By NHI Mgmt Group Editorial TeamPublished 2026-04-20Domain: Best PracticesSource: Infisical

TL;DR: Breaches at Trivy, LiteLLM, Axios, and Vercel show the same pattern: secrets, tokens, and keys were easy to copy and hard to verify after exposure, according to Infisical. The real failure is not developer carelessness but a security model built on static credentials that cannot fail safely.


At a glance

What this is: This is a blog post arguing that static secrets no longer scale for AI-accelerated software delivery and that identity-based, short-lived access is the safer model.

Why it matters: It matters because IAM, NHI, and platform teams need controls that assume leakage will happen and limit blast radius when it does, across code, CI/CD, and workload identity.

By the numbers:

👉 Read Infisical's analysis of static secret risk in AI-assisted software delivery


Context

Static secrets are credentials that stay valid until someone changes them, which makes every leak a standing access problem rather than a one-time mistake. In AI-assisted development, the pace of code generation and review makes that model increasingly fragile for NHI governance, secrets management, and workload identity.

The article frames the issue through a safety-engineering analogy: if systems keep failing in the same way, the right response is to redesign the system so failure is contained. For identity programmes, that means treating leaked API keys, tokens, and certificates as a structural risk, not an exception.

The governance question is broader than secrets rotation alone. It affects how teams provision access, scope privileges, detect leaked credentials, and decide when to replace static authentication with identity-based flows that do not leave reusable secrets behind.


Key questions

Q: How should security teams reduce risk from secrets exposed in code and CI/CD pipelines?

A: Security teams should remove reusable secrets from code and CI/CD wherever possible, then replace them with short-lived, scoped credentials issued at runtime. Where static secrets still exist, they need automated discovery, rapid revocation, and clear ownership so exposure becomes a contained event rather than a standing access problem. The goal is to reduce blast radius, not rely on perfect developer behaviour.

Q: Why do static credentials create more risk in AI-assisted software delivery?

A: Static credentials create more risk because AI-assisted delivery increases the volume of generated code and the chance that secrets appear in places humans do not fully review. Once a secret is copied, it can be reused outside the original context until someone finds and revokes it. That makes long-lived access a scaling problem, not just an operational inconvenience.

Q: What do security teams get wrong about secrets rotation?

A: Teams often treat rotation as the primary control, when the bigger issue is whether the secret should exist at all. Rotating a long-lived credential still leaves a reusable secret in circulation, and delays between exposure and revocation can make the control ineffective. If the environment supports it, removal and replacement are stronger than repeated rotation.

Q: Who is accountable when a leaked API key is reused for broader compromise?

A: Accountability should sit with the team that owns the credential lifecycle, not just the application that used it. That means platform, IAM, and application owners need a shared revocation path, clear ownership for every secret, and evidence that offboarding and replacement happened when the secret’s purpose changed.


Technical breakdown

Why static secrets fail under AI-accelerated delivery

A static secret is a credential that remains reusable until it is rotated or revoked. That model assumes code paths are reviewed carefully, leaks are rare, and the organisation can reliably find every copy after exposure. AI-generated code breaks those assumptions because it increases the volume of code, the speed of review, and the chance that credentials appear in places humans miss, such as .env files, CI configs, and dependency manifests. Once copied, the secret becomes independent of the original system boundary. Practical implication: treat any static credential in code or pipelines as a latent incident, not a convenience.

Practical implication: Move static credentials out of code and pipelines before exposure becomes a routine operational condition.

Identity-based authentication and ephemeral access for machine workloads

Identity-based, tokenless authentication removes the reusable secret as the primary object of trust. Instead of storing a long-lived password-like value, the workload proves who it is at runtime and receives narrowly scoped access for the task at hand. This changes the failure mode from secret theft to short-lived access abuse, which is easier to contain if the privilege boundary is tight. For machine identity, the control objective is no longer just rotation. It is eliminating standing credentials where a workload can authenticate through federation, attestation, or short-lived issuance. Practical implication: prefer workload identity patterns that do not leave durable bearer secrets behind.

Practical implication: Use federated or short-lived workload identity where the platform can support it, especially for CI/CD and agentic systems.

Crumple zones for credentials: fail safely when leakage happens

The article’s core analogy is sound: modern security should absorb failure rather than pretend it can eliminate it. In identity terms, a crumple zone is a design that limits what a stolen credential can do, even if it was exposed. That means short TTLs, strict scoping, rapid revocation, and separation between discovery and privilege. It also means recognising that revocation speed matters as much as issuance discipline because leaked secrets often remain valid long after discovery. Practical implication: design credential lifecycles so compromise has a small and observable blast radius.

Practical implication: Build revocation and scope limits first, then measure how quickly leaked credentials stop being usable.


Threat narrative

Attacker objective: The attacker wants reusable access that survives the original leak and can be redeployed across systems without further authentication.

  1. Entry occurs when attackers or automation copy a static secret from source code, CI configuration, developer machines, or build artefacts.
  2. Escalation follows when the copied credential grants access to cloud APIs, databases, package registries, or internal tooling beyond the original application boundary.
  3. Impact arrives when the stolen secret is reused for data access, malware distribution, supply chain tampering, or broader environment compromise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Static secret trust has become a broken premise, not just a weak control. Static credentials were designed for environments where code moved slowly, review was deep, and human operators could keep pace with exposure. That assumption fails when AI accelerates code creation and attackers can search for secrets at machine speed. The implication is that identity programmes need to stop treating leaked credentials as rare exceptions and start treating them as an expected state condition.

Ephemeral credential trust debt: the longer a secret lives, the more governance debt the programme accumulates. Long-lived API keys, tokens, and certificates create an unbounded exposure window because their validity outlasts the context that justified them. This is not just a secrets-management issue. It is a lifecycle failure in OWASP-NHI terms and a resilience failure under NIST-CSF because revocation and recovery are too slow to contain the breach. Practitioners should read that as a mandate to reduce standing validity, not merely improve rotation discipline.

Identity-based authentication is now a control-plane requirement for machine access. The article’s argument is strongest where it stops trying to make people more careful and instead changes the credential model itself. For NHI governance, that means shifting from copyable secrets to short-lived, scoped, runtime-issued access wherever the platform allows it. Teams that keep layering process on top of static credentials are protecting the wrong object. The practitioner conclusion is to redesign the access path, not the review queue.

Leaked secrets are no longer edge cases in AI-assisted development. The volume of code, packages, and pipeline artefacts makes accidental exposure structurally predictable. That changes how IAM, PAM, and platform security should be organised: controls must assume discovery failure, not depend on perfect detection. The practical conclusion is that blast-radius reduction is the primary design goal, because prevention alone will not keep up.

Named concept: credential crumple zones. The article’s safety analogy maps cleanly to identity security. A crumple zone is a credential design that limits damage when exposure happens by shortening validity, narrowing scope, and removing durable bearer tokens. The implication is that identity governance should be measured by how safely it fails, not by how confidently it assumes failure will never occur.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • Static secret governance becomes materially weaker when the majority of identity breaches already involve machine credentials, so practitioners should align lifecycle controls with NIST Cybersecurity Framework 2.0 respond and recover functions.

What this signals

Credential crumple zones: the useful design pattern here is not just short-lived access, but access that can fail safely when it leaks. That means tighter issuance, narrower scope, and faster revocation across code, CI/CD, and workload identity. Teams that still depend on static secrets are carrying avoidable exposure debt.

The programme signal is clear. If secrets can be copied faster than they can be reviewed, then lifecycle ownership becomes more important than manual approval. That is why NHI governance, secrets management, and platform security need to converge around runtime-issued access and automated containment.

With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the next control conversation is not whether a secret exists but how much it can do before revocation. That is the practical boundary teams should measure.


For practitioners

  • Eliminate static secrets from code paths Inventory repositories, CI/CD variables, and build artefacts for long-lived API keys, tokens, and certificates, then replace them with runtime-issued or federated credentials wherever the platform supports it.
  • Shorten credential validity windows Set aggressive TTLs for machine credentials and tie them to task scope so a leaked secret expires before it can be reused across environments.
  • Treat leaked secrets as active incidents Automate detection, revocation, and replacement workflows so exposure in code or pipelines triggers containment before attackers can pivot through cloud APIs or registries.
  • Map NHI ownership to lifecycle accountability Assign clear owners for every service account, token, and certificate, then require offboarding, rotation, and revocation steps to be completed as part of release and decommissioning workflows.

Key takeaways

  • Static secrets are a scaling failure when AI-assisted development makes leaks more likely and harder to review.
  • The strongest evidence points to a lifecycle problem: reusable credentials remain valid long after teams think they have contained them.
  • Practitioners should reduce the existence of copyable secrets, shorten validity, and design credentials to fail safely when exposure happens.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centres on long-lived secret exposure and rotation failure.
NIST CSF 2.0PR.AC-1Static secrets create weak access assurance for machine workloads.
NIST Zero Trust (SP 800-207)PAThe post argues for identity-based, short-lived access over durable bearer secrets.

Reduce standing secret validity and automate rotation, revocation, and replacement for all machine credentials.


Key terms

  • Static Secret: A static secret is a reusable credential that stays valid until someone changes or revokes it. In practice, it behaves like a long-lived password for software and workloads, which makes exposure especially dangerous because copying the value often gives immediate access.
  • Ephemeral Credential: An ephemeral credential is a short-lived access token issued for a specific task or session. It reduces the time window available to an attacker if the credential is exposed, and it works best when paired with narrow scope and automated revocation.
  • Workload Identity: Workload identity is the way a machine proves who it is without relying on a shared secret copied into code or configuration. It uses runtime authentication and federation so access can be issued on demand and bound to the workload's actual context.
  • Blast Radius: Blast radius is the amount of damage a stolen or misused credential can cause before it is stopped. In identity security, reducing blast radius means shortening validity, narrowing scope, and making revocation fast enough to matter.

What's in the full article

Infisical's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article's step-by-step argument for replacing static secrets with identity-based authentication in software delivery.
  • The practical rationale for short-lived, scoped access when CI/CD and AI-generated code increase leak frequency.
  • The article's security engineering analogy for designing credentials that fail safely instead of assuming perfect prevention.
  • The specific examples of leaked secrets in recent breaches that support the article's broader thesis.

👉 Infisical's full post covers the car-safety analogy, breach examples, and the shift toward ephemeral credentials.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org