
Cosmikal’s Endurance Added to NATO’s NIAPC Catalogue as the First Spanish Access Control Solution
4 June 2026
Bots, microservices and AI agents are proliferating across corporate networks. Managing their identity and access is no longer optional.
What is a Non-Human Identity (NHI)?
When we talk about identities in cybersecurity, the classic image is that of an employee with a username and password. That image is obsolete. Today, for every person accessing an organization’s systems, there are dozens or hundreds of automated entities doing the same: RPA bots processing invoices, microservices talking to one another in the cloud, CI/CD pipelines deploying code, AI agents querying databases, and scripts synchronizing platforms. All of them have one thing in common: they need credentials to operate. These automated entities, together with the credentials that identify them, are non-human identities (NHIs), and today they represent one of the most underestimated attack vectors in the modern enterprise.
Technically, an NHI can take the form of an Active Directory service account, an API token, an AWS IAM access key, a client certificate in an mTLS communication, a secret stored in a vault, or a long-lived JWT used by an automated process. The form varies; the risk does not.
Why NHIs are a critical security problem
Their volume already exceeds human identities
Non-human identities vastly outnumber employee identities in most organizations. In environments with microservice architectures or significant RPA deployments, the ratio can exceed 50:1. API tokens, service accounts, certificates, secrets embedded in code, cloud access keys… the proliferation is silent but constant. Every new integration, every newly deployed bot, every added microservice contributes more NHIs to the inventory, generally without anyone maintaining a systematic record.
They are outside the usual radar
Traditional IAM (Identity and Access Management) processes are designed for people. Access review cycles, password policies, offboarding processes… none of these naturally apply to a service account. The result is predictable: credentials that never rotate, accesses that nobody reviews, and permissions that accumulate over time without control.
A common scenario: a microservice is deployed with a service account that has read and write permissions on a sensitive data store. Six months later, the team that created it no longer exists. The account remains active. Nobody reviews it. Nobody knows exactly what it can do.
The consequences of compromise are serious
An attacker who obtains the credentials of a microservice with privileged access can move laterally across the network without raising alarms. There is no human behavior to analyze, no unusual schedules to detect, no suspicious geolocation to correlate. Compromised NHIs are invisible to many conventional detection systems precisely because their anomalous behavior is indistinguishable from operational behavior if no well-defined baseline exists.
Recent high-impact attacks have leveraged exactly this vector: compromised CI/CD pipeline credentials used to inject malicious code into the build process, API tokens leaked in public repositories and used weeks later to exfiltrate data, or service accounts with excessive privileges used as a pivot point during lateral movement.
The three main risks in managing bot and RPA access
1. Static and long-lived credentials. RPA bots and service accounts usually operate with passwords or tokens that are configured once and never changed. The reason is operational: rotating credentials in complex automation environments can break integrations, and teams prefer stability. But a credential that never rotates is a credential that, if leaked (through a misconfigured repository, an exposed log, or a targeted attack), grants indefinite access to an attacker, and cannot be revoked without breaking the very integrations that made rotation unattractive in the first place.
2. Accumulated excessive privileges. Following the implicit principle that “more permissions = less operational friction,” automation accounts tend to accumulate privileges that are never reviewed. An account created for a specific integration can end up with access to systems completely unrelated to its original function. In practice, applying the Principle of Least Privilege (PoLP) to NHIs is more difficult than applying it to people: automated processes have less predictable access patterns and their actual requirements are difficult to define without specific analysis.
3. Lack of traceability and governance. Who created this service account? For which process? Is it still necessary? What has it accessed in the last 30 days? In most organizations, these questions do not have easy answers. Without traceability, auditing is impossible, anomaly detection is impossible, and incident response becomes extremely difficult. The account may have been compromised for months without anyone noticing.
How to protect non-human identities in the enterprise
A solid NHI security strategy does not require reinventing identity management, but rather extending it consistently to non-human entities. The pillars are:
Inventory and continuous discovery
You cannot protect what you do not know exists. The first step is an up-to-date catalogue of all NHIs: service accounts in Active Directory, active API tokens, issued certificates, cloud environment keys, secrets in vaults, or, worse, in environment variables or code repositories. This inventory must be dynamic: NHIs continuously appear and disappear.
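The "worse, in environment variables or code repositories" case is the one a discovery pass can catch mechanically. The following is an added example, not Cosmikal’s or Endurance’s code: it scans a handful of constructed files for embedded credentials using three detectors, a fixed-format match for AWS access key IDs (the `AKIA` prefix plus 16 upper-case alphanumerics is AWS’s documented format), a match for PEM private-key headers, and an assignment pattern (`api_key=`, `secret=`, `token=`, `password=`) whose value is only reported when its Shannon entropy is high enough to look like a real secret rather than a placeholder or a vault reference. The file contents, the entropy threshold and the keyword list are assumptions for the demo; the AWS key values are the placeholder values from AWS’s own documentation.

```python
import math
import re
from collections import Counter

# Constructed sample files for this demo (not real repositories). The AWS
# values are the documented AWS placeholder keys, not live credentials.
SAMPLES = {
    ".env": (
        "DB_PASSWORD=${VAULT:db/prod/password}\n"      # vault reference: fine
        "API_KEY=sk_live_9f8b2e7a1c4d6f0e3b5a7c9d\n"   # embedded secret: finding
        "DEBUG=true\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "settings.py": (
        "PASSWORD = 'changeme'\n"                      # placeholder: ignored
        "TOKEN = os.environ['SERVICE_TOKEN']\n"        # code reference: ignored
    ),
    "deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"                   # constructed, truncated body
    ),
}

PATTERNS = {
    # AWS documents access key IDs as "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Assumption for the demo: a credential-like identifier assigned a literal value.
    "assigned_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=.]{8,})"
    ),
}
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx"}


def shannon_entropy(value):
    """Bits of entropy per character; real secrets score high, words and code low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source, entropy_threshold=3.5):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "assigned_secret":
                # Drop templated values, known placeholders and low-entropy strings
                # (e.g. "os.environ"), which are the bulk of false positives.
                if (value.startswith("${") or value.lower() in PLACEHOLDERS
                        or shannon_entropy(value) < entropy_threshold):
                    continue
            findings.append({"source": source, "line": lineno, "kind": kind,
                             "preview": value[:6] + "..."})
    return findings


def scan_all(samples=SAMPLES):
    findings = []
    for name, content in samples.items():
        findings.extend(scan_text(content, name))
    return findings


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']}:{f['line']}  {f['kind']}  {f['preview']}")
```

Every hit is a candidate NHI that exists outside the vault and therefore outside any rotation or review process; the scanner produces the raw material for the inventory, it does not replace it. In practice the same pass runs as a pre-commit hook and against CI logs, and the entropy threshold is tuned per repository to keep the noise manageable.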
Principle of least privilege applied to machines
Every non-human identity should have access exclusively to the resources required for its function, with the minimum level of permissions necessary. This involves regularly reviewing granted access and revoking permissions that are no longer required, with the same discipline applied to human access.
Managed rotation and lifecycle
Credentials should have expiration dates and automated rotation processes, preferably without manual intervention. Inactive NHIs should be deprovisioned. Long-lived secrets should be replaced, wherever possible, by authentication mechanisms based on ephemeral credentials: short-lived tokens, certificates with short TTLs, or federated authentication through OIDC or SAML.
Strong machine-to-machine authentication
In service-to-service communications, simple username-and-password authentication should be replaced by mechanisms such as mTLS (mutual TLS), where both ends present certificates, or by signed access tokens with limited validity. Authentication must be bidirectional: the calling service authenticates itself, but it must also verify the identity of the service it is calling.
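The "signed access tokens with limited validity" mentioned here, and the "expiration dates and automated rotation" from the lifecycle pillar above, come together in the following added example (not Endurance’s code and not a description of how Endurance issues tokens). A small issuer mints HMAC-SHA256-signed tokens in a JWT-style layout with a 60-second lifetime, a verifier checks signature, audience and expiry in that order, and a key ring rotates the signing key while honouring the previous key only for a short grace period, so that rotation never requires a maintenance window but a retired key cannot be used indefinitely. Token layout, TTL, grace period, service names and the `kid` scheme are assumptions for the demo; the mTLS side of the passage is not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Current HMAC key plus the previous one, accepted only for `grace` seconds
    after a rotation so that in-flight tokens are not cut off mid-request."""

    def __init__(self, grace=30, now=None):
        self.grace = grace
        self.keys = {}           # kid -> 256-bit key
        self.current = None
        self.previous = None
        self.rotated_at = 0.0
        self.rotate(now)

    def rotate(self, now=None):
        now = time.time() if now is None else now
        self.previous, self.current = self.current, secrets.token_hex(4)
        self.keys[self.current] = secrets.token_bytes(32)
        # Anything older than the previous key is gone for good.
        self.keys = {k: v for k, v in self.keys.items() if k in (self.current, self.previous)}
        self.rotated_at = now

    def key_for(self, kid, now):
        if kid == self.current:
            return self.keys[kid]
        if kid == self.previous and now - self.rotated_at <= self.grace:
            return self.keys[kid]
        return None  # unknown kid, or previous key past its grace period


def issue(ring, subject, audience, ttl=60, now=None):
    """Mint a short-lived token bound to one audience (the service being called)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "kid": ring.current}
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    signing_input = (b64u(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64u(json.dumps(claims, separators=(",", ":")).encode()))
    key = ring.keys[ring.current]
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)


def verify(ring, token, audience, now=None):
    """Return (claims, 'ok') or (None, reason). Claims are only trusted after the
    signature check; alg and kid come from the header but the key is ours."""
    now = time.time() if now is None else now
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(unb64u(h)), json.loads(unb64u(c)), unb64u(s)
    except ValueError:
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    if header.get("alg") != "HS256":
        return None, "bad alg"
    key = ring.key_for(header.get("kid"), now)
    if key is None:
        return None, "unknown or retired kid"
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"


def demo():
    """Walk one token through its lifetime and a key rotation (fixed clock)."""
    t0 = 1_700_000_000
    ring = KeyRing(grace=30, now=t0)
    tok = issue(ring, "svc-invoice-bot", "svc-ledger", ttl=60, now=t0)
    out = {}
    claims, out["fresh"] = verify(ring, tok, "svc-ledger", now=t0 + 10)
    out["subject"] = claims["sub"]
    out["wrong_aud"] = verify(ring, tok, "svc-payroll", now=t0 + 10)[1]
    out["expired"] = verify(ring, tok, "svc-ledger", now=t0 + 61)[1]
    tampered = tok[:-3] + ("BBB" if tok.endswith("AAA") else "AAA")
    out["tampered"] = verify(ring, tampered, "svc-ledger", now=t0 + 10)[1]
    ring.rotate(now=t0 + 20)                       # rotation while tok is live
    out["in_grace"] = verify(ring, tok, "svc-ledger", now=t0 + 40)[1]
    out["after_grace"] = verify(ring, tok, "svc-ledger", now=t0 + 55)[1]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

Two design points carry over to any real deployment: the `aud` check is what stops a token stolen from one service being replayed against another, and the grace window bounds how long a leaked previous key remains usable, which is the property a credential that "never rotates" lacks entirely. A production verifier would additionally track `jti` values until `exp` to reject replays within the lifetime.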
Monitoring, alerts, and traceability
Record what accesses what, when, and from where. Establish behavioral baselines for every NHI and alert on deviations: a microservice that suddenly accesses a resource it has never accessed before, or does so at an unusual frequency, is a signal that should not go unnoticed.
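The baseline described here, and the "revoking permissions that are no longer required" review from the least-privilege pillar above, are both just questions asked of the same access log. The following is an added example, not Endurance’s code or log format: it learns, per identity, the resources touched, the source addresses used and the typical events per hour from a constructed training window, then flags a new window for accesses to never-before-seen resources, new source addresses and hourly volumes well above the baseline. The same baseline, compared against a constructed permission grant table, yields the permissions each identity holds but has never exercised. Log format, identity and permission names, and the 3x rate threshold are assumptions for the demo.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed log format for this demo: "<epoch seconds> <identity> <action> <source_ip>"
BASELINE_LOG = """\
1700000000 svc-invoice-bot invoices:read 10.0.1.5
1700000900 svc-invoice-bot invoices:write 10.0.1.5
1700001800 svc-invoice-bot invoices:read 10.0.1.5
1700003600 svc-invoice-bot invoices:read 10.0.1.5
1700004500 svc-invoice-bot invoices:read 10.0.1.5
1700005400 svc-invoice-bot invoices:write 10.0.1.5
1700007200 svc-invoice-bot invoices:read 10.0.1.5
1700008100 svc-invoice-bot invoices:read 10.0.1.5
1700009000 svc-invoice-bot invoices:read 10.0.1.5
1700000300 svc-report-gen ledger:read 10.0.2.9
1700003900 svc-report-gen ledger:read 10.0.2.9
1700007500 svc-report-gen ledger:read 10.0.2.9
"""

# New window (constructed): a burst of reads, then an HR access from an unknown host.
NEW_LOG = "\n".join(
    [f"{1700010800 + 60 * i} svc-invoice-bot invoices:read 10.0.1.5" for i in range(12)]
    + ["1700011700 svc-invoice-bot hr:read 10.0.9.77",
       "1700011200 svc-report-gen ledger:read 10.0.2.9"]
)

# Constructed grant table: what each service account is allowed to do today.
GRANTED = {
    "svc-invoice-bot": {"invoices:read", "invoices:write", "hr:read", "ledger:write"},
    "svc-report-gen": {"ledger:read", "ledger:write"},
}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, identity, action, src = line.split()
            events.append({"ts": int(ts), "identity": identity, "action": action, "src": src})
    return events


def build_baseline(text):
    """Per identity: actions and sources seen, plus mean/max events per hour bucket."""
    base = defaultdict(lambda: {"actions": set(), "sources": set()})
    per_hour = defaultdict(Counter)
    for ev in parse_log(text):
        base[ev["identity"]]["actions"].add(ev["action"])
        base[ev["identity"]]["sources"].add(ev["src"])
        per_hour[ev["identity"]][ev["ts"] // 3600] += 1
    for identity, counts in per_hour.items():
        base[identity]["mean_per_hour"] = mean(counts.values())
        base[identity]["max_per_hour"] = max(counts.values())
    return dict(base)


def detect(baseline, text, rate_factor=3.0):
    """Alert on unknown identities, new resources, new sources and hourly rate spikes."""
    alerts = []
    per_hour = defaultdict(Counter)
    for ev in parse_log(text):
        b = baseline.get(ev["identity"])
        if b is None:
            alerts.append({"identity": ev["identity"], "kind": "unknown_identity", "detail": ev["action"]})
            continue
        if ev["action"] not in b["actions"]:
            alerts.append({"identity": ev["identity"], "kind": "new_resource", "detail": ev["action"]})
        if ev["src"] not in b["sources"]:
            alerts.append({"identity": ev["identity"], "kind": "new_source", "detail": ev["src"]})
        per_hour[ev["identity"]][ev["ts"] // 3600] += 1
    for identity, counts in per_hour.items():
        threshold = rate_factor * max(baseline[identity]["mean_per_hour"], 1.0)
        for bucket, n in counts.items():
            if n > threshold:
                alerts.append({"identity": identity, "kind": "rate_spike",
                               "detail": f"{n} events in hour {bucket} (threshold {threshold:.0f})"})
    return alerts


def unused_permissions(granted, baseline):
    """Granted but never exercised in the baseline window: candidates for revocation."""
    return {identity: perms - baseline.get(identity, {"actions": set()})["actions"]
            for identity, perms in granted.items()}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for a in detect(baseline, NEW_LOG):
        print(f"ALERT {a['identity']:16} {a['kind']:16} {a['detail']}")
    for identity, perms in unused_permissions(GRANTED, baseline).items():
        print(f"REVIEW {identity:16} unused: {sorted(perms)}")
```

The point the passage makes is visible in the output: `hr:read` is a permission the invoice bot legitimately holds, so a permission-based control would have allowed it silently; only the behavioural baseline marks it as the bot’s first ever access to that resource, from an address it has never used. The unused-permission list is the least-privilege review the previous pillar asks for, produced from the same data rather than from a separate questionnaire.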
NHI, cybersecurity, and technological sovereignty
For organizations operating with sensitive data (public sector, defense, critical infrastructure, banking), the management of non-human identities has an additional dimension: trust in the solution managing them. Entrusting credential and access control to foreign platforms introduces dependencies that can compromise both operational security and regulatory compliance under frameworks such as ENS, NIS2, or the National Industrial Security Framework.
In highly sensitive environments, the chain of custody of credentials, who issues them, who stores them, who can access them, and under what conditions, must be auditable, sovereign, and traceable end-to-end.
Endurance: access governance with complete traceability, also for NHIs
Endurance, Cosmikal’s secure workspace platform, is designed around the structural problems that make non-human identities dangerous: opacity in credential access, lack of governance over service accounts, and lack of traceability regarding which entity accesses which resource and at what moment.
Custody and centralized credential management
Endurance centralizes the storage and management of credentials, both for human users and for service accounts and automated processes, within a controlled and audited environment. No credential is scattered across local configurations, environment variables, or repositories: there is a single governance point with strict access control over who can consult, modify, or use each secret, and under which conditions.
Robust authentication and granular access control
The solution implements strong authentication mechanisms that go beyond static passwords, applicable to both people and processes. Access control is granular: it is possible to define precisely which identity, human or non-human, can access which resource, from what context, and during which time window. This makes it possible to implement the principle of least privilege operationally, not merely declaratively.
Audited and continuous access traceability
Every access to credentials or resources protected by Endurance generates an audited, immutable, and searchable record. This provides two critical capabilities: anomaly detection (unusual access by service accounts or bots deviating from their normal pattern) and incident response (a precise timeline of which entity accessed what), facilitating both forensic analysis and regulatory compliance.
Made in Spain, certified by the CCN, validated by NATO
Endurance is not merely a technically robust solution. It is the only Spanish solution included in the NATO Information Assurance Product Catalogue (NIAPC) in the access control category, the catalogue of security products evaluated against the most demanding standards of the Atlantic Alliance. For organizations operating in regulated environments or handling classified or critical information, that validation is not a detail: it is the guarantee that the platform has been subjected to the most rigorous evaluation criteria within the European security context.
In an environment where bots, microservices, and AI agents exponentially multiply the attack surface, having a platform that governs all access, human and non-human, with complete traceability and built in Spain is both a security decision and a technological sovereignty decision.
Would you like to know how Endurance can help you govern access across your organization?
Cosmikal is a Spanish cybersecurity company headquartered in Santander, founded in 2013 and part of Grupo PITMA. Its flagship product, Endurance, is included in NATO’s NIAPC catalogue as the only Spanish access control solution.