Look for credentials in records, attachments, ticket fields, code repositories, and integration logs. If a business platform can be queried by a connected app and the platform contains secrets, then the secrets are already part of the attack surface. The key signal is not storage location alone but whether those credentials are discoverable through ordinary application access.
Why This Matters for Security Teams
Secrets in the wrong place are rarely a vault problem alone. They become a discovery problem, an access problem, and eventually a blast-radius problem when ordinary application paths expose them to people, apps, or agents that never needed them. The practical test is whether a credential can be reached through normal business workflows, not whether it was originally entered “temporarily” or “for convenience.”
This is why secret sprawl shows up so often in tickets, chat exports, source control, and integration logs. NHIMG’s Guide to the Secret Sprawl Challenge frames the issue as one of uncontrolled replication, while the OWASP Non-Human Identity Top 10 treats exposed or mismanaged secrets as a direct identity risk, not just a housekeeping issue. The 2025 NHIMG research on NHIs and secrets found that 44% of NHI tokens are exposed in the wild through platforms like Teams, Jira, Confluence, and code commits, which is a strong indicator that “wrong place” usually means “reachable by the wrong workflow.”
In practice, many security teams discover the problem only after a token has been replayed from a ticket, repo, or log rather than through intentional inventory and control testing.
How It Works in Practice
Teams usually start by asking where credentials are stored, but the better question is where they can be discovered. A secret is in the wrong place if a connected application, support workflow, or automated search path can retrieve it without a dedicated secrets control. That includes records fields, file attachments, incident notes, build logs, CI variables, wiki pages, and code repositories. If those places are indexed, synced, exported, or queried, they are part of the attack surface.
Operationally, teams should pair content discovery with identity and access review. Search for secret patterns, then validate whether the location has ordinary read access, broad integrations, or downstream replication. A single exposed value may be enough, because copied secrets often persist long after the original owner forgets them. NHIMG’s 2024 State of Secrets Management Survey reports that 88% of security professionals are concerned about secrets sprawl, which matches the reality that visibility gaps are often larger than vault coverage gaps.
- Check whether secrets appear in records, attachments, or ticket fields that normal users can query.
- Review code repositories, build output, and integration logs for tokens, API keys, certificates, and session material.
- Trace whether one stored secret is duplicated into downstream systems, exports, or chat tools.
- Confirm whether access is truly limited, or merely hidden behind a business process with broad readership.
Best practice is evolving toward continuous discovery plus short-lived credentials, because static secrets are easier to copy than to govern. These controls tend to break down in high-volume collaboration environments where tickets, chat, and automation all mirror the same data because the organisation values speed over containment.
Common Variations and Edge Cases
Tighter secret controls often increase workflow friction, requiring organisations to balance faster collaboration against lower exposure. That tradeoff becomes visible in environments where teams use incident tools, knowledge bases, or shared inboxes as informal coordination layers. Guidance suggests treating those systems as regulated storage locations when they can display, search, or export credentials, but there is no universal standard for exactly which platforms must be blocked versus monitored.
Edge cases matter. A secret embedded in an attachment may be less risky than one indexed in a searchable ticket field, and a credential masked in a log may still be retrievable by a privileged integration. The same applies to agentic workflows: an AI agent or automation with read access to a business platform can turn accidental storage into active exposure. Current guidance suggests combining detection with context-aware access policy, rather than relying on simple location-based rules alone. For implementation detail, the Ultimate Guide to NHIs – Static vs Dynamic Secrets is especially useful when teams are deciding whether to replace long-lived credentials with ephemeral ones.
When the environment includes developer tooling, chat exports, or machine-readable support systems, secrets can spread faster than they can be cleaned up. In those conditions, location alone stops being a reliable signal because discoverability is the real control failure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers exposed and mismanaged non-human credentials in common storage locations. |
| NIST CSF 2.0 | PR.AC-3 | Access enforcement is central when stored secrets are discoverable by ordinary application access. |
| NIST AI RMF | GOV-4 | Governance is needed when automation or AI agents can discover secrets through connected workflows. |
Inventory secret locations and remove or mask any credential reachable through normal business access.
Related resources from NHI Mgmt Group
- How should security teams reduce secrets sprawl without disrupting delivery?
- How should security teams decide whether JIT access is safe for non-human identities?
- How should teams reduce the risk from exposed NHI secrets?
- How should security teams protect NHI secrets stored in AI workflow platforms?
