Session on Ghost in the Machine: Attacking Non-Human Identities in the Age of AI Agents
In this eye-opening talk at DEF CON Pune (DCG-9120), held at Indira Group of Institutes, Mr. Kalpesh Hiran, VP of Technology at miniOrange, exposes the hidden dangers of Non-Human Identities (NHIs): the API keys, service accounts, OAuth tokens, and AI agents powering your infrastructure. He explains that organizations create 92 NHIs for every human user, yet 97% are over-privileged, lack MFA, and linger as "orphans" post-project, fueling 80% of cloud breaches.
The video covers real-world attacks such as the 2025 Salesforce phishing scam (exposing Google & Adidas CRM data), TJ Actions' GitHub token theft from 23K repos, and the Amazon Q Agent VS Code exploit threatening 1M users.
He also covers battle-tested defenses: short-lived credentials, Just-In-Time access, and tools like TruffleHog, Gitleaks, SPIFFE, Falco, LLM Guard, and Cloud Mapper.
Watch the complete video to learn more.