Notifications
Clear all
Topic starter
14/05/2026 1:49 pm
TL;DR: Claude helped build a Proxmox-based lab with Terraform, Ansible, Windows Server, and dual Teleport integrations in hours rather than days, but the workflow exposed repeated sequencing errors, credential lifecycle mistakes, and shared-state failures that human review had to catch, according to Teleport. The lesson is that AI speeds up infrastructure work, but it does not remove NHI governance, access control, or validation discipline.
NHIMG editorial — based on content published by Teleport: How Claude Helped Build a Proxmox Environment (and What I Learned Along the Way)
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams govern AI-assisted infrastructure automation?
A: Treat AI-assisted automation as a privileged workload with constrained scope, logged actions, and mandatory human review for identity or network changes.
Q: Why do AI tools create new NHI risk in infrastructure workflows?
A: AI tools create NHI risk because they can recommend, generate, or repeat actions that touch service accounts, certificates, tokens, and cluster state without understanding the operational blast radius.
Q: What is the difference between short-lived credentials and proper NHI governance?
A: Short-lived credentials reduce exposure time, but proper NHI governance also defines scope, issuance authority, storage location, revocation, and ownership.
Practitioner guidance
- Implement step-ordered automation reviews Require human review for any playbook or agent workflow that changes host identity, IP addressing, or domain membership.
- Bind every machine credential to a single trust domain Avoid shared join tokens, shared certificate directories, or reused service state across clusters and environments.
- Replace long-lived tokens with task-scoped issuance Use short-lived credentials for automation and treat extended tokens as exception-only, time-bound break-glass material.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the control gap is already structural, not theoretical?
👉 Read Teleport's account of AI-assisted Proxmox and Teleport lab building →
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
14/05/2026 1:49 pm
A few things worth adding from our research at NHI Mgmt Group.
AI-assisted infrastructure work creates ephemeral credential trust debt. The productivity gain is real, but each automation shortcut can accumulate hidden trust assumptions about who or what may execute, join, or persist in an environment. That debt shows up when temporary credentials become convenient defaults instead of tightly scoped exceptions. Practitioner conclusion: if AI writes the automation, identity policy must still define the boundaries.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: When do AI-assisted automation mistakes become an access control problem?
A: They become an access control problem when the mistake affects who or what can join, persist, or write state in a system. At that point the error is no longer just a failed script. It is a governance issue involving privilege boundaries, identity records, and the integrity of the trust chain.
👉 Read our full editorial: AI-assisted infrastructure automation still needs identity guardrails
