Subscribe to the Non-Human & AI Identity Journal

Secret history

A retained record of changes made to a credential or its associated metadata over time. It supports auditability, incident review, and accountability by showing when values changed, who changed them, and whether governance processes actually executed.

Expanded Definition

secret history is the retained change record for a credential and its related metadata, including rotation events, revocation, owner changes, scope updates, and policy exceptions. In NHI operations, it is not just an audit trail for the secret value itself. It is the evidence that governance actions were actually executed across the lifecycle.

Definitions vary across vendors on how much detail belongs in secret history, but the core idea is stable: a trustworthy record should show what changed, when it changed, and which identity or process made the change. That distinction matters because a secret can appear current while its governing controls are stale. For example, a service account may have been marked for rotation, yet the underlying token was never replaced. In practice, secret history helps separate intended state from actual state, which is essential for incident review and for proving control operation. The OWASP OWASP Non-Human Identity Top 10 treats secret handling as part of the broader NHI risk surface, not a narrow vault concern.

The most common misapplication is treating secret history as a passive log, which occurs when teams record changes but never reconcile them against access policy, rotation schedules, or offboarding actions.

Examples and Use Cases

Implementing secret history rigorously often introduces operational overhead, requiring organisations to weigh stronger forensics and accountability against extra logging, storage, and review work.

  • A platform team rotates an API key after deployment, and the history records the old value, new value reference, approver, and the automation job that executed the change.
  • A security analyst reviews a leaked credential and uses the history to confirm whether the key was ever revoked, when it was last rotated, and whether a temporary exception extended its lifetime.
  • A CI/CD pipeline writes metadata into the secret record whenever a build agent updates a token, helping detect unauthorized secret changes during supply chain investigations, as seen in the Reviewdog GitHub Action supply chain attack.
  • An operations team correlates history entries with vault events to verify that an access review was not just approved but actually enforced, similar to the lifecycle concerns discussed in the Ultimate Guide to NHIs — Static vs Dynamic Secrets.
  • A third-party integration is decommissioned, and the history shows who removed its token, when the change occurred, and whether downstream systems still referenced the old credential.

Secret history is especially useful when an NHI incident spans multiple systems. It creates a timeline that can be compared with the vault, source control, and identity platform records. The NHIMG Guide to the Secret Sprawl Challenge shows why scattered credentials make this traceability harder. For implementation guidance, teams also look to the OWASP OWASP Non-Human Identity Top 10 when defining audit expectations for non-human credentials.

Why It Matters in NHI Security

Secret history is what turns credential management into provable governance. Without it, organisations cannot reliably answer whether a token was rotated on time, whether a privileged key was ever reused after compromise, or whether revocation actually happened after offboarding. That gap becomes especially dangerous because NHI environments move faster than human identity systems and often contain long-lived, highly privileged secrets.

NHIMG research shows that 71% of NHIs are not rotated within recommended time frames, and 97% carry excessive privileges, which means weak history records can hide both duration risk and privilege risk. Secret history becomes a control signal for investigating breach paths, proving remediation, and detecting process failure in vaults, pipelines, and automation workflows. It also supports lessons learned after incidents such as the Shai Hulud npm malware campaign and the CI/CD pipeline exploitation case study, where hidden credential changes can make root cause analysis slower and containment harder.

Organisations typically encounter the operational importance of secret history only after a leaked credential, audit failure, or incident review reveals that no one can prove who changed the secret, at which point the concept becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Secret history underpins secure secret lifecycle tracking and auditability.
NIST CSF 2.0 PR.DS Data protection controls depend on traceable handling of credentials and secrets.
NIST Zero Trust (SP 800-207) Zero Trust assumes continuous verification, which secret history helps evidence.

Record every secret change and verify rotations, revocations, and ownership updates are traceable.