TL;DR: Developer endpoints remain a high-risk place for plaintext secrets, with GitGuardian framing credential exposure across laptops, CI/CD runners, and reachable environments as a practical attack surface. The core issue is not just detection, but ownership, remediation, and over-permissioned access across NHI governance.
At a glance
What this is: This is a GitGuardian webinar demo about finding leaked credentials across developer endpoints, CI/CD runners, and related environments before attackers can use them.
Why it matters: It matters because secrets exposure on developer machines is both an NHI risk and an access-governance problem, cutting across workload identity, identity provider visibility, and remediation workflows.
👉 Register for GitGuardian's live demo on developer endpoint secrets visibility
Context
Developer endpoint secrets exposure is a governance problem before it is a tooling problem. When credentials sit in plaintext on laptops, CI/CD runners, or other reachable systems, identity teams lose track of who owns the secret, where it is used, and whether it still has standing access.
GitGuardian's demo frames the issue around visibility and remediation at scale, but the underlying challenge is broader: secrets sprawl creates unmanaged non-human identity exposure that conventional access reviews do not reliably see. For IAM, IGA, and PAM teams, the key question is how to detect and retire secrets before they become durable access paths.
Key questions
Q: How should security teams handle leaked secrets on developer endpoints?
A: Treat leaked secrets on developer endpoints as active identity incidents, not just code hygiene issues. Confirm whether the credential still works, identify the owning system and team, and then rotate or revoke it through a tested process. If ownership is unclear, escalate immediately because unowned secrets are usually the highest-risk cases.
Q: Why do developer machines create so much NHI exposure?
A: Developer machines create exposure because secrets are often copied into local files, caches, scripts, and CI tooling outside the vault. That makes them easy to reuse and hard to govern. The risk grows when one credential is shared across multiple systems, because the identity lifecycle becomes invisible to normal access review processes.
Q: What breaks when secret discovery is not linked to ownership?
A: When discovery is not linked to ownership, teams find credentials but cannot safely act on them. Rotation gets delayed, revocation is avoided, and the secret remains usable longer than intended. The result is a governance gap where the alert exists, but no one can prove who is accountable for closing it.
Q: How do you know if secrets governance is actually working?
A: Secrets governance is working when every exposed credential can be traced to a current owner, a current purpose, and a current revocation path. If teams can only count detections but cannot confirm fast retirement, the programme is measuring visibility instead of control.
Background and context
Why plaintext secrets on developer endpoints create identity risk
A secret on a developer machine is not just a leaked string. It is a live identity artifact that may authenticate to code repositories, cloud services, CI/CD systems, or SaaS tools. Once a credential is copied into a local file, shell history, environment variable, or browser cache, it can persist outside the control plane that issued it. That is why endpoint discovery matters: the secret may be valid long after the developer who created it has forgotten it exists. In NHI terms, the problem is not only exposure, but the loss of lifecycle control over the credential.
Practical implication: inventory where secrets can persist on endpoints and bind each one to an owner, a purpose, and a revocation path.
How secrets sprawl breaks NHI governance across CI/CD and SaaS
Secrets sprawl happens when credentials accumulate across developer tooling, build runners, vaults, identity providers, and ad hoc scripts without a single source of governance. That fragmentation makes it hard to prove which secret is authoritative, which is redundant, and which is no longer needed. It also creates over-permissioned access because credentials are often issued broadly to reduce friction during development. The result is a hidden trust layer that sits beneath normal IAM visibility. In practice, this is where non-human identity governance fails: the identity exists, but its lifecycle, ownership, and revocation logic are scattered.
Practical implication: consolidate secret inventory and treat duplicate or orphaned credentials as governance defects, not just hygiene issues.
Why remediation workflows must connect detection to ownership
Detection alone does not reduce exposure unless the organisation can assign remediation quickly. A leaked secret creates a chain of follow-up tasks: verify whether it is active, determine which systems depend on it, rotate or revoke it, and confirm the replacement works. Without that workflow, teams often delay action because they fear breaking integrations. That is why secrets response needs identity context, not just alerting. The technical goal is to convert discovery into controlled retirement, especially when the secret is tied to infrastructure, automation, or third-party access that no one team fully owns.
Practical implication: build a remediation path that links every alert to an owner, a dependency list, and a tested rotation or revoke procedure.
NHI Mgmt Group analysis
Secrets visibility is now a control plane problem, not a search problem. The article points to a common NHI failure pattern: organisations can scan for exposed credentials, but still lack a durable ownership model for the identities behind them. That gap matters because a discovered secret is only useful if the response process can identify the dependent service, the responsible team, and the safe revocation path. Practitioners should treat visibility as the first step in identity control, not the finish line.
Developer endpoints are where NHI governance becomes operationally brittle. Plaintext secrets on laptops and runners reveal that many programmes still assume credentials only exist inside vaults or managed services. In reality, developers create local copies, test credentials, and temporary access artefacts that outlive their intended use. The implication is that NHI governance must extend into endpoint reality, where secrets are created, cached, and reused outside formal lifecycle processes.
Ownership gaps are the named concept this demo exposes. When a secret is discovered but no one can immediately prove who owns it, the identity programme has already lost control of that credential's lifecycle. This is not just poor housekeeping. It is a structural weakness in non-human identity governance because revocation, rotation, and recertification all depend on ownership being unambiguous. Practitioners should treat orphaned secrets as evidence of broken accountability.
Over-permissioned access becomes invisible when secrets are distributed informally. The article's emphasis on vaults, SaaS applications, and identity providers signals a wider truth: access sprawl is often a secret distribution problem in disguise. A credential that works across multiple tools is especially risky when its scope is broader than the team realises. The practical conclusion is that access scope and secret placement must be governed together, or the organisation will keep reintroducing the same risk through different systems.
The market is shifting toward endpoint-level identity discovery because perimeter assumptions have already failed. Credentials now travel with developers, build pipelines, and automation workflows, which means identity programmes need discovery that follows the credential to where it is actually used. That widens the remit of NHI governance from vault management to endpoint and workflow visibility. Practitioners should expect identity security to become more operationally distributed, with stronger demand for continuous discovery and faster remediation.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.
- For a broader control lens, read Ultimate Guide to NHIs for how lifecycle, rotation, and ownership should fit together.
What this signals
Developer-endpoint discovery is becoming a practical prerequisite for NHI governance because secrets now appear outside the systems identity teams traditionally monitor. With 43% of security professionals concerned about AI systems learning and reproducing sensitive information patterns from codebases, the boundary between source code hygiene and identity exposure is narrowing fast.
Ownership gaps: once a secret can be found but not confidently assigned, the control problem moves from detection to accountability. Teams should expect more pressure to prove who can revoke a credential, who approves replacement access, and how quickly a leaked secret can be retired without breaking the service.
The operational signal to watch is not alert volume but closure quality. If endpoint findings pile up while rotation and revoke workflows remain manual, fragmented, or dependent on tribal knowledge, the programme is generating visibility without reducing privilege.
For practitioners
- Map secret exposure to named owners Require every detected secret to resolve to a specific owner, system, and revocation path before the alert can be closed. If no owner can be identified, treat the secret as an orphaned credential and escalate it for immediate review.
- Extend discovery to developer endpoints and runners Scan laptops, CI/CD runners, and other reachable environments for plaintext secrets as part of the same governance workflow used for vaults and repositories. This is where hidden credentials often bypass normal control boundaries.
- Tie alerts to tested rotation or revocation procedures Do not rely on detection alone. Build a response workflow that verifies whether the secret is active, maps its dependencies, and then executes a tested rotation or revoke procedure without breaking the owning service.
- Review over-permissioned access behind shared secrets Check whether one credential is being reused to cover multiple tools, environments, or teams. Broad reuse usually means the access scope is wider than the documented owner intended and should be reduced.
Key takeaways
- Developer endpoints are a persistent NHI risk because credentials can exist in plaintext outside normal vault and lifecycle controls.
- Discovery without ownership is not enough, because leaked secrets stay dangerous until teams can rotate or revoke them safely.
- Identity programmes should treat endpoint secret exposure as an accountability problem that requires faster remediation and clearer revocation paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Secrets exposure on endpoints maps directly to credential leakage and lifecycle failures. |
| NIST CSF 2.0 | PR.AC-1 | Access control and credential governance are central to leaked-secret remediation. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification of credential use across distributed environments. |
Inventory exposed secrets, classify ownership, and reduce plaintext storage across endpoints and pipelines.
Key terms
- Secret sprawl: Secret sprawl is the uncontrolled spread of credentials across endpoints, code, pipelines, and services. It creates hidden access paths that are difficult to inventory, govern, and revoke, especially when no single team can prove which credential is still active or needed.
- Orphaned credential: An orphaned credential is a secret that still works but no longer has a clearly accountable owner. These credentials are dangerous because they survive role changes, project changes, and team handoffs, leaving access alive after governance has effectively lost track of it.
- Endpoint secret exposure: Endpoint secret exposure occurs when credentials are stored or cached on developer laptops, runners, or other local systems outside central controls. It matters because local environments often bypass normal vault, rotation, and revocation processes even though they can still authenticate to production systems.
What to expect at the briefing
GitGuardian's full demo covers the operational detail this post intentionally leaves for the source:
- Live walkthrough of detecting leaked secrets across code, endpoints, CI/CD, and other reachable environments
- Remediation workflow details for investigating, triaging, and closing secret leak incidents at scale
- Visibility into vaults, SaaS applications, and identity providers for ownership and access review
- Developer-first prevention examples showing how to reduce plaintext secret storage on endpoints
Deepen your knowledge
NHI governance, machine identity security, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle control in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org