What breaks is governance. General chat and email create uncontrolled copies of secrets, remove lifecycle oversight, and make revocation nearly impossible. Once a password, seed phrase, or recovery code is pasted into an informal channel, it behaves like an exposed secret even if it never leaves the organisation.
Why This Matters for Security Teams
When sensitive credentials move through chat, email, tickets, or shared docs, they stop behaving like governed secrets and start behaving like copied content. That breaks lifecycle control, auditability, and revocation in one step. The issue is not just leakage; it is loss of identity binding. A password or API key pasted into a collaboration tool can be forwarded, archived, indexed, or retained long after the original task is over.
This matters because informal distribution is still common. NHIMG’s The 2024 Non-Human Identity Security Report found that 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which is a clear signal that the control gap is operational, not theoretical. In the wider industry view, the OWASP Non-Human Identity Top 10 treats weak secret handling as a core NHI risk because credentials are often the fastest path from convenience to compromise.
In practice, many security teams encounter secret misuse only after a forwarded message, mailbox export, or chat retention hold has already turned a temporary share into an enduring exposure.
How It Works in Practice
Normal collaboration tools are designed for conversation, not credential governance. They replicate content across endpoints, preserve history, and often sync to search, backups, mobile devices, and third-party integrations. Once a secret is pasted, the organisation usually loses visibility into who viewed it, whether it was copied, and when it should be invalidated. That is why shared channels are poor substitutes for purpose-built secret delivery and why current guidance increasingly favours ephemeral, task-bound access over static sharing.
For non-human identities, the better pattern is short-lived delivery tied to workload identity and a defined purpose. The Ultimate Guide to NHIs — Static vs Dynamic Secrets explains why dynamic secrets reduce exposure by limiting the window in which a credential is useful. In practice, this means issuing a secret through a controlled broker, attaching a TTL, and revoking it automatically when the task ends or the risk posture changes. The NIST SP 800-63 Digital Identity Guidelines support the broader principle that identity proofing and authentication must remain tied to the assurance level of the transaction, not the convenience of the channel.
- Use a secret manager or vault, not chat, for delivery and rotation.
- Issue per-task credentials with short TTLs and automatic revocation.
- Record access events in an audit trail that preserves who requested, approved, and consumed the secret.
- Separate human collaboration from secret transport so retention settings do not become a hidden control failure.
These controls tend to break down when teams must share credentials across contractors, emergency responders, or legacy systems that cannot consume short-lived tokens because the operational pressure to “just paste it” overwhelms governance.
Common Variations and Edge Cases
Tighter secret controls often increase friction, requiring organisations to balance faster collaboration against lower exposure. That tradeoff is real in incident response, small teams, and legacy environments where a vault integration is not yet available. Current guidance suggests that exceptions should be explicit, time-bound, and monitored rather than informal. If the exception becomes routine, the organisation has effectively normalised secret sprawl.
One edge case is recovery material, such as seed phrases or account recovery codes. These are often treated like ordinary messages, but they deserve the same or higher protection than operational credentials because compromise can permanently bypass normal access controls. Another edge case is multi-party troubleshooting, where a secret may be needed by support, engineering, and vendor staff. In those situations, a brokered handoff is preferable to posting the credential in a channel, especially when chat retention, forwarding, or eDiscovery could extend exposure for years.
NHIMG’s Guide to the Secret Sprawl Challenge is a useful reference for understanding how informal sharing expands the attack surface, while the report on LLMjacking: How Attackers Hijack AI Using Compromised NHIs shows how quickly exposed credentials can be weaponised. In practice, collaboration-tool sharing breaks hardest in environments with broad retention, weak DLP coverage, and high-turnover access paths because copied secrets outlive both the task and the trust decision.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret sharing in chat drives poor rotation and revocation hygiene. |
| OWASP Non-Human Identity Top 10 | NHI-07 | Insecure secret transport is a direct non-human identity exposure path. |
| NIST CSF 2.0 | PR.AC-1 | Access is lost when secrets are copied outside governed identity systems. |
Prevent secret sprawl by banning collaboration tools for credential distribution.
Related resources from NHI Mgmt Group
- Why do collaboration tools create such a large secrets risk?
- What breaks when AI agents are connected through personal accounts or shared credentials?
- What breaks when AI can query sensitive data directly through enterprise tools?
- How should teams govern shared credentials across the full identity lifecycle?