TL;DR: Hardcoded secrets, leaked tokens, and credentials shared in logs or collaboration tools create direct paths to NHI compromise, lateral movement, and unauthorized cloud access, according to Entro Labs. The security issue is not detection alone but reducing secret lifespan, access scope, and storage sprawl before attackers can weaponize exposed identities.
NHIMG editorial — based on research published by Entro Security.
By the numbers:
- Non-human identities and secrets are outnumbering human identities by 92X in modern IT environments.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today.
Questions worth separating out
Q: How should organisations reduce the risk of leaked secrets in NHI environments?
A: Start by treating every credential as a governed identity with an owner, expiry, and scope.
Q: Why are secrets in logs and chat tools so dangerous?
A: Because those locations are broad, durable, and rarely monitored with the same discipline as production secret stores.
Q: What is the difference between secret detection and secret governance?
A: Detection finds the leak.
Practitioner guidance
- Inventory all secret-bearing systems: map code repositories, CI/CD logs, chat platforms, ticketing systems, and documentation stores into one discovery programme so exposed credentials are not treated as isolated incidents.
- Enforce fast rotation and expiry: set short lifetimes for API keys, tokens, and certificates, and automate revocation when a secret is found in a public repo, log, or collaboration thread.
- Reduce entitlement before leakage happens: review service account and API permissions so leaked credentials cannot reach high-value systems, then remove non-admin access that is not required for operation.
Align discovery, revocation, and access review with the control intent in NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10.
👉 Read Entro Labs' full analysis of secrets exposure and NHI attack paths →
A few things worth adding from our research at NHI Mgmt Group.
Secrets exposure is now an NHI governance problem, not just a secure coding problem. The article's real lesson is that credentials drift across code, logs, tickets, and chat until they become a separate identity estate. That estate is usually less visible than the production environment and far easier to misuse. Practitioners should govern secrets as live identities, not as static configuration artefacts.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to The State of Secrets Sprawl 2026.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
A question worth separating out:
Q: When does a leaked secret become a major business risk?
A: It becomes a major risk when the credential can reach production systems, cloud control planes, or sensitive data stores and remains valid long enough to be used. Scope, lifespan, and privilege matter more than the fact of exposure alone.
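The practitioner guidance above (inventory, rotation and expiry, entitlement reduction) and this answer (scope, lifespan and privilege decide the risk) can be shown together in one small governance loop. The following Python is an added example written for this editorial; it is not code from Entro Security, NHI Mgmt Group, or any scanner product. The credential patterns are a minimal illustration, the registry entries, sample lines, key values, lifetime limits and severity rules are all constructed assumptions, and the inventory stores only a hash of each credential rather than the value.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative patterns only; a real scanner carries many more and validates hits
# with the issuing provider before acting on them.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_api_key": re.compile(r"\bapi_key\s*=\s*[A-Za-z0-9_\-]{12,}", re.IGNORECASE),
}

# Policy assumption: maximum lifetime per credential kind (hypothetical values).
MAX_LIFETIME = {
    "aws_access_key": timedelta(days=90),
    "github_token": timedelta(days=30),
    "generic_api_key": timedelta(days=30),
}

def fingerprint(secret: str) -> str:
    """Inventory keeps a short hash of the credential, never the credential."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

@dataclass(frozen=True)
class Credential:
    kind: str
    owner: str
    issued_at: datetime
    reach: frozenset        # systems the credential can reach
    admin: bool             # carries administrative privilege
    admin_required: bool    # the workload actually needs that privilege

@dataclass(frozen=True)
class Finding:
    kind: str
    source: str             # repo, ci_log, slack, jira, ...
    location: str
    fp: str

@dataclass(frozen=True)
class Action:
    fp: str
    action: str             # revoke | rotate | reduce_scope | investigate
    severity: str
    reason: str

# Constructed sample: a fragment of the secret inventory, keyed by fingerprint.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_AWS = "AKIAEXAMPLE000000001"          # fabricated key id, correct shape
SAMPLE_GH = "ghp_" + "A" * 36                # fabricated token, correct shape
SAMPLE_API = "api_key=sk-live-fakevalue-1234"
REGISTRY = {
    fingerprint(SAMPLE_AWS): Credential("aws_access_key", "team-platform", NOW - timedelta(days=40),
                                        frozenset({"cloud_control_plane"}), admin=True, admin_required=False),
    fingerprint(SAMPLE_GH): Credential("github_token", "ci-bot", NOW - timedelta(days=10),
                                       frozenset({"source_control"}), admin=False, admin_required=False),
    fingerprint("AKIAEXAMPLE000000002"): Credential("aws_access_key", "team-data", NOW - timedelta(days=120),
                                                    frozenset({"data_store"}), admin=False, admin_required=False),
}

# Constructed sample lines from one discovery sweep across four system types.
SAMPLE_LINES = [
    ("repo", "config/prod.env", f"AWS_ACCESS_KEY_ID={SAMPLE_AWS}"),
    ("ci_log", "build-4412.log", f"export GITHUB_TOKEN={SAMPLE_GH}"),
    ("slack", "#deploy-help", f"try {SAMPLE_API} against staging"),
    ("jira", "OPS-188", "nothing secret here, only a stack trace"),
]

def severity(cred: Credential) -> str:
    """Scope and privilege set the rating, not the fact of exposure alone."""
    if cred.admin or "cloud_control_plane" in cred.reach:
        return "critical"
    if cred.reach & {"prod", "data_store"}:
        return "high"
    return "medium"

def discover(lines) -> list:
    """Inventory step: scan every secret-bearing system with the same patterns."""
    findings = []
    for source, location, text in lines:
        for kind, pattern in PATTERNS.items():
            match = pattern.search(text)
            if match:
                findings.append(Finding(kind, source, location, fingerprint(match.group(0))))
    return findings

def plan_actions(findings, registry, now=NOW) -> list:
    """Rotation/expiry and entitlement steps applied to the inventory."""
    actions, exposed = [], set()
    for f in findings:
        exposed.add(f.fp)
        cred = registry.get(f.fp)
        if cred is None:
            # No owner and no expiry: it cannot be governed until identified.
            actions.append(Action(f.fp, "investigate", "high", f"unregistered secret in {f.source}:{f.location}"))
            continue
        actions.append(Action(f.fp, "revoke", severity(cred), f"exposed in {f.source}:{f.location}"))
    for fp, cred in registry.items():
        if fp not in exposed and now - cred.issued_at > MAX_LIFETIME[cred.kind]:
            actions.append(Action(fp, "rotate", severity(cred), "past maximum lifetime"))
        if cred.admin and not cred.admin_required:
            actions.append(Action(fp, "reduce_scope", severity(cred), "admin privilege not required"))
    return actions

if __name__ == "__main__":
    for a in plan_actions(discover(SAMPLE_LINES), REGISTRY):
        print(f"{a.action:13} {a.severity:9} {a.fp} {a.reason}")
```

Running it produces one revoke per exposed registered credential (the AWS key rated critical because it reaches the cloud control plane with admin rights, the CI token rated medium), an investigate action for the Slack finding that has no owner in the inventory, a rotate action for the unexposed key that is past its lifetime, and a reduce_scope action for the admin key whose privilege is not required. The point of the structure is that detection feeds governance: every finding is resolved against an owned, expiring, scoped identity rather than handled as a one-off leak.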
👉 Read our full editorial: Secrets exposure is widening the NHI attack surface across teams