TL;DR: Organisations average 92 non-human identities for every human identity, 73% of vaults are misconfigured, and 44% of tokens are exposed in the wild, according to Entro Security research, showing that NHI sprawl and secret handling remain systemic risks. The governance problem is not visibility alone, but the failure to control identity lifecycle, rotation, and exposure paths.
At a glance
What this is: This is a research report on non-human identity and secrets mismanagement, with the key finding that NHI sprawl, vault misconfiguration, and exposed tokens are widespread across enterprises.
Why it matters: It matters because identity teams cannot secure machine access, agentic workflows, or human governance if secrets, service accounts, and vaults are still being managed as isolated tactical issues.
By the numbers:
- For each human identity, there are an average of 92 non-human identities.
- 73% of vaults are misconfigured, which opens paths to unauthorized access and exposure of sensitive data.
- 44% of NHI tokens are exposed in the wild, sent or stored in platforms such as Teams, Jira tickets, Confluence pages, and code commits.
👉 Read Entro Security’s research on non-human identity misconfiguration and secret risk
Context
Non-human identity governance is the discipline of controlling machine credentials, tokens, service accounts, certificates, and AI-driven access with the same rigor applied to human identity. Entro Security’s research argues that most organisations still lack that discipline, leaving secrets exposed, vaults misconfigured, and access paths harder to govern than they should be.
The primary issue is not simply scale. When NHIs outnumber human identities by a wide margin, lifecycle mistakes, duplicate secrets, and weak offboarding become structural control failures, not edge cases. That makes this report directly relevant to IAM, PAM, and secrets management programmes that still treat machine identity as a side concern.
Key questions
Q: How should security teams reduce risk from exposed non-human identities?
A: Start by identifying where credentials are stored and used outside approved systems, then remove those copies and replace them with controlled references or managed secrets flows. Exposed NHIs are dangerous because they bypass normal governance, so the goal is to shrink the number of places a usable secret can exist at once.
Q: Why do misconfigured vaults create such a large identity security problem?
A: A vault only protects secrets if access policy, logging, and integration settings are enforced correctly. Misconfiguration turns the vault into a weak store for high-value credentials, and once secrets are copied elsewhere, the vault no longer contains the risk. That is why vault governance is as important as vault adoption.
Q: What do organisations get wrong about NHI rotation and revocation?
A: They often treat rotation as an administrative task instead of a control that limits attacker dwell time. If revocation is not verified everywhere the secret is trusted, the credential may still work after offboarding. Effective lifecycle control requires proof that access is gone, not just a ticket saying it should be gone.
Q: How do service accounts and API keys increase breach impact when overused?
A: When the same non-human identity is reused across multiple applications, a compromise becomes shared across several workloads at once. That expands the blast radius and makes ownership harder to trace. Teams should expect faster propagation, broader remediation, and more difficult containment when one credential supports many systems.
Technical breakdown
Why NHI sprawl breaks access governance
Non-human identity sprawl creates a control problem because every service account, token, and API key adds another entitlement set that must be inventoried, scoped, rotated, and retired. Unlike human access, NHI permissions often persist inside applications, pipelines, and vaults without a clear owner or review cadence. That is why organisations end up with more identities than they can confidently govern. When one identity is reused across multiple workloads, the blast radius expands further because a single compromise can touch several systems at once.
Practical implication: build an authoritative NHI inventory and tie each credential to an owner, workload, and retirement path.
Vault misconfiguration and secret exposure paths
A vault only reduces risk when it is configured to enforce access boundaries, approvals, logging, and separation of duties. When vaults are misconfigured, or when secrets are copied into code, tickets, and collaboration tools, the vault becomes one part of a larger exposure chain rather than a control point. The report’s finding on exposed tokens shows that secrets often leave the intended protection layer entirely. That is a governance failure in both handling and placement, not just in storage technology.
Practical implication: audit where secrets actually live, not just where policy says they should live.
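One way to run the audit described above, and to tie what it finds back to the ownership register the previous section calls for, as an added example (this is not Entro Security's or NHIMG's code). The scanner walks constructed copies of a committed .env file, a Jira ticket, a Confluence runbook and a Teams message, fingerprints every secret with SHA-256 so the report never echoes the value, counts how many places each secret lives, and marks the ones with no registered owner. The token patterns, the location labels, the register entries and the sample artifacts are assumptions for illustration; AKIAIOSFODNN7EXAMPLE is the access key id AWS uses in its own documentation. The same logic serves the practitioner items on building an ownership register and auditing secret storage outside approved controls.

```python
"""Find secrets that have escaped approved storage, count their copies, and
check each one against an ownership register. Added example, not the report's code."""
import hashlib
import re
from collections import defaultdict

# Token shapes are illustrative assumptions, not a complete detector set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[bp]-[0-9A-Za-z-]{10,}\b"),
    # Catch-all for KEY=..., secret: ... style assignments in files and tickets.
    "generic_assignment": re.compile(
        r"(?i)(?:key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
    ),
}


def fingerprint(secret):
    """Stable reference for a secret that never puts the value itself into a report."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan(artifacts):
    """Return one finding per (location, secret). artifacts maps a location label
    (commit, ticket, page, chat message) to its text."""
    seen = set()
    findings = []
    for location, text in artifacts.items():
        for kind, pattern in PATTERNS.items():  # specific patterns run before the catch-all
            for m in pattern.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                fp = fingerprint(value)
                if (location, fp) in seen:
                    continue  # same secret already caught by a more specific pattern
                seen.add((location, fp))
                findings.append({"location": location, "kind": kind, "fp": fp})
    return findings


def report(findings, register):
    """Group findings by secret so duplicated copies and unowned credentials stand out."""
    by_fp = defaultdict(lambda: {"kind": None, "locations": []})
    for f in findings:
        entry = by_fp[f["fp"]]
        entry["kind"] = entry["kind"] or f["kind"]
        entry["locations"].append(f["location"])
    for fp, entry in by_fp.items():
        reg = register.get(fp, {})
        entry["owner"] = reg.get("owner")
        entry["approved_store"] = reg.get("approved_store")
        entry["copies"] = len(entry["locations"])
    return dict(by_fp)


def triage(rep):
    """Two lists to work first: secrets living in more than one place, and secrets nobody owns."""
    return {
        "duplicated": [fp for fp, e in rep.items() if e["copies"] > 1],
        "unowned": [fp for fp, e in rep.items() if e["owner"] is None],
    }


# Constructed sample artifacts: a committed .env, a Jira ticket, a Confluence runbook
# and a Teams message. None of these is an approved secret store.
ARTIFACTS = {
    "git:commit 4f2a1c/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "jira:OPS-4417": "Deploy failing, workaround: export GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8",
    "confluence:Nightly export runbook": "Use access key AKIAIOSFODNN7EXAMPLE for the nightly S3 export.",
    "teams:#platform-eng": "anyone have the bot token? xoxb-1234567890-abcdefghij works for me",
}

# Constructed ownership register keyed by fingerprint: only the AWS key id has an owner.
REGISTER = {
    fingerprint("AKIAIOSFODNN7EXAMPLE"): {
        "owner": "data-platform",
        "approved_store": "vault:kv/data-platform/aws",
    },
}

if __name__ == "__main__":
    rep = report(scan(ARTIFACTS), REGISTER)
    for fp, entry in rep.items():
        print(fp, entry["kind"], "copies:", entry["copies"],
              "owner:", entry["owner"] or "NONE", entry["locations"])
    print(triage(rep))
```

The report is keyed by fingerprint rather than by the secret so it can be pasted into a ticket without creating yet another exposure. Every location in the sample is outside approved storage, so each finding is a control failure; the AWS key id shows up twice, which is the duplication case the report warns about, and the GitHub and Slack tokens have no owner in the register at all.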
Rotation, revocation, and the lifecycle gap
NHI lifecycle control depends on timely rotation and reliable revocation, but those are often the weakest parts of the programme. Long rotation intervals, duplicated secrets, and tokens that are never retired create a persistence window that attackers can exploit long after the original business use has ended. Former employee tokens that remain active are especially dangerous because they combine stale access with unclear ownership. In practice, lifecycle breakdown is what turns a manageable credential into a standing exposure.
Practical implication: align rotation and offboarding processes to workload reality, then verify that revocation actually removes access everywhere.
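The verification step above needs evidence, not a closed ticket. As an added example (not the report's or NHIMG's code), the check below takes an inventory of credentials with the systems that trust each one, reads constructed auth logs from those systems, and classifies every trust point after the retirement time as still accepting the credential, proven revoked, or lacking any evidence either way. It also flags live credentials whose age exceeds a rotation policy keyed to sensitivity. The log format, inventory fields, system names and rotation intervals are assumptions; the edge case shown is a CI runner that keeps accepting a retired token because it holds its own copy, plus a legacy host that produces no logs at all. The same check covers the practitioner item on shortening rotation and enforcing revocation verification, and the earlier question on what organisations get wrong about rotation and revocation.

```python
"""Prove that a retired credential no longer works anywhere that trusts it, and flag
credentials overdue for rotation. Added example with constructed data."""
import re
from datetime import datetime, timedelta, timezone

# Assumed log shape (constructed for this example):
#   <ISO8601 UTC> <system> auth principal=<identity> result=<success|denied>[ reason=...]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) auth principal=(?P<principal>\S+) result=(?P<result>\S+)"
)

# Assumed rotation policy by sensitivity; the report argues for rotation but sets no intervals.
MAX_AGE = {"high": timedelta(days=30), "medium": timedelta(days=90), "low": timedelta(days=180)}


def ts(s):
    """Parse the UTC timestamps used in the inventory and the logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_logs(text):
    """Turn merged auth log lines into events; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = ts(e["ts"])
            events.append(e)
    return events


def revocation_status(cred, events):
    """For each system that trusts the credential, what the logs prove after retired_at:
    'still_accepted' (a success after retirement), 'revoked' (only denials), or
    'no_evidence' (no post-retirement attempts, so nothing is proven)."""
    retired_at = ts(cred["retired_at"])
    status = {}
    for system in cred["trusted_by"]:
        after = [e for e in events
                 if e["system"] == system and e["principal"] == cred["name"] and e["ts"] > retired_at]
        if not after:
            status[system] = "no_evidence"
        elif any(e["result"] == "success" for e in after):
            status[system] = "still_accepted"
        else:
            status[system] = "revoked"
    return status


def revocation_proven(status):
    """Revocation counts only when every trusting system has demonstrably denied the credential."""
    return bool(status) and all(s == "revoked" for s in status.values())


def rotation_overdue(cred, now):
    """Live credentials older than the interval for their sensitivity are overdue."""
    if cred["retired_at"]:
        return False
    return now - ts(cred["issued_at"]) > MAX_AGE[cred["sensitivity"]]


def lifecycle_report(inventory, events, now):
    """Retired credentials whose revocation is unproven, and live ones overdue for rotation."""
    unproven, overdue = {}, []
    for cred in inventory:
        if cred["retired_at"]:
            status = revocation_status(cred, events)
            if not revocation_proven(status):
                unproven[cred["name"]] = status
        elif rotation_overdue(cred, now):
            overdue.append(cred["name"])
    return {"unproven_revocations": unproven, "rotation_overdue": overdue}


# Constructed inventory: the retired deploy token is trusted by four systems, including
# a legacy cron host that sends no logs. Names, owners and systems are assumptions.
INVENTORY = [
    {"name": "svc-deploy", "owner": "platform", "sensitivity": "high",
     "issued_at": "2024-11-01T00:00:00Z", "retired_at": "2025-03-01T12:00:00Z",
     "trusted_by": ["ci-runner", "api-gateway", "cloud-iam", "legacy-cron"]},
    {"name": "svc-billing-export", "owner": "finance-eng", "sensitivity": "high",
     "issued_at": "2024-10-01T00:00:00Z", "retired_at": None, "trusted_by": ["cloud-iam"]},
    {"name": "svc-metrics", "owner": "sre", "sensitivity": "low",
     "issued_at": "2025-01-15T00:00:00Z", "retired_at": None, "trusted_by": ["api-gateway"]},
]

# Constructed auth logs merged from the trusting systems around the offboarding date.
SAMPLE_LOGS = """
2025-02-28T08:00:00Z ci-runner auth principal=svc-deploy result=success
2025-03-01T13:20:44Z api-gateway auth principal=svc-deploy result=denied reason=revoked
2025-03-02T09:14:07Z ci-runner auth principal=svc-deploy result=success
2025-03-02T09:14:09Z cloud-iam auth principal=svc-deploy result=denied reason=key_inactive
2025-03-02T10:00:00Z cloud-iam auth principal=svc-billing-export result=success
2025-03-02T11:00:00Z api-gateway auth principal=svc-metrics result=success
"""

NOW = ts("2025-03-03T00:00:00Z")

if __name__ == "__main__":
    print(lifecycle_report(INVENTORY, parse_logs(SAMPLE_LOGS), NOW))
```

The offboarding ticket for svc-deploy would normally be closed once the vault and the IAM console show the key inactive. The log check refuses to close it: the CI runner still authenticated successfully after the retirement time, and the legacy host has produced no evidence at all, so the credential is reported as unproven until both are dealt with. Treat "no_evidence" as a finding in its own right; a trust point that never logs cannot be verified.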
Threat narrative
Attacker objective: The attacker wants to convert a single exposed or stale machine credential into persistent access across multiple systems and data paths.
- Entry occurs when exposed secrets, duplicated tokens, or misconfigured vaults reveal usable non-human credentials in code, tickets, collaboration tools, or external platforms.
- Escalation follows when excessive privileges and overused identities let the attacker move beyond the original secret into broader application or environment access.
- Impact emerges through unauthorized access, data exposure, or system manipulation, especially where a single NHI is reused across multiple workloads or third parties.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- MongoBleed — exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Non-human identity misconfiguration is now a governance problem, not a tooling problem. The report shows that organisations have scaled machine access faster than they have scaled control ownership. That means entitlement review, vault hygiene, and revocation discipline are no longer edge tasks for security engineering. The implication is that NHI governance must be treated as a standing identity programme, not as an adjunct to DevOps.
Exposure of secrets is the failure mode that turns every other weakness into a breach path. Once tokens are copied into tickets, code, or collaboration platforms, the protection model collapses because the credential has already escaped the intended control plane. That is why the report’s exposed-token finding is more important than isolated misconfiguration counts. Practitioners should read this as evidence that the boundary between approved and unapproved secret storage is still too porous.
Overuse and duplication create identity blast radius that conventional ownership models miss. When one NHI supports multiple applications, or when the same secret exists in several places, accountability becomes fragmented and incident scope expands. A credential compromise is then no longer a single-workload event but a shared-service incident. The implication is that NHI ownership must be workload-specific and enforced at creation time, not discovered during review.
Standing privilege is the hidden premise behind most NHI risk, and this report shows that premise still dominates enterprise practice. The fact that 97% of NHIs carry excessive privileges indicates that least privilege is often theoretical at provisioning time and absent in operation. That is the control gap attackers exploit when secrets are exposed or vaults are weak. Practitioners need to treat privilege scope as a living governance object, not a one-time setup choice.
Identity lifecycle failure is the true persistence layer of machine compromise. Former employee tokens that remain active, secrets that are not rotated, and vaults that are approved without proper security review all point to a broken lifecycle model. The programme implication is that JML-style governance must be extended to service accounts, API keys, and machine tokens with the same seriousness as human offboarding.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to our Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why lifecycle and ownership controls continue to lag.
- For a deeper lifecycle lens, the Lifecycle Processes for Managing NHIs section of our Ultimate Guide to NHIs shows how provisioning, rotation, and offboarding should fit together.
What this signals
Identity programmes should expect NHI control debt to surface first in secret sprawl, not in access reviews. The operational signal is that credentials are being copied into places where review processes never look, which makes discovery and containment more urgent than periodic certification. The 2026 line of travel is toward tighter secret locality, stronger owner mapping, and less tolerance for duplicated credentials.
The strongest next step is to connect vault governance, offboarding, and workload ownership into a single control loop rather than separate tickets. That is where machine identity risk becomes manageable, because the programme can finally answer who owns the credential, where it lives, and when it should die.
Service account governance is becoming a Zero Trust requirement, not just an IAM hygiene issue. Ninety percent of IT leaders say properly managing NHIs is essential for a successful Zero Trust implementation, according to our Ultimate Guide to NHIs, which points to a structural shift in how programmes should be built. If NHIs remain invisible or over-privileged, Zero Trust stops at the human edge.
For practitioners
- Build a complete NHI ownership register: Map every service account, token, API key, certificate, and workload identity to a named owner, a business purpose, and a retirement trigger. Use that register as the source of truth for reviews and offboarding, not as a reporting artifact.
- Audit secret storage outside approved controls: Scan code repositories, tickets, chat tools, documentation, and CI/CD systems for secrets that should not be there. Remove duplicates, reduce spread, and treat every unexpected copy as a control failure rather than a convenience issue.
- Tighten vault approval and configuration checks: Require security approval before onboarding new vaults, then validate policy, logging, access boundaries, and integration settings before production use. Misconfiguration at creation time is much harder to fix once the vault becomes a central dependency.
- Shorten rotation and enforce revocation verification: Set rotation schedules based on workload sensitivity and verify that revocation removes access in every system that trusts the credential. Do not assume deprovisioning succeeded until the token, key, or account is no longer usable.
Key takeaways
- Entro Security’s research shows that machine identity risk is being amplified by poor visibility, over-privilege, and secret exposure rather than by a single isolated flaw.
- The scale of the issue is already high enough to create broad operational damage, which means rotation, offboarding, and vault discipline now belong in core identity governance.
- Security teams should treat NHI inventory, secret locality, and revocation verification as interconnected controls that determine whether a compromise stays small or spreads.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 Improper Offboarding, NHI-02 Secret Leakage, NHI-05 Overprivileged NHI, NHI-07 Long-Lived Secrets, NHI-09 NHI Reuse | Offboarding failures, exposed tokens, excessive privilege, stale secrets, and reused identities are the report's core findings. |
| NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Identities and credentials for users, services, and hardware are managed (PR.AA-01); access permissions and entitlements are enforced and reviewed under least privilege (PR.AA-05), which applies to machine credentials as much as to people. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Per-session, least-privilege access and continuous evaluation of trust apply to workloads and services, not only to users, which is the gap NHI access sprawl exposes. |
Apply least-privilege principles to service accounts, tokens, and workload identities.
Key terms
- Non-Human Identity: A non-human identity is a machine credential used by software, workloads, services, or automation to authenticate and access resources. It includes service accounts, API keys, tokens, certificates, and similar secrets that must be owned, scoped, rotated, and retired like any other identity asset.
- Secret Exposure: Secret exposure occurs when a credential leaves its intended protection boundary and appears in code, tickets, chat tools, logs, or other uncontrolled locations. Once exposed, the secret can be copied, replayed, or reused, which makes the original storage control far less relevant than the exposure path itself.
- Identity Blast Radius: Identity blast radius is the amount of damage that can follow from a single credential compromise. In NHI environments it grows quickly when one identity is reused, over-privileged, or shared across multiple workloads, because the compromise is no longer isolated to one system or one task.
What's in the full report
Entro Security's full research report covers the operational detail this post intentionally leaves for the source:
- Per-category breakdowns of NHI and secret misconfiguration patterns across environments and industries
- The research context behind overuse, duplication, rotation, and offboarding failures in machine identity management
- Additional findings on vault diversity, third-party exposure, and where secrets are most likely to leak
- The full narrative and supporting data behind the report's conclusions on lifecycle controls and exposure paths
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2024-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org