TL;DR: Wiz found that 65% of Forbes AI 50 companies leaked verified secrets across repositories, forks, gists, SaaS systems, and development tools, showing that AI engineering expands the identity and credential surface far beyond traditional scanning paths, according to Akeyless. Static secret controls are failing because the real problem is identity sprawl, not just repository hygiene.
NHIMG editorial — based on content published by Akeyless: AI secrets sprawl and exposed credentials across development tooling
By the numbers:
- Wiz found that 65% of the Forbes AI 50 have leaked verified secrets on GitHub.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams reduce secret sprawl in AI development environments?
A: Start by expanding discovery beyond source code into notebooks, logs, extensions, support tools, and collaboration platforms.
Q: Why do AI pipelines expose more credential risk than traditional software development?
A: AI pipelines create more identities, more integrations, and more temporary execution paths than conventional software delivery.
Q: What breaks when secrets are used to authenticate AI agents and workflows?
A: Reusable secrets create standing exposure in environments that change too quickly for manual review.
Practitioner guidance
- Expand discovery beyond source control Scan notebooks, logs, IDE extensions, gists, forks, Slack, Jira, Confluence, and support portals for exposed credentials, not just primary repositories.
- Replace reusable secrets with runtime-issued access Use secretless or ephemeral authentication for AI pipelines so the task receives access only when needed and does not leave a credential behind for later reuse.
- Inventory machine identities with named ownership Assign ownership, purpose, and expiry expectations to each AI service, workflow, and integration, then retire credentials when the associated process or team no longer exists.
What's in the full article
Akeyless's full report covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of the specific AI development surfaces where secrets were found, including notebooks, forks, logs, and support portals.
- Detailed discussion of the secretless access model and how ephemeral credentials are issued at runtime.
- Operational examples of how developers can retrieve credentials without embedding them in code or tooling.
- The product-level workflow for monitoring and terminating privileged AI access across environments.
👉 Read Akeyless's analysis of AI secrets sprawl and exposed credentials →
AI secrets sprawl: what IAM teams need to change now?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
AI secrets sprawl is a governance failure, not a scanning gap: The article shows that credentials are leaking across repositories, forks, gists, notebooks, logs, extensions, and support portals because AI development produces too many identity touchpoints for legacy controls to cover. Traditional secrets hygiene assumes that the important surfaces are known in advance. That assumption no longer holds. Practitioners should treat AI pipelines as distributed identity systems, not just code repositories.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to Guide to the Secret Sprawl Challenge.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
A question worth separating out:
Q: How do teams know if secretless access is actually working?
A: Look for a reduction in persistent credentials, fewer secrets appearing outside repositories, and tighter ownership of machine identities. If AI workflows still depend on copied keys or broad tokens, then the programme has only moved the leak point rather than removing the leak surface.
👉 Read our full editorial: AI secrets sprawl is outpacing legacy identity controls