TL;DR: Entro Security’s H1 2025 report says non-human identities now outnumber humans 144:1, 43% of exposed secrets sit outside code, and 1 in 20 AWS machine identities carry full admin privileges, showing how fast NHI sprawl is outpacing conventional control planes. The governance problem is now structural: visibility, ownership, and blast-radius reduction matter more than vaulting alone.
At a glance
What this is: This report argues that NHI and secrets risk is expanding faster than most teams can track, with exposure shifting into collaboration tools, SaaS workflows, and long-lived machine identities.
Why it matters: For IAM and NHI practitioners, the issue is no longer just secret storage, but whether identity ownership, rotation, and privilege scope can keep pace with machine-scale growth.
By the numbers:
- Non-human identities now outnumber humans 144:1, compared to 92:1 in H1 2024.
- 43% of exposed secrets are found outside of code.
- 1 in 20 AWS machine identities carry full admin privileges.
👉 Read Entro Security's report on the H1 2025 NHI and secrets risk landscape
Context
NHI and secrets governance now starts with a simple reality: machine identities are multiplying faster than most enterprises can inventory them. When non-human identities outnumber humans 144:1 and exposed secrets are increasingly stored in collaboration tools rather than code, the control problem shifts from perimeter defence to lifecycle control, privilege scope, and ownership.
Entro Security’s report points to a common pattern in SaaS-first environments. Secrets move through messaging apps, local files, and shared workspaces, then remain active long after the original owner has moved on. That is not an edge case for modern IAM. It is becoming the baseline risk profile for organisations that rely on automated services, agents, and application credentials.
The starting position described in the report is typical of fast-moving cloud programmes: broad adoption, weak sightlines, and too little operational discipline around non-human identity lifecycle management.
Key questions
Q: How should organisations reduce risk from exposed non-human identities and secrets?
A: Start by inventorying where credentials are copied, stored, and reused outside source code and vaults. Then shorten rotation intervals, assign named ownership for every machine identity, and remove full-admin entitlements wherever the task can be done with scoped access. The goal is to reduce blast radius, not just count secrets.
Q: Why do non-human identities create more risk than human accounts?
A: They scale faster, are often reused across systems, and are frequently left active after the original use case ends. That means one exposed secret can unlock access to many workloads at once. In practice, the problem is not identity type alone but the combination of persistence, reuse, and overprivilege.
Q: What is the difference between vaulting secrets and governing them?
A: Vaulting is storage control. Governing secrets means knowing where they move, who owns them, when they expire, and whether they are still justified. A secret can be safely stored and still be operationally unsafe if it is copied into chat tools, duplicated in files, or left active after offboarding.
Q: When should teams treat a machine identity as high risk?
A: Treat it as high risk when it carries broad privileges, is reused by multiple applications, or lacks a clear owner and expiry path. Those conditions multiply the impact of exposure and make recovery slower. A machine identity with weak lifecycle discipline should be treated as a standing security issue.
Technical breakdown
Why exposed secrets move outside code and vaults
Secrets do not stay neatly inside source control or a vault once teams start sharing them across SaaS collaboration platforms. Copy-paste workflows, ticketing systems, chat channels, and local files create parallel storage locations that bypass the intended control path. The result is not simply more exposure. It is fractured provenance, where security teams can no longer tell which copy is current, who approved it, or whether the credential is still in use. Vaulting reduces some risk, but it does not remove the operational habit of distributing credentials across people and tools.
Practical implication: Track where secrets are copied after issuance, not just where they are first stored.
How machine identity sprawl creates privilege multiplication
Machine identity sprawl occurs when the number of service accounts, tokens, and automation identities grows faster than the governance processes built to manage them. Each additional identity expands the review surface for access, ownership, rotation, and offboarding. The risk is amplified when a single machine identity is reused by multiple applications or granted broad permissions such as full administrator access. In that model, one leaked credential can produce a much larger blast radius than a typical user account compromise.
Practical implication: Treat reusable or overprivileged machine identities as blast-radius multipliers, not administrative conveniences.
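The following is an added example, not code from Entro Security's report or from this page. It turns the high-risk conditions named above (full-admin scope, reuse by several applications, missing owner, stale rotation) into a ranking so that privilege concentration, rather than raw identity count, drives review order. The inventory records are constructed for illustration and would normally be assembled from an IAM export of users, roles and their inline and attached policies; the scoring weights are an assumed heuristic, not a figure from the report.

```python
"""Added example (not code from Entro Security's report or from this page):
rank machine identities by blast radius using the criteria the text names,
that is full-admin scope, reuse by several applications, missing owner and
stale rotation. The inventory records are constructed for illustration and
the scoring weights are an assumed heuristic."""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# AWS-managed policy that grants full administrator access.
ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value) -> list:
    """IAM policy fields may be a bare string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_grants_full_admin(stmt: dict) -> bool:
    """True when an Allow statement covers every action on every resource.
    NotAction/NotResource forms are treated as wildcard too: 'everything
    except iam:*' on '*' is still far broader than any single task needs."""
    if stmt.get("Effect") != "Allow":
        return False
    wildcard_action = "*" in _as_list(stmt.get("Action", [])) or "NotAction" in stmt
    wildcard_resource = "*" in _as_list(stmt.get("Resource", [])) or "NotResource" in stmt
    return wildcard_action and wildcard_resource


@dataclass
class MachineIdentity:
    name: str
    owner: Optional[str]            # named human owner; None means unowned
    consumers: List[str]            # applications that share this credential
    inline_policies: List[dict]     # parsed IAM policy documents
    attached_policy_arns: List[str]
    days_since_rotation: int


def is_full_admin(ident: MachineIdentity) -> bool:
    """Admin via the managed AdministratorAccess policy or an inline wildcard grant."""
    if ADMIN_MANAGED_POLICY in ident.attached_policy_arns:
        return True
    return any(
        statement_grants_full_admin(s)
        for pol in ident.inline_policies
        for s in _as_list(pol.get("Statement", []))
    )


def risk_findings(ident: MachineIdentity, max_rotation_days: int = 90) -> List[str]:
    """The high-risk conditions the text lists, as short tags."""
    findings = []
    if is_full_admin(ident):
        findings.append("full-admin")
    if len(ident.consumers) > 1:
        findings.append(f"reused-by-{len(ident.consumers)}")
    if ident.owner is None:
        findings.append("no-owner")
    if ident.days_since_rotation > max_rotation_days:
        findings.append("stale-rotation")
    return findings


def blast_radius_score(ident: MachineIdentity, max_rotation_days: int = 90) -> int:
    """Assumed heuristic: each consuming application counts once, admin scope
    multiplies that by 10 (one admin identity outweighs many scoped ones),
    and missing ownership or stale rotation add fixed penalties because both
    slow down revocation when the credential leaks."""
    score = len(ident.consumers) * (10 if is_full_admin(ident) else 1)
    if ident.owner is None:
        score += 5
    if ident.days_since_rotation > max_rotation_days:
        score += 3
    return score


def rank(inventory: List[MachineIdentity]) -> List[Tuple[str, int, List[str]]]:
    """Identities ordered by blast radius, highest first."""
    rows = [(i.name, blast_radius_score(i), risk_findings(i)) for i in inventory]
    return sorted(rows, key=lambda r: -r[1])


def admin_fraction(inventory: List[MachineIdentity]) -> float:
    """Share of identities carrying full admin (the report's '1 in 20' metric)."""
    return sum(is_full_admin(i) for i in inventory) / len(inventory)


# Constructed sample inventory: four identities, two of them full admin.
SAMPLE_INVENTORY = [
    MachineIdentity("ci-deployer", "platform-team", ["ci"],
        [json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}')],
        [], 30),
    MachineIdentity("legacy-etl", None, ["etl-a", "etl-b", "etl-c"], [], [ADMIN_MANAGED_POLICY], 400),
    MachineIdentity("image-uploader", "media-team", ["web", "mobile"],
        [{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["s3:PutObject"],
          "Resource": "arn:aws:s3:::uploads/*"}}], [], 20),
    MachineIdentity("metrics-reader", "sre", ["grafana"],
        [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Action": "cloudwatch:GetMetricData", "Resource": "*"}]}], [], 10),
]

if __name__ == "__main__":
    print(f"full-admin share: {admin_fraction(SAMPLE_INVENTORY):.0%}")
    for name, score, findings in rank(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:15s}  {', '.join(findings) or 'ok'}")
```

Note the conjunction in `statement_grants_full_admin`: `cloudwatch:GetMetricData` on `Resource: "*"` is not flagged, because a wildcard resource alone is not admin; only action and resource wildcards together (or their `NotAction`/`NotResource` inversions) are. The unowned, stale, three-consumer `legacy-etl` identity lands at the top of the ranking even though `ci-deployer` holds the same admin scope, which is the point of measuring concentration and reuse rather than counting identities.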
Why detection-driven defense matters for NHI lifecycle gaps
Traditional posture management tells you what should be true at a point in time, but NHI risk often emerges after issuance, reuse, or abandonment. Detection-driven defense focuses on the moment credentials are exposed, duplicated, or left active beyond their intended lifecycle. That matters because non-human identities can persist after a project ends, an owner leaves, or an application changes hands. The security question is no longer only whether a secret exists, but whether the organisation can see its current state quickly enough to revoke it before it is abused.
Practical implication: Build alerts and response playbooks around exposure, reuse, and stale ownership, not just configuration checks.
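The following is an added example serving both subsections above (secrets moving outside code and vaults, and detection-driven defence for lifecycle gaps); it is not code from Entro Security's report or from this page. It scans a flat feed of chat messages, ticket bodies, local files and commits, correlates copies of the same secret by a one-way fingerprint rather than by storing the value again, and flags copies whose registered owner has been offboarded or which were never issued through the control path at all. The sources, issuance registry and staff directory are constructed; the AWS key IDs are AWS documentation example values and the GitHub token is a dummy string.

```python
"""Added example (not code from Entro Security's report or from this page):
track exposed secrets after issuance across non-code locations, correlate
duplicates by fingerprint rather than by copying the value again, and flag
copies whose registered owner has been offboarded. The scan sources,
issuance registry and staff directory are constructed; the AWS key IDs are
AWS documentation example values and the GitHub token is a dummy."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Two detector patterns keep the example short; a real scanner carries many
# more and validates candidates against the issuer where it can.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
CODE_PREFIXES = ("git:",)   # location prefixes that count as "in code"


def fingerprint(secret: str) -> str:
    """Stable one-way handle so findings can be stored, alerted on and joined
    to the issuance registry without the secret itself being copied again."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def redact(text: str) -> str:
    """Replace each detected secret with <kind:fingerprint> for alert text."""
    for kind, pat in PATTERNS.items():
        text = pat.sub(lambda m, k=kind: f"<{k}:{fingerprint(m.group(0))}>", text)
    return text


def analyse(sources: List[Tuple[str, str, str]],
            registry: Dict[str, dict],
            active_people: Set[str]) -> Dict[str, dict]:
    """sources: (location, author, text) triples from chat exports, ticket
    bodies, local files and commits. registry: fingerprint -> issuance record.
    Returns one finding per distinct secret, keyed by fingerprint."""
    findings: Dict[str, dict] = {}
    for location, author, text in sources:
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                f = findings.setdefault(fingerprint(m.group(0)),
                                        {"kind": kind, "locations": [], "authors": set()})
                f["locations"].append(location)
                f["authors"].add(author)
    for fp, f in findings.items():
        f["outside_code"] = any(not loc.startswith(CODE_PREFIXES) for loc in f["locations"])
        f["duplicated"] = len(f["locations"]) > 1          # same value in more than one place
        record = registry.get(fp)
        f["unregistered"] = record is None                 # never issued through the control path
        f["owner"] = record["owner"] if record else None
        f["stale_owner"] = record is not None and record["owner"] not in active_people
    return findings


def outside_code_share(findings: Dict[str, dict]) -> float:
    """Share of exposure occurrences (not distinct secrets) that sit outside code."""
    locations = [loc for f in findings.values() for loc in f["locations"]]
    outside = [loc for loc in locations if not loc.startswith(CODE_PREFIXES)]
    return len(outside) / len(locations) if locations else 0.0


# Constructed scan input: (location, author, text).
DUMMY_PAT = "ghp_" + "A" * 36
SAMPLE_SOURCES = [
    ("slack:#deploys", "alice", "use AKIAIOSFODNN7EXAMPLE for the bucket, ask bob for the secret"),
    ("jira:OPS-1234", "bob", "creds attached: AKIAIOSFODNN7EXAMPLE (rotate after the migration)"),
    ("git:app/config.py", "carol", f'GITHUB_TOKEN = "{DUMMY_PAT}"'),
    ("file:~/notes.txt", "carol", f"{DUMMY_PAT}  backup copy of the deploy token"),
    ("slack:#dm-dave", "dave", "new key AKIAI44QH8DHBEXAMPLE"),
]
# Constructed issuance registry and staff directory; bob has been offboarded.
REGISTRY = {
    fingerprint("AKIAIOSFODNN7EXAMPLE"): {"owner": "bob", "issued_days_ago": 400},
    fingerprint(DUMMY_PAT): {"owner": "carol", "issued_days_ago": 20},
}
ACTIVE_PEOPLE = {"alice", "carol", "dave"}

if __name__ == "__main__":
    results = analyse(SAMPLE_SOURCES, REGISTRY, ACTIVE_PEOPLE)
    print(f"exposures outside code: {outside_code_share(results):.0%}")
    for fp, f in results.items():
        flags = [k for k in ("duplicated", "outside_code", "stale_owner", "unregistered") if f[k]]
        print(fp, f["kind"], f["owner"], f["locations"], flags)
    print(redact(SAMPLE_SOURCES[0][2]))
```

Three design points carry over to a real deployment. Alerts and tickets are themselves new storage locations, so the finding carries the fingerprint and a redacted excerpt, never the value. The join to an issuance registry is what turns a scan hit into an ownership question: a hit with no registry record means the credential bypassed the control path, and a hit whose owner is no longer in the directory is the offboarding failure the text describes. And counting occurrences rather than distinct secrets is what lets a team track its own version of the report's outside-of-code share over time.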
Threat narrative
Attacker objective: Use one exposed non-human identity to widen access across multiple systems and increase the blast radius of compromise.
- Entry occurs when exposed secrets are copied into collaboration platforms, local files, or other locations outside the intended control boundary.
- Escalation follows when a reused or overprivileged machine identity gives the attacker broader access than the original application needed.
- Impact is achieved when the compromised identity is used to access SaaS systems, cloud resources, or downstream services at machine scale.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the compromised reviewdog/action-setup Action exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity blast radius is now the central NHI governance metric. When non-human identities outnumber humans by triple digits, the real issue is not raw count but how much access each identity concentrates. A single full-admin machine identity can outweigh dozens of low-risk accounts. Practitioners should measure privilege concentration, not just identity volume.
Secrets without sightlines create governance debt. Once secrets move into chat systems, ticketing tools, and local files, the organisation loses clean custody and reviewability. That weakens offboarding, rotation, and audit response because the team cannot reliably prove where the secret lives or who still depends on it. Security programmes should treat hidden secret copies as a lifecycle failure, not a hygiene issue.
Vaulting alone does not solve the exposure problem. The report’s core message is that secure storage is necessary but insufficient when teams can still duplicate, reuse, and forget credentials outside the vault. NHI governance needs ownership, inventory, and enforced expiry across the whole credential path. Practitioners should design controls around how secrets travel, not only where they are stored.
Machine identity sprawl is a policy problem before it is a tooling problem. The overuse of NHIs by multiple applications and the persistence of stale credentials show that the underlying failure is weak lifecycle discipline. Organisations need explicit ownership, scoped permissions, and review intervals for every non-human identity. The programme question is whether access is justified today, not whether it was ever created.
Real-time exposure response is becoming the operating model for NHI security. In machine identity environments, waiting for quarterly review cycles leaves too much time for abuse. Detection, revocation, and verification now need to happen in the same control loop. Practitioners should move from periodic governance to continuous control because exposure windows are getting shorter, not longer.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 50% of organisations are onboarding new vaults without proper security approval, introducing vulnerabilities and misconfigurations from the outset.
- 52 NHI Breaches Analysis shows how lifecycle failures and exposure paths turn into recurring compromise patterns.
What this signals
Identity sprawl is becoming a control-plane problem, not a discovery problem. With 60% of NHIs overused, that is, shared by more than one application, the issue is no longer simply whether teams can find machine identities. The harder question is whether they can govern reuse, ownership, and expiry before one credential becomes a platform-wide compromise. Organisations should expect access review backlogs to grow unless they automate entitlement checks and ownership reassignment.
The operational signal is that security programmes need to focus on where secrets are shared after issuance. When collaboration tools and ticketing systems become storage locations, the review model has to extend beyond the vault. That means pairing secret scanning with lifecycle controls, offboarding hooks, and alerting tied to credential duplication. Teams that do not close this gap will continue to discover exposures after the attacker does.
Secrets without sightlines is the right named concept for this phase of the market. It describes a condition where credential storage exists, but provenance, ownership, and current use cannot be established quickly enough to govern risk. That gap will only widen as agentic automation expands the number of identities and the speed at which credentials are consumed. NHI programmes should assume continuous exposure monitoring is now a baseline control.
For practitioners
- Inventory where secrets actually travel: Map secrets across collaboration platforms, issue trackers, chat systems, code commits, and local files so your inventory reflects real exposure paths, not just vault contents.
- Separate machine identity ownership from application ownership: Assign a named owner for each non-human identity, with review responsibility for scope, rotation, and retirement when the application changes hands.
- Reduce privilege concentration in high-risk AWS identities: Find machine identities with broad permissions, especially full administrator access, and replace them with task-scoped roles and tighter entitlement boundaries.
- Add exposure-driven alerting to secret workflows: Alert on secret appearance in collaboration tools, duplicate storage locations, and stale credentials that remain active after offboarding or project closure.
- Run lifecycle reviews on reused NHIs: Prioritise identities used by more than one application, since reuse increases the blast radius if one credential is exposed or compromised.
Key takeaways
- NHI risk is rising because machine identities now scale faster than the governance processes meant to control them.
- Secrets exposure is moving outside code and vaults into everyday collaboration workflows, which makes lifecycle discipline harder and more important.
- Practitioners should focus on ownership, privilege reduction, and exposure-driven response because those controls shrink blast radius when discovery is incomplete.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet. Note that CSF 2.0 renumbered the access-control subcategories: the least-privilege requirement that CSF 1.1 labelled PR.AC-4 is PR.AA-05 in CSF 2.0, and SP 800-207 uses its own tenets rather than CSF identifiers.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 (2025) | NHI1 Improper Offboarding, NHI2 Secret Leakage, NHI5 Overprivileged NHI, NHI7 Long-Lived Secrets, NHI9 NHI Reuse | Stale tokens after offboarding, secrets copied outside code, full-admin machine identities, unrotated credentials and identities shared across applications each map to a named category. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements must be managed and reviewed on least-privilege principles; the 1-in-20 full-admin AWS identities fail this directly. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets (dynamic, per-session authentication and authorisation, strictly enforced before access) | Continuous verification matters when secrets can be reused and exposed outside code. |
Review machine identity entitlements against PR.AA-05 and replace broad access with task-scoped roles.
Key terms
- Non-Human Identity: A non-human identity is any credentialed digital actor that accesses systems without a person typing the request. That includes service accounts, API keys, tokens, certificates, bots, workloads, and AI agents. In practice, NHIs need their own ownership, lifecycle, and privilege controls because they operate at machine speed.
- Secrets Exposure: Secrets exposure is the unintended disclosure of credentials such as tokens, API keys, and certificates outside approved control paths. It often happens in chat systems, tickets, shared files, or code commits. Once exposed, a secret can be copied rapidly and used before traditional review cycles detect the problem.
- Identity Blast Radius: Identity blast radius is the amount of downstream access that one compromised identity can unlock. It grows when credentials are reused, permissions are broad, or ownership is unclear. The concept is useful because it shifts discussion from how many identities exist to how much damage one failure can cause.
- NHI Lifecycle Management: NHI lifecycle management covers creation, ownership, rotation, review, suspension, and retirement of machine identities. It matters because credentials that are never reassigned or expired tend to accumulate hidden risk over time. Strong lifecycle control is the difference between an inventory and an enforceable governance model.
What's in the full report
Entro Security's full report covers the operational detail this post intentionally leaves for the source:
- The raw breakdown of where exposed secrets are found across collaboration tools, files, and code.
- The NHIDR risk radar categories used to prioritise the most common NHI and secrets failures.
- The practical implications of machine identities outnumbering humans by 144:1 for governance and reporting.
- The top five recurring risk patterns seen across the customer base, with more implementation context.
Deepen your knowledge
NHI lifecycle management, secret exposure control, and privilege scoping are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is dealing with similar identity sprawl and offboarding gaps, it is worth exploring.
Published by the NHIMG editorial team on 2025-09-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org