Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because exploitation of NHI gaps is not confirmed in this item, but the attack surface is structurally broad: machine credentials are pervasive, often long-lived, and frequently over-privileged with no MFA backstop, which makes them attractive targets wherever they exist. Impact is rated high because a single compromised service account or API key can provide persistent, authenticated lateral movement across cloud and SaaS environments, directly threatening operational continuity, data confidentiality, and regulatory standing.
Treatment rationale: NHI exposure is an addressable structural gap, treatable through inventory, least-privilege enforcement, and credential lifecycle controls. Avoidance is not operationally viable, since machine identities are foundational to cloud and SaaS operations, and acceptance is inappropriate given the potential for high-impact, silent compromise.
Third-Party / Supply-Chain Risk
SaaS and cloud platform integrations are primary NHI exposure vectors. OAuth tokens, API keys, and service account credentials issued to third-party applications create supply-chain risk: a compromised vendor environment or a misconfigured OAuth grant can yield persistent access to first-party systems. Organizations using shared SaaS platforms (e.g., Salesforce, GitHub, Workday) with undiscovered or unrotated machine credentials face inherited exposure from vendor-side incidents (NIST SP 800-161 Tier 2/3 dependency risk).
Loss Exposure (illustrative)
Magnitude: moderate to high — illustrative $250K–$3M per incident for an organization with undiscovered NHI exposure leading to confirmed unauthorized access, reflecting incident response, forensic investigation, potential regulatory engagement, and customer notification costs
Frequency: For an organization with no NHI inventory program and broad cloud/SaaS integration footprint, illustrative frequency of one material NHI-related incident per 3–5 years is plausible given current threat-actor targeting of machine credentials
Annualized: Illustrative ALE: $50K–$600K/year, derived from midpoint loss magnitude (~$1.25M) divided across a 2–5 year mean time between events
Basis: Magnitude derived from typical IR engagement scope for a credential-based intrusion (containment, forensics, notification readiness) scaled to mid-market and enterprise contexts; frequency derived from observed industry shift toward non-human credential targeting as human identity controls mature, increasing relative attacker interest in machine credential paths; no third-party actuarial or research dollar figures used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Discovery of unmanaged NHI credentials with access to systems containing regulated data (PII, PHI, PCI-scoped) may invoke breach-notification assessment obligations if exposure is confirmed — verify with counsel.
• Cyber-insurance policies with identity or privileged-access conditions may require NHI governance controls as a coverage prerequisite or material representation — verify with broker.
• Contracts with enterprise customers or cloud providers may include security-posture attestation clauses that NHI gaps could implicate — verify with counsel.