Managed vault

A managed vault is a controlled repository for storing and sharing credentials with explicit access rules, logging, and revocation capability. It reduces the need for passwords in email, spreadsheets, or browsers, while giving teams a clearer view of who can reach sensitive systems.

Expanded Definition

A managed vault is more than a secure place to store credentials. In NHI operations, it is a controlled system for issuing, rotating, revoking, and auditing access to secrets such as API keys, tokens, certificates, and service account passwords. Its value comes from centralised policy enforcement, not simple encryption at rest.

Definitions vary across vendors, but the operational pattern is consistent: a managed vault applies identity-aware access controls, logs retrieval events, supports short-lived credential delivery, and reduces dependence on human memory or static storage. That makes it a core control in NHI programmes documented in NHIMG guidance such as the Guide to the Secret Sprawl Challenge and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.

It is often discussed alongside zero trust and secrets governance, but it is not the same as password storage alone. The closest external baseline is the NIST Cybersecurity Framework 2.0, which emphasises protected assets, access control, and continuous monitoring. The most common misapplication is treating a managed vault as a static password repository, which occurs when teams fail to enforce rotation, scoped retrieval, and revocation.

Examples and Use Cases

Implementing a managed vault rigorously often introduces integration and operations overhead, requiring organisations to weigh tighter control against application refactoring, onboarding effort, and change management.

  • Application teams retrieve database credentials at runtime from a vault instead of embedding them in config files or pipelines, reducing exposure from code commits and shared documents.
  • Security teams enforce per-app access rules so one workload cannot read another workload’s secrets, even if both use the same vault service.
  • Operations teams use a vault to rotate certificates and API keys on schedule, supporting the lifecycle discipline described in NHIMG’s NHI Lifecycle Management Guide.
  • Incident responders revoke a compromised token centrally, rather than hunting through email threads, spreadsheets, and browser stores for every copy.
  • Platform engineers align vault usage with NIST Cybersecurity Framework 2.0 practices for access governance and recovery, while avoiding ad hoc secret distribution.
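The operational pattern described above (scoped per-workload retrieval, logged access, short-lived credential delivery, and central revocation on rotation), worked as an added Python model. This is illustrative code written for this page, not the code of any vendor vault; the ManagedVault class, the workload names and the secret ids are constructed for the example.

```python
import time


class ManagedVault:
    """Toy model of the managed-vault pattern: identity-aware retrieval,
    per-workload policy, audit logging, short-lived leases, central revocation."""

    def __init__(self, clock=time.time):
        self.now = clock            # injectable clock so lease expiry is testable
        self._secrets = {}          # secret_id -> current value
        self._policy = {}           # workload identity -> set of secret_ids it may read
        self._leases = {}           # lease_id -> dict(secret, value, expires_at, revoked)
        self.audit_log = []         # in-memory audit trail (constructed for the example)

    def store(self, secret_id, value):
        self._secrets[secret_id] = value

    def grant(self, workload, secret_id):
        """Scoped policy: one workload cannot read another workload's secrets."""
        self._policy.setdefault(workload, set()).add(secret_id)

    def _log(self, event, **fields):
        self.audit_log.append({"ts": self.now(), "event": event, **fields})

    def read(self, workload, secret_id, ttl_seconds=300):
        """Identity-aware retrieval that hands out a short-lived lease, never the store."""
        if secret_id not in self._policy.get(workload, set()):
            self._log("denied", workload=workload, secret=secret_id)
            raise PermissionError(f"{workload} may not read {secret_id}")
        lease_id = f"lease-{len(self._leases) + 1}"
        self._leases[lease_id] = {"secret": secret_id, "value": self._secrets[secret_id],
                                  "expires_at": self.now() + ttl_seconds, "revoked": False}
        self._log("read", workload=workload, secret=secret_id, lease=lease_id)
        return lease_id, self._leases[lease_id]["value"]

    def is_valid(self, lease_id):
        """A lease is usable only while unexpired and not centrally revoked."""
        lease = self._leases.get(lease_id)
        return lease is not None and not lease["revoked"] and self.now() < lease["expires_at"]

    def rotate(self, secret_id, new_value):
        """Central revocation plus rotation: every outstanding lease on the old value
        is invalidated at once, and the next read returns the new value."""
        for lease in self._leases.values():
            if lease["secret"] == secret_id:
                lease["revoked"] = True
        self._secrets[secret_id] = new_value
        self._log("rotated", secret=secret_id)
```

The audit_log entries are what an incident responder would query to attribute which workload pulled a secret before it was rotated.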

In mature NHI environments, a managed vault also helps distinguish between static secrets and dynamic credentials, which is important because secret handling patterns are still evolving across the industry. NHIMG’s Ultimate Guide to NHIs — Static vs Dynamic Secrets is useful when choosing between long-lived storage and just-in-time delivery.

Why It Matters in NHI Security

Managed vaults matter because unmanaged secrets are one of the fastest paths from convenience to compromise. When credentials live in chat tools, tickets, spreadsheets, or source code, access expands beyond intended operators and auditing becomes incomplete. NHIMG research shows that 88% of security professionals are concerned about secrets sprawl, and 54% are dissatisfied with current secrets management because not all secrets are secured or centrally managed.

That operational reality is why managed vaults are a governance control, not just an infrastructure utility. They support least privilege, make revocation practical, and create an evidentiary trail for audit and incident response. They also help surface hidden NHI problems such as duplicated secrets, stale tokens, and overused identities, which NHIMG highlights in its work on the Top 10 NHI Issues. The same governance logic appears in the regulatory lens of the Ultimate Guide to NHIs — Regulatory and Audit Perspectives.

Organisations typically encounter the need for a managed vault only after a secret is leaked, at which point central revocation, attribution, and rotation become operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Managed vaults address secret storage, access, and rotation risks covered by NHI secret controls. |
| NIST CSF 2.0 | PR.AC | Vaults implement protected access and continuous control over sensitive credentials. |
| NIST Zero Trust (SP 800-207) | | Vault access should follow zero trust principles of explicit verification and minimal privilege. |

Centralise secrets, restrict retrieval, and rotate exposed credentials under NHI-02 governance.