Credentialitis and secrets sprawl: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter

TL;DR: Passwords, API keys, tokens, and hardcoded blobs keep accumulating because vaults and scanning tools treat symptoms rather than the brittle credentialing model itself, according to Aembit. The underlying governance gap is now a workload identity problem, not a hygiene problem.

NHIMG editorial — based on content published by Aembit: Credentialitis and the AccessZero experience

Questions worth separating out

Q: How should security teams reduce secrets sprawl without disrupting delivery?

A: Start by classifying secrets by business criticality, lifetime, and exposure path.

Q: Why do vaults and rotation fail to eliminate credential exposure?

A: Vaults and rotation control handling, but they do not remove the underlying dependency on reusable secrets.

Q: What do security teams get wrong about secrets scanning?

A: They often treat scanning as proof of governance when it is only a detection layer.

Practitioner guidance

  • Map all standing secrets by owner and runtime: Build an inventory of passwords, API keys, tokens, config files, and hardcoded blobs across repos, pipelines, and application runtimes.
  • Replace cross-environment shared credentials first: Prioritise secrets that grant access across multiple environments, teams, or vendors because they create the widest blast radius.
  • Tie secret revocation to offboarding events: Connect credential revocation to joiner-mover-leaver processes, vendor offboarding, and service retirement so access does not persist after business need ends.

What's in the full article

Aembit's full article covers the operational detail this post intentionally leaves for the source:

  • The interactive AccessZero experience that frames Credentialitis as a diagnosis exercise for teams.
  • The diagnostic quiz and custom risk score that help readers self-assess their current non-human identity posture.
  • The downloadable recovery plan that lays out a prescriptive path toward workload IAM.
  • The vendor-neutral educational framing behind the hub's treatment and recovery content.

👉 Read Aembit's full Credentialitis experience and workload IAM recovery guide →


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 7990

Credentialitis is a useful name for a familiar failure mode, but the real issue is credential dependency. Organisations do not just have too many secrets; they have built critical access paths on artefacts that are easy to copy, hard to revoke, and impossible to observe everywhere at once. That is why scanning and rotation keep feeling productive while the exposure surface stays large. The practitioner takeaway is that the problem is architectural, not cosmetic.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How do IAM teams know whether workload identity adoption is working?

A: Look for fewer reusable secrets, fewer manual rotation exceptions, and fewer access paths that depend on copied credentials. If workload identity is working, teams should see less secret handling in delivery pipelines and a cleaner offboarding process for applications and integrations. The signal is reduced credential dependency, not just a larger vault.

👉 Read our full editorial: Credentialitis shows why secrets sprawl is still an NHI governance failure
