By NHI Mgmt Group Editorial TeamPublished 2026-05-31Domain: Best PracticesSource: Token Security

TL;DR: Machine identities now outnumber humans by roughly 45 to 1 in many enterprises, while 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025, according to GitGuardian and Token Security’s analysis of machine identity governance. The governance gap is no longer theoretical: discovery, ownership, rotation, and access review must move from manual review to policy-driven control.


At a glance

What this is: This analysis argues that machine identity governance has shifted from an operational convenience to a core security discipline because non-human identities are multiplying faster than manual controls can govern them.

Why it matters: It matters because IAM, NHI, and lifecycle teams now need one governance model for service accounts, secrets, bots, containers, and AI agents before identity debt turns into breach exposure.

By the numbers:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.

👉 Read Token Security's analysis of machine identity governance best practices


Context

Machine identity governance is the discipline of controlling service accounts, API keys, tokens, certificates, bots, containers, and AI agents with the same rigor applied to human identities. Token Security’s article makes the case that the enterprise problem is not just identity volume, but the mismatch between how fast machine identities are created and how slowly they are reviewed, rotated, and retired.

That mismatch now affects NHI governance across hybrid cloud, DevOps, and agentic AI programmes. When credentials are hard-coded, over-privileged, or left without an owner, the result is identity debt: access that outlives the workload, the project, or the business need.


Key questions

Q: How should security teams govern machine identities in hybrid cloud environments?

A: They should start with a complete inventory, then apply ownership, least privilege, and rotation policies consistently across cloud roles, service accounts, tokens, and certificates. Governance works when it is tied to real usage, not when it depends on manual tickets or quarterly review rituals. The best programmes make identity lifecycle controls part of the delivery system, not a separate process.

Q: Why do service accounts and API keys create more risk than human accounts when they are unmanaged?

A: Because non-human identities are often created faster, granted broader access, and reviewed less often than human accounts. When they are unmanaged, they persist after the workload changes, the team moves on, or the secret is exposed. That creates a long-lived attack surface that attackers can exploit through reuse, privilege abuse, or stale credentials.

Q: What breaks when machine identity access reviews are still done quarterly?

A: Quarterly reviews miss most of the lifecycle events that matter for machine identities, especially short-lived workloads, ephemeral infrastructure, and secrets that are exposed and reused between review cycles. By the time the spreadsheet is reviewed, the real risk has already moved. Usage-based entitlement checks work better because they remove access when the workload no longer needs it.

Q: Which standards should guide machine identity governance programmes?

A: Machine identity programmes should map to OWASP NHI guidance, NIST Cybersecurity Framework controls, and zero-trust principles. Those frameworks help teams define discovery, least privilege, continuous verification, and lifecycle enforcement in a way that can be audited. The practical test is whether the programme can prove who or what had access, why it had access, and when that access ended.


Technical breakdown

Identity discovery and inventory across hybrid cloud

Machine identity governance starts with inventory because you cannot control what you cannot see. In hybrid and multi-cloud estates, identities live in AWS IAM roles, Azure service principals, Google Cloud service accounts, SaaS tokens, CI/CD secrets, and application configs. The technical challenge is building a unified system of record that classifies each identity by type, owner, risk, and environment. Without that graph, every downstream control is working blind.

Practical implication: connect discovery to every cloud, repository, and SaaS surface before trying to automate policy.

Credential rotation and secret-less authentication

Static credentials create long-lived attack windows, which is why governance must distinguish between managing a secret and governing its lifetime. Short-lived credentials, mutual TLS, and workload-native identity reduce dependence on passwords and API keys, while rotation automation limits the usefulness of exposed secrets. In practice, the control failure is not just exposure, but persistence after exposure.

Practical implication: treat revocation speed as a control objective, not a cleanup task.

Policy-driven access reviews for service accounts

Human-style quarterly reviews do not scale to non-human identities. Machine identity governance instead asks whether an entitlement was actually used, whether the workload still exists, and whether the permission still matches the current function. This is a data-driven form of right-sizing that replaces standing access with utilized access and makes least privilege measurable instead of aspirational.

Practical implication: base entitlement removal on usage evidence, not on calendar-based review cycles.


NHI Mgmt Group analysis

Machine identity governance has become a structural security layer, not a control add-on. The article is right that the modern enterprise now depends on non-human identities to move data, launch infrastructure, and execute transactions. That makes identity discovery, ownership, rotation, and revocation foundational to the security model, not downstream administration. The practical conclusion is that governance programmes must be built around machine identity as a first-class asset.

Identity debt is the clearest failure mode in machine identity programmes. Ad-hoc provisioning, forgotten service accounts, and hard-coded secrets create a persistent inventory of active but unaudited access. This is not simply poor hygiene; it is governance debt that accumulates when creation is easier than retirement. Practitioners should treat identity debt as a measurable operational risk that grows until it is actively retired.

Least privilege only works when privilege is observable and time-bounded. Token Security’s emphasis on JIT access and data-driven reviews reflects a broader truth: standing access becomes a liability once machine identities can be cloned, reused, or forgotten. The NHI governance model has to shift from static entitlements to continuously validated access intent. The practical implication is that unused permissions should be removed by default.

Machine identity governance is where DevOps speed and security discipline either reconcile or collide. The article’s strongest point is that security cannot sit outside CI/CD and expect developers to comply manually. Policy-as-code, secret scanning, and automated provisioning are not convenience features, they are the only scalable way to keep governance inside the delivery path. Practitioners should embed control into the pipeline rather than ask the pipeline to slow down for control.

Agentic AI sharpens the governance problem because autonomy magnifies identity sprawl. When AI systems can choose tools or queries at runtime, the governance question changes from who created the identity to what the identity is allowed to do while it is operating. That is why machine identity governance now has to cover both classic NHIs and emerging agentic workloads. The practical conclusion is that AI programmes must inherit NHI controls before they inherit NHI failure modes.

From our research:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to Guide to the Secret Sprawl Challenge.
  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, which means discovery without automated revocation leaves the control gap intact.
  • The governance lesson is reinforced by Ultimate Guide to NHIs, which frames discovery, ownership, rotation, and offboarding as one lifecycle, not separate tasks.

What this signals

Identity debt is now a programme-level risk, not a tooling gap. As machine identities multiply, the issue is no longer whether teams can create access but whether they can explain why it still exists. Programmes that rely on manual review will keep accumulating orphaned access, especially where CI/CD and cloud identities are provisioned outside central governance.

With 24,008 unique secrets exposed in MCP configuration files in 2025 alone, the governance problem is moving into agent-adjacent workflows as well as classic CI/CD. Teams planning for AI and automation should treat secret discovery, ownership, and revocation as shared controls across workload identity and emerging agentic systems.

Ephemeral infrastructure changes the meaning of least privilege. When workloads exist for minutes and secrets can be copied in seconds, the relevant question is whether access can be validated, revoked, and evidenced fast enough to matter. That pushes identity teams toward policy-as-code, short-lived credentials, and stronger linkage between runtime events and access decisions.


For practitioners

  • Build a single inventory of all non-human identities Map service accounts, API keys, tokens, certificates, CI/CD secrets, and AI-related workloads into one control plane so ownership, purpose, and environment are explicit. Without a complete inventory, rotation and access reviews will always miss the highest-risk identities.
  • Automate revocation for exposed and unused secrets Trigger immediate revocation when a secret appears in code, chat, or ticketing systems, and remove credentials that have not been used within the defined policy window. The goal is to shrink the exposure window before attackers can exploit stale access.
  • Replace calendar reviews with usage-based entitlement checks Evaluate whether each machine identity actually used its permissions in the last review cycle, then remove access that has no operational evidence. This turns access review from a paperwork exercise into a living right-sizing process.
  • Shift governance into CI/CD and infrastructure code Block hard-coded secrets, prevent over-privileged service accounts from being provisioned, and enforce identity policy as code before deployment. If the pipeline can create the identity, the pipeline must also enforce the identity policy.

Key takeaways

  • Machine identity governance fails when organisations treat non-human access as an operational side task instead of a core control plane.
  • The scale problem is already visible in secrets data, where millions of exposed credentials and stale valid secrets create a durable attack surface.
  • Practitioners need identity discovery, automated revocation, and usage-based access review to keep machine identity sprawl from becoming unmanaged risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Discovery and inventory are central to the article's governance model.
NIST CSF 2.0PR.AA-01Identity governance depends on knowing what identities exist and what they can access.
NIST Zero Trust (SP 800-207)PR.AC-4Least-privilege and continuous verification underpin the article's access-control argument.

Inventory all non-human identities and classify them by owner, purpose, and risk before granting production access.


Key terms

  • Machine Identity Governance: The policies and controls that decide how non-human identities are created, owned, used, reviewed, rotated, and removed. It extends identity management beyond humans to service accounts, API keys, certificates, bots, containers, and AI workloads, with the goal of making machine access visible, justified, and finite.
  • Identity Debt: The accumulation of unmanaged or poorly governed identities that remain active after the original need has changed. In practice, this includes orphaned accounts, stale secrets, and permissions that outlive the workload, creating security risk that grows quietly until it is cleaned up or exploited.
  • Right-Sizing: The process of removing unused or excessive permissions so an identity only retains access it actually uses. For machine identities, right-sizing is usually evidence-driven rather than manager-driven, because logs and runtime behaviour provide a better signal than calendar-based review alone.
  • Secret-less Authentication: An authentication pattern that avoids long-lived passwords or static API keys in favour of workload-native or short-lived credentials. It reduces exposure by removing the most reusable form of machine access and making compromise harder to persist beyond a narrow execution window.

What's in the full article

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of how to classify cloud-native identities, secret-based identities, and shadow identities across hybrid estates.
  • Example policy patterns for rotation, revocation, and right-sizing that teams can adapt to their own machine identity programme.
  • Pipeline controls for scanning hard-coded secrets and blocking over-privileged service accounts before deployment.
  • Identity-centric logging requirements that support auditability when machine transactions need to be investigated.

👉 The full Token Security post covers inventory, rotation, access reviews, and pipeline controls in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org