TL;DR: Credential management still relies on strong passwords, MFA, SSO, PAM, and vaulting, but Zluri’s guide shows the real problem is lifecycle control across growing credential populations. The case for tighter NHI governance is no longer theoretical when 96% of organisations still store secrets outside vaults and 97% of NHIs carry excessive privileges.
NHIMG editorial — based on content published by Zluri: Security & Compliance Credential Management: The Ultimate Guide
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, which raises the likelihood of unauthorised access and broadens the attack surface once any one of them leaks.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: What breaks when credentials are stored outside a secrets manager?
A: When credentials live in code, config files, or CI/CD systems, they bypass the controls that make secrets governable: there is no single inventory of them, and rotation and revocation have nowhere to hook in, so a leaked repository, build log, or shared document exposes a credential that nobody is tracking.
Q: Why do service accounts and API keys create outsized IAM risk?
A: Service accounts and API keys often outlive the task, team, or vendor relationship that created them, and with only 20% of organisations running a formal offboarding process for API keys, nobody is left to revoke them.
Q: How do organisations know if credential management is actually working?
A: Look for evidence that secrets are vaulted, rotated, and revoked on time, and that orphaned credentials are being removed quickly after the owner changes.
Practitioner guidance
- Map every credential repository and spill point: inventory code repositories, CI/CD variables, configs, shared documents, endpoints, and ticketing systems for stored secrets, then remove any persistent credential that can be replaced with vault-backed retrieval.
- Tie rotation to identity lifecycle events: rotate API keys, tokens, and certificates when roles change, vendors offboard, or workloads are reconfigured, instead of relying on calendar-based rotation alone.
- Separate privileged access from credential persistence: use PAM for session control, but enforce short-lived issuance, revocation, and ownership for the underlying secret so a logged session does not mask a durable compromise path.
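As an added example (not code from Zluri's guide or from this editorial), the script below does two of the checks described above and in the "is it actually working" question: it scans constructed file contents for literal secrets while ignoring vault or environment references, and it audits a constructed credential inventory for the lifecycle failures the guidance names (unvaulted, rotation overdue, orphaned after owner or vendor offboarding), with a helper that lists what to rotate when a principal leaves or changes role. The file contents, the key-like strings (the AKIA value is AWS's documented placeholder key ID), the inventory rows, and the active-owner set are all made up; a real deployment would read these from the repository, the CI system, the vault, and the HR or vendor system of record.

```python
"""Added example: spill-point scan plus credential lifecycle audit.

All file contents, key-like strings and inventory rows below are constructed
for illustration; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key ID.
"""
import re
from dataclasses import dataclass
from datetime import date

# --- 1. Spill-point scan ---------------------------------------------------
# Constructed sample artifacts standing in for a repo checkout and CI config.
SAMPLE_FILES = {
    "app/config.env": (
        "DB_PASSWORD=hunter2\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  STRIPE_KEY: sk_live_FAKE0000000000000000\n"
        "  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}\n"   # injected at run time
        "  VAULT_ADDR: https://vault.internal\n"
    ),
    "src/client.py": "token = os.environ['API_TOKEN']\n",  # vault/env-backed lookup
}

PATTERNS = {
    # AWS access key IDs have a fixed, recognisable shape.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Generic "name = value" / "name: value" where the name suggests a secret.
    "hardcoded_secret": re.compile(
        r"(?i)(password|passwd|secret|token|key)\b\s*[:=]\s*['\"]?([^\s'\"]+)"
    ),
}
# Values that point at a secrets manager or runtime injection, not a literal.
REFERENCE_PREFIXES = ("${", "{{", "os.environ", "vault:", "secretsmanager:")


def scan_files(files):
    """Return (path, line_no, pattern_name) for every literal secret found."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    value = m.group(2) if m.lastindex and m.lastindex >= 2 else m.group(0)
                    if value.startswith(REFERENCE_PREFIXES):
                        continue  # reference to a vault/env lookup: the goal state
                    findings.append((path, line_no, name))
    return findings


# --- 2. Lifecycle audit ----------------------------------------------------
@dataclass
class Credential:
    name: str
    owner: str           # accountable human, team or vendor
    vaulted: bool
    last_rotated: date
    max_age_days: int
    revoked: bool = False


# Constructed inventory; ACTIVE_OWNERS stands in for the HR/vendor system of record.
INVENTORY = [
    Credential("payments-api-key", "alice", True, date(2024, 4, 1), 90),
    Credential("ci-deploy-token", "platform-team", False, date(2023, 11, 1), 90),
    Credential("vendor-sftp-sa", "acme-vendor", True, date(2024, 5, 15), 180),
    Credential("legacy-report-key", "bob", True, date(2024, 5, 20), 90, revoked=True),
]
ACTIVE_OWNERS = {"alice", "platform-team"}  # bob left; acme-vendor contract ended
TODAY = date(2024, 6, 1)


def audit(inventory, active_owners, today):
    """Map each live credential to the lifecycle controls it is failing."""
    report = {}
    for c in inventory:
        if c.revoked:
            continue  # revoked on time: nothing further to check
        issues = []
        if not c.vaulted:
            issues.append("unvaulted")
        if (today - c.last_rotated).days > c.max_age_days:
            issues.append("rotation_overdue")
        if c.owner not in active_owners:
            issues.append("orphaned")  # owner offboarded but secret still live
        if issues:
            report[c.name] = issues
    return report


def rotate_on_event(inventory, principal):
    """Lifecycle-driven rotation: every live credential the principal owns."""
    return [c.name for c in inventory if c.owner == principal and not c.revoked]


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("spilled secret:", finding)
    for name, issues in audit(INVENTORY, ACTIVE_OWNERS, TODAY).items():
        print("lifecycle failure:", name, issues)
    print("rotate on alice role change:", rotate_on_event(INVENTORY, "alice"))
```

The scan deliberately treats `${{ secrets.X }}` and `os.environ[...]` as the desired end state rather than as findings; the same reference check is what turns a noisy secret scanner into one that measures progress toward vault-backed retrieval. The audit skips revoked entries on purpose: a credential revoked when its owner left is the control working, and it should not appear as orphaned.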
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanations of the credential management lifecycle, from creation through deletion
- Plain-language breakdowns of MFA, SSO, PAM, and credential vaulting as separate control types
- Examples of how zero trust and least privilege are positioned inside the credential management model
- Broader product context around Zluri's access management approach and how it is framed for buyers
👉 Read Zluri's guide to credential management and secure access controls →
Credential management and NHI sprawl: where controls are breaking?