TL;DR: Secret rotation is presented as a requirement for breach response, compliance, lifecycle changes, and business continuity, but the article argues that vaulting, monitoring, and offboarding alone do not prevent secret exposure or lingering non-human access, according to Oasis Security. The real issue is that organisations still treat secrets as stable assets when they are often exposed, duplicated, and reused across environments.
NHIMG editorial — based on content published by Oasis Security: The Importance of Secret Rotation in Ensuring Security and Compliance
By the numbers:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, 38% have no or low visibility, and a further 47% have only partial visibility.
Questions worth separating out
Q: How should security teams handle secret rotation after a breach or exposure?
A: Security teams should treat breach response as a rotation event, not just an investigation.
Q: Why do secrets need rotation even when they are stored in a vault?
A: Vault storage reduces casual exposure, but it does not guarantee that every application is retrieving secrets from the vault at runtime.
Q: What breaks when offboarding does not include secret revocation?
A: The former identity may be removed in IAM while the credential itself remains usable by the ex-employee or by any system that still knows it.
Practitioner guidance
- Inventory every live secret and its true dependency path: build a complete inventory of secrets, tokens, and certificates, then map which applications, integrations, and humans can still use them.
- Trigger rotation on breach, offboarding, and role change events: do not wait for periodic clean-up cycles.
- Separate vault storage from actual runtime enforcement: confirm that applications retrieve secrets from the vault at runtime rather than caching or embedding them locally.
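As an added example (written for this editorial, not code from Oasis Security or the NHIMG), the three guidance points above as a small Python model: a secret inventory that records every live copy and every consumer, an event-driven rotation planner for breach, offboarding, role change and audit events, and a check that flags consumers with no recent vault read. The inventory, owner names and vault audit records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Secret:
    secret_id: str
    owner: str            # accountable team (the editorial's "system owner")
    locations: frozenset  # every place a live copy exists, e.g. "vault", "ci-env"
    consumers: frozenset  # humans and non-human identities able to use it
    created: datetime

@dataclass
class RotationPlan:
    secret_id: str
    owner: str
    reason: str
    copies_to_invalidate: frozenset  # live copies outside the vault (duplicates)
    consumers_to_reissue: frozenset  # who needs the new value once the old one is revoked

def plan_rotation(inventory, event, now, subject=None, max_age=timedelta(days=90)):
    """Turn a lifecycle event into rotation work items. event is "breach" (subject =
    compromised location), "offboarding"/"role_change" (subject = identity) or "audit"."""
    plans = []
    for s in inventory:
        if event == "breach" and subject in s.locations:
            reason, reissue = f"copy lived in compromised location {subject}", s.consumers
        elif event in ("offboarding", "role_change") and subject in s.consumers:
            reason, reissue = f"{subject} could still use it after {event}", s.consumers - {subject}
        elif event == "audit" and now - s.created > max_age:
            reason, reissue = f"older than {max_age.days} days", s.consumers
        else:
            continue
        plans.append(RotationPlan(s.secret_id, s.owner, reason, s.locations - {"vault"}, frozenset(reissue)))
    return plans

def consumers_not_reading_from_vault(secret, vault_reads, window_days, now):
    """Consumers with no vault read of this secret in the window are probably running on
    a cached or embedded copy, so rotating the vault value alone will not reach them."""
    recent = {who for who, sid, ts in vault_reads
              if sid == secret.secret_id and now - ts <= timedelta(days=window_days)}
    return secret.consumers - recent

# Constructed sample inventory and vault audit records (not real data).
NOW = datetime(2025, 6, 1)
INVENTORY = [
    Secret("db-prod", "platform", frozenset({"vault", "ci-env"}), frozenset({"api-svc", "alice"}), NOW - timedelta(days=200)),
    Secret("s3-backup", "data", frozenset({"vault"}), frozenset({"backup-job"}), NOW - timedelta(days=10)),
    Secret("slack-bot", "it", frozenset({"laptop-alice"}), frozenset({"alice"}), NOW - timedelta(days=30)),
]
VAULT_READS = [("api-svc", "db-prod", NOW - timedelta(hours=1)), ("backup-job", "s3-backup", NOW - timedelta(days=1))]
```

Each plan names the owner who must act, every non-vault copy that has to be invalidated alongside the vault value, and the consumers that need the new credential; the vault-read check is what turns "it is stored in the vault" into something measurable.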
What's in the full article
Oasis Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Examples of when to rotate secrets after a breach, including the response pattern used by Cloudflare after the Okta compromise.
- The article's discussion of why monitoring tools like CSPM and ITDR still leave a manual rotation gap.
- More detail on the scream test approach and why it fails as a repeatable operational process.
- The vendor's view of automation as the mechanism for making rotation programmatic and continuous.
Read Oasis Security's analysis of secret rotation, compliance, and breach recovery.
Secret rotation and NHI governance: what teams are missing?
Explore further
Secret rotation is a containment control, not a cleanliness exercise. The article correctly frames rotation as the mechanism that shortens the life of an exposed credential after breach, audit failure, or organisational change. In NHI governance terms, the issue is not whether a secret exists, but how long it remains valid once exposed. That distinction matters because exposure often happens outside the vault, and the practical security question becomes how quickly the organisation can make the old credential unusable.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, according to Entro Security, which increases the chance that rotation must clean up more than one live copy.
A question worth separating out:
Q: Who is accountable for secret rotation across IAM, PAM, and NHI programmes?
A: Accountability usually sits with the system owner, the identity team, and the application owner together, because each controls part of the secret lifecycle. IAM defines the lifecycle event, PAM governs privileged secrets, and NHI operations handle the runtime credential. If no owner can revoke it quickly, the control is incomplete.
Read our full editorial: Secret rotation is the control gap in NHI compliance and breach recovery.