TL;DR: According to Akeyless, Wiz found that 65% of Forbes AI 50 companies leaked verified secrets across repositories, forks, gists, SaaS systems, and development tools, showing that AI engineering expands the identity and credential surface far beyond the paths that traditional scanning covers. Static secret controls are failing because the real problem is identity sprawl, not just repository hygiene.
NHIMG editorial — based on content published by Akeyless: AI secrets sprawl and exposed credentials across development tooling
By the numbers:
- Wiz found that 65% of the Forbes AI 50 have leaked verified secrets on GitHub.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams reduce secret sprawl in AI development environments?
A: Start by expanding discovery beyond source code into notebooks, logs, extensions, support tools, and collaboration platforms.
Q: Why do AI pipelines expose more credential risk than traditional software development?
A: AI pipelines create more identities, more integrations, and more temporary execution paths than conventional software delivery.
Q: What breaks when secrets are used to authenticate AI agents and workflows?
A: Reusable secrets create standing exposure in environments that change too quickly for manual review.
Practitioner guidance
- Expand discovery beyond source control: Scan notebooks, logs, IDE extensions, gists, forks, Slack, Jira, Confluence, and support portals for exposed credentials, not just primary repositories.
- Replace reusable secrets with runtime-issued access: Use secretless or ephemeral authentication for AI pipelines so the task receives access only when needed and does not leave a credential behind for later reuse.
- Inventory machine identities with named ownership: Assign ownership, purpose, and expiry expectations to each AI service, workflow, and integration, then retire credentials when the associated process or team no longer exists.
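As an added example (not code from the Akeyless report or this post), the following Python scanner applies the first guidance item: it walks a constructed Jupyter notebook, including the saved cell outputs that a repository-only scan never reads, plus a constructed log excerpt, and reports masked findings. The notebook layout follows the .ipynb JSON format; the AWS access key ID prefix is its public format, while the generic assignment pattern, the key and token values, and the sample content are all constructed for this illustration.

```python
import json
import re
from typing import Iterator

# AKIA + 16 uppercase alphanumerics is the public AWS access key ID shape.
# The generic pattern is a constructed heuristic for "name = value" assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}

def scan_text(text: str, source: str) -> list:
    """Return one masked finding per pattern hit, tagged with source and line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex)          # the credential-like group
                findings.append({"source": source, "line": lineno, "type": name,
                                 "value": value[:4] + "..." + value[-4:]})
    return findings

def notebook_texts(nb_json: str) -> Iterator:
    """Yield (text, label) for each code cell source AND each saved text output.
    Outputs matter: a cell that prints os.environ persists the secret in the .ipynb."""
    nb = json.loads(nb_json)
    for idx, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        yield "".join(cell.get("source", [])), f"cell[{idx}].source"
        for out in cell.get("outputs", []):
            if "text" in out:                          # stream outputs (stdout/stderr)
                yield "".join(out["text"]), f"cell[{idx}].output"
            for mime, data in out.get("data", {}).items():
                if mime.startswith("text/"):           # execute_result / display_data
                    yield "".join(data), f"cell[{idx}].output[{mime}]"

def scan_notebook(nb_json: str, path: str = "notebook.ipynb") -> list:
    return [f for text, label in notebook_texts(nb_json) for f in scan_text(text, f"{path}:{label}")]

# Constructed sample: the source is clean (reads the environment), but the saved
# output of print(creds) carries a fabricated key ID. Values are not real credentials.
SAMPLE_NOTEBOOK = json.dumps({"cells": [
    {"cell_type": "markdown", "source": ["# Train run\n"]},
    {"cell_type": "code", "source": ["import os\n", "creds = dict(os.environ)\n", "print(creds)\n"],
     "outputs": [{"output_type": "stream", "name": "stdout",
                  "text": ["{'AWS_ACCESS_KEY_ID': 'AKIAEXAMPLE0000000AB', ...}\n"]}]}]})
SAMPLE_LOG = ("2024-05-01T10:00:00Z INFO starting job\n"
              "2024-05-01T10:00:01Z DEBUG config api_key=sk_constructed_sample_token_0001\n")

def scan_sources() -> list:
    """Scan the constructed notebook and log together and return all findings."""
    return scan_notebook(SAMPLE_NOTEBOOK) + scan_text(SAMPLE_LOG, "train.log")
```

Running `scan_sources()` yields two findings: one in the notebook output (not its source) and one in the log line, which is the gap the guidance above describes.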
What's in the full article
Akeyless's full report covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of the specific AI development surfaces where secrets were found, including notebooks, forks, logs, and support portals.
- Detailed discussion of the secretless access model and how ephemeral credentials are issued at runtime.
- Operational examples of how developers can retrieve credentials without embedding them in code or tooling.
- The product-level workflow for monitoring and terminating privileged AI access across environments.
Read Akeyless's analysis of AI secrets sprawl and exposed credentials: "AI secrets sprawl: what IAM teams need to change now?"