Wiz’s Base44 Vulnerability Findings Spotlight a Fixable Gap: Non-Human Identity

Heather Howland

On July 29, 2025, Wiz security researchers disclosed a critical vulnerability in Base44, an AI-powered vibe coding platform acquired by Wix earlier this year. The flaw? An attacker could gain access to private applications simply by knowing a public app_id. No authentication. No SSO. No identity verification of any kind.

This wasn’t a rare misconfiguration. It reflected a broader reality: identity controls simply hadn’t been extended to non-human actors in the system.

The vulnerability allowed unauthorized access to private applications built by its users, triggering no alerts and requiring no credentials.

This wasn’t an edge case. It was an identity failure at the core of how many platforms are built today in the rush to ride the AI wave.

What Went Wrong in Base44

At its core, the Base44 vulnerability wasn’t the failure of an identity system. It was the absence of one.

  • API endpoints were exposed without authentication, allowing calls with only a public app_id
  • Registration and onboarding flows lacked verification, enabling attackers to create accounts inside restricted environments
  • Authentication was siloed to users, not services. Internal service calls were assumed to be trusted
  • No cryptographic identity binding existed between requests and verified actors

It’s like walking into a hotel, saying “Room 314,” and the front desk hands you the key. No name, no ID, just a number. That’s how little verification was happening in Base44.

Where Security Teams Must Rethink Their Defenses

This isn’t just about Base44. It’s part of a broader pattern: modern platforms are still designed with human access in mind, while non-human actors (services, bots, workloads, and increasingly AI agents) operate without strong identity requirements.

As companies race to deploy AI-powered capabilities, it’s all too common for these systems to be granted implicit access without the same scrutiny applied to human users. The urgency to ship often outpaces the controls needed to secure what’s being built.

Security teams have hardened user access with SSO, MFA, and role-based access controls. But for non-human actors, many environments are still missing the fundamentals. It’s not just a case of weak authentication. It wasI hope nobody tries to open the door.”

And increasingly, someone does.

Non-Human Identity Is Becoming a Top Priority

Incidents like this, and many others, are forcing a critical realization: most identity architectures stop at the human boundary. In today’s environments, where automation drives scale, non-human actors often outnumber people, yet remain loosely governed and implicitly trusted.

We’re now seeing more organizations elevate Non-Human Identity (NHI) as a strategic pillar. But for many, this is uncharted territory:

  • What qualifies as a non-human identity?
  • Who owns it: Security, IAM, DevOps?
  • How do we manage lifecycle without friction?
  • How do we enforce identity in systems that move faster than humans ever could?

There’s no universal playbook. But the organizations leading this shift are converging on a new set of principles, ones that embed identity into the infrastructure itself.

Strategic Shifts for Securing Non-Human Identity

  • Identity Everywhere, Not Just at the Edge
    Enforce identity for every service and API call, not just human logins. Every actor must prove who it is.
  • Eliminate Static Credentials in Favor of Real-Time Identity
    Replace secrets and standing access with short-lived, verifiable identity issued at runtime.
  • Shift Trust from Environment to Proven Identity
    Don’t rely on network location or deployment context. Require cryptographic proof of identity before granting access.
  • Treat Non-Human Actors as First-Class Citizens in IAM
    Govern bots, services, and workloads with the same rigor as users: identity lifecycle, least privilege, access reviews.
  • Enforce Policy at the Infrastructure Layer, Not in App Logic
    Make access control uniform and auditable, enforced by infrastructure, not sprinkled across code.
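
As an added illustration (not code from Base44, Wiz, or SPIRL), the following Python example puts the app_id-only pattern listed under "What Went Wrong in Base44" next to a handler that requires a short-lived, signed identity bound to the calling workload and the target app. The app id, workload name, and key are constructed for the example, and HMAC stands in for the asymmetric signature a real identity issuer would use.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; HMAC stands in for an issuer's asymmetric signature.
ISSUER_KEY = b"constructed-demo-key"
PRIVATE_APPS = {"app-314": {"workload": "svc://billing", "data": "private records"}}

def _sign(body):
    return base64.urlsafe_b64encode(hmac.new(ISSUER_KEY, body, hashlib.sha256).digest())

def issue_identity(workload, app_id, ttl=300, now=None):
    """Issuer side: short-lived credential binding one workload to one app_id."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": workload, "aud": app_id, "exp": now + ttl}).encode()
    return (base64.urlsafe_b64encode(body) + b"." + _sign(body)).decode()

def handle_app_id_only(app_id):
    """Pattern the article describes: a public app_id is the only thing checked."""
    app = PRIVATE_APPS.get(app_id)
    return (200, app["data"]) if app else (404, None)

def handle_with_identity(app_id, credential, now=None):
    """Every call must present a verifiable, unexpired, app-bound identity."""
    now = time.time() if now is None else now
    if not credential or "." not in credential:
        return (401, "no identity presented")
    body_b64, sig = credential.rsplit(".", 1)
    try:
        body = base64.urlsafe_b64decode(body_b64)
    except ValueError:
        return (401, "malformed credential")
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        return (401, "signature check failed")
    claims = json.loads(body)
    if claims["exp"] <= now:
        return (401, "credential expired")
    app = PRIVATE_APPS.get(app_id)
    # Authorise: credential must name this app and the workload allowed to use it.
    if app is None or claims["aud"] != app_id or claims["sub"] != app["workload"]:
        return (403, "identity not authorised for this app")
    return (200, app["data"])
```

The first handler returns the private data to any caller that supplies the id; the second returns it only when the credential verifies, has not expired, and names both the app and the workload allowed to use it.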

Five Things to Try Today to Surface What’s Hiding in Plain Sight

Securing non-human actors isn’t just about managing credentials. It’s about finding where identity is missing entirely, where trust is implied, and where automation has quietly outpaced control.

These five moves can help uncover hidden risks:

  1. Red Team Your APIs Like an Attacker Would
    Simulate calls using public metadata. What responds without identity?
  2. Map Your Trust Assumptions
    Highlight where access is granted without identity proof, based only on location, name, or environment.
  3. Harden Registration and Onboarding Flows
    Can services self-register? Would an attacker be able to onboard a rogue workload?
  4. Quantify the Blast Radius of Unauthenticated Access
    What can an unauthenticated service touch? What can it trigger?
  5. Pressure Test Your CI/CD Systems
    Can a compromised pipeline impersonate workloads or push code unchecked?

Where Traditional IAM Stops, a New Identity Layer Begins

Human IAM systems were never designed for this. They manage human access to apps, not autonomous interactions. Automated systems are making decisions, accessing sensitive data, and invoking APIs without proving who they are.

Security teams are finally recognizing that traditional identity models break down when non-human actors drive most infrastructure activity. Forward-thinking organizations are responding by fundamentally re-architecting identity, and platforms like SPIRL are helping lead that transformation. 

With a Non-Human Identity model in place:

  • Every call requires proof of identity
  • Access is dynamic and policy-bound
  • Onboarding flows require verification
  • Exploit paths like Base44 are closed by design

In the case of Base44, this would have made the difference. A lack of authentication on the API endpoints would not have mattered.

This is the shift underway: from implicit trust to verified identity for every service, workload, and automated actor.

SPIRL is leading this shift, helping security leaders make non-human identity a foundational layer of modern infrastructure, not an afterthought.

Final Thoughts: Rethinking Identity for Non-Humans

Base44 didn’t break an identity system. It revealed the absence of one.

As platforms continue to automate, scale, and interact autonomously, the question isn’t whether to secure non-human actors; it’s how soon you can start.
