By NHI Mgmt Group Editorial Team
Published 2025-01-27
Domain: Governance & Risk
Source: Entro Security

TL;DR: Gartner says 57% of organisations are worried about leaked secrets in automated workflows and AI implementations, underscoring how discovery gaps leave NHIs, API keys, and service accounts exposed across cloud, CI/CD, and collaboration tools. Continuous inventory, not periodic scanning, is now the baseline control.


At a glance

What this is: This is an analysis of why non-human identity discovery and inventory fail when secrets, service accounts, and automated workflows spread across clouds, pipelines, and collaboration tools.

Why it matters: It matters because IAM teams cannot govern what they cannot enumerate, and hidden NHI sprawl creates privilege, rotation, and blast-radius risk that traditional human-centric controls miss.



Context

Non-human identity discovery and inventory is the problem of finding every service account, API key, token, certificate, and automated workflow that can authenticate on behalf of software. The article argues that most enterprises still cannot see the full set of NHIs, especially when they are distributed across cloud vaults, source control, CI/CD systems, collaboration tools, and infrastructure code.

That visibility gap matters because each unseen credential expands the attack surface and weakens IAM governance. If a team cannot map where a secret lives, how often it changes, and which system uses it, then rotation, access review, and privilege reduction become reactive instead of controlled.

The article's starting position is typical of modern enterprises, not exceptional, because NHI sprawl now follows normal cloud and automation patterns rather than rare misconfiguration.


Key questions

Q: How should security teams inventory non-human identities across cloud and CI/CD environments?

A: They should build one inventory that correlates secrets, service accounts, tokens, and certificates across repositories, vaults, pipelines, and runtime systems. The goal is not just discovery, but ownership, active status, and lifecycle state. That lets teams see duplicates, orphaned credentials, and hidden privilege paths before they become incident drivers.

Q: Why do non-human identities create more governance risk than human user accounts?

A: NHIs are often long-lived, widely distributed, and embedded in automation, so they can be overlooked for months while still carrying meaningful access. They also scale faster than human review processes can track. That makes privilege drift, stale secrets, and hidden trust relationships more likely than in human IAM alone.

Q: What is the difference between secret scanning and non-human identity discovery?

A: Secret scanning finds exposed credentials in a specific place, such as a repository or log. Non-human identity discovery connects those credentials to the systems, owners, permissions, and workflows that use them. In practice, discovery answers whether a credential exists, while inventory answers whether it still matters and what it can reach.

Q: When should organisations treat an NHI as a high-priority security risk?

A: They should escalate any NHI with production access, cross-account reach, inherited admin privilege, or unclear ownership. Those traits expand the likely blast radius if the credential is exposed or abused. A high-priority NHI is one that can affect many systems before it is detected, so that a slow response makes containment harder.


Technical breakdown

How NHI discovery breaks down across storage layers

Non-human identities are rarely stored in one place. Vaults, Git repositories, CI/CD variables, Kubernetes manifests, collaboration threads, and cloud-native IAM services each hold different parts of the identity picture. Discovery fails when tools scan one layer well but cannot correlate credentials across layers, because the same secret may appear in code, logs, and runtime environments with different contexts. The hard part is not finding a token once, but understanding whether it is active, duplicated, inherited, or exposed through a workflow that regenerates it automatically.

Practical implication: inventory tooling must correlate secrets across code, runtime, and collaboration systems before teams can trust any asset register.

Why lifecycle context matters more than static scanning

Static scans identify exposed material, but they do not explain whether an NHI is still in use, who owns it, or whether revocation will break production. Lifecycle context ties discovery to provisioning, rotation, access review, and decommissioning. That context is what turns raw findings into governance decisions. Without it, teams create false confidence by counting secrets instead of managing their exposure window. The real issue is not just secret existence, but secret persistence after it should have been retired.

Practical implication: build discovery around ownership and lifecycle state, not just repository or vault location.

How blast radius changes when NHIs have inherited privilege

Many NHIs accumulate access through role inheritance, cross-account trust, and automation defaults. A service account may begin as a narrow integration identity and end up with admin reach across multiple systems. That is why discovery must feed risk analysis, not just asset cataloguing. The architecture question is whether each identity can be tied to a bounded purpose and a measurable privilege footprint. Once that link is missing, the identity becomes an invisible escalation path rather than a controlled automation primitive.

Practical implication: connect each discovered NHI to effective permissions so privilege reduction can target the highest blast-radius accounts first.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Discovery without lifecycle context is inventory theatre. Counting secrets or service accounts does not produce governance if teams cannot connect each identity to an owner, runtime use, and retirement path. The practical result is that remediation stays manual, slow, and inconsistent, while exposed credentials remain valid far longer than their designers intended. Practitioners should treat discovery as the start of control, not the control itself.

Non-human identity sprawl is now a structural IAM issue, not a tooling gap. Cloud automation, CI/CD, and AI workflows create credentials faster than periodic review cycles can absorb them. That means the security model has to shift from periodic visibility to continuous identity governance across code, runtime, and collaboration surfaces. Practitioners should assume the inventory problem will worsen unless lifecycle ownership is explicit.

Identity blast radius is the right concept for NHI risk prioritisation. The security question is no longer how many secrets exist, but how far a compromised identity can reach across accounts, pipelines, and data systems. That framing makes overprivilege visible and lets teams rank remediation by impact instead of by scan volume. Practitioners should prioritise the identities with the widest effective access first.

Continuous discovery becomes essential once AI systems start carrying credentials. Autonomous systems do not just consume identity material, they multiply the number of places where trust must be managed. That creates a new class of shadow NHI exposure if teams assume human-style access review is enough. Practitioners should extend governance to machine workflows before AI adoption outpaces control design.

From our research:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • Internal repositories are 6x more likely to contain secrets than public ones, at 32.2% versus 5.6%, which means private code cannot be treated as low-risk by default.
  • For a broader framework on the control problem, see Guide to the Secret Sprawl Challenge and map discovery to rotation, ownership, and containment.

What this signals

Secret discovery has to become an always-on governance function. A one-time scan may satisfy reporting, but it does not keep pace with CI/CD churn, collaboration leaks, or AI-assisted development. With 28% of secrets incidents now originating outside code repositories, teams need monitoring that covers Slack, Jira, Confluence, and runtime logs as part of normal operations, not exception handling.

That shift also means identity programmes should stop treating repositories as the main boundary. The operating model now has to assume that credentials will surface in workflow tools, not just in source code, and that the remediation clock starts when exposure occurs, not when a quarterly review begins.

Identity blast radius should shape control investment. The right programme question is which NHIs can reach production, data stores, or cross-account trust first, because those are the identities most likely to create material loss. Prioritising by reach gives security leaders a defensible way to sequence remediation when inventory is incomplete.


For practitioners

  • Build a unified NHI inventory across code, cloud, and collaboration tools: Correlate secrets found in repositories, vaults, CI/CD systems, chat platforms, and cloud IAM so duplicate or orphaned credentials are not counted as separate assets. Use the Guide to the Secret Sprawl Challenge and the OWASP Non-Human Identity Top 10 to structure coverage.
  • Attach ownership and lifecycle state to every discovered credential: Record who owns the identity, where it runs, whether it is active, and when it should be rotated or decommissioned. Without that metadata, revocation and access review remain manual and slow.
  • Rank remediation by effective blast radius: Prioritise credentials with cross-account access, production reach, or inherited admin rights before low-impact development secrets. Use the 52 NHI Breaches Analysis to inform which patterns tend to produce the widest downstream damage.
  • Move from periodic scans to continuous discovery: Monitor for new secrets in commit histories, build logs, configuration files, and collaboration threads as part of normal control operations, not as quarterly cleanup. Automated detection should feed a live inventory rather than a static report.
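As an added example (not code from this post, the source article, or Entro Security), the following Python sketches the three steps described in the technical breakdown and in the practitioner list above: findings from several storage layers are merged into one record per secret fingerprint, each record is tagged with ownership and rotation state, and records are ordered by a heuristic blast-radius score. The sample findings, the evaluation date, the 90-day rotation policy, and the score weights are all assumptions.

```python
import hashlib
from datetime import date

TODAY = date(2025, 1, 27)   # assumed evaluation date (the post's date)
MAX_AGE_DAYS = 90           # assumed rotation policy
# Constructed findings (placeholder values, not real credentials); "key-A" surfaces in 3 layers.
FINDINGS = [
    dict(where="git:app/config.py", value="key-A", owners=[],
         rotated="2022-03-01", perms=["s3:*"], accounts=["prod-1"]),
    dict(where="gitlab:var/AWS_KEY", value="key-A", owners=["team-data"],
         rotated="2022-03-01", perms=["s3:*", "iam:PassRole"], accounts=["prod-1", "prod-2"]),
    dict(where="slack:#ops", value="key-A", owners=[],
         rotated=None, perms=[], accounts=[]),
    dict(where="vault:kv/dev/db", value="key-B", owners=["team-dev"],
         rotated="2024-12-20", perms=["db:read"], accounts=["dev-9"]),
    dict(where="git:infra/main.tf", value="key-C", owners=[],
         rotated="2023-06-10", perms=["*"], accounts=["prod-1", "prod-2", "audit-3"]),
]

def fingerprint(value):
    # Correlate on a hash so the inventory never stores the raw secret.
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def blast_radius(rec):
    # Heuristic: accounts reached, +5 per wildcard grant, +3 for production reach, +2 if orphaned.
    score = len(rec["accounts"])
    score += 5 * sum(1 for p in rec["perms"] if p == "*" or p.endswith(":*"))
    score += 3 if any(a.startswith("prod") for a in rec["accounts"]) else 0
    return score + (2 if not rec["owners"] else 0)

def build_inventory(findings):
    # One record per secret, merging every location, owner, grant and account seen.
    inv = {}
    for f in findings:
        rec = inv.setdefault(fingerprint(f["value"]), dict(
            locations=[], owners=set(), perms=set(), accounts=set(), rotated=None))
        rec["locations"].append(f["where"])
        rec["owners"].update(f["owners"])
        rec["perms"].update(f["perms"])
        rec["accounts"].update(f["accounts"])
        rec["rotated"] = max(rec["rotated"] or "", f["rotated"] or "") or None  # ISO strings sort by date
    for rec in inv.values():
        rec["orphaned"] = not rec["owners"]
        age = (TODAY - date.fromisoformat(rec["rotated"])).days if rec["rotated"] else None
        rec["stale"] = age is None or age > MAX_AGE_DAYS
        rec["blast_radius"] = blast_radius(rec)
    return inv

def ranked(inv):
    # Remediation order: widest effective reach first.
    return sorted(inv, key=lambda k: inv[k]["blast_radius"], reverse=True)
```

Running `ranked(build_inventory(FINDINGS))` puts the orphaned wildcard credential from the Terraform file first, the three-layer duplicate second, and the owned, recently rotated vault entry last.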

Key takeaways

  • Non-human identity discovery is an IAM control problem, not a documentation exercise.
  • Secrets that remain valid after exposure show why inventory must be paired with revocation and lifecycle management.
  • Practitioners should prioritise continuous discovery and blast-radius-based remediation to reduce hidden automation risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and inventory are core to identifying exposed non-human identities.
NIST CSF 2.0 | ID.AM-1 | Asset management is required before identity risk can be governed.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Non-human identities need continuous verification, not static trust.

Apply least-privilege and continuous verification to machine identities that can reach production systems.


Key terms

  • Non-Human Identity: A non-human identity is any credentialed machine actor that authenticates to systems on its own behalf. That includes service accounts, API keys, tokens, certificates, and autonomous agents. These identities often outnumber human users and can hold broader, longer-lived access.
  • Secrets Sprawl: Secrets sprawl is the uncontrolled spread of credentials across code, pipelines, chat tools, vaults, and infrastructure. It creates hidden copies, unclear ownership, and longer exposure windows. The governance challenge is not just locating secrets, but keeping them rotated, revocable, and tied to a responsible owner.
  • Identity Blast Radius: Identity blast radius is the amount of damage a compromised credential can cause across systems, data, and trust relationships. It reflects effective permissions, inheritance, and cross-account reach. Practitioners use it to prioritise which identities deserve the fastest containment and strongest controls.

What's in the full article

The article's full analysis covers the operational detail this post intentionally leaves for the source:

  • Vendor walkthrough of continuous discovery across repositories, vaults, CI/CD systems, and collaboration tools
  • Platform-specific enrichment details for ownership, permissions, and usage history
  • Automated response workflows for rotation, policy enforcement, provisioning, and decommissioning
  • Integration examples for AWS Secrets Manager, Azure Key Vault, GitHub secrets, Kubernetes secrets, SIEM, and SOAR


Deepen your knowledge

Non-human identity discovery and inventory are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme from a similar starting point, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-01-27.