A strong indicator is that a complete usable secret exists in browser memory long enough for malware or local tooling to recover it. If the control relies on keeping the endpoint clean, or if decrypted secrets persist beyond the task that needs them, the model is too dependent on endpoint trust.
Why This Matters for Security Teams
Secret handling is too endpoint-dependent when the endpoint becomes the de facto trust boundary for credentials that should have been scoped, short-lived, and auditable. That usually shows up as browser-stored tokens, copied API keys, or decrypted material lingering in memory after the task is complete. NHI Mgmt Group’s Ultimate Guide to NHIs notes that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage.
The risk is not just theft. Endpoint-dependent secret handling also makes containment weak: if malware, browser extensions, local debugging tools, or a compromised workstation can read the secret, then the security model depends on perfect endpoint hygiene. Current guidance suggests treating this as a design flaw, not an operational nuisance, because the secret is still usable outside the task that required it. The patterns behind Guide to the Secret Sprawl Challenge and the OWASP Non-Human Identity Top 10 both point to the same failure mode: secrets are treated like static user credentials instead of ephemeral workload controls. In practice, many security teams discover the problem only after a browser dump, endpoint scan, or supply-chain incident has already exposed the secret.
How It Works in Practice
A practical test is to follow the secret lifecycle from issuance to revocation. If a secret is retrieved once and then remains available in the browser, local storage, shell history, or in-memory cache long enough to be reused, the architecture is still endpoint-centric. That means the real control is the endpoint, not the secret. Better practice is to issue short-lived credentials only when a task requires them, bind them to the workload or session where possible, and revoke them automatically when the task ends.
For teams assessing their current model, the question is not whether a device is managed. The question is whether compromise of that device also compromises the secret. In mature designs, secrets are replaced or narrowed by workload identity, runtime policy, and just-in-time access. That aligns with the direction described in the Ultimate Guide to NHIs — Static vs Dynamic Secrets and the runtime policy emphasis in OWASP Non-Human Identity Top 10. External implementation guidance also points in the same direction: short-lived credentials, workload-bound access, and aggressive revocation matter more than forcing users or apps to “stay clean.”
- Secrets should be retrievable only at the moment of use, not preloaded into the endpoint.
- Tokens should have tight TTLs and be invalid once the task completes.
- Decrypted material should not persist in browser memory, local files, or logs after use.
- Access should be evaluated at request time, not granted as a static standing entitlement.
These controls tend to break down in browser-based developer workflows and long-lived CI runners because the secret often outlives the action that needed it.
Common Variations and Edge Cases
Tighter secret controls often increase operational friction, so organisations have to balance developer convenience against reduced blast radius. That tradeoff is real, especially in environments where browsers, plugins, and desktop tooling are part of the approved workflow. Best practice is evolving, but there is no universal standard for how much endpoint exposure is acceptable when users must interactively approve actions.
Some edge cases are easy to miss. A secret may be endpoint-dependent even if it is stored in a vault, because the endpoint still unwraps and caches the usable form. Likewise, remote desktop, VDI, and browser isolation reduce exposure but do not eliminate it if the browser session can still reveal the credential. The strongest signal is whether a compromise of the endpoint immediately grants reusable access elsewhere. If yes, the control is still too dependent on endpoint trust. That concern is reinforced by NHI Mgmt Group’s finding that only 20% of organisations have formal offboarding and revocation processes for API keys, which makes short-lived handling even more important.
For teams dealing with supply-chain or CI/CD exposure, the relevant lesson from Shai Hulud npm malware campaign and the Reviewdog GitHub Action supply chain attack is simple: if secrets can be harvested from a toolchain component, the endpoint was never the right place to trust them in the first place.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers static secrets and poor rotation, both linked to endpoint-dependent handling. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central when endpoint compromise exposes usable secrets. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust rejects implicit trust in the endpoint as the security boundary. |
Replace long-lived endpoint-readable secrets with short-lived, task-scoped credentials and enforced rotation.
Related resources from NHI Mgmt Group
- How can teams tell whether workload access is still too secret-driven?
- How can security teams tell whether their remote access model is still too dependent on perimeter trust?
- How can organisations reduce secret leakage in ServiceNow at scale?
- How do organisations reduce false positives in secret detection pipelines?
