The Disposable Identity: Eliminating Non-Human Identity Risk in Federal Healthcare Pipelines

Non-Human Identity is the fastest-growing attack surface in cloud data environments — and the least discussed. While zero-trust implementations focus on user authentication and network segmentation, the persistent service accounts powering automated pipelines remain long-lived, over-privileged, and largely unexamined. In federal healthcare environments processing genomic and clinical data under FedRAMP High constraints, a single compromised ingestion role means bucket-wide access for up to 90 days. That is not least privilege. That is a liability.

This talk is a production case study, not a proposal. We deployed an Identity-Per-Transaction (IPT) pipeline for a federal life sciences agency, generating a unique cryptographically scoped ephemeral credential for every file ingestion event and destroying it milliseconds later. We present the operational reality of running this in production: STS AssumeRole latency averaging 180ms, peak issuance rates during batch windows, the race condition we hit under high concurrency, and what happens when you need to debug a system whose credentials no longer exist.

We also address two hard problems directly. First, the secret-zero problem: the broker that issues ephemeral credentials is itself a root of trust. If it's compromised, the blast radius is bounded to 900 seconds rather than 90 days, but it is not zero. Second, the genomic privacy boundary: tokenizing 18 HIPAA identifiers does not anonymize a VCF file. This architecture eliminates credential-mediated access risk. It is not a genomic privacy framework. Those are different problems.

Attendees leave with a concrete reference pattern for eliminating Non-Human Identity risk in high-compliance storage systems, an honest accounting of where the architecture holds and where it defers, and open questions about trust bootstrapping that the field has not yet resolved.