Why Service Accounts Are the New Attack Surface
The average microservice deployment carries 40+ service accounts, most created by engineers who have since left the company.
Blog
Non-human identity, zero trust for workloads, and the security engineering behind modern service architectures.
SPIFFE is a standard, SPIRE is an implementation. Here is what the difference means when you are trying to authenticate your Kubernetes services without stored credentials.
Mutual TLS proves both ends of a connection have valid certificates. It does not tell you which workload made the call, under which policy.
A step-by-step guide to removing every long-lived AWS access key from your CI pipelines and replacing them with scoped, per-run tokens.
Every team knows they should rotate service credentials every 90 days. Almost no team actually does it on schedule. This is a system design failure.
Service accounts in Kubernetes are workload identities, but they are also a common source of over-provisioned RBAC and stale permissions.
When a LangChain agent calls your internal data API, it is authenticating with something. In most deployments today, that something is a shared API key.
AWS Lambda execution roles handle Lambda-to-AWS-service authentication. They do not handle Lambda calling your own APIs cleanly.
The BeyondCorp model that inspired zero trust architectures was built around eliminating implicit network trust for machine traffic.
Envoy proxy intercepts all outbound traffic from your service. That interception point is exactly where workload identity should be attached.
Before your next SOC 2 audit, you should be able to answer: what service credentials exist, who created them, when they expire, and what they access.
Data pipelines authenticating to Snowflake with stored passwords are a common weak point in analytics infrastructure.
What actually happens inside a 15-minute OIDC token: claims, scoping, validation, and what to log.
AI pipelines that spawn sub-agents, call external APIs, and retrieve documents need a coherent identity model.
A practical runbook for platform teams managing workload identity at scale: inventory, migration priority, legacy services, and measuring progress.
Aembit's policy language gives you fine-grained control over which workloads can call which services under which conditions.
Security auditors are starting to ask about AI agent authentication. Most teams fail. The issues are predictable: shared keys, no audit trail, no scoping.
Istio and Linkerd both provide mTLS between services. But they do not provide the policy layer, the audit trail, or the non-Kubernetes workload support.
Each cloud provider has its own workload identity primitive. Managing them separately means three audit trails and three places for misconfiguration.
Agentic AI deployments are outpacing the security infrastructure around them. Non-human identity management is the missing layer.