TL;DR: Entro Labs says its H1 2025 analysis of more than 27 million non-human identities found a 44% year-over-year rise in NHI sprawl, 43% of exposed secrets outside code, and 5.5% of AWS machine identities holding administrator privileges, underscoring how access growth outpaces governance. The security problem is no longer discovery alone, but controlling privilege, ownership, and secret exposure before shadow access becomes normal.
NHIMG editorial — based on research published by Entro Security.
By the numbers:
- Entro Labs found a 44% year-over-year increase in NHI sprawl in 2025.
- Entro Labs found that 43% of all exposed secrets are located outside code in SDLC tools, logs, and collaboration apps.
- Entro Labs found that 5.5% of AWS machine identities hold administrator privileges.
Questions worth separating out
Q: How should security teams govern non-human identities at scale?
A: Start with ownership, purpose, privilege, and lifecycle.
Q: Why do exposed secrets often slip past traditional security controls?
A: Because many secrets now appear outside source code, including in logs, chat tools, CI/CD systems, and project platforms.
Q: What is the difference between secrets rotation and access revocation?
A: Rotation replaces a credential while preserving the workload's access pattern, so it shortens the window in which a leaked secret is useful but leaves the access itself in place. Revocation removes the identity's access altogether, so the workload can no longer authenticate until access is deliberately re-granted. Rotation is the answer to a leaked secret; revocation is the answer to access that should not exist.
Practitioner guidance
- Implement continuous NHI inventory: map every service account, API key, token, and certificate to a named owner, a business purpose, and a review cadence.
- Expand secret scanning beyond source code: inspect CI/CD logs, collaboration tools, ticketing systems, and project management platforms for exposed secrets.
- Reduce machine privilege aggressively: review AWS roles, service accounts, and automation identities for permissions they do not actively use.
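The second guidance item, scanning non-code artefacts, as an added example (this is not Entro's or NHIMG's tooling). It runs a few well-known token regexes plus a generic "secret-looking name assigned a long value" pattern over constructed CI log, chat export and ticket text, and uses a Shannon-entropy gate so placeholders such as a run of x's do not fire. The sample artefacts, the AWS documentation placeholder key, and the entropy threshold of 3.0 bits are assumptions chosen for the demonstration; widen the pattern list for your own estate.

```python
import math
import re

# Regexes for a few well-known credential formats. The prefixes (AKIA, ghp_,
# xoxb-) are public token conventions, not secrets. Extend for your estate.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}
# Fallback: a secret-looking name assigned a long opaque value. Matches
# AWS_SECRET_ACCESS_KEY=... as well as api_key: ... The entropy gate below
# drops placeholders such as xxxxxxxxxxxxxxxx.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)[A-Za-z_]*\s*[=:]\s*"
    r"['\"]?([A-Za-z0-9_\-+/=.]{12,})"
)


def shannon_entropy(value):
    """Bits per character; random-looking secrets score well above 3."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep enough to triage (prefix and suffix) without re-exposing the secret."""
    return value[:4] + "..." + value[-2:]


def scan_text(source, text, min_entropy=3.0):
    """Scan one non-code artefact (log, chat export, ticket) line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"source": source, "line": lineno,
                                 "type": kind, "value": redact(m.group(0))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            # Skip values already reported by a specific pattern, and
            # low-entropy placeholders that are not real secrets.
            if value in seen or shannon_entropy(value) < min_entropy:
                continue
            findings.append({"source": source, "line": lineno,
                             "type": "generic_assignment", "value": redact(value)})
    return findings


def scan_sources(sources, min_entropy=3.0):
    """sources: {artefact name: text}. Returns all findings across artefacts."""
    findings = []
    for source, text in sources.items():
        findings.extend(scan_text(source, text, min_entropy))
    return findings


# Constructed sample artefacts (not real data). AKIAIOSFODNN7EXAMPLE and the
# matching secret key are the placeholder values from AWS documentation.
SAMPLE_SOURCES = {
    "ci/job-1234.log": "\n".join([
        "[12:01:03] Running terraform plan",
        "[12:01:04] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "[12:01:04] export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "[12:01:09] Plan: 3 to add, 0 to change, 0 to destroy.",
    ]),
    "slack/deploys-channel.txt": "\n".join([
        "alice: bot token is xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx please keep it here",
        "bob: staging password = xxxxxxxxxxxxxxxx until the vault entry is ready",
    ]),
    "jira/OPS-77.txt": "api_key: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['source']}:{f['line']} {f['type']} {f['value']}")
```

On the constructed input this reports four findings (the access key ID and secret key in the CI log, the Slack bot token in the chat export, and the GitHub token in the ticket) and nothing for the placeholder password. Note that the secret access key is caught only by the generic pattern, which is why a scanner limited to known token prefixes misses a large share of what leaks into logs.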
Teams that do not formalise lifecycle rules will keep discovering access paths long after the credentials behind them should have been removed.
👉 Read Entro Labs' H1 2025 report on NHI sprawl and secret exposure →
A few things worth adding from our research at NHI Mgmt Group.
Identity sprawl is becoming governance debt, not just an inventory problem. Once machine identities outnumber human users by orders of magnitude, the programme challenge shifts from counting assets to proving ownership, purpose, and revocation. Security teams that treat NHI growth as a reporting exercise will miss the control failure underneath. The correct response is lifecycle governance, not periodic cleanup.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing the likelihood of unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, which keeps stale credentials alive long enough for compromise to compound.
A question worth separating out:
Q: When does over-privileged NHI access become a material risk?
A: It becomes material as soon as a machine identity can reach systems beyond its workload scope, because automation multiplies the impact of a compromise. In practice, any NHI with administrator rights, broad cloud permissions, or shared use across multiple devices should be treated as high risk and reviewed first.
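The privilege review in the practitioner guidance, the excessive-privilege and rotation figures above, and this question about when over-privilege becomes material, as one worked triage added here (not Entro's or NHIMG's tooling). It takes a constructed inventory of three hypothetical AWS identities, flags admin-equivalent permissions and missing owners as high risk, diffs allowed actions against observed use (the observed-use data is assumed to come from IAM Access Advisor or CloudTrail and is hard-coded here), and checks rotation age against a per-identity maximum. The identity names, policies and dates are all made up for the example.

```python
from datetime import date

# Constructed sample inventory (hypothetical identities, not real data).
# "actions" is what the identity is allowed to do; "used_actions" is what it
# actually did in the review window, as you would get from IAM Access Advisor
# or CloudTrail (assumed here, not fetched).
INVENTORY = [
    {"name": "ci-deploy-role", "owner": "platform-team", "purpose": "CI deploys",
     "actions": ["s3:PutObject", "s3:GetObject", "cloudformation:*", "iam:PassRole"],
     "used_actions": ["s3:PutObject", "cloudformation:CreateStack"],
     "last_rotated": date(2025, 1, 10), "max_rotation_days": 90},
    {"name": "legacy-etl-user", "owner": None, "purpose": "",
     "actions": ["*"],
     "used_actions": ["s3:GetObject"],
     "last_rotated": date(2023, 6, 1), "max_rotation_days": 90},
    {"name": "metrics-exporter", "owner": "sre", "purpose": "push metrics",
     "actions": ["cloudwatch:PutMetricData"],
     "used_actions": ["cloudwatch:PutMetricData"],
     "last_rotated": date(2025, 5, 20), "max_rotation_days": 90},
]
TODAY = date(2025, 6, 30)  # fixed review date so the example is reproducible

# Full wildcards are administrator; iam:* is treated the same because it can
# attach any policy to itself.
ADMIN_EQUIVALENT = {"*", "*:*", "iam:*"}


def action_matches(allowed, used):
    """Does an allowed action (possibly a service wildcard) cover a used action?"""
    if allowed in ("*", "*:*"):
        return True
    svc, _, act = allowed.partition(":")
    usvc, _, uact = used.partition(":")
    return svc == usvc and (act == "*" or act == uact)


def unused_actions(nhi):
    """Allowed actions with no observed use in the review window."""
    return sorted(a for a in nhi["actions"]
                  if not any(action_matches(a, u) for u in nhi["used_actions"]))


def rotation_overdue(nhi, today):
    return (today - nhi["last_rotated"]).days > nhi["max_rotation_days"]


def triage(inventory, today):
    """Rank identities: high = admin-equivalent or no owner; medium = excess
    privilege or stale credential; low = nothing found. High-risk first."""
    results = []
    for nhi in inventory:
        findings = []
        if any(a in ADMIN_EQUIVALENT for a in nhi["actions"]):
            findings.append("admin-equivalent permissions")
        if not nhi["owner"]:
            findings.append("no named owner")
        unused = unused_actions(nhi)
        if unused:
            findings.append("unused permissions: " + ", ".join(unused))
        if rotation_overdue(nhi, today):
            overdue = (today - nhi["last_rotated"]).days - nhi["max_rotation_days"]
            findings.append("rotation overdue by %d days" % overdue)
        if "admin-equivalent permissions" in findings or "no named owner" in findings:
            risk = "high"
        elif findings:
            risk = "medium"
        else:
            risk = "low"
        results.append({"name": nhi["name"], "risk": risk, "findings": findings})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(results, key=lambda r: order[r["risk"]])


if __name__ == "__main__":
    for r in triage(INVENTORY, TODAY):
        print(r["risk"].upper(), r["name"])
        for f in r["findings"]:
            print("   -", f)
```

On this inventory the orphaned `*` user sorts to the top as high risk, the CI role lands at medium with two never-used actions and an overdue rotation, and the single-purpose exporter is clean. The point of the wildcard handling in `action_matches` is that `cloudformation:*` is counted as used because one CloudFormation call was observed, which is also why it still deserves a manual look: usage proves the service is needed, not that every action under the wildcard is.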
👉 Read our full editorial: Identity sprawl and secret exposure are widening across enterprise NHIs