
How should teams govern NHI consumers, secrets, and access?


(@entro)
Reputable Member
Joined: 1 year ago
Posts: 92
Topic starter  

TL;DR: Non-human identities are made up of consumers, secrets, and entitlements, and the security failure usually appears when those three pieces are managed separately rather than as one governance problem, according to Entro Security. The real issue is not just credential exposure, but the access path and blast radius that follow it.

NHIMG editorial — based on research published by Entro Security.

By the numbers:

Questions worth separating out

Q: How should security teams govern non-human identities across cloud and AI systems?

A: Security teams should govern non-human identities as a lifecycle, not a set of separate controls.

Q: Why do secrets alone not solve non-human identity risk?

A: Secrets only prove that an identity is allowed to authenticate.

Q: What is the difference between a non-human identity secret and an entitlement?

A: A secret is the credential that authenticates the consumer, such as an API key, token, or certificate.

Practitioner guidance

  • Inventory every non-human identity as a full chain: record the workload or service that acts as the consumer, the secret used to authenticate it, and the entitlements attached to that identity.
  • Reduce entitlements before you rotate secrets: review whether each service account, token, or role still needs its current permissions, then remove unused access before changing credentials.
  • Tie secret lifecycle controls to access reviews: set a recurring review for creation, rotation, expiration, and revocation so a secret does not outlive the workload or business process it supports.

The practical shift is toward continuous discovery, entitlement review, and ownership mapping before access becomes unmanageable.

👉 Read Entro Security's blog on the three elements of non-human identities →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

A few things worth adding from our research at NHI Mgmt Group.

The consumer, secret, and entitlement triad is the right model for NHI governance, but most programs still only manage one corner of it. Credential vaulting without permission governance leaves blast radius intact. Permission reviews without inventory leave unknown identities active. A durable NHI program has to govern the identity as a lifecycle, not as a collection of disconnected controls.

A few things that frame the scale:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
  • AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to The State of Secrets Sprawl 2026.

A question worth separating out:

Q: When should organisations prioritise entitlement reduction over secret rotation?

A: Organisations should prioritise entitlement reduction whenever a workload has broad, inherited, or rarely used permissions. Rotating a secret does not reduce the damage an attacker can do if the identity still has excessive access. Removing unused rights first usually delivers faster risk reduction than changing credentials alone.

👉 Read our full editorial: Three elements define NHI risk: consumers, secrets, and entitlements

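The consumer/secret/entitlement chain from the practitioner guidance in the opening post, and the "reduce entitlements before you rotate" ordering from the reply, can both be expressed as a small review pass over an inventory. The following is an added example written for this thread; it is not code from Entro Security or NHI Mgmt Group. The identity records, the review date, and the thresholds (90 days for an unused entitlement, 180 days for rotation, `*` and `admin` as broad actions) are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Review thresholds: assumptions for this example, not values from the thread.
UNUSED_AFTER = timedelta(days=90)    # entitlement not exercised in this window counts as unused
ROTATE_AFTER = timedelta(days=180)   # secret older than this is overdue for rotation
BROAD_ACTIONS = {"*", "admin"}       # actions treated as broad permissions


@dataclass(frozen=True)
class Entitlement:
    resource: str
    action: str
    inherited: bool = False              # granted via a role/group, not directly to the identity
    last_used: Optional[date] = None     # None: never exercised


@dataclass
class NonHumanIdentity:
    consumer: str                        # workload or service that acts with this identity
    secret_kind: str                     # api_key, token, certificate, ...
    secret_created: date
    secret_expires: Optional[date]       # None: non-expiring secret
    consumer_active: bool                # False once the workload is decommissioned
    owner: Optional[str] = None          # accountable team; None: no owner mapped
    entitlements: list = field(default_factory=list)


def is_excessive(ent: Entitlement, today: date) -> bool:
    """Broad, inherited, or rarely used: the cases where access should shrink first."""
    unused = ent.last_used is None or today - ent.last_used > UNUSED_AFTER
    return ent.action in BROAD_ACTIONS or ent.inherited or unused


def findings(nhi: NonHumanIdentity, today: date) -> list:
    """All governance findings for one identity, across consumer, secret and entitlements."""
    out = []
    if nhi.owner is None:
        out.append("no owner mapped")
    if not nhi.consumer_active:
        out.append("secret outlives decommissioned consumer")
    if nhi.secret_expires is None:
        out.append("non-expiring secret")
    elif nhi.secret_expires <= today:
        out.append("secret expired")
    if today - nhi.secret_created > ROTATE_AFTER:
        out.append("secret rotation overdue")
    for ent in nhi.entitlements:
        if is_excessive(ent, today):
            out.append(f"excessive entitlement: {ent.action} on {ent.resource}")
    return out


def next_action(nhi: NonHumanIdentity, today: date) -> str:
    """Single highest-value step, in the thread's order: revoke > reduce entitlements > rotate > ok."""
    if not nhi.consumer_active:
        return "revoke"                      # secret must not outlive its consumer
    if any(is_excessive(e, today) for e in nhi.entitlements):
        return "reduce_entitlements"         # shrink blast radius before touching credentials
    overdue = today - nhi.secret_created > ROTATE_AFTER
    expired = nhi.secret_expires is not None and nhi.secret_expires <= today
    if overdue or expired:
        return "rotate_secret"
    return "ok"


def review_inventory(inventory: list, today: date) -> dict:
    """Map each consumer to the next action the review recommends."""
    return {nhi.consumer: next_action(nhi, today) for nhi in inventory}


TODAY = date(2026, 3, 1)   # constructed review date

# Constructed inventory for the example; none of these are real identities.
INVENTORY = [
    NonHumanIdentity("billing-batch", "api_key", date(2025, 1, 10), None, True, "payments",
        [Entitlement("s3://invoices", "read", last_used=date(2026, 2, 20)),
         Entitlement("iam", "admin", inherited=True, last_used=date(2025, 6, 1))]),
    NonHumanIdentity("report-generator", "token", date(2025, 12, 1), date(2026, 6, 1), True, "data",
        [Entitlement("db://warehouse", "read", last_used=date(2026, 2, 27))]),
    NonHumanIdentity("legacy-sync", "certificate", date(2024, 5, 5), date(2027, 1, 1), False, None,
        [Entitlement("db://customers", "write", last_used=date(2025, 10, 15))]),
]

if __name__ == "__main__":
    for nhi in INVENTORY:
        print(nhi.consumer, "->", next_action(nhi, TODAY), findings(nhi, TODAY))
```

Note the ordering in `next_action`: an identity whose consumer is gone is revoked outright, an identity with a broad, inherited or unused entitlement gets its access cut before anyone rotates its key, and only an identity that is already least-privilege is sent to rotation. Running the block on the constructed inventory recommends `reduce_entitlements` for the billing job (inherited admin), `ok` for the report generator, and `revoke` for the decommissioned sync job.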