TL;DR: 43% of organisations have exposed AI or machine learning credentials, while 78% run packages with critical vulnerabilities in production and 77% retain high or critical container flaws for more than 90 days, according to Orca Security’s 2026 State of Application Security Report. The data shows AppSec now has to govern identities, pipelines, and runtime exposure together, not as separate queues.
NHIMG editorial — based on content published by Orca Security: 2026 State of Application Security Report
By the numbers:
- 43% of organizations have exposed AI/ML credentials
- 78% of organizations run packages with critical vulnerabilities in production
- 31% expose valid secrets in source code and 30% retain them in Git history
Questions worth separating out
Q: How should security teams handle exposed AI/ML credentials in production pipelines?
A: Treat them as active non-human identities, not simple code artefacts.
Q: Why do secrets in source code remain a persistent security risk after removal?
A: Because removal from the file does not guarantee removal from every place it was replicated.
Q: What breaks when infrastructure as code embeds overly permissive IAM roles?
A: The same bad entitlement can be deployed repeatedly across environments, which turns one mistake into a scalable access problem.
Practitioner guidance
- Inventory AI and MLOps credentials as governed NHI assets: Classify model-hosting tokens, inference keys, and service credentials alongside other non-human identities, with explicit owners, purpose, and expiry conditions.
- Rotate exposed secrets and revoke history-backed access paths fast: Prioritise exposed secrets in repositories, Git history, and CI/CD logs.
- Block permissive identity patterns in IaC before they ship: Use policy checks to stop open network rules, unencrypted storage, and over-broad IAM roles from being deployed through templates.
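A minimal pre-deployment gate for the third item, as an added example that is not from Orca Security's report or tooling. It assumes a CloudFormation-style JSON template; the resource names, the sample template, and the finding labels are constructed for illustration.

```python
import json

# Constructed CloudFormation-style template (sample input, not from the report).
TEMPLATE = json.loads("""
{
  "Resources": {
    "InferenceRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
      {"PolicyName": "all", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "ModelBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "ApiSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "ScopedRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
      {"PolicyName": "read", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-models/*"}]}}]}}
  }
}
""")

def as_list(value):
    # IAM policy fields may be a single value or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def check_template(template):
    """Return sorted (resource, finding) pairs; finding labels are hypothetical."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::IAM::Role":
            for policy in props.get("Policies", []):
                for st in as_list(policy["PolicyDocument"]["Statement"]):
                    actions = as_list(st.get("Action", []))
                    # Over-broad: Allow on "*" or on a whole service ("s3:*").
                    if st.get("Effect") == "Allow" and any(
                            a == "*" or a.endswith(":*") for a in actions):
                        findings.append((name, "iam-wildcard-action"))
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            # Policy assumption: every bucket must declare encryption explicitly.
            findings.append((name, "storage-no-explicit-encryption"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append((name, "network-open-ingress"))
    return sorted(set(findings))

if __name__ == "__main__":
    results = check_template(TEMPLATE)
    for name, finding in results:
        print(f"BLOCK {name}: {finding}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline step
```

Run as a pipeline step, the non-zero exit status stops the template from shipping; the scoped role in the sample passes because its action and resource are both specific.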
What's in the full report
Orca Security's full report covers the operational detail this post intentionally leaves for the source:
- Production environment breakdowns across AWS, Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud.
- The report’s day-by-day remediation roadmap for days 0 to 30, 30 to 90, and beyond 90 days.
- The practical control set for secrets detection, IaC gates, and CI/CD token restriction.
- The source data behind the 43% AI/ML credential exposure finding and related AppSec trends.