Subscribe to the Non-Human & AI Identity Journal

Exposure age

The amount of time a known vulnerability or misconfiguration remains unaddressed after discovery. Longer exposure age usually means higher organisational risk because attackers have more time to identify, weaponise, and use the weakness before it is closed.

Expanded Definition

Exposure age measures how long a discovered weakness stays open after it is identified, whether that weakness is a vulnerable API key, an unrotated certificate, a misconfigured vault, or an exposed service account. In NHI security, the clock starts when the issue is known internally, not when it is first exploited. That makes exposure age a governance metric as much as a technical one, because remediation speed reflects ownership, inventory quality, and change control discipline.

The concept overlaps with patch latency and remediation age, but it is more precise for secrets and machine identities because the risk often persists even when no software patch is involved. Definitions vary across vendors, especially when discovery, triage, and closure are reported in different systems. NIST’s Zero Trust Architecture guidance reinforces the need to continuously verify and reduce standing risk, which is the same operational logic behind reducing exposure age. The most common misapplication is treating discovery as remediation, which occurs when teams mark an issue “resolved” after logging it instead of revoking access, rotating secrets, or correcting the misconfiguration.

NHIMG’s research on Guide to the Secret Sprawl Challenge shows why this distinction matters in practice: the problem is not just that secrets exist, but that they remain exposed long enough to be found and abused.

Examples and Use Cases

Implementing exposure-age tracking rigorously often introduces operational friction, requiring organisations to balance rapid remediation against service stability, approval bottlenecks, and dependency cleanup.

  • A leaked API key is discovered in a code repository, and exposure age is measured from the moment the security team confirms the finding until the key is revoked and replaced.
  • A cloud storage bucket is made public by mistake, and exposure age captures the period between detection and the permissions fix, even if no download activity is seen.
  • An expired certificate is left active in a legacy workload, and the exposure age reflects how long the invalid or weak trust state remains reachable to clients and attackers.
  • A service account keeps excessive privileges after a project ends, and exposure age continues until access is reduced or the account is offboarded.
  • NHIMG’s 52 NHI Breaches Analysis is useful for comparing how long known identity weaknesses persisted before they were fully contained, while the CISA Known Exploited Vulnerabilities Catalog helps teams prioritize issues that are already being weaponised in the wild.

Used well, exposure age becomes a triage signal: high-impact weaknesses with long exposure windows should outrank low-risk findings with short-lived exposure.

Why It Matters in NHI Security

Exposure age is one of the clearest indicators of whether an organisation can actually govern NHI risk, because attackers do not need a perfect breach chain when a known weakness remains available long enough. NHIMG reports that 91.6% of secrets remain valid five days after notification, which suggests that many teams identify exposure faster than they remove it. That gap is especially dangerous for service accounts, API keys, and certificates because these identities often have broad machine-to-machine reach and can be abused without raising obvious user-facing alerts.

Long exposure age also weakens Zero Trust outcomes. If a secret remains active after discovery, the organisation still has standing access that an attacker can exploit, replay, or chain into lateral movement. In governance terms, exposure age exposes whether asset ownership, rotation, offboarding, and incident response are actually working together. It is a practical measure of remediation maturity, not just vulnerability management hygiene.

Practitioner insight: organisations typically encounter exposure age as a critical metric only after a discovered secret, misconfiguration, or leaked credential is later used in an incident, at which point rapid closure becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Focuses on secret exposure, rotation, and remediation speed for non-human identities.
NIST CSF 2.0 RS.MI-3 Measures how quickly identified issues are contained and mitigated after detection.
NIST Zero Trust (SP 800-207) Zero Trust requires continuous reduction of standing risk, including known exposures.

Track discovery-to-remediation time for secrets and service accounts, then shorten it with rotation and revocation SLAs.