TL;DR: AWS Bedrock now supports API keys that simplify access to generative AI models but also expand the non-human identity surface, with short-term keys valid up to 12 hours and long-term keys able to run without expiration, according to AWS. That makes lifecycle control, discovery, and rotation the real governance problem.
NHIMG editorial — based on research published by Entro Security.
By the numbers:
- AWS states that short-term Bedrock API keys can be valid for up to 12 hours, reducing the lifetime of exposed credentials.
Questions worth separating out
Q: How should teams govern API keys for AI model access?
A: Treat them as non-human identities with the same controls you apply to service account secrets.
Q: When do short-lived AI credentials still create risk?
A: Short-lived credentials still create risk when discovery is weak, logs are incomplete, or the token is copied into places that persist longer than the credential itself.
Q: What is the difference between IAM roles and direct API keys for AI workloads?
A: IAM roles rely on controlled assumption of access and usually fit better into policy, review, and revocation workflows.
Practitioner guidance
- Classify Bedrock keys as governed NHIs: Assign every API key an owner, a business purpose, an expiry date, and a review cadence so it enters the same control plane as other secrets and service identities.
- Block unmanaged key distribution paths: Scan repositories, logs, build systems, Slack, and Jira for embedded Bedrock keys, then remove or quarantine any instance that lacks approved lifecycle controls.
- Prefer time-bounded access by policy: Allow short-term keys where direct model access is unavoidable and require explicit approval for any key that can be created without expiration.
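As an added example (not code from AWS, Entro Security, or NHIMG), the three guidance points above can be turned into a mechanical inventory audit. The script below assumes an organisation already keeps a record per Bedrock key with owner, purpose, expiry and last-review date; the `BedrockKeyRecord` fields, the 90-day review cadence and the sample inventory are this example's own constructed assumptions, while the 12-hour ceiling for short-term keys is the figure AWS states. It flags keys with no owner or purpose, keys that can run without expiration (which the guidance says need explicit approval), expired keys that still linger, records whose claimed short-term lifetime is impossible, and overdue reviews.

```python
"""Governance audit for an inventory of AWS Bedrock API keys.

Added example. The inventory schema and sample records are constructed
for illustration and are not an AWS API or data format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# AWS states that short-term Bedrock API keys are valid for at most 12 hours.
SHORT_TERM_CEILING = timedelta(hours=12)
# Assumed organisational review cadence (a policy choice, not an AWS value).
REVIEW_CADENCE = timedelta(days=90)


@dataclass
class BedrockKeyRecord:
    """One governed key; the lifecycle metadata every NHI record must carry."""
    key_id: str
    key_type: str                       # "short-term" or "long-term"
    created: datetime
    expires: Optional[datetime]         # None = key can run without expiration
    owner: Optional[str] = None
    purpose: Optional[str] = None
    last_reviewed: Optional[datetime] = None


def evaluate(rec: BedrockKeyRecord, now: datetime) -> List[str]:
    """Return the governance findings for one key (empty list = compliant)."""
    findings: List[str] = []
    if not rec.owner:
        findings.append("no owner")
    if not rec.purpose:
        findings.append("no business purpose")
    if rec.expires is None:
        # Keys that never expire are allowed only with explicit approval.
        findings.append("no expiry: requires explicit approval")
    else:
        lifetime = rec.expires - rec.created
        if rec.key_type == "short-term" and lifetime > SHORT_TERM_CEILING:
            # A short-term key cannot outlive 12 h, so the record itself is wrong.
            findings.append("short-term lifetime exceeds 12h ceiling; record inconsistent")
        if rec.expires <= now:
            # Expired credentials should leave the inventory, not linger in it.
            findings.append("expired but still inventoried")
    if rec.last_reviewed is None or now - rec.last_reviewed > REVIEW_CADENCE:
        findings.append("review overdue")
    return findings


def audit(records: List[BedrockKeyRecord], now: datetime) -> Dict[str, List[str]]:
    """Map every key id to its findings so the result can feed a review queue."""
    return {r.key_id: evaluate(r, now) for r in records}


def needs_approval(records: List[BedrockKeyRecord]) -> List[str]:
    """Key ids that can run without expiration and therefore need sign-off."""
    return sorted(r.key_id for r in records if r.expires is None)


# Constructed sample inventory, evaluated at a fixed "now" for reproducibility.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    BedrockKeyRecord("key-ci-001", "short-term", NOW - timedelta(hours=2),
                     NOW + timedelta(hours=6), owner="platform-team",
                     purpose="CI model evaluation",
                     last_reviewed=NOW - timedelta(days=10)),
    BedrockKeyRecord("key-lab-002", "long-term", NOW - timedelta(days=200),
                     None),  # no owner, purpose, expiry or review
    BedrockKeyRecord("key-batch-003", "short-term", NOW - timedelta(hours=30),
                     NOW - timedelta(hours=18), owner="data-team",
                     purpose="nightly batch scoring",
                     last_reviewed=NOW - timedelta(days=100)),
    BedrockKeyRecord("key-dev-004", "short-term", NOW - timedelta(hours=1),
                     NOW + timedelta(hours=23), owner="dev-team",
                     purpose="prompt experiment",
                     last_reviewed=NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for key_id, findings in audit(SAMPLE_INVENTORY, NOW).items():
        print(key_id, "OK" if not findings else "; ".join(findings))
    print("needs approval:", needs_approval(SAMPLE_INVENTORY))
```

In practice the inventory would be populated from whatever system of record holds the keys' metadata; the point of the example is that once ownership, expiry and review dates are captured per key, the "treat it as a governed NHI" guidance becomes a check that can run on a schedule rather than a policy statement.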
The practical response is to unify AI access with the rest of the secrets estate, because separate processes create separate blind spots.
👉 Read AWS's Bedrock API key announcement and implementation details →
A few things worth adding from our research at NHI Mgmt Group.
Bedrock API keys are best understood as NHI sprawl in a new form. The control problem is not limited to cloud permissions anymore, because model access now has its own credential surface. That widens the set of places where secrets can appear and the number of teams that must own them. Practitioners should assume every new AI access token adds governance burden unless it is built into lifecycle control from the start.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which explains why new AI credentials often arrive faster than control maturity.
A question worth separating out:
Q: Why do AI access keys complicate zero trust architecture?
A: Zero trust assumes each access request is continuously verified, but a reusable AI key can function as static proof once it is issued. That weakens the model unless the organisation adds strict expiry, monitoring, and revocation so the credential does not become standing trust.
👉 Read our full editorial: AWS Bedrock API keys turn GenAI access into an NHI governance issue