TL;DR: Secret scanners can now find exposed API keys and tokens quickly, but most organisations still stall on remediation because the alert does not reveal whether a secret is live, what it can reach, or how to retire it safely, according to Oasis Security. The real control gap is identity context, not detection speed.
At a glance
What this is: Identity-aware secret scanning ties exposed secrets to the non-human identities behind them so teams can judge live risk and remediate without breaking production.
Why it matters: IAM, PAM, and NHI programmes need this context because detection without ownership, blast radius, and safe revocation turns every leaked credential into an investigation problem.
By the numbers:
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read Oasis Security's analysis of identity-aware secret scanning and remediation
Context
Identity-aware secret scanning is the practice of linking a leaked secret to the non-human identity that uses it, then using that identity context to assess live risk and choose a safe response. For IAM and NHI teams, the gap is clear: a detected string is not the same thing as a governed credential.
Traditional secret scanning tells security teams that a key or token exists, but not whether it is still active, what systems it can reach, or who can safely disable it. That is why remediation slows down. The problem is not visibility alone. The problem is the missing governance layer between discovery and action.
That gap is widening as secrets spread across code, collaboration tools, CI logs, and AI-assisted workflows. The organisations that can map secrets to ownership and blast radius will shorten containment cycles without turning every incident into a production outage.
Key questions
Q: How should security teams handle exposed secrets without breaking production?
A: Security teams should first map the secret to its owning non-human identity, then confirm whether it is live, what it can access, and whether dependent systems can tolerate revocation. If those dependencies are unknown, rotate through a controlled workflow that updates consumers, verifies service health, and then retires the old credential.
Q: Why do leaked API keys and tokens remain a governance problem after detection?
A: Detection only proves that a secret exists in a risky place. The governance problem begins because teams still need ownership, usage, and blast-radius data before they can act safely. Without that context, every revocation decision becomes a manual investigation and can turn into an outage.
Q: What do organisations get wrong about secret rotation in NHI programmes?
A: They often treat rotation as a universal fix, even when they cannot confirm which systems depend on the credential. Rotation without identity context can hide the problem temporarily while leaving ownership gaps, stale entitlements, and unmanaged secrets in place. The right sequence is identify, validate, then rotate.
Q: How do teams know if identity-aware secret scanning is actually working?
A: It is working when findings are routed to clear owners, live credentials are resolved quickly, and revocation or rotation happens without production instability. Good programmes shorten the time from discovery to safe remediation and reduce the number of alerts that require manual reverse engineering.
Technical breakdown
Why secret scanning stops at the string level
Traditional secret scanners are pattern-matchers. They detect an AWS key, token, or password by comparing text against known formats, entropy, or machine-learning heuristics. That is useful for discovery, but it stops at the string. A string does not tell you whether the credential is live, whether it belongs to a service account or a human, or which workloads depend on it. Without that identity layer, triage becomes manual investigation across cloud consoles, source code, logs, and ticketing systems.
Practical implication: treat scanner output as a lead, not a decision, until the credential is tied to an owning identity and access scope.
How blast radius changes secret remediation
Blast radius is the operational answer to the question, what breaks if this secret is revoked now? In identity-aware secret scanning, the platform correlates the exposed credential with its downstream usage, permissions, and runtime behaviour. That makes it possible to distinguish a harmless stale key from a production identity with write access to sensitive data. The remediation model shifts from guesswork to controlled action, which is the difference between safe rotation and an outage caused by blind revocation.
Practical implication: require dependency and usage mapping before revocation so remediation can be sequenced instead of improvised.
Why identity context matters for non-human identities
Non-human identities include service accounts, API keys, tokens, certificates, bots, and agents. They often outlive the application or workflow that created them, which is why exposed secrets are so difficult to manage once found. Identity-aware scanning treats each secret as part of a larger lifecycle: ownership, usage, rotation, and offboarding. That is a more accurate model than treating secrets as isolated artefacts, because the real risk sits in the identity relationship, not the leaked value alone.
Practical implication: maintain a live inventory of non-human identities so every exposed secret can be routed to a responsible owner and retired safely.
Breaches seen in the wild
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-aware secret scanning is a governance model, not a detection feature. The industry has spent years improving the speed of secret discovery, but discovery does not equal control. What matters is whether the secret can be tied to an identity, an owner, and a safe remediation path. Practitioners should stop measuring success by alert volume alone and start measuring how quickly they can move from finding to fixing.
Secret remediation fails when organisations treat credentials as strings instead of identities. A leaked token is only actionable if teams know what it authenticates, what it can reach, and who is accountable for it. That is where most remediation processes break down, because the security tool sees the secret while operations owns the blast radius. The implication is that NHI governance must sit between detection and response, not after them.
Blast radius is now the decisive control variable in secret response. If a team cannot answer what a secret can touch before revoking it, then every alert becomes a production-risk decision. That is especially true for service accounts and machine identities that are embedded in workflows, pipelines, and collaboration tools. Practitioners should treat usage visibility as a prerequisite for safe action.
Identity-aware secret scanning creates the bridge between NHI inventory and incident handling. The point is not to detect more secrets for its own sake. The point is to connect exposed credentials to the systems and teams that can revoke, rotate, or reissue them without guesswork. Organisations that build that bridge will close exposure windows faster and with less operational damage.
Ephemeral credential trust debt: The article points to a structural problem where organisations assume short-lived or context-specific credentials will be easy to manage after exposure. In practice, remediation still depends on inventory quality, ownership, and dependency mapping. The implication is that “found” and “fixed” remain separate unless the identity layer is already in place.
From our research:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- From our research: 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to The State of Secrets Sprawl 2026.
- From our research: Read Ultimate Guide to NHIs for the lifecycle controls that turn discovery into governed remediation.
What this signals
Identity-aware remediation will become the differentiator in secret-response programmes. Teams that can connect a leaked credential to a live non-human identity, ownership record, and dependency map will spend less time triaging and more time containing. That is why the operational gap is moving from detection coverage to remediation quality, especially in environments where secrets appear in Slack, CI logs, and AI-assisted workflows.
Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, so most teams are still trying to rotate credentials they cannot fully explain. The practical signal is that inventory maturity now determines whether secret response is safe or disruptive.
If your programme still treats secret scanning as a ticketing problem, the next step is identity correlation and lifecycle control. The organisations that align secret discovery with ownership, rotation, and offboarding will reduce risk without creating avoidable operational churn.
For practitioners
- Map exposed secrets to owning identities Link every scanner finding to the service account, API key, token, or certificate that actually uses it. Route ownership to the team that can confirm live usage and approve safe remediation.
- Require blast-radius checks before revocation Verify what the credential can access, which production systems depend on it, and whether the secret is still live before disabling it. This reduces the risk of breaking customer-facing services.
- Build a safe rotation path for live credentials Use a rotation workflow that updates consumers, validates application health, and retires the old secret only after the new one is confirmed. Keep the process documented so response is repeatable.
- Inventory non-human identities continuously Maintain a live register of service accounts, tokens, keys, and certificates so exposed secrets can be matched to current ownership and lifecycle state instead of stale records.
Key takeaways
- Secret scanning alone does not close exposure risk when teams cannot map a leaked credential to its live identity and dependencies.
- The scale of the problem is already operational, not theoretical, because most exposed secrets remain valid long after discovery.
- Practitioners need identity context, blast-radius checks, and controlled rotation paths if they want to fix findings without breaking production.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret exposure requires rotation and revocation controls. |
| NIST CSF 2.0 | PR.AA-5 | Identity proofing and authentication context support safe secret handling. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust depends on continuously verifying what a credential can reach. |
Use least-privilege and continuous verification to reduce blast radius during secret remediation.
Key terms
- Identity-aware Secret Scanning: Secret scanning that links an exposed credential to the identity that uses it, rather than treating the secret as a standalone string. The goal is to determine whether the credential is live, who owns it, and how to remediate it without breaking the systems that depend on it.
- Blast Radius: The set of systems, data, and workflows a credential can affect if it is exposed or revoked. In NHI governance, blast radius is not a theoretical label. It is the practical measure that tells teams whether they can revoke immediately or need a controlled rotation path.
- Non-Human Identity: A non-human identity is any machine, workload, service account, token, key, certificate, bot, or agent that authenticates to access systems and data. These identities need governance across their full lifecycle because they often operate continuously, outnumber human accounts, and accumulate access over time.
- Controlled Rotation: A credential replacement process that updates dependent systems, verifies service health, and retires the old secret only after the new one is confirmed. For non-human identities, controlled rotation is the safer alternative to blind revocation when production dependencies are unknown or tightly coupled.
Deepen your knowledge
Identity-aware secret scanning and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a remediation process that has to work in live production, it is worth exploring.
This post draws on content published by Oasis Security: Identity-aware secret scanning: From “Found” to “Fixed”. Read the original.
Published by the NHIMG editorial team on 2026-05-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
