains recommended in the current security paradigm, especially for secrets or third-party credentials that don’t yet support workload identity, relying solely on managing static, possessable secrets for workload-to-workload authentication addresses the symptom, not the root cause of weak identity.
The OWASP Non-Human Identities Top 10 catalogues the real-world risks that follow from this weak foundation, among them secret leakage, long-lived secrets and insecure authentication. When an NHI is compromised, the attacker inherits exactly the access the workload had, and uses it to move laterally across cloud environments.
How do we move beyond these limitations? The answer lies in transitioning from credentials that workloads merely possess (i.e. 'bearer' credentials) to cryptographic identity. We already have the tried-and-tested foundation of PKI, and open standards in the form of SPIFFE, OAuth and more, to help us.
SPIFFE (Secure Production Identity Framework for Everyone) is an open standard, hosted by the CNCF, for securely identifying workloads (software systems) in dynamic and heterogeneous environments. Each workload is named by a SPIFFE ID, a URI of the form spiffe://<trust-domain>/<path> such as spiffe://example.org/ns/prod/sa/checkout, and proves that name with a SPIFFE Verifiable Identity Document (SVID): either an X.509 certificate that carries the SPIFFE ID in its URI Subject Alternative Name, or a JWT whose sub claim is the SPIFFE ID. Both are signed by the trust domain's keys, so a relying party that pins the trust domain's bundle can verify them without any shared secret.
In practice, SPIFFE lets a workload (a Kubernetes pod, a cloud VM, a serverless function) obtain a cryptographically verifiable identity automatically, with no secret provisioned in advance. The process begins with attestation (workload MFA, if you will). In SPIRE, the reference implementation, an agent on each node first proves the node's identity to the server using evidence the platform already provides, such as a cloud instance identity document, a TPM, or a Kubernetes projected service account token; it then identifies each calling process by properties it can observe directly, such as its Unix UID, container ID or Kubernetes service account. Only when those observed properties match a registration entry does the workload receive short-lived SVIDs (X.509 certificates or JWTs) over the SPIFFE Workload API, a local Unix domain socket that the workload calls without presenting any credential of its own.
These SVIDs let workloads prove their identity to other services in place of long-lived bearer tokens. With an X.509-SVID the workload authenticates over mutual TLS: the handshake proves possession of the private key, which the workload generated locally and never shares, and the peer reads the SPIFFE ID from the certificate's URI SAN after chaining it to the trust domain's bundle. A JWT-SVID covers paths where mTLS is not available, such as traffic that crosses an L7 proxy; it is still presented as a bearer token, which is why it must be audience-scoped and short-lived.
In both cases the identity the workload presents is verified against the trust domain's keys rather than by comparing a shared secret, and the credential expires quickly (SPIRE defaults to one hour for X.509-SVIDs and five minutes for JWT-SVIDs) instead of persisting indefinitely. This shifts authentication from possession to identity.
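The following is an added example (not code from the original post, nor from the SPIFFE or SPIRE projects) showing, with Go's standard library only, what an X.509-SVID looks like and what a relying party checks before trusting one. It issues SVIDs from a toy in-process CA that stands in for SPIRE Server, under an assumed trust domain example.org with illustrative SPIFFE IDs, and then verifies them: the chain must lead to the pinned bundle, the certificate must be inside its short validity window and carry the required key usage, and there must be exactly one spiffe:// URI SAN in the expected trust domain. It also shows the ways an attacker's certificate fails that check: expired, signed by an untrusted CA, or naming a foreign trust domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Assumed example trust domain; the SPIFFE IDs used below are illustrative.
const trustDomain = "example.org"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Bundle is a trust domain's root CA plus its signing key. It stands in for
// SPIRE Server so the example runs offline; a relying party pins only Pool.
type Bundle struct {
	Root *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool
}

func NewBundle() *Bundle {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: trustDomain + " CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	root, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &Bundle{Root: root, Key: key, Pool: pool}
}

// IssueSVID mints an X.509-SVID: the SPIFFE ID is the sole URI SAN, there is no
// hostname, and the lifetime is short. The private key stays with the workload.
func (b *Bundle) IssueSVID(spiffeID string, ttl time.Duration) ([]byte, *ecdsa.PrivateKey) {
	id, err := url.Parse(spiffeID)
	must(err)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, URIs: []*url.URL{id}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, b.Root, &key.PublicKey, b.Key)
	must(err)
	return der, key
}

// VerifySVID is the relying party's check: chain the leaf to the pinned bundle
// (which also enforces validity period and key usage), then require exactly one
// spiffe:// URI SAN in the expected trust domain. Policy keys on the returned ID.
func VerifySVID(der []byte, pool *x509.CertPool, usage x509.ExtKeyUsage, now time.Time) (string, error) {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{usage}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
		return "", fmt.Errorf("certificate does not carry exactly one SPIFFE ID in trust domain %s", trustDomain)
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	b := NewBundle()
	check := func(label string, der []byte, at time.Time) {
		id, err := VerifySVID(der, b.Pool, x509.ExtKeyUsageClientAuth, at)
		fmt.Printf("%-22s id=%q err=%v\n", label, id, err)
	}
	der, _ := b.IssueSVID("spiffe://example.org/ns/prod/sa/checkout", time.Hour)
	check("valid SVID", der, time.Now())
	check("expired SVID", der, time.Now().Add(2*time.Hour))
	forged, _ := NewBundle().IssueSVID("spiffe://example.org/ns/prod/sa/checkout", time.Hour)
	check("untrusted issuer", forged, time.Now()) // same ID, but a CA the verifier does not trust
	foreign, _ := b.IssueSVID("spiffe://evil.example/ns/prod/sa/checkout", time.Hour)
	check("foreign trust domain", foreign, time.Now()) // trusted CA, wrong trust domain
}
```

In a real mTLS deployment the same VerifySVID logic runs inside tls.Config.VerifyPeerCertificate on both ends, with InsecureSkipVerify set only to disable hostname matching (an SVID carries no hostname); the TLS handshake itself proves the peer holds the SVID's private key, which is the proof of possession a bearer token never gives you. Production code should use the go-spiffe library rather than hand-rolled checks; the example spells the checks out so that each one is visible.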
While standards like SPIFFE provide the framework, implementing and managing a robust workload identity system (often using tools like SPIRE) requires careful planning, secure bootstrapping of trust, and ongoing operational management. It is a significant undertaking for an organisation. However, this investment shifts effort from constantly managing vulnerable secrets to building a more inherently secure foundation.
The challenges we face with non-human identity aren’t unique. In human authentication, we’ve recognised the same fundamental flaws with passwords - they’re essentially bearer tokens for humans that authenticate based on knowledge rather than true identity.
This is why the industry has embraced FIDO standards and passkeys as the future of human authentication. A passkey is a public-private key pair: the relying party stores only the public key, and at sign-in the authenticator signs a server-issued challenge with the private key, which the relying party never sees (a device-bound passkey never leaves the authenticator; a synced passkey is replicated only through the provider's end-to-end encrypted sync). Because the signature is bound to the site's origin, a credential captured on a lookalike site is useless, unlike a password or any other shareable secret that anyone could replay.
Non-human workloads deserve the same evolution. Just as we’re transitioning humans from easily-compromised passwords to device-bound cryptographic credentials, our services and applications need to move from bearer tokens to true cryptographic identity.
Relying on possessable credentials, such as bearer tokens, API keys and other shared secrets, to authenticate the exponentially growing number of non-human interactions in modern systems is fundamentally flawed and introduces significant, often unmanaged, risk.
At a time when attackers are increasingly targeting non-human identities and infrastructure complexity continues to grow, we need a paradigm shift. We need to move away from reactively managing vulnerable shared secrets to proactively assuring workload identity at its source with strong, verifiable, short-lived cryptographic identities built on open standards. We can fundamentally reduce, or even eliminate, the need for complex secret management infrastructure for workload-to-workload authentication, reserving it for the third-party credentials that genuinely have no alternative yet.
Workload identity is no longer merely a security enhancement for a platform, it is becoming an operational necessity. It sets the foundations for resilient, interoperable systems based on explicit trust, paving the way for Zero Trust architectures where identity, not the network perimeter, serves as the primary security control. It’s time to move beyond simple possession and provide our critical systems with the strong, verifiable identities they deserve.
Successfully navigating this shift requires practical solutions designed to manage cryptographic identities seamlessly across diverse environments.
At Cofide, we’re developing Connect, a workload identity platform that delivers on this vision. Request early access to Cofide Connect today and join forward-thinking organisations already securing their workloads across multi and hybrid-cloud environments.
Talk to us for a demo and join our early access programme.