By NHI Mgmt Group Editorial Team. Published 2026-04-28. Domain: Announcements. Source: Akeyless

TL;DR: Gartner’s two April notes position workload identity management alongside secrets governance and warn that static credentials no longer fit cloud-scale workloads or AI agents, according to Akeyless. The architectural shift is away from long-lived secrets and toward runtime identities, central policy, and ephemeral access that can be governed across multiple vaults.


At a glance

What this is: Akeyless argues that Gartner’s April research signals a category shift from static secrets toward workload identity, multi-vault governance, and runtime access for AI agents and other workloads.

Why it matters: IAM teams now have to govern workload access, secrets sprawl, and agentic runtime identity as one connected programme rather than three separate problems.


👉 Read Akeyless's analysis of Gartner's workload identity and secrets management research


Context

Workload identity management is the shift from treating applications, containers, and AI agents as credential holders to treating them as governed identities with runtime access boundaries. In practice, that means the security model must move beyond storing and rotating secrets to deciding when a workload should receive a credential at all. Akeyless uses Gartner’s April research to argue that this is now the direction of the category.

The problem is not just secrets sprawl, but the gap between static credential control and how modern workloads actually operate. Enterprises already run multiple vaults, cloud platforms, and automation paths, while AI agents add dynamic access patterns that are harder to inventory and revoke. For IAM and security teams, the question is no longer whether secrets matter, but whether the governance model can keep pace with workload identity at runtime.


Key questions

Q: How should security teams govern workload identities across multiple secret stores?

A: They should treat the vault estate as a distributed control surface and apply a single policy layer for inventory, approval, rotation, and audit. The practical goal is consistent governance across clouds and platforms, not forced migration to one vault. Without that layer, teams lose visibility into which workloads hold which access paths and for how long.

Q: When does just-in-time access make more sense than long-lived API keys?

A: Just-in-time access makes more sense when the workload only needs access for a defined task, when reuse would increase blast radius, or when the access path is tied to an agent or automation flow. It is less about convenience and more about making access expire with the work itself, rather than persisting in a reusable secret.

Q: What breaks when AI agents rely on static credentials?

A: Static credentials break the assumption that access can be granted once and reviewed later. AI agents can execute across systems, trigger follow-on actions, and create access paths that outlive the original task. That makes reusable secrets hard to audit, harder to revoke, and easier to abuse across chained workflows.

Q: What should IAM teams evaluate before adopting workload identity management?

A: They should evaluate whether the programme can discover all workload identities, map each one to policy, and maintain governance across multiple vaults and environments. If the team cannot inventory the workload first, workload identity management becomes another abstraction layered over unknown access paths.


Technical breakdown

Workload identity management versus secrets management

Secrets management protects values such as API keys, passwords, and certificates after they exist. Workload identity management changes the control point by registering the workload itself, discovering what it is, and issuing access based on identity and policy at runtime. That distinction matters because the access decision moves from a stored secret to a live trust relationship. In cloud and agentic environments, that relationship can be short-lived, context-bound, and distributed across multiple systems. The result is a different operating model for governance, audit, and revocation.

Practical implication: map each workload to an identity and runtime policy, then reduce dependence on reusable secrets.

Multi-vault governance and orchestration

Most enterprises already operate more than one secrets platform because teams, clouds, and platform boundaries rarely align neatly. Multi-vault governance is the discipline of applying consistent policy, visibility, and orchestration across those separate stores without forcing a disruptive migration. The security issue is fragmentation: when vaults operate as isolated control planes, teams lose a coherent view of who can access what, where rotation happens, and which credentials persist too long. Governance across vaults is therefore a coordination problem as much as a storage problem.

Practical implication: establish a single governance layer across existing vaults before attempting consolidation.

Why AI agents push identity controls toward runtime issuance

AI agents complicate traditional access patterns because they can act across systems, initiate work dynamically, and need access that is scoped to the task, not the environment. Static keys and long-lived tokens are a poor fit because they outlive the session and can be reused outside intended context. Runtime issuance, often described as just-in-time access, lets a system bind access to a specific task and revoke it when the task ends. That is the architectural difference between persistent credential storage and ephemeral workload access.

Practical implication: treat AI agents as runtime identities and remove any standing credential path they can reuse.
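The runtime exchange this section and the earlier "workload identity versus secrets management" distinction describe, as an added worked example written for this summary, not code from Akeyless, Gartner or any product. It models the issuer in Python with a plain HMAC-signed claim set so the mechanics stay visible; the SPIFFE-style identifiers, task names, scopes and attestation labels are assumed, and in a real deployment the signing key, registry and revocation list would live inside the issuing platform. It walks the failure modes the section cares about as well as the happy path: an unregistered identity, an out-of-policy scope, expiry, a forged token, and use of a still-valid credential after its task has been closed.

```python
# Added illustrative model of runtime issuance (assumed names, toy HMAC-signed token); not Akeyless's product code.
from __future__ import annotations

import base64, hashlib, hmac, json, secrets, time
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A registered, attested identity rather than an anonymous holder of a stored secret."""
    spiffe_id: str    # assumed naming, e.g. spiffe://example.org/ns/payments/sa/refund-agent
    attested_by: str  # what proved the identity at registration, e.g. "k8s-psat" or "aws-iid"


@dataclass(frozen=True)
class Policy:
    """task -> scopes this identity may request, plus the longest credential it may ever hold."""
    allowed: dict
    max_ttl_s: int


class RuntimeIssuer:
    def __init__(self, signing_key: bytes | None = None) -> None:
        self._key = signing_key or secrets.token_bytes(32)  # the one long-lived secret left; it never leaves the issuer
        self.registry: dict[str, tuple[Workload, Policy]] = {}
        self.revoked: set[str] = set()  # jti values closed out at task completion
        self.audit: list[dict] = []     # which identity, which task, which scope, under which policy

    def register(self, workload: Workload, policy: Policy) -> None:
        self.registry[workload.spiffe_id] = (workload, policy)

    def _sign(self, body: bytes) -> str:
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue(self, spiffe_id: str, task: str, scope: str, ttl_s: int, now: float | None = None) -> str:
        """Mint a credential bound to one identity, one task and one scope, with a policy-capped lifetime."""
        now = time.time() if now is None else now
        if spiffe_id not in self.registry:
            raise PermissionError(f"unregistered workload: {spiffe_id}")  # unknown identity: deny, not "issue and review later"
        workload, policy = self.registry[spiffe_id]
        if scope not in policy.allowed.get(task, frozenset()):
            raise PermissionError(f"{spiffe_id} may not use {scope!r} for task {task!r}")
        ttl = min(ttl_s, policy.max_ttl_s)  # the caller may shorten a credential's life, never extend it
        claims = {"sub": spiffe_id, "task": task, "scope": scope, "iat": int(now),
                  "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        self.audit.append({"event": "issue", "attested_by": workload.attested_by, **claims})
        return base64.urlsafe_b64encode(body).decode() + "." + self._sign(body)

    def _decode(self, token: str) -> dict:
        try:
            b64, sig = token.split(".", 1)
            body = base64.urlsafe_b64decode(b64)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise PermissionError("malformed credential") from exc
        if not hmac.compare_digest(self._sign(body), sig):
            raise PermissionError("bad signature")
        return json.loads(body)

    def verify(self, token: str, now: float | None = None) -> dict:
        """Resource-side check: signature, then task closure, then expiry."""
        now = time.time() if now is None else now
        claims = self._decode(token)
        if claims["jti"] in self.revoked:
            raise PermissionError("credential revoked: task already completed")
        if now >= claims["exp"]:
            raise PermissionError("credential expired")
        return claims

    def complete_task(self, token: str) -> None:
        """Access expires with the work: closing the task kills the credential even inside its TTL."""
        claims = self._decode(token)
        self.revoked.add(claims["jti"])
        self.audit.append({"event": "revoke", "sub": claims["sub"], "task": claims["task"], "jti": claims["jti"]})


def denied(fn, *args, **kwargs) -> bool:
    """True if the issuer refuses the call; used to show the failure modes, not only the happy path."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


def scenario() -> dict:
    """Constructed walk-through: one refund agent, one reconcile task, credential closed out at the end."""
    issuer = RuntimeIssuer()
    agent = Workload("spiffe://example.org/ns/payments/sa/refund-agent", "k8s-psat")
    issuer.register(agent, Policy({"reconcile": frozenset({"ledger:read"})}, max_ttl_s=300))
    t0 = 1_700_000_000
    tok = issuer.issue(agent.spiffe_id, "reconcile", "ledger:read", ttl_s=3600, now=t0)
    claims = issuer.verify(tok, now=t0 + 120)
    forged = tok[:-1] + ("0" if tok[-1] != "0" else "1")  # flip one character of the signature
    out = {
        "lifetime_s": claims["exp"] - claims["iat"],  # the policy cap (300) wins over the 3600 s requested
        "rejected_after_ttl": denied(issuer.verify, tok, now=t0 + 300),
        "write_scope_denied": denied(issuer.issue, agent.spiffe_id, "reconcile", "ledger:write", 60, now=t0),
        "unregistered_denied": denied(issuer.issue, "spiffe://example.org/ns/payments/sa/ghost", "reconcile", "ledger:read", 60, now=t0),
        "forged_rejected": denied(issuer.verify, forged, now=t0 + 10),
    }
    issuer.complete_task(tok)
    out["rejected_after_completion"] = denied(issuer.verify, tok, now=t0 + 10)  # inside its TTL, but the task is over
    out["audit_events"] = [e["event"] for e in issuer.audit]
    return out


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

Two design points are worth reading off the code. The policy's max_ttl_s caps every credential regardless of what the caller asks for, so a workload cannot negotiate itself a long-lived key; and complete_task revokes by token id, so a credential dies with its task rather than lingering until the clock runs out. The audit list is what lets governance answer which identity used which scope, for which task, under which policy.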


NHI Mgmt Group analysis

Workload identity is becoming the control plane for secrets governance, not just another feature in the stack. The article’s central thesis is that static credential management no longer matches how workloads and AI agents operate. Once identity becomes the unit of runtime access, vaults become one component inside a larger governance model rather than the model itself. Practitioners should read this as a category boundary shift, not a product feature update.

Multi-vault reality is the enterprise norm, so governance over distribution matters more than tool consolidation. Most organisations will continue to operate across cloud-native services, legacy platforms, and multiple secret stores. The useful question is not whether one vault wins, but whether policy, inventory, and audit can span all of them without blind spots. That is why centralized governance with decentralized enforcement is the more durable design pattern for identity teams.

AI agents expose a runtime access problem that legacy secrets controls were never designed to solve. Static secrets assume access can be provisioned once and managed later. That assumption fails when an agent acquires access only for the duration of a task and may generate new access paths during execution. The implication is that access governance must be tied to runtime behaviour, not just credential lifecycle.

Ephemeral credential trust debt: The article points toward a deeper problem where organisations rely on temporary access patterns while still preserving the old trust assumptions around secret storage, rotation, and revocation. That debt grows when teams add more vaults or more automation without changing the underlying identity model. Practitioners should treat runtime issuance and workload inventory as linked governance requirements.

The market is moving from secret custody to workload accountability. Gartner’s framing suggests that buyers will increasingly expect tools to discover identities, bind access to workloads, and provide auditability across hybrid environments. That broadens the category from vault operations into identity governance for machines and agents. Security teams should plan for a governance model that spans workload identity, secrets, and access policy together.

From our research:

What this signals

Ephemeral access only reduces exposure if discovery and inventory keep pace with the runtime model. A programme that can issue short-lived credentials but cannot reliably identify every workload will still leave gaps in ownership, audit, and revocation. That is why runtime governance and inventory discipline have to move together, especially as AI agents begin to request access on their own schedule.

The strongest signal for IAM teams is that secrets management is no longer a narrow vaulting problem. It now intersects with workload identity, policy orchestration, and agentic access, which means architecture reviews need to test whether every access path is discoverable, attributable, and revocable across the full environment.

Workload accountability becomes the differentiator: when access is tied to runtime identity rather than static storage, governance can finally ask who or what used the credential, for what task, and under which policy. Teams that cannot answer those questions will keep accumulating secret sprawl even if they add more tooling.


For practitioners

  • Inventory workload identities before rationalising vaults: build a complete register of applications, services, containers, and AI agents that request credentials, then map each one to its current secret source and access path. Without that inventory, central policy will miss shadow workloads and duplicate access routes.
  • Replace reusable secrets with runtime-issued access where possible: move high-frequency workloads toward ephemeral credentials that are issued for a specific task and revoked automatically at completion. Prioritise the systems where long-lived API keys or tokens would create the largest blast radius if reused.
  • Apply one governance layer across every secret store: use policy and orchestration to standardise approval, rotation, and visibility across AWS, Azure, GCP, Kubernetes, and standalone vaults. The goal is not immediate consolidation, but consistent control over the distributed reality you already have.
  • Separate workload access from secret custody in architecture reviews: ask whether each control is managing a stored credential, a workload identity, or the runtime exchange between the two. That distinction exposes where teams are overusing vaults to solve identity problems they were never meant to handle.
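The inventory and single-governance-layer steps above, together with the multi-vault governance section in the technical breakdown, as one added worked example written for this summary (not Akeyless's or any vendor's code). It takes three constructed store inventories, in simplified shapes assumed to resemble AWS Secrets Manager, a HashiCorp Vault KV and database engine, and Kubernetes Secrets (the field names are illustrative, not the real APIs), normalises them into one record type, and runs one policy over all of them: a maximum age for static credentials, a check that every consumer is a registered workload, and a duplicate-path check that catches the same workload reaching the same target through two stores. The consumer and target tags and annotations are an assumed labelling convention; the cut-off date and the 90-day rotation window are assumptions too.

```python
# Added illustrative governance layer over several secret stores; constructed data, assumed store shapes, not vendor code.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def _ts(s: str) -> datetime:
    """RFC 3339 timestamp -> aware UTC datetime (the three stores below all emit roughly this form)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass(frozen=True)
class SecretRecord:
    """Store-neutral view of one credential: what it unlocks, who consumes it, how it ages."""
    ref: str                # "<store>:<path>", a stable handle for findings
    consumer: str | None    # workload identity that uses it; None means nobody claims it
    target: str             # access path it grants, e.g. "rds:prod-payments"
    last_rotated: datetime
    ttl_s: int | None       # None = static credential; otherwise a dynamic lease length


# Constructed sample inventories, each in a simplified shape assumed for its store (not the real API output).
AWS_SECRETS_MANAGER = [
    {"Name": "prod/payments/db", "LastChangedDate": "2025-10-01T00:00:00Z",
     "Tags": [{"Key": "consumer", "Value": "spiffe://example.org/ns/payments/sa/refund-agent"},
              {"Key": "target", "Value": "rds:prod-payments"}]},
    {"Name": "prod/payments/stripe", "LastChangedDate": "2026-04-01T00:00:00Z",
     "Tags": [{"Key": "target", "Value": "stripe:live"}]},  # nobody is tagged as the consumer
]
HASHICORP_VAULT = [
    {"path": "secret/data/payments/db", "updated_time": "2026-04-10T12:00:00Z", "lease_duration": 0,
     "custom_metadata": {"consumer": "spiffe://example.org/ns/payments/sa/refund-agent",
                         "target": "rds:prod-payments"}},
    {"path": "database/creds/payments-ro", "updated_time": "2026-04-28T08:00:00Z", "lease_duration": 3600,
     "custom_metadata": {"consumer": "spiffe://example.org/ns/payments/sa/reconcile-agent",
                         "target": "rds:prod-payments"}},
]
KUBERNETES_SECRETS = [
    {"metadata": {"namespace": "payments", "name": "legacy-api-key", "creationTimestamp": "2026-03-01T09:12:00Z",
                  "annotations": {"nhi/consumer": "spiffe://example.org/ns/payments/sa/legacy-batch",
                                  "nhi/target": "partner-api:acme"}}},
]


def from_aws(items: list[dict]) -> list[SecretRecord]:
    out = []
    for it in items:
        tags = {t["Key"]: t["Value"] for t in it.get("Tags", [])}
        out.append(SecretRecord(f"aws-secrets-manager:{it['Name']}", tags.get("consumer"),
                                tags.get("target", "unknown"), _ts(it["LastChangedDate"]), None))
    return out


def from_vault(items: list[dict]) -> list[SecretRecord]:
    return [SecretRecord(f"hashicorp-vault:{it['path']}", it["custom_metadata"].get("consumer"),
                         it["custom_metadata"].get("target", "unknown"), _ts(it["updated_time"]),
                         it["lease_duration"] or None) for it in items]


def from_k8s(items: list[dict]) -> list[SecretRecord]:
    out = []
    for it in items:
        m, ann = it["metadata"], it["metadata"].get("annotations", {})
        out.append(SecretRecord(f"kubernetes:{m['namespace']}/{m['name']}", ann.get("nhi/consumer"),
                                ann.get("nhi/target", "unknown"), _ts(m["creationTimestamp"]), None))
    return out


def inventory() -> list[SecretRecord]:
    """The whole estate as one list; a fourth store means one more adapter, not a second policy."""
    return from_aws(AWS_SECRETS_MANAGER) + from_vault(HASHICORP_VAULT) + from_k8s(KUBERNETES_SECRETS)


@dataclass(frozen=True)
class GovernancePolicy:
    max_static_age: timedelta   # static credentials older than this must be rotated or retired
    registered: frozenset[str]  # workload identities the inventory actually knows about


def govern(records: list[SecretRecord], policy: GovernancePolicy, now: datetime) -> dict:
    """One policy over every store: findings plus a workload -> access-path map for audit."""
    findings: dict[str, list] = {"stale_static": [], "unknown_consumer": [], "unregistered_consumer": []}
    holders: dict[tuple[str, str], list[str]] = defaultdict(list)
    access_map: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.ttl_s is None and now - r.last_rotated > policy.max_static_age:
            findings["stale_static"].append(r.ref)
        if r.consumer is None:
            findings["unknown_consumer"].append(r.ref)       # shadow access path: nobody owns its revocation
        elif r.consumer not in policy.registered:
            findings["unregistered_consumer"].append(r.ref)  # known to a store, unknown to the workload inventory
        if r.consumer:
            holders[(r.consumer, r.target)].append(r.ref)
            access_map[r.consumer].add(r.target)
    # Same workload, same target, two stores: an access path that cannot be revoked in one place.
    findings["duplicate_access_path"] = [(c, t, refs) for (c, t), refs in holders.items() if len(refs) > 1]
    return {"findings": findings, "access_map": {c: sorted(t) for c, t in access_map.items()}}


REGISTERED = frozenset({"spiffe://example.org/ns/payments/sa/refund-agent",
                        "spiffe://example.org/ns/payments/sa/reconcile-agent"})


def sample_report(now: datetime | None = None) -> dict:
    """Run the constructed estate against a 90-day static-age policy as of 2026-04-28 (assumed date)."""
    now = now or datetime(2026, 4, 28, tzinfo=timezone.utc)
    return govern(inventory(), GovernancePolicy(timedelta(days=90), REGISTERED), now)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_report(), indent=2, default=str))
```

On the constructed data the report flags the AWS database secret as stale (static and last changed more than 90 days ago), the Stripe secret as having no consumer at all, the Kubernetes API key as belonging to a workload the inventory never registered, and the refund agent as holding the same database access path in two stores. The dynamic Vault database lease is not flagged for age because it expires on its own. The access map is the "which workloads hold which access paths" view; the adapters are the only store-specific code, which is the point of governing over the existing estate instead of migrating it.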

Key takeaways

  • The article argues that secrets management is moving toward workload identity, where access is governed at runtime rather than stored and rotated after the fact.
  • The operational challenge is not a single vault, but governance across multiple vaults, clouds, and automation paths that already exist in most enterprises.
  • IAM teams should focus on inventory, runtime issuance, and policy orchestration together, because AI agents make reusable secrets harder to defend and easier to reuse.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets | Static, reusable secrets and runtime credential handling are central to the article.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access, access determined by dynamic policy | The post emphasises runtime access and least-privilege boundaries.
NIST CSF 2.0 | PR.AA-01 (identities and credentials managed), PR.AA-05 (access permissions defined in policy and least privilege) | Governance across multiple vaults depends on clear identity and access management.

Map workload identities to access governance and verify ownership, scope, and revocation.


Key terms

  • Workload Identity Management: Workload Identity Management is the practice of discovering, registering, and governing non-human workloads as identities rather than treating them as anonymous consumers of secrets. It ties access to the workload itself, then controls issuance, monitoring, and revocation through policy and runtime context.
  • Multi-Vault Governance: Multi-vault governance is the coordinated control of several secret stores across clouds, platforms, and teams. It focuses on consistent policy, inventory, audit, and orchestration so organisations can manage fragmented vault estates without losing visibility or creating conflicting credential lifecycles.
  • Runtime Issuance: Runtime issuance is the practice of creating access credentials only when a workload needs them and removing them when the task is complete. It reduces standing exposure by binding the credential to a live identity, a specific action, and a narrow operating window.
  • Ephemeral Credential: An ephemeral credential is a short-lived secret or token that exists only for a limited task or session. In identity programmes, ephemeral credentials are useful because they shrink the period of reuse, but they still require strong identity, policy, and revocation controls.

What's in the full article

Akeyless's full post covers the operational detail this post intentionally leaves for the source:

  • Gartner note references and category placement details for Workload Access Management, Multi-Vault Governance, and Workload Identity Management.
  • The company’s interpretation of the CeDeSec pattern and how it maps to its own architecture.
  • Implementation claims about issuing Just-in-Time credentials for AI agents and cloud workloads.
  • The vendor’s framing of centralized governance with decentralized enforcement across distributed environments.

👉 Akeyless's full post covers the Gartner category placements and the workload identity architecture behind them.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org