By NHI Mgmt Group Editorial Team | Published 2025-09-10 | Domain: Governance & Risk | Source: GitGuardian

TL;DR: GitGuardian’s 2025 data shows 23,770,171 new hardcoded secrets were added to public GitHub repositories in 2024, 4.61% of 69.6 million public repositories still contained at least one secret, and 70% of secrets leaked in 2022 were still valid when the 2025 report was compiled. The operational problem is no longer detection alone, but whether organisations can revoke and govern non-human identities fast enough to reduce blast radius.


At a glance

What this is: GitGuardian’s 2025 report shows secrets sprawl is still expanding across public code, private repositories, collaboration tools, and containers.

Why it matters: For IAM and NHI practitioners, the finding reinforces that credential exposure is a lifecycle problem, not just a code-scanning problem.

By the numbers:

  • 23,770,171 new hardcoded secrets added to public GitHub repositories in 2024.
  • 4.61% of 69.6 million public repositories contained at least one secret.
  • 70% of secrets leaked in 2022 were still valid at the time of the 2025 report.

👉 Read GitGuardian's State of Secrets Sprawl 2025 report


Context

Secrets sprawl is the accumulation of credentials, tokens, keys, and certificates across code, collaboration tools, containers, and other systems where they are hard to inventory and harder to revoke. For NHI governance, the issue is not just leakage at the point of creation. It is the long tail of valid secrets that survive after exposure and remain usable in production paths.

GitGuardian’s report is useful because it connects leakage patterns to operational outcomes rather than treating secret discovery as a standalone hygiene metric. The data suggests that private repositories, generic credentials, and collaboration platforms are all part of the same governance failure. That is a typical enterprise condition, not an edge case, which is why the control discussion has to move from detection to lifecycle enforcement.


Key questions

Q: How should security teams reduce the risk from leaked non-human credentials?

A: Security teams should treat leaked non-human credentials as an identity lifecycle issue. The right response is immediate revocation, forced rotation of dependent secrets, ownership assignment, and a verified recovery path for the affected service. Detection matters, but the real control is how quickly a leaked credential stops being usable.

Q: Why do private repositories still create NHI risk?

A: Private repositories still create NHI risk because privacy does not equal control. Secrets leak through misconfigurations, forks, compromised accounts, and weak review processes, and once a credential is valid, the attacker does not need public access. Teams should apply the same scanning, rotation, and access rules to private code as they do to public code.

Q: What is the difference between secret detection and secret governance?

A: Secret detection finds exposed credentials, while secret governance makes them safe to use, rotate, or retire. Detection is a point-in-time control. Governance is a lifecycle discipline that includes inventory, ownership, expiry, revocation, and exception handling across repositories, runtime systems, and collaboration tools.

Q: When does secret sprawl become a business continuity problem?

A: Secret sprawl becomes a business continuity problem when exposed credentials remain valid long enough to be reused in production. At that point, the issue is not only data exposure but service abuse, cloud misuse, and outage risk. Organisations need revocation speed and dependency mapping, or leaked secrets will keep creating operational incidents.


Technical breakdown

Why secrets sprawl becomes an NHI lifecycle problem

A secret is not just a leaked string. It is an identity artifact that confers access until it expires, is rotated, or is revoked. In modern environments, those artifacts appear in source control, CI pipelines, collaboration tools, and container images, which means the exposure surface is broader than application code. The technical failure is usually not one event but weak lifecycle control: no inventory, no ownership, no expiry discipline, and no reliable revocation path when a leak is detected.

Practical implication: Treat every secret as a managed NHI with an owner, expiry, and revocation workflow.

Why generic secrets are harder to stop than pattern-based leaks

Pattern-based secret detection works best when a vendor token has a recognisable format: a fixed prefix, a known length, or a checksum. Generic credentials, such as database passwords, opaque internal API keys, and connection strings, follow no stable pattern, so they slip past many push protections and detection rules. That matters because generic secrets are often the most dangerous class in modern pipelines: they tend to guard internal systems, and there is no vendor partner programme that will recognise and revoke them on your behalf. If security controls only catch known formats, teams end up defending the past while the highest-risk credentials continue to move through build systems and collaboration channels.

Practical implication: Add content-aware scanning and context-based policy checks instead of relying on token prefixes alone.

Why containers and collaboration tools expand the attack surface

Public images and chat systems often sit outside the security model used for source code, yet both can carry valid credentials. A value set with a Dockerfile ENV instruction persists in the image configuration, and one passed through ARG remains visible in the layer history, so either is recoverable from a pulled image even when a later layer deletes the file that used it. Slack, Jira, and Confluence likewise expose operational tokens in tickets, logs, and handoffs. The technical lesson is that secret exposure is platform-agnostic. Any system that stores, forwards, or snapshots operational data can become a secret distribution path if lifecycle controls are weak.

Practical implication: Extend secret discovery and response controls beyond repositories to runtime images and collaboration platforms.
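The two breakdowns above (generic secrets that evade prefix rules, and surfaces beyond source code) call for the same scanner, so here is one added example that serves both. It is illustrative code written for this page, not GitGuardian's detector or anything from NHI Mgmt Group. It pairs simplified prefix rules with a content-aware check (credential-like variable name plus an entropy test on the assigned literal), then runs over three constructed inputs: a source file, the Env list of an OCI image config (the shape you get back from an image inspect), and a chat export. The token patterns, file names, channel name, threshold and sample values are all assumptions; AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.

```python
"""Added example (not GitGuardian's or NHIMG's code): a small secret finder
that pairs prefix rules with a content-aware check for generic credentials,
then runs over three constructed surfaces: a source file, an OCI image
config's Env list, and a chat export. The token patterns are simplified
illustrations, not vendor-exact detectors."""
import json
import math
import re
from collections import Counter

# Prefix rules: they only fire on tokens with a recognisable, stable format.
PREFIX_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]{10,}-[0-9]{10,}-[A-Za-z0-9]{24}\b"),
}

# Content-aware rule for generic secrets: a credential-like name assigned a
# literal of 8+ characters. Whether it is a secret is decided by entropy.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*?(password|passwd|pwd|secret|token|api[_-]?key|auth)\w*"
    r"\s*[=:]\s*['\"]?([^\s'\";,]{8,})"
)
PLACEHOLDERS = ("changeme", "password", "example", "xxxxxxxx", "redacted")
NOT_A_LITERAL = re.compile(r"[\[\](){}]|^\$")  # env lookups, calls, templates
ENTROPY_THRESHOLD = 3.0  # bits per character (assumed); tune on your own corpus


def shannon_entropy(value: str) -> float:
    """Bits per character; a 20-char token of distinct characters scores ~4.3."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _finding(source: str, lineno: int, rule: str, kind: str, value: str) -> dict:
    # Never log the full secret; keep enough to locate it for rotation.
    return {"source": source, "line": lineno, "rule": rule, "kind": kind,
            "redacted": value[:4] + "..." + str(len(value))}


def scan_text(text: str, source: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for rule, rx in PREFIX_RULES.items():
            for m in rx.finditer(line):
                seen.add(m.group(0))
                findings.append(_finding(source, lineno, rule, "prefix", m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value in seen or NOT_A_LITERAL.search(value):
                continue  # already reported by a prefix rule, or not a literal
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue  # documentation placeholder, not a live credential
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(_finding(source, lineno, "generic_credential", "generic", value))
    return findings


# Constructed inputs (assumed). AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
SOURCE_FILE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = os.environ["DB_PASSWORD"]
db_password = "changeme"
service_token = "q7Zp2mX9vL4kR8tW1bN6"
"""
IMAGE_CONFIG = json.dumps({"config": {"Env": [
    "PATH=/usr/local/bin:/usr/bin",
    "INTERNAL_API_KEY=7f3c9e1ab2d4e6f8a0b1c2d3",
]}})
CHAT_EXPORT = json.dumps([
    {"user": "alice", "text": "deploy is stuck, can someone check?"},
    {"user": "bob", "text": "use xoxb-1234567890-1234567890-AbCdEfGhIjKlMnOpQrStUvWx until we rotate"},
])


def scan_surfaces() -> list[dict]:
    """Flatten each surface into lines so one scanner covers all of them."""
    env_lines = "\n".join(json.loads(IMAGE_CONFIG)["config"]["Env"])
    chat_lines = "\n".join(f"{m['user']}: {m['text']}" for m in json.loads(CHAT_EXPORT))
    findings = []
    for name, text in {"app/settings.py": SOURCE_FILE,
                       "image:config.Env": env_lines,
                       "slack:#ops": chat_lines}.items():
        findings.extend(scan_text(text, name))
    return findings


if __name__ == "__main__":
    for finding in scan_surfaces():
        print(finding)
```

On the constructed inputs the scanner reports four findings: the AWS key id and the generic service token in the source file, the hex API key in the image Env list, and the Slack token pasted into chat; the `os.environ[...]` lookup and the `changeme` placeholder are correctly ignored. The caveat a practitioner should carry away is the entropy floor: a low-entropy human password such as `hunter22` scores under 3 bits per character and is missed, which is exactly why generic credentials are harder to stop than prefixed tokens and why the report pairs scanning with lifecycle controls rather than relying on detection alone.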


Threat narrative

Attacker objective: The attacker wants to turn a single exposed credential into persistent access to production systems and sensitive data.

  1. Entry occurs when a valid secret is committed to public code, embedded in a container layer, or pasted into a collaboration tool with broad access.
  2. Escalation follows when the exposed credential is reused before rotation, allowing direct access to cloud, source control, or application services.
  3. Impact is sustained access, lateral movement, or data theft because the secret remains valid long after discovery.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Secrets sprawl is now an identity governance problem, not a code-quality issue. Once a credential is valid, the security outcome depends on lifecycle controls, not just discovery. That shifts responsibility from developers alone to IAM, platform security, and cloud operations. The practitioner implication is simple: if you cannot inventory, revoke, and reissue secrets quickly, you do not control the identity surface.

Ephemeral credential trust debt is the right way to describe today’s exposure model. Organisations keep adopting more short-lived patterns, but legacy secrets remain valid far longer than their intended use. That creates a debt stack where each new leak compounds prior exposure. Security programmes should measure how much standing access still exists, because that is where breach dwell time is born.

Private repositories are not a safe boundary for NHI governance. The report’s private-repo findings reinforce a familiar pattern: teams lower their guard when the repository is not public, yet secrets still leak through misconfiguration, access sprawl, and poor review discipline. The implication for practitioners is to apply the same controls to private code as to public code, then validate them with continuous scanning.

Collaboration systems must be treated as secret-bearing infrastructure. Slack, Jira, and Confluence increasingly carry operational credentials because teams use them to coordinate incidents and deployments. That means the data loss boundary has expanded beyond source code and into business workflows. Practitioners should align detection, access review, and redaction controls across those systems or accept recurring exposure.

From our research:

  • 88% of security professionals are concerned about secrets sprawl, with 49% of those in larger organisations described as "very concerned", according to the 2024 State of Secrets Management Survey.
  • 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management.
  • That is why the Guide to the Secret Sprawl Challenge is the right next step for teams that need to move from detection to lifecycle enforcement.

What this signals

Ephemeral credential trust debt: organisations are layering short-lived identity patterns on top of long-lived secrets, which means the residual risk is now more about what stays valid than what gets discovered. That is the governance gap teams should measure first, because revocation latency determines how much exposure an attacker can actually use.

The programme-level implication is that IAM, cloud, and engineering teams need a shared secret ownership model, not separate hygiene checklists. Controls like inventory, expiry, and revocation only work when they are enforced across repositories, collaboration systems, and runtime environments.

Teams that already align with the NIST AI Risk Management Framework should extend governance to AI-assisted development paths, where secret exposure can scale with automation. The key question is no longer whether secrets leak, but whether the organisation can make them unusable before they are exploited.


For practitioners

  • Build a complete secret inventory across all environments: Map secrets in repositories, CI/CD, containers, collaboration tools, and cloud services into a single ownership model. Include service accounts, API keys, tokens, and certificates, then assign each item an owner and expiry policy.
  • Enforce rotation and revocation SLAs for exposed credentials: Set a time-bound response playbook that revokes exposed secrets immediately, rotates dependent credentials, and validates downstream service continuity. Use incident severity to define maximum remediation windows rather than relying on ad hoc ticket queues.
  • Expand scanning beyond source code: Scan container layers, build configs, tickets, chat exports, and documentation for secrets, especially generic credentials that evade pattern-based controls. Pair detection with policy checks that block high-risk exposures before merge or release.
  • Move non-human identities to short-lived access by default: Replace static credentials with ephemeral alternatives wherever the platform supports it, and limit standing access to exceptional cases only. This reduces the usable window for any leaked secret and lowers the blast radius of compromise.
  • Use linkable breach evidence in executive reporting: Tie remediation reporting to real breach patterns such as container secret exposure and cloud credential abuse so leadership sees the operational risk, not just scan counts. That makes the case for funding lifecycle controls instead of isolated detection tools.
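The lifecycle model in the technical breakdown (a secret as an identity artifact with owner, expiry and revocation path), the standing-access debt the analysis says to measure first, and the inventory and SLA steps in the list above all reduce to a few operations on an inventory. The added example below is illustrative code written for this page, not an NHI Mgmt Group or GitGuardian tool. It turns one exposure event into an ordered rotation set by walking the dependency edges (issuers first, then everything they minted), computes the revocation deadline from a severity SLA, and reports how much standing, past-expiry or unowned access exists. The inventory, the issued_by chain, the severities and the SLA windows are constructed assumptions.

```python
"""Added example (not NHIMG's or GitGuardian's code): a planner that turns a
secret-exposure event into an ordered rotation set, an SLA deadline and a
standing-access report. The inventory, the issued_by edges, the severities
and the SLA windows are constructed assumptions for illustration."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Secret:
    id: str
    owner: Optional[str]
    issued_at: datetime
    max_age: timedelta                # expiry policy recorded in the inventory
    issued_by: Optional[str] = None   # secret that mints, or can read, this one
    standing: bool = True             # static credential vs short-lived token


# Assumed SLA: maximum time from detection to revocation, by severity.
SLA = {"critical": timedelta(hours=1),
       "high": timedelta(hours=4),
       "medium": timedelta(days=1)}


def dependents(inventory: dict[str, Secret], root: str) -> list[str]:
    """Breadth-first walk over issued_by edges. Depth order is rotation order:
    an issuer must be rotated before the credentials it minted, otherwise the
    attacker can simply re-mint them with the old issuer."""
    order, seen, queue = [], {root}, deque([root])
    while queue:
        current = queue.popleft()
        for s in inventory.values():
            if s.issued_by == current and s.id not in seen:
                seen.add(s.id)
                order.append(s.id)
                queue.append(s.id)
    return order


def rotation_plan(inventory: dict[str, Secret], exposed_id: str,
                  severity: str, detected_at: datetime) -> dict:
    if exposed_id not in inventory:
        raise KeyError(f"{exposed_id} is not in the inventory: nothing to revoke")
    order = [exposed_id] + dependents(inventory, exposed_id)
    return {
        "rotate_in_order": order,
        "revoke_by": detected_at + SLA[severity],
        "unowned": [s for s in order if inventory[s].owner is None],
    }


def sla_met(plan: dict, revoked_at: datetime) -> bool:
    return revoked_at <= plan["revoke_by"]


def standing_access_report(inventory: dict[str, Secret], now: datetime) -> dict:
    """How much usable standing access exists right now: the debt that the
    analysis above says determines breach dwell time."""
    return {
        "total": len(inventory),
        "standing": sum(1 for s in inventory.values() if s.standing),
        "past_expiry": [s.id for s in inventory.values() if now - s.issued_at > s.max_age],
        "unowned": [s.id for s in inventory.values() if s.owner is None],
    }


def _ts(y: int, m: int, d: int, h: int = 0, mi: int = 0) -> datetime:
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


# Constructed inventory (assumed). The chain models a cloud root key from which
# a CI deploy token is minted; that token provisions the app's DB password.
INVENTORY = {s.id: s for s in [
    Secret("cloud-root-key", "platform", _ts(2024, 1, 1), timedelta(days=90)),
    Secret("ci-deploy-token", "ci", _ts(2025, 2, 1), timedelta(days=30), issued_by="cloud-root-key"),
    Secret("app-db-password", "app-team", _ts(2024, 9, 1), timedelta(days=90), issued_by="ci-deploy-token"),
    Secret("backup-bucket-key", None, _ts(2024, 6, 1), timedelta(days=365), issued_by="cloud-root-key"),
    Secret("workload-oidc-token", "platform", _ts(2025, 3, 1, 8, 30), timedelta(hours=1), standing=False),
]}

DETECTED_AT = _ts(2025, 3, 1, 9, 0)  # assumed time the leak was detected

if __name__ == "__main__":
    plan = rotation_plan(INVENTORY, "cloud-root-key", "critical", DETECTED_AT)
    print(plan)
    print("SLA met if revoked at 09:45:", sla_met(plan, _ts(2025, 3, 1, 9, 45)))
    print(standing_access_report(INVENTORY, DETECTED_AT))
```

For the constructed leak of `cloud-root-key`, the plan rotates the root first, then the two credentials it minted, then the DB password those in turn provisioned, with a one-hour deadline for the critical severity and `backup-bucket-key` flagged as having no owner to execute the rotation. The report side shows why the list above starts with inventory: two of the five secrets are already past their own expiry policy, and four of five are standing credentials, so the leaked secret's usable window is bounded by revocation speed, not by any expiry that was ever enforced.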

Key takeaways

  • Secrets sprawl is an NHI governance failure because leaked credentials remain valid until lifecycle controls revoke them.
  • The scale of the problem is operational, with millions of new secrets exposed and many still active long after discovery.
  • Security teams should prioritise inventory, revocation speed, and cross-platform scanning over point-in-time detection alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI2:2025 Secret Leakage; NHI7:2025 Long-Lived Secrets | Secrets sprawl is leakage of credentials that then stay valid because rotation and lifecycle control are weak.
NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services, and hardware must be managed by the organisation, which covers exposed machine credentials.
NIST Zero Trust (SP 800-207) | Core tenets | Zero trust assumes continuous verification, which a valid exposed secret undermines immediately.

Map non-human credentials to identity inventory processes and remove standing access where possible.


Key terms

  • Secrets Sprawl: Secrets sprawl is the uncontrolled spread of credentials, tokens, keys, and certificates across systems that were never designed to be a secrets vault. It becomes a governance issue when no team can reliably inventory, rotate, or revoke every exposed credential before it is reused.
  • Non-Human Identity: A non-human identity is any machine, workload, bot, service account, API token, certificate, or AI agent that authenticates to other systems. Unlike human users, these identities often live in code and infrastructure, which makes lifecycle control and ownership essential.
  • Secret Rotation: Secret rotation is the process of replacing a credential with a new value and invalidating the old one so the exposed secret can no longer be used. Effective rotation is time-bound, automated where possible, and tied to dependency mapping so services keep running.
  • Standing Privilege: Standing privilege is persistent access that remains available without just-in-time provisioning. In NHI environments, it increases blast radius because a leaked credential can be reused immediately unless access is reduced, expiring, or revoked.

What's in the full report

GitGuardian's full report covers the operational detail this post intentionally leaves for the source:

  • A year-over-year breakdown of new GitHub secret exposure and where the growth is concentrated.
  • Detailed examples of generic secrets that evade pattern-based controls and why push protection misses them.
  • Container and collaboration-tool leakage patterns, including which environments are most likely to hold valid credentials.
  • Remediation and detection observations that help teams turn findings into a practical rotation workflow.

👉 GitGuardian's full report covers the data breakdowns, leak patterns, and remediation context behind the findings.

Deepen your knowledge

Secrets sprawl and non-human identity lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to move from secret detection to enforceable governance, it is worth exploring.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org