TL;DR: A scan of 7.6 petabytes across 187 million public AI training files found 221,303 live, unique credentials in 6,003 datasets, including write-capable tokens and cloud keys that can affect software, infrastructure, and identity systems, according to TruffleHog. The security problem is not only leakage, but permanent propagation across derivative corpora, which turns one exposed secret into an enduring governance failure.
At a glance
What this is: This is an analysis of secret exposure inside public AI training data, with the key finding that live credentials are widespread and persist across downstream dataset copies.
Why it matters: It matters because IAM, secrets, and NHI teams cannot treat training data as a passive archive when live credentials inside it can still authorize access, modify software, and outlive revocation at the source.
By the numbers:
- The scan covered 7.6 petabytes across 187 million files.
- One Infura key got copied into 1,131 public datasets and 10,162 file locations.
👉 Read TruffleHog's analysis of secrets hidden in 7.6 petabytes of AI training data
Context
Public AI training data is now a credential exposure surface, not just a content corpus. If a live secret is embedded in a dataset, every downstream copy, fine-tune, and remix can preserve that access long after the original leak is forgotten. For identity teams, that turns dataset publication into an NHI governance issue because the secret can still authorize action even when no one remembers where it came from.
This article shows that the problem is not hypothetical. The scan found live cloud keys, database credentials, and tokens with write capability, including credentials that can change code or push software artefacts into downstream environments. That is a familiar NHI pattern, but here it appears at training-data scale, where revocation is necessary but not sufficient unless every copy is found and invalidated.
The practical takeaway is simple: if AI systems ingest public corpora, organisations need a policy for treating those corpora as potentially burned credential reservoirs. That is a stronger control posture than conventional secrets hygiene because the exposure path is replicated, versioned, and difficult to unwind.
Key questions
Q: What breaks when live secrets are published inside AI training data?
A: The normal secrets lifecycle breaks because the credential stops existing in one place. Once a live secret enters a public corpus, it can be copied into derivatives, reused in training, and discovered long after the original owner thinks the exposure is gone. Revocation still matters, but it must chase every replicated copy to be effective.
Q: Why do public training datasets create more risk than a normal source-code leak?
A: Because training datasets are intentionally replicated and redistributed. A source-code leak can sometimes be contained at the repository level, but a public corpus is designed to be cloned, remixed, and reused. That makes one leaked credential durable across multiple datasets and increases the chance that a forgotten secret remains active.
Q: How do security teams know which exposed credentials in datasets matter most?
A: Start with the authority the credential grants, not the system where it was found. Write-capable keys, package-publish tokens, org-admin access, and cloud-admin credentials create the highest downstream risk because they can alter software, infrastructure, or identity controls. Low-friction read access is less urgent than secrets that can change production outcomes.
Q: What should organisations do when they find a live key in training data?
A: Revoke it, then search for every derivative copy that might still contain the same secret. If the credential was scraped into public datasets, the risk is distributed and the response has to be distributed too. Treat the incident as a lifecycle failure, not a one-off leak, and confirm invalidation across all known copies.
Technical breakdown
Why training corpora behave like durable secret repositories
Public training datasets are built to be copied, versioned, and redistributed. That is useful for model development, but it is exactly why a leaked credential becomes persistent once it enters the corpus. Unlike a git repository or a live environment, there is no single authoritative place to remove it from. The same secret can survive into forks, cleaned derivatives, and fine-tuning sets. For identity governance, that means the exposure window is not bounded by the original leak event. It extends across the data supply chain and can remain operational until every known copy is revoked.
Practical implication: Treat published datasets as persistent credential replicas and require pre-publication secret scanning before any model training or dataset release.
Why write-capable secrets in training data raise the stakes
Not all secrets have the same impact. A read-only token can expose data, but a write-capable credential can alter software, configurations, or downstream model artefacts. In this article, the most concerning findings were credentials that could push code, rewrite workflows, administer orgs, or push container images. Those are NHI controls in the strict sense: they govern what a non-human credential can do at runtime. When such credentials are embedded in training data, the model supply chain becomes part of the attack surface for software delivery and identity-controlled publishing.
Practical implication: Prioritise revocation and detection for credentials with write, admin, package-publish, or image-push authority.
Why AI supply-chain exposure is an identity lifecycle problem
Secrets in training data are not a one-time leak problem. They are a lifecycle problem because the same credential can be scraped, republished, downloaded, and reused by multiple parties. That creates a governance gap between discovery and offboarding. In NHI terms, the secret has no clean leaver event unless the owning system rotates it everywhere it exists. The article’s example of a single key appearing in more than a thousand datasets shows that standard incident handling assumptions break down when the identity is replicated through data pipelines instead of held in a single system of record.
Practical implication: Build revocation workflows that assume distributed copies and use bulk invalidation as the default response, not manual one-by-one cleanup.
NHI Mgmt Group analysis
Training data secret exposure is now a governed identity problem: This is not just data leakage, it is credential distribution at scale. Once a live secret enters a public training corpus, it becomes an NHI asset embedded in a replication pipeline that organisations do not control. The implication is that AI data governance and secrets governance can no longer be separated.
Persistent corpus copies create identity blast radius: The same credential can survive across upstream sources, derived datasets, and fine-tunes, so the blast radius is defined by replication, not by the original leak location. That is why one revocation event rarely closes the exposure. Practitioners need to think in terms of copy count and downstream reuse, not just source cleanup.
Write-capable non-human credentials are the highest-risk finding here: A token that can publish packages, rewrite CI, or push images can move from exposure to supply-chain impact with very little friction. That makes this an OWASP-NHI and NIST CSF issue, not merely a secrets hygiene issue. The practical conclusion is to rank credentials by authorised action, not by where they were found.
Static secret assumptions fail when training data acts like an archive with runtime value: Secrets management was designed for bounded systems where access can be revoked once and the risk ends. That assumption fails when the actor is a credential copied into hundreds or thousands of public datasets because revocation must chase every derivative copy. The implication is that lifecycle controls need to account for data replication, not just system ownership.
Named concept: credential replication debt: This article shows how one leaked secret accumulates a debt across every dataset copy that preserves it. The longer that debt remains unpaid, the more likely the credential is to be rediscovered in a different context and used again. Practitioners should treat dataset publication as a control point with ownership, review, and revocation obligations.
From our research:
- The average time to mitigate a leaked secret is 36 hours, highlighting the operational burden of manual remediation processes, according to the 2024 State of Secrets Management Survey.
- 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management.
- Guide to the Secret Sprawl Challenge is the next step for teams that need a practical view of secret discovery and remediation across environments.
What this signals
Credential replication debt: the real governance problem is not finding one leaked secret, it is managing the copies that survive after the first discovery. With 44% of unique live secrets appearing in more than one dataset in the source research, the operational model must assume spread before containment.
Teams running AI or data platforms should align their controls to OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0 because the failure mode is identity exposure inside a replication pipeline, not merely a storage misconfiguration.
The programme signal is clear: if a corpus cannot be scanned and revoked like any other credential-bearing environment, it should not be treated as safe training input. That changes intake, vendor review, and incident response expectations for ML teams and identity teams alike.
For practitioners
- Scan corpora before publication Run secret detection across any dataset before release, including archives, notebooks, JSONL, and derived artefacts. Block publication if live credentials are detected and route findings into a revocation workflow immediately.
- Classify credentials by authorised action Prioritise tokens and keys that can push code, rewrite workflows, administer organisations, or push images. These are the credentials that can turn training-data exposure into downstream compromise fastest.
- Assume downstream replication until proven otherwise Create incident runbooks that treat every public dataset copy as an independent exposure point. Search derivative corpora, not just the original source, and invalidate the credential everywhere it appears.
- Tie dataset governance to secrets lifecycle controls Require ownership for every published corpus, review each data source for embedded secrets, and make revocation evidence part of the release gate. If the data cannot be scanned or remediated, it should not be published.
Key takeaways
- Public AI training data can contain live credentials, which turns model supply chains into an identity governance problem.
- The biggest risk is not only the number of secrets found, but their persistence across copied datasets and downstream derivatives.
- Security teams should gate dataset publication and AI training on scanning, revocation, and copy-aware cleanup workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Embedded live secrets and rotation failure are the core NHI risk in this article. |
| NIST CSF 2.0 | PR.AC-4 | The article centers on access scope and entitlement exposure through reused credentials. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential management and revocation map directly to the live-key exposure described here. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0010 , Exfiltration | The threat pattern is credential discovery followed by data replication into public corpora. |
Map exposed training-data secrets to NHI-03 and require pre-publication scanning plus rapid revocation.
Key terms
- Credential Replication Debt: The accumulated risk created when one live secret is copied into multiple datasets, logs, or downstream artefacts. In practice, the debt grows every time the credential is duplicated, because revocation has to reach each copy before the exposure is truly closed.
- Live Secret: A credential, token, API key, or certificate that still authorises real access when discovered. In NHI governance, a live secret matters more than its origin because it can still move data, change code, or invoke services until it is revoked everywhere it exists.
- Dataset Exposure Surface: The set of ways a public or shared dataset can preserve sensitive material, including credentials, personally identifiable data, and operational tokens. For security teams, this surface matters because training data is often versioned, redistributed, and difficult to retract once published.
What's in the full report
TruffleHog's full analysis covers the operational detail this post intentionally leaves for the source:
- The verification method used to confirm which credentials were live at scan time.
- The dataset families and model corpora with the highest concentration of exposed keys.
- The breakdown of credential types by cloud, database, AI provider, and publishing access.
- The practical revocation approach used when one secret appeared across many derivative datasets.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org