TL;DR: Entro Labs says its H1 2025 analysis of more than 27 million non-human identities found a 44% year-over-year rise in NHI sprawl, 43% of exposed secrets outside code, and 5.5% of AWS machine identities holding administrator privileges, underscoring how access growth outpaces governance. The security problem is no longer discovery alone, but controlling privilege, ownership, and secret exposure before shadow access becomes normal.
At a glance
What this is: Entro Labs' H1 2025 analysis shows NHI sprawl, exposed secrets, and over-privileged cloud identities are rising together across enterprise environments.
Why it matters: For IAM and NHI practitioners, the finding matters because access growth is now creating hidden privilege paths and secret exposure faster than most governance programmes can absorb.
By the numbers:
- Entro Labs found a 44% year-over-year increase in NHI sprawl in 2025.
- Entro Labs found that 43% of all exposed secrets are located outside code in SDLC tools, logs, and collaboration apps.
- Entro Labs found that 5.5% of AWS machine identities hold administrator privileges.
- Entro Labs reported that enterprise NHIs now outnumber human users by 144 to 1.
👉 Read Entro Labs' H1 2025 report on NHI sprawl and secret exposure
Context
NHI sprawl is the expansion of machine identities faster than governance can track ownership, privilege, rotation, and revocation. In this report, the core problem is not just quantity. It is that growing identity populations are carrying secrets and entitlements into places traditional IAM teams do not monitor closely enough.
For IAM and NHI practitioners, the issue is a control-plane gap. Security teams can discover more identities, but still miss where secrets live, which identities are over-privileged, and which accounts have become shadow access paths. The article's starting position is typical for modern cloud environments, not an outlier.
Key questions
Q: How should security teams govern non-human identities at scale?
A: Start with ownership, purpose, privilege, and lifecycle. Every machine identity should have a named owner, a documented business function, a least-privilege role, and a retirement path. Teams that focus only on inventory count miss the real problem, which is unmanaged access that keeps authenticating long after the original need has changed.
Q: Why do exposed secrets often slip past traditional security controls?
A: Because many secrets now appear outside source code, including in logs, chat tools, CI/CD systems, and project platforms. Traditional scanning methods often stop at the repository, but attackers can find credentials wherever workflows emit them. Effective control requires visibility across the full operational path, not just the codebase.
Q: What is the difference between secrets rotation and access revocation?
A: Rotation replaces a credential while preserving the workload's access pattern. Revocation removes access entirely, which is appropriate when the identity is stale, unused, or no longer needed. Organisations need both controls, because a rotated secret can still belong to an over-privileged or abandoned identity.
Q: When does over-privileged NHI access become a material risk?
A: It becomes material as soon as a machine identity can reach systems beyond its workload scope, because automation multiplies the impact of a compromise. In practice, any NHI with administrator rights, broad cloud permissions, or a credential shared across multiple workloads or environments should be treated as high risk and reviewed first.
Technical breakdown
Why NHI sprawl turns into governance debt
Non-human identities grow through automation, CI/CD, third-party integrations, SaaS connections, and AI agent workflows. Each new identity usually arrives with a secret, a role, or both, and ownership often lags behind creation. That creates governance debt, meaning the security team inherits accounts that exist, authenticate, and act, but cannot easily be explained, reviewed, or retired. The report's machine-to-human ratio shows that scale alone is now a risk factor. Traditional IAM models were built around periodic human lifecycle events, not constant machine creation and abandonment.
Practical implication: teams need continuous NHI inventory, ownership mapping, and lifecycle review instead of periodic cleanup campaigns.
Why secrets exposure outside code is the real blind spot
Secrets are credentials such as API keys, tokens, certificates, and passwords used by systems rather than people. When they appear in CI/CD logs, chat tools, project systems, or other SDLC surfaces, code scanning alone will miss them. That matters because the attack surface is not just the repository. It is every tool where developers, automation, and integrations exchange operational data. Once a secret escapes code, it can persist in systems built for collaboration, not control. The result is a hidden distribution layer for credential abuse.
Practical implication: expand secret detection to logs, pipelines, chat, and ticketing systems, not just source repositories.
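The detection gap described above (and in the key question on why exposed secrets slip past traditional controls) is easiest to see by running the same patterns over the surfaces code scanning never reaches. The following is an added example written for this post, not Entro Labs' tooling: it scans three constructed inputs (a CI log excerpt, a chat message and a ticket comment), matches structured token formats plus a generic key=value catch-all, and shows the two filters a practitioner needs to keep the catch-all usable: CI-masked or placeholder values are dropped, and low-entropy generic matches are suppressed rather than reported. The AWS values are AWS's published documentation examples and the GitHub token is a made-up string of the right shape; none of them is live.

```python
"""Secret detection over non-code surfaces: a CI log, a chat message and a ticket.

Added example for this post, not Entro Labs' tooling. The three inputs are
constructed; the AWS values are AWS's documentation examples and the GitHub
token is a made-up string of the right shape, so nothing here is live.
"""
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples standing in for three surfaces that repository scanning never sees.
SAMPLES = {
    "ci-log": (
        "2025-06-03T10:14:02Z [deploy] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "2025-06-03T10:14:02Z [deploy] export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "2025-06-03T10:14:03Z [deploy] export API_TOKEN=***\n"  # masked by the CI system
        "2025-06-03T10:14:03Z [deploy] export DB_PASSWORD=changeme\n"  # low-entropy placeholder
    ),
    "chat": (
        "alice: the staging bot token is ghp_abcdefghijklmnopqrstuvwxyz0123456789, "
        "just paste it into the runner config"
    ),
    "ticket": "Please rotate: svc_password=Pa55w0rd-Rot8-Me! was shared with the vendor.",
}

# Structured token formats first; the generic key=value catch-all relies on the entropy gate below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{3,})"
    ),
}
PLACEHOLDER = re.compile(r"^(?:\*+|x+|\$\{.*\}|<[^>]*>|redacted)$", re.I)
MIN_ENTROPY = 3.0  # bits per character; below this a generic match is almost always a placeholder


@dataclass
class Finding:
    source: str
    kind: str
    masked: str        # redacted value, safe to paste into a remediation ticket
    entropy: float
    suppressed: Optional[str] = None  # why the match was filtered out, if it was


def shannon_entropy(value: str) -> float:
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def mask(value: str) -> str:
    # Keep enough of the value to locate it in the source, never enough to use it.
    return "*" * len(value) if len(value) <= 8 else f"{value[:4]}...{value[-4:]}"


def scan_text(source: str, text: str) -> list[Finding]:
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            ent = shannon_entropy(value)
            reason = None
            if PLACEHOLDER.match(value):
                reason = "placeholder or CI-masked value"
            elif kind == "generic_assignment" and ent < MIN_ENTROPY:
                reason = f"low entropy ({ent:.2f} bits/char)"
            findings.append(Finding(source, kind, mask(value), round(ent, 2), reason))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    return [f for name, text in sources.items() for f in scan_text(name, text)]


def confirmed(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.suppressed is None]


if __name__ == "__main__":
    for f in scan_sources(SAMPLES):
        status = "CONFIRMED" if f.suppressed is None else f"SUPPRESSED: {f.suppressed}"
        print(f"{f.source:7} {f.kind:22} {f.masked:18} {status}")
```

On the constructed inputs the run confirms four findings (the AWS key pair in the CI log, the GitHub token in chat, the password in the ticket) and suppresses two: the value the CI system masked and the low-entropy placeholder. Masking in the report matters because a secrets-exposure finding that quotes the secret in full just creates another copy in a ticketing system, which is exactly the distribution layer the section describes.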
What makes super NHIs especially dangerous
A super NHI is a machine identity with more privilege than it needs, often because the role was inherited, defaulted, or never reduced after the original use case changed. Excess privilege matters more for machines than humans because automation can repeat abuse at speed and across environments. The risk is not only compromise. It is silent escalation, where a single identity becomes a reliable bridge into adjacent systems. In cloud environments, role sprawl and standing privilege create durable paths that bypass least-privilege expectations.
Practical implication: review high-privilege machine roles first and remove access that is not tied to a current workload need.
Threat narrative
Attacker objective: The attacker objective is to turn exposed machine credentials into durable access paths that bypass normal IAM oversight and enable broad environment control.
- Entry via exposed secrets in collaboration tools, logs, or workflow systems that were not covered by code-only scanning.
- Escalation through over-privileged AWS roles or reused machine credentials that grant broader access than the workload requires.
- Impact through persistent shadow access, allowing attackers to move across cloud and SaaS environments without triggering obvious human-account controls.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- 230M AWS environment compromise: environments compromised via exposed .env files holding cloud credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity sprawl is becoming governance debt, not just an inventory problem. Once machine identities outnumber human users by orders of magnitude, the programme challenge shifts from counting assets to proving ownership, purpose, and revocation. Security teams that treat NHI growth as a reporting exercise will miss the control failure underneath. The correct response is lifecycle governance, not periodic cleanup.
Secret exposure outside code is the more dangerous part of the story. Code scanning remains necessary, but it no longer covers the full credential surface when secrets move through logs, collaboration apps, and CI/CD systems. That creates a wider operational blind spot than many IAM teams assume. Practitioners should treat every workflow system as a potential credential repository.
Super NHIs create identity blast radius. When a small share of machine identities carries administrator rights, compromise becomes disproportionately costly because automation can amplify misuse at machine speed. This is why least privilege and entitlement review matter more for NHIs than for many human accounts. The discipline should focus on reducing the reachable blast radius before compromise occurs.
Shadow access is now a first-class governance category. Long-lived identities, stale secrets, and forgotten roles do not disappear when they are unowned; they continue to authenticate. That means the programme risk is not only initial exposure but also dormant access that survives normal review cycles. Organisations need explicit controls for discovery, assignment, rotation, and retirement.
Ephemeral access does not remove trust assumptions; it shifts them. Short-lived credentials can reduce exposure windows, but they still depend on correct issuance, scoping, and monitoring. If the underlying identity model is weak, the environment simply trades one kind of persistence risk for another. The field should measure NHI security by control quality, not by the age of the credential alone.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, which keeps stale credentials alive long enough for compromise to compound.
- For a broader control baseline, see Ultimate Guide to NHIs, Key Challenges and Risks for visibility, sprawl, and over-privilege patterns.
What this signals
Identity blast radius: machine identity growth is now a programme-level governance problem because every new workload, integration, or AI agent expands the number of credentials that must be owned, reviewed, and retired. The practical shift is from periodic clean-up to continuous control verification. Teams that do not formalise lifecycle rules will keep discovering access paths after they should have been removed.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs, the exposure problem is clearly structural. This is not a matter of one bad repository. It is a sign that operational systems still double as credential stores, which means every governance programme needs broader telemetry.
The next programme priority is to align NHI inventory, secret discovery, and entitlement review into one operating model. Without that integration, teams will keep closing isolated findings while the underlying identity sprawl continues. A control strategy that cannot see the full machine identity lifecycle will remain reactive.
For practitioners
- Implement continuous NHI inventory: map every service account, API key, token, and certificate to a named owner, a business purpose, and a review cadence. Without explicit ownership, identity sprawl becomes unmanageable and revocation stalls when teams change or workloads move.
- Expand secret scanning beyond source code: inspect CI/CD logs, collaboration tools, ticketing systems, and project management platforms for exposed secrets. Code repository scanning is necessary, but the report shows a large share of exposure now lives outside code.
- Reduce machine privilege aggressively: review AWS roles, service accounts, and automation identities for permissions they do not actively use. Remove administrator access where workload function does not require it and revalidate entitlement after every platform change.
- Create a rotation and retirement baseline: set mandatory rotation windows for active secrets and a retirement process for stale identities that are no longer tied to a current service. Long-lived credentials should not survive without proof of ongoing need.
- Treat shadow access as an operational risk: detect dormant credentials, stale tokens, and forgotten accounts as part of regular control monitoring, not incident response only. Hidden access paths should be reviewed alongside privileged human accounts and cloud exceptions.
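The practitioner steps above, together with the super NHI section earlier, describe one review loop: inventory with owners, find administrator-level privilege, find secrets past their rotation window, and separate identities that should be revoked from ones that should merely be rotated. The following is an added example written for this post, not Entro Labs' method or data: it runs that loop over a constructed inventory of four AWS-style machine identities and ranks them. The record shape (name, owner, last rotation, last use, a list of IAM policy statements in AWS's JSON form) is an assumption for illustration; in practice those fields come from the IAM credential report, IAM Access Advisor and your ownership register. The 90-day rotation window and 60-day dormancy threshold are policy assumptions, not figures from the report.

```python
"""Prioritised review of an NHI inventory: super NHIs, stale secrets, dormant and unowned identities.

Added example for this post, not Entro Labs' method. The inventory is
constructed and its record shape is an assumption; the 90-day rotation window
and 60-day dormancy threshold are policy choices, not figures from the report.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
ROTATION_WINDOW = timedelta(days=90)              # assumption: active secrets rotate quarterly
DORMANT_AFTER = timedelta(days=60)                # assumption: unused this long means retire, not rotate

# Constructed inventory. "policies" holds IAM policy statements in AWS's own JSON shape.
INVENTORY = [
    {"name": "ci-deployer", "owner": "platform-team", "last_rotated": "2025-05-15", "last_used": "2025-06-30",
     "policies": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"name": "billing-export", "owner": None, "last_rotated": "2024-11-02", "last_used": "2025-02-14",
     "policies": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::billing-reports/*"}]},
    {"name": "metrics-agent", "owner": "sre", "last_rotated": "2025-05-20", "last_used": "2025-06-29",
     "policies": [{"Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*"}]},
    {"name": "legacy-sync", "owner": "data-eng", "last_rotated": "2023-08-01", "last_used": "2024-12-01",
     "policies": [{"Effect": "Allow", "Action": ["iam:*", "s3:*"], "Resource": "*"}]},
]
RANK = {"P0": 0, "P1": 1, "P2": 2, "OK": 3}


def _as_list(x):
    # IAM allows Action and Resource to be a single string or a list.
    return x if isinstance(x, list) else [x]


def admin_reasons(policies) -> list[str]:
    """Return why a statement set amounts to administrator access, if it does.

    Only Allow statements are considered; an explicit Deny elsewhere can narrow
    the result, so a hit here means 'review first', not 'proven exploitable'.
    """
    reasons = []
    for stmt in policies:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "*" in actions:
            reasons.append("Action '*' on Resource '*' (full administrator)")
        elif "iam:*" in actions:
            reasons.append("iam:* on Resource '*' (can grant itself any permission)")
    return reasons


def _date(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def review_identity(nhi: dict, now: datetime = NOW) -> list[tuple[str, str, str]]:
    """Findings as (priority, tag, detail) for one identity."""
    findings = [("P1", "super-nhi", r) for r in admin_reasons(nhi["policies"])]
    if not nhi.get("owner"):
        findings.append(("P1", "unowned", "no named owner; revocation will stall"))
    since_rotation = now - _date(nhi["last_rotated"])
    since_use = now - _date(nhi["last_used"])
    if since_rotation > ROTATION_WINDOW:
        findings.append(("P2", "stale-secret", f"last rotated {since_rotation.days} days ago"))
    if since_use > DORMANT_AFTER:
        findings.append(("P2", "dormant", f"unused for {since_use.days} days; revoke rather than rotate"))
    return findings


def priority(findings) -> str:
    tags = {tag for _, tag, _ in findings}
    # Broad privilege that nobody is maintaining is the worst case: blast radius plus survivorship.
    if "super-nhi" in tags and tags & {"dormant", "stale-secret", "unowned"}:
        return "P0"
    return min((p for p, _, _ in findings), default="OK")


def review_inventory(inventory, now: datetime = NOW) -> dict:
    report = {}
    for nhi in inventory:
        findings = review_identity(nhi, now)
        report[nhi["name"]] = {"priority": priority(findings), "findings": findings}
    return report


def prioritised_names(inventory, now: datetime = NOW) -> list[str]:
    report = review_inventory(inventory, now)
    return sorted(report, key=lambda n: RANK[report[n]["priority"]])  # sorted() is stable


if __name__ == "__main__":
    report = review_inventory(INVENTORY)
    for name in prioritised_names(INVENTORY):
        print(f"{report[name]['priority']} {name}")
        for _, tag, detail in report[name]["findings"]:
            print(f"    {tag}: {detail}")
```

On the constructed inventory, legacy-sync lands at P0: iam:* on every resource is administrator-equivalent because the identity can grant itself anything, and the secret has neither been rotated nor used within policy, so the right action is revocation. ci-deployer is P1 (administrator rights, but owned and actively used, so the work is scoping the role down rather than deleting it), billing-export is P1 because it has no owner and nobody can sign off on retiring it, and metrics-agent needs nothing. The point of the ranking is the one the super NHI section makes: review privilege first, and treat privilege combined with abandonment as the most urgent case.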
Key takeaways
- Machine identity growth is now a governance problem because scale alone creates hidden ownership, privilege, and revocation gaps.
- Secret exposure outside source code shows why code scanning alone is no longer enough to protect enterprise credentials.
- Teams should prioritise continuous inventory, privilege reduction, and lifecycle control before shadow access becomes the default state.
Key terms
- Non-Human Identity: A non-human identity is any account or credential used by software, services, workloads, or automation rather than a person. It includes service accounts, API keys, tokens, certificates, and AI agents with execution authority. In practice, these identities often outnumber human users and need their own lifecycle controls.
- Secret Sprawl: Secret sprawl is the uncontrolled spread of credentials across repositories, logs, chat tools, CI/CD systems, and other operational surfaces. It creates discovery and revocation problems because credentials can persist far outside the systems security teams expect to monitor. The risk increases when ownership and rotation are not enforced consistently.
- Identity Blast Radius: Identity blast radius is the amount of damage a single compromised identity can cause based on its permissions, reach, and reuse. For NHIs, it is driven by over-privilege, shared credentials, and long-lived access. Reducing blast radius is a central control objective because machine compromise can scale quickly.
- Shadow Access: Shadow access is unauthorised or unmanaged access that continues to exist because a credential, role, or account was forgotten, reused, or never properly revoked. In NHI programmes, shadow access is especially dangerous because it can remain active across cloud, SaaS, and automation layers without obvious human ownership.
What's in the full article
Entro Labs' full report covers the operational detail this post intentionally leaves for the source:
- The full breakdown of the 27 million NHI sample set and how the vendor segmented identity types across enterprise environments
- Source-specific examples of exposed secrets in CI/CD workflows, collaboration tools, and messaging platforms
- The report's deeper analysis of super NHIs, including where administrator privileges clustered and how they were identified
- The age distribution of long-lived NHIs and active secrets, which is useful for remediation planning and governance reviews
Deepen your knowledge
NHI sprawl, secrets exposure, and privilege control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is building a governance baseline from a similar starting point, it is worth exploring.
Published by the NHIMG editorial team on 2025-07-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org