AI coding tools and secrets sprawl: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079

TL;DR: AI coding tools are pushing more builders to handle real secrets, and 1Password says that often means plaintext credentials end up in .env files, chat messages, scripts, or notes that later become hard to govern. That shifts secrets management from an engineering-only task to a broader identity and access problem.

NHIMG editorial — based on content published by 1Password: developer secrets security for AI coding tools and AI builders

By the numbers:

Questions worth separating out

Q: How should security teams stop AI coding tools from creating secrets sprawl?

A: Security teams should make approved secret retrieval the easiest path and block plaintext credential storage in files, chat messages, and scripts.

Q: Why do AI-assisted development workflows increase NHI risk?

A: They increase NHI risk because they expand credential creation beyond trained developers to designers, analysts, founders, and operations staff.

Q: What breaks when developers keep secrets in .env files and chat logs?

A: What breaks is lifecycle control.

Practitioner guidance

  • Move secrets out of code and chat workflows. Block plaintext credential storage in .env files, pasted snippets, shared notes, and AI chat transcripts.
  • Make runtime retrieval the default pattern. Use service accounts, CLI flows, and SDK-based retrieval so apps and scripts fetch secrets when they execute rather than carrying reusable credentials in source or configuration.
  • Extend lifecycle controls to builders outside engineering. Assign ownership, review cadence, and offboarding steps to credentials created by designers, analysts, founders, and operations teams, not only by software engineers.

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • How 1Password's developer tools surface in the desktop app and browser extension for non-engineering builders.
  • The specific quick start paths for developers, admins, SSH, Git, developer secrets, deployments, AI access, and integrations.
  • The runtime secret retrieval options shown for AI-assisted build workflows and automation.
  • The rollout model that keeps admins in control while making the secure path easier to use.

👉 Read 1Password's article on developer secrets security for AI-assisted building →


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Credential sprawl is now a builder problem, not only an engineering problem. The article shows that designers, analysts, founders, and other non-traditional builders are now handling secrets that used to sit inside disciplined engineering workflows. That broadens the attack surface because the people creating credentials often do not have the secure coding habits that IAM and AppSec programmes assume. The implication is that secrets governance must follow the builder, not just the repository.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Should organisations prioritise runtime secret retrieval over manual cleanup?

A: Yes. Runtime retrieval reduces the number of durable secret copies and prevents teams from depending on post-hoc cleanup after exposure has already occurred. Manual cleanup is reactive and incomplete, especially when builders are using multiple tools and machines. The better control is to keep the secret out of the code path from the start.

👉 Read our full editorial: AI coding tools are accelerating credential sprawl in app security

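The runtime retrieval pattern from the first post's practitioner guidance, and the reply's point that runtime retrieval reduces durable secret copies, as an added example that is not part of either post and is not 1Password's own code. The script scans a constructed .env file and a constructed AI chat transcript for plaintext credentials, accepts only secret references of the form `op://vault/item/field`, and resolves those references at run time through a pluggable fetch function so the resolved value exists only in process memory. The default fetcher shells out to the 1Password CLI's `op read` command (assumed to be installed and signed in); the sample lines, key names, vault and item names, and the provider patterns in `KNOWN_PATTERNS` are all constructed for this example, not taken from the source article.

```python
"""Added example: keep secrets out of .env files and chat logs, fetch them at run time."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# 1Password CLI secret reference: op://<vault>/<item>/<field> (sections allowed).
SECRET_REF = re.compile(r"^op://[^/\s]+/[^/\s]+/[^\s]+$")
# Variable names that normally carry a credential.
SENSITIVE_KEY = re.compile(r"(secret|token|password|passwd|api[_-]?key|private[_-]?key)", re.I)
# Provider-prefixed token formats (constructed list; extend for your estate).
KNOWN_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),          # AWS access key id
    re.compile(r"ghp_[A-Za-z0-9]{36}"),        # GitHub personal access token
    re.compile(r"sk-[A-Za-z0-9]{20,}"),        # OpenAI-style key
    re.compile(r"xox[bp]-[A-Za-z0-9-]{10,}"),  # Slack token
]
ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
URL_CREDS = re.compile(r"://[^/\s:]+:[^@\s]+@")  # user:password@ inside a URL


@dataclass
class Finding:
    source: str
    lineno: int
    kind: str            # "plaintext" (must be removed) or "ref" (allowed)
    key: Optional[str]   # variable name when the line is KEY=value


def classify(line: str) -> Tuple[str, Optional[str]]:
    """Return ("ref"|"plaintext"|"benign", key) for one line of .env or chat text."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return "benign", None
    key, value = None, stripped
    m = ASSIGNMENT.match(stripped)
    if m:
        key, value = m.group(1), m.group(2).strip().strip("'\"")
    if SECRET_REF.match(value):
        return "ref", key                     # a pointer, not the secret itself
    if any(p.search(value) for p in KNOWN_PATTERNS):
        return "plaintext", key
    if URL_CREDS.search(value):
        return "plaintext", key
    if key and SENSITIVE_KEY.search(key) and value and not value.startswith("${"):
        return "plaintext", key               # sensitive name with a literal value
    return "benign", key


def scan(source: str, text: str) -> List[Finding]:
    """Flag every plaintext credential and every secret reference in a blob of text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind, key = classify(line)
        if kind != "benign":
            findings.append(Finding(source, lineno, kind, key))
    return findings


def op_read(ref: str) -> str:
    """Resolve one op:// reference with the 1Password CLI (assumes `op` on PATH and signed in)."""
    out = subprocess.run(["op", "read", ref], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def load_runtime_env(env_text: str, fetch: Callable[[str], str] = op_read) -> dict:
    """Build a process environment from a reference-only .env file.

    Plaintext credentials are rejected outright, so the file on disk can never
    become a durable secret copy; references are resolved only when the
    program runs and the values stay in memory."""
    env = {}
    for lineno, line in enumerate(env_text.splitlines(), 1):
        kind, key = classify(line)
        if kind == "plaintext":
            raise ValueError(f"line {lineno}: plaintext credential for {key!r}; use an op:// reference")
        if key is None:
            continue
        _, value = line.split("=", 1)
        value = value.strip().strip("'\"")
        env[key] = fetch(value) if kind == "ref" else value
    return env


# Constructed sample inputs (not real credentials or real files).
SAMPLE_ENV = """\
# constructed .env, not a real file
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123
STRIPE_KEY=op://dev-vault/stripe/test_secret_key
LOG_LEVEL=info
"""
SAMPLE_CHAT = """\
[user] here's the token so you can call the api: ghp_0123456789abcdefghijklmnopqrstuvwxyz
[assistant] Thanks. Put it in an env var instead of pasting it here.
"""

if __name__ == "__main__":
    for f in scan(".env", SAMPLE_ENV) + scan("chat.txt", SAMPLE_CHAT):
        print(f"{f.source}:{f.lineno} {f.kind} {f.key or ''}")
```

Run as a script, the scanner reports the database URL, the API key, and the pasted GitHub token as plaintext and the Stripe entry as an acceptable reference; feeding `SAMPLE_ENV` to `load_runtime_env` raises, which is the intended "block plaintext" behaviour, while a reference-only file resolves cleanly through whatever fetcher is supplied.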