E-book

Protect your GitHub from identity threats

The Wake-Up Call You Didn't Know You Needed

Featured event: A CISO’s take

Join Jim Alkove and Ramy Houssaini to learn how forward-thinking security teams are addressing Enterprise AI Copilot risks.

40%
of Microsoft 365 Copilot rollouts are being delayed due to security concerns
Microsoft Security, 2021 State of Cloud Permissions Risks Reports

Attackers aren't hacking in - they're logging in

Right now, a threat actor could be browsing your company's private GitHub repositories — not because they found a zero-day exploit or launched a sophisticated attack, but because they're logged in with stolen credentials. In 2023 alone, over 12 million authentication secrets were leaked on GitHub. Major brands including Uber, Okta, Samsung, and LastPass learned this the hard way.

If you're thinking,"We have MFA enabled, we're safe," think again. This guide was created because we've seen too many organizations discover critical identity security gaps only after a breach. By then, their code, credentials, and API keys were already exposed.

This guide is for you if:

  • You worry if your team's GitHub access is actually secure
  • You need to make changes to your repository permissions but don't know where to start
  • Your developers keep asking for admin access "just for this one project"
  • You suspect former employees or contractors might still have access
  • Your audit team is asking questions you can't confidently answer
  • You can’t easily answer key questions about GitHub access: Who has access to what? What are they doing with that access? And do they actually need that access?
12M+
In 2023 alone…
authentication and sensitive secrets were leaked on GitHub
1.2 billion
of attacks recorded that the
root case was from
compromised credentials

The common blind spot in code hygiene & supply chain security

The shift-left movement has transformed how organizations approach security, bringing unprecedented focus to code hygiene and supply chain security. Development teams are writing more secure code than ever before, integrating security scans into their pipelines, and catching vulnerabilities before they reach production.

While organizations have fortified their code, many have one dangerous blind spot: identity security within their development environments.

Critical exposure points:

  • Compromised credentials (now the #1 attack vector)
  • Privilege abuse from insider threats
  • Unauthorized access through legitimate logins
  • Complex permission structures that hide security gaps

Whether it’s a malicious external actor using stolen credentials or a disgruntled insider who has been planning a sabotage for months, if you can’t see who has access to what across your GitHub environment, you’re bound to be reacting too late to these incidents.

86%
of security breaches involving web-based apps and platforms involve stolen credentials
118 days
Average detection time for unauthorized access

The GitHub configurability paradox

GitHub's greatest strength — its incredible flexibility — has become security teams' biggest challenge. The platform's extensive configurability means that even small changes to deployment settings can have massive, often unexpected impacts on who can access what and how. This complexity creates a perfect storm where security teams struggle to:

  • Track permission inheritance patterns
  • Audit access effectively
  • Maintain least-privilege principles
  • Respond quickly to security incidents

Security and IT teams also feel pressure to enable development teams and support their Agile development workflows. Developers want rapid access to repositories, fast onboarding of new users, speedy rollout of new tools — and minimal friction through it all.

Over-provisioning becomes the default leaving risky open doors

This leads to a common but dangerous pattern: over-provisioning access "just to be safe" or "just for now" — temporary solutions that become permanent security risks. In short, misconfigurations around access permissions, repository settings, and workflows can lead to unintended access. Identities have more access than necessary, and security teams often lack the visibility and capabilities to clean up those excessive permissions proactively.

The hidden access crisis: alarming findings

When we audit GitHub and other environments, we consistently find the same dangerous patterns hiding in plain sight that organizations have suspected but lacked the tools to identify. We are able to discover tens or even hundreds of excess permissions, dormant accounts still holding sensitive access, and authentication tokens that never expire.

The scope of this crisis is staggering:

95%

of permissions are unused

80%

of breaches use compromised identities

71%

year-over-year increase in attacks targeting identities

But these aren't just statistics – they're ticking time bombs. Every unused permission, every dormant account, and every excessive access right represents an attack vector waiting to be exploited.

The MFA misconception

Do you mandate MFA for external users?

External collaborators and third parties present significant risk when MFA is not enabled, because any SSO requirement (and resulting MFA management) does not apply. Third parties that don’t use MFA or use a weak MFA factor could create potential attack vectors.

Many security leaders look at stats on unauthorized access and think, “We have MFA enabled, we're safe." This dangerous assumption overlooks two unfortunate realities: Many organizations do not have clear visibility to ensure MFA is enabled for all accounts; and not all MFA factors are created equal. While basic MFA provides a layer of protection, modern attackers have evolved their tactics to bypass traditional second factors.

If you're thinking,"We have MFA enabled, we're safe," think again. This guide was created because we've seen too many organizations discover critical identity security gaps only after a breach. By then, their code, credentials, and API keys were already exposed.

Understanding the MFA hierarchy:

  • SMS Authentication: Vulnerable to interception and social engineering
  • Time-based OTP: Better, but still phishable
  • FIDO2/WebAuthn: The current gold standard in MFA

Critical gaps in traditional MFA:

  • No protection against authenticated session hijacking
  • Limited visibility into access patterns post-authentication
  • Bypass potential through personal access tokens
  • Inconsistent enforcement across integration points

Building your GitHub defense strategy

Securing identity and access across your GitHub environment requires a multi-layered approach that balances security priorities with developer productivity demands.

Layer 1: Foundation

Implement these critical controls immediately:

  • Enforce FIDO2/WebAuthn MFA organization-wide
  • Audit and revoke all permanent access tokens
  • Set default repository permissions to none
Layer 2: Access Structure

Build a sustainable permission model:

  • Implement GitHub Teams for all access management
  • Define clear role templates
  • Create automated onboarding/offboarding workflows
  • Establish regular access reviews
Layer 3: Monitoring & Detection

Deploy continuous oversight:

  • Monitor authentication patterns
  • Track repository access
  • Alert on suspicious activities
  • Review admin actions
  • Tracks access utilization across GitHub
  • Single intuitive visualization of all of your GitHub identities and permissions

[fs-toc-omit]Layer 1: Foundation

The foundation of GitHub security requires attention some critical control areas that can help form your first line of defense. Here is a set of foundational best practices for helping your organization address identity and access risks within your GitHub environment:

Enforce MFA

Mandate MFA for all users including third-party collaborators.  Even if users are managed externally through single sign-on (SSO), The higher the security level of your MFA e.g. those based on phishing resistant FIDO2 or WebAuthn, the better. But don't stop at basic implementation. Create a robust compliance monitoring system that tracks MFA adoption and usage patterns across your entire GitHub environment.

Audit and revoke all unlimited lifetime access tokens

Personal Access Tokens (PATs) represent one of the most overlooked security risks in GitHub environments. Begin by conducting a comprehensive audit of existing tokens using GitHub's API. Many organizations are shocked to discover hundreds of tokens with unlimited lifespans and broad permissions scopes. Implement a mandatory 90-day expiration policy for all new tokens, and systematically review and revoke existing permanent tokens.

Set default repository permissions to none

Default repository permissions form the backbone of your access control strategy. Configure your organization's default permission level to "none" for new repositories, forcing explicit permission grantsfor each team or user. This zero-trust approach prevents accidental exposure of sensitive code. Implement repository templates that come pre-configured with appropriate permission structures and branchprotection rules.

[fs-toc-omit]Layer 2: Access Structure

A well-designed access structure is essential for maintaining security at scale and can help simplify management. This layer focuses on creating sustainable, manageable permission systems that grow with your organization while maintaining security integrity.

GitHub Teams architecture

Your Teams architecture should mirror your organization's structure while accommodatingproject-based collaboration.

  • Implement nested teams to create logical permission inheritance paths that reflect real-world reporting and responsibility structures. For example, a product development group might have child teams for frontend, backend, and DevOps, each with their ownpermission sets.
  • Create clear, documented naming conventions that encode team purpose and scope (e.g., 'product-payment-dev' or 'infra-security-admin').
  • Each team should have a detailed description documenting its purpose, required approvals for membership, and standard permission levels. This documentation becomes crucial during access reviews and audit processes.
Role templates & automation

Standard role templates form the foundation of consistent access management.

  • Create comprehensive role definitions that align with job functions while following least-privilege principles. Each role template should define not just permissions but also the approval chain, review requirements, and automatic expiration policies where applicable.
  • Build automated workflows for access provisioning that integrate with your identity provider. These workflows should handle both onboarding and offboarding, automatically adjusting permissions based on HR status changes.
  • Implement self-service access requests with appropriate approval chains, and create automated expiration for temporary access grants.

[fs-toc-omit]Layer 3: Monitoring & Detection

Effective monitoring requires sophisticated tools and well-defined processes to maintain security posture while enabling rapid response to potential threats.

Comprehensive activity monitoring
  • Implement deep and continuous monitoring of authentication patterns, repository access, and administrative actions.
  • Your monitoring system should establish baseline activity patterns for different user types and alert on significant deviations.
  • Track not just successful operations but also failed attempts, unusual access patterns, and suspicious behavior sequences.
  • Create detailed audit trails of all sensitive operations, including repository clones, fork creation, and branch operations.
  • Pay special attention to mass download operations and unusual access patterns that might indicate data exfiltration attempts.
  • Implement geographic access monitoring to detect and alert on suspicious login locations or impossible travel scenarios.
Advanced threat detection
  • Deploy behavioral analytics to identify potential security threats before they become breaches.
  • Monitor for patterns that might indicate compromise, such as unusual commit patterns, suspicious file modifications, or abnormal API usage.
  • Create sophisticated alert rules that consider multiple factors including time of access, location, repository sensitivity, and user role.
  • Implement automated response workflows for common security scenarios, such as unusual admin actions or suspicious after-hours access.
  • Create escalation paths for different types of alerts, ensuring that critical security events receive immediate attention while managing alert fatigue.

How Oleria simplifies effective GitHub identity security

On the surface, this long list of best practices can look daunting — particularly given how GitHub’s extensive configurability makes it difficult to stay on top of all of these access and identity hygiene principles. More to the point, implementing this framework — and doing it continuously — likely requires a new set of tools and capabilities built for the future that many organizations do not have today.

Oleria transforms GitHub security from a manual, time-consuming process into an automated, intelligence-driven system that proactively identifies and mitigates risks. With Oleria you get a single intuitive visualization of all of your GitHub identities and permissions that is plug and play – no long and expensive installation and onboarding.

Intelligent access management

Oleria's platform provides unprecedented visibility into your GitHub environment through sophisticated permission mapping and relationship analysis. The system automatically identifies risky permission combinations, unused access rights, and potential security gaps. Rather than manually tracking permissions, security teams get real-time insights into who has access to what, how that access is being used, and where potential risks exist.

Risk response

The platform goes beyond simple monitoring by providing rapid incident investigation with fine-grained details options. When risky patterns are detected — whether it's unused permissions, excessive access rights, or suspicious behavior — Oleria can help you implement corrections or initiate review workflows. This proactive approach helps maintain your GitHub security without creating additional work for security teams.

Track group & user activity

Oleria offers a powerful solution to enhance security and streamline access management on GitHub. By automatically tracking user activity and identifying unused or dormant permissions, you can proactively eliminate security risks and optimize your organization's security posture. With Oleria, you can easily identify and remove "ghost accounts," enforce least-privilege principles, and gain valuable insights into user behavior. By analyzing group utilization, you can optimize role-based access policies and ensure that permissions are granted only to those who truly need them.

A secure GitHub environment

Protect your GitHub environment with Oleria’s comprehensive security solutions, empowering you to understand, identify, detect, and accelerate responses to risks.

Understand

Visualize access and permissions for all users (internal and external)in a single pane of glass.

Identify

Quickly identify risks like over-provisioned or inactive accounts and prioritizefor remediation.

Detect

Accelerate incident investigation and remediation with immediate visibility to the “who, what and when” of actions performed on all GitHub resources.

Accelerate

Detect anomalous login activities with alerts and advanced analytics.

Oleria reimagines identity security, providing organizations with the clarity and control needed to protect their most critical assets.

Executive Brief

Solving the non-human identity crisis: Securing your organization's invisible workforce

By the numbers

80:1
NHIs outnumber human identities by as much as 80 to 1
80%
Percentage of breaches involve compromised identities
46%
Organizations that have experienced a security breach related to NHIs
2 .7
Average number of NHIrelated security incidents per enterprise in the past year
40%
Repositories with Copilot enabled were found to have a 40% higher incidence rate of secret leaks compared to those without AI assistance
15%
Organizations that feel highly confident they can prevent NHI attacks

Understanding the NHI risk

In today's enterprise environments, the majority of identities accessing systems and resources are no longer human — they're machines. These non-human identities (NHIs) — service accounts, applications, API keys, bots, agentic AI, scripts, and more — form the backbone of modern business operations. They enable automation, integration, and cloud operations that drive digital transformation.

Yet they remain largely unmanaged, invisible, and over-permissioned. In fact, a recent study showed 85% of organizations are not highly confident in their ability to prevent NHI attacks.

Why? Because while organizations have spent decades refining their approach to human identity management, NHIs have proliferated in the background with minimal governance. Traditional IAM tools, created primarily to support human identities, were never designed to handle the unique challenges posed by machine identities operating across hybrid environments.

The sprawling, ungoverned web of NHIs represents cybersecurity's fastest-growing blind spot — and an increasingly popular entry point for attackers. With the rise of AI (and agentic AI in particular), this problem is growing exponentially. Tools like GitHub Copilot and other AI assistants are dramatically increasing the creation of NHIs — often without any of the identity governance or lifecycle management that covers human identities.

Strategic snapshot

The challenge:

Non-human identities (NHIs) now outnumber human users by 80:1 in enterprise environments, creating a massive, largely invisible attack surface.

Why it happens:

Traditional identity management tools weren’t designed for NHIs operating across hybrid ecosystems. The lack of visibility and stewardship allows NHIs to accumulate excessive permissions and use persistent credentials buried in code or configurations.

The solution:

Unified identity security that provides comprehensive visibility, intelligent governance, and rapid remediation for both human and non-human identities.

How NHIs fall through the gaps

Unmanaged and often overprovisioned NHIs create significant business exposure that goes beyond typical security concerns:

Why it matters: Business-critical impacts

Unmanaged and often overprovisioned NHIs create significant business exposure that goes beyond typical security concerns:

  • Overprovisioning and credentials in code. NHIs are frequently granted far more access than required. This rampant overprovisioning is compounded by poor credential hygiene management — like credentials buried in code or configurations — creating persistent and unmonitored backdoors.
  • Toxic combinations & undetected lateral movement. The interplay between human identities and NHIs can create “toxic combinations” where individual vulnerabilities escalate into critical exposures. Whether a compromised NHI gains control or a breached human identity exploits an NHI, the result allows bad, combined actors to potentially gain access to critical resources — often beyond the detection of traditional IAm solutions.
  • Compliance & governance failures. NHIs often operate outside established governance frameworks. They lack clear ownership, structured lifecycle management, and regular access reviews.
  • Operational disruption. As organizations become increasingly dependent on automation and AI, unmanaged NHIs introduce operational and security risks that can disrupt critical business functions. In fact, security incidents involving NHIs are particularly challenging to investigate and remediate due to limited visibility and unclear ownership.
  • Innovation barriers. Security concerns around NHIs can slow digital transformation initiatives. Without a robust framework for managing machine identities, organizations must choose between business agility and security assurance — a false choice that constrains business potential.

VISIBILITY GAPS

Limited inventory capability:
Most organizations cannot answer the fundamental question: Which NHIs exist, and who owns them? This visibility gap in complex on-prem, cloud, and hybrid enterprise environments hinders IAM and security teams from establishing the desired security posture and enforcing transparent governance.
Unique complexities:
NHIs span diverse technical implementations — machine accounts, service accounts, applications, API keys, tokens, AI models — each with distinct behaviors.
Rapid proliferation:
NHIs outnumber human identities by orders of magnitude, creating significant blind spots.
Complex lateral attack paths:
Compromised human identities often lead to NHI compromise (and vice-versa), enabling lateral movements that are difficult to identify and trace with traditional tools.

Agentic AI amplifies — and transforms — the NHI problem

The rapid emergence of agentic AI amplifies existing NHI risks. But agentic AI also transforms the NHI challenge in a critical way: unlike traditional NHIs that operate in a deterministic manner — executing predefined actions with predictable outcomes — AI-powered identities function non-deterministically, making autonomous decisions based on learning and context that can vary with each execution.

This fundamental shift from predictable to unpredictable behavior creates an entirely new security paradigm. When a traditional service account accesses a database, security teams can model the exact actions it will take. With AI-driven NHIs, that predictability disappears, introducing novel risks that conventional security controls weren't designed to address. This is a growing reality that, if not addressed proactively and effectively now, will soon become a crisis for every enterprise.

Advancing autonomy increases economic value — and business risk

As agentic AI progresses — from simple query-based assistants to more sophisticated GenAI copilots and ultimately toward truly autonomous agents operating without a human in the loop — their economic and business value grows. But this increasing autonomy also escalates the complexity of the identity and access challenges:

The path forward: Essential capabilities to secure NHIs

Organizations can close a critical identity security gap by bringing both non-human and human identities under a single intelligent framework. NHI access can be continuously monitored, right-sized, and enforced with least-privilege principles, enabling businesses to move faster, innovate boldly, and stay secure.

To effectively secure NHIs, organizations need:

Comprehensive discovery of NHIs across environments with fine-grained visibility down to the permission and resource level.

Lifecycle management including access review, proper onboarding, credential rotation and timely offboarding.

Rapid remediation capabilities to neutralize suspicious activity in seconds, not days or weeks.

GOVERNANCE CHALLENGES

Lack of stewardship:
NHIs frequently lack clear human ownership, making it difficult to assign accountability and drive corrective action.
Over-privileging by default:
NHIs are granted excessive permissions due to coarse-grained legacy systems, reuse across multiple resources, or just developer convenience.
Delegation without audit:
NHIs perform tasks on behalf of humans without transparent chains of responsibility. 
Highly privileged by design:
Many NHIs operate with broad, highly privileged access to multiple resources by necessity.
Persistent credentials:
NHIs often rely on hard-coded or long-lived credentials buried in code or configurations, creating hidden and persistent risks that are hard to detect, rotate, or manage

The Oleria Approach

Oleria's Trustfusion platform addresses these challenges through a graph-native architecture that connects to identity providers and applications across on-premises, SaaS, cloud, and hybrid environments. It unifies accounts, groups, resources, and permissions into a single access graph enriched with fine-grained usage insights.

Oleria enables organizations to:

  • Discover NHIs with unparalleled visibility in minutes across the entire identity ecosystem
  • Govern NHIs intelligently to find and fix over-permissioned, dormant, or ownerless identities.
  • Remediate in seconds to reduce NHI risks with recommended actions.

From blind spot to strategic advantage

Securing NHIs isn't just about closing a security loophole — it's about re-architecting identity security for a future where machines act with autonomy and impact at scale. Organizations addressing this challenge now will gain security and competitive advantages in an increasingly automated world.

The rise of agentic AI and automation means NHIs will continue to grow in importance and risk. Enterprises that wait to address this will be left vulnerable, while those who act now can get ahead of the curve.

Download PDF

Build your future-ready identity
security solution with Oleria