Heather Howland
July 31, 2025
On July 29, 2025, Wiz security researchers disclosed a critical vulnerability in Base44, an AI-powered "vibe coding" platform acquired by Wix earlier this year. The flaw? An attacker could gain access to private applications simply by knowing a public app_id. No authentication. No SSO. No identity verification of any kind.
This wasn’t a rare misconfiguration. It reflected a broader reality: identity controls simply hadn’t been extended to non-human actors in the system.
The vulnerability allowed unauthorized access to private applications built by its users, triggering no alerts and requiring no credentials.
This wasn’t an edge case. It was an identity failure at the core of how many platforms are built today in the rush to ride the AI wave.
At its core, the Base44 vulnerability wasn’t the failure of an identity system. It was the absence of one.
It’s like walking into a hotel, saying “Room 314,” and the front desk hands you the key. No name, no ID, just a number. That’s how little verification was happening in Base44.
This isn’t just about Base44. It’s part of a broader pattern: modern platforms are still designed with human access in mind, while non-human actors (services, bots, workloads and, increasingly, AI agents) operate without strong identity requirements.
As companies race to deploy AI-powered capabilities, it’s all too common for these systems to be granted implicit access without the same scrutiny applied to human users. The urgency to ship often outpaces the controls needed to secure what’s being built.
Security teams have hardened user access with SSO, MFA, and role-based access controls. But for non-human actors, many environments are still missing the fundamentals. This isn’t just a case of weak authentication; it amounts to “I hope nobody tries to open the door.”
And increasingly, someone does.
Incidents like this one, and many others, are forcing a critical realization: most identity architectures stop at the human boundary. In today’s environments, where automation drives scale, non-human actors often outnumber people, yet remain loosely governed and implicitly trusted.
We’re now seeing more organizations elevate Non-Human Identity (NHI) as a strategic pillar. But for many, this is uncharted territory:
There’s no universal playbook. But the organizations leading this shift are converging on a new set of principles; ones that embed identity into the infrastructure itself.
Securing non-human actors isn’t just about managing credentials. It’s about finding where identity is missing entirely, where trust is implied, and where automation has quietly outpaced control.
These five moves can help uncover hidden risks:
Human IAM systems were never designed for this. They manage human access to apps, not autonomous interactions. Automated systems are making decisions, accessing sensitive data, and invoking APIs without proving who they are.
Security teams are finally recognizing that traditional identity models break down when non-human actors drive most infrastructure activity. Forward-thinking organizations are responding by fundamentally re-architecting identity, and platforms like SPIRL are helping lead that transformation.
With a Non-Human Identity model in place:
In the case of Base44, this would have made the difference. A lack of authentication on the API endpoints would not have mattered.
This is the shift underway: from implicit trust to verified identity for every service, workload, and automated actor.
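As an added illustration (constructed for this post, not Base44’s or SPIRL’s code), here is the pattern described above beside its hardened form: the weak handler serves any private app whose app_id is supplied, while the hardened one first verifies a signed workload identity (an HMAC-signed token is assumed here as a stand-in for an mTLS-verified SPIFFE identity) and only then checks that the calling workload owns the app.

```python
"""Constructed example: a lookup keyed only by app_id versus one that
authenticates the calling workload and authorizes against app ownership."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: private apps and the workload identity that owns each.
APPS = {
    "app-1001": {"owner": "spiffe://example.org/team-a/builder", "source": "<private>"},
    "app-1002": {"owner": "spiffe://example.org/team-b/builder", "source": "<private>"},
}
SECRET = b"demo-signing-key"  # assumption: stands in for the issuer's trust root


def fetch_app_insecure(app_id: str):
    """Weak pattern: whoever knows a public app_id receives the private app."""
    return APPS.get(app_id)


def issue_token(principal: str, ttl: int = 300, now=None) -> str:
    """Mint a short-lived signed identity assertion for a workload."""
    now = int(time.time() if now is None else now)
    body = base64.urlsafe_b64encode(json.dumps({"sub": principal, "exp": now + ttl}).encode())
    sig = base64.urlsafe_b64encode(hmac.new(SECRET, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def verify_token(token: str, now=None):
    """Return the asserted principal, or None if the token is malformed, forged or expired."""
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return None
    expected = base64.urlsafe_b64encode(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time() if now is None else now)
    return claims["sub"] if claims["exp"] > now else None


def fetch_app_secure(app_id: str, token: str, now=None):
    """Hardened: authenticate the caller first, then authorize against the app's owner."""
    principal = verify_token(token, now)
    if principal is None:
        return None  # unauthenticated workload: nothing is served
    app = APPS.get(app_id)
    if app is None or app["owner"] != principal:
        return None  # same response whether the app is missing or not owned
    return app
```

A request bearing no verifiable identity, or a valid identity that does not own the app, gets the same empty result as a non-existent app_id, so knowing an identifier alone no longer yields anything.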
SPIRL is leading this shift helping security leaders make non-human identity a foundational layer of modern infrastructure, not an afterthought.
Base44 didn’t break an identity system. It revealed the absence of one.
As platforms continue to automate, scale, and interact autonomously, the question isn’t whether to secure non-human actors, it’s how soon you can start.
Learn how SPIRL secures every non-human actor in your environment. See how it works →