TL;DR: Traditional secrets management breaks down when applications continuously generate, consume, and exchange tokens, certificates, and API keys across distributed systems, according to Infisical's 2026 guide. The core shift is away from static credential storage toward dynamic generation, automated lifecycle control, and runtime injection that reduce exposure windows and human handling.
NHIMG editorial — based on content published by Infisical: Secrets Management Best Practices [2026]
By the numbers:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
- Internal repositories are 6x more likely to contain secrets than public ones (32.2% vs 5.6%), contradicting the assumption that private repos are safe.
Questions worth separating out
Q: How should security teams reduce exposure from long-lived application secrets?
A: Start by identifying where secrets are reused across workloads, then replace the highest-risk ones with dynamic credentials that expire automatically.
Q: When does secrets rotation stop being enough?
A: Rotation stops being enough when the same credential model remains in place and only the clock changes.
Q: What do organisations get wrong about secrets management in CI/CD pipelines?
A: They often assume that putting secrets into a pipeline is safe if the values are encrypted or stored in a vault.
Practitioner guidance
- Inventory static credentials by workload criticality Classify API keys, certificates, and database passwords by business impact, then target the credentials that sit in production paths, CI/CD systems, and shared services first.
- Replace long-lived credentials with dynamic issuance Use on-demand secret generation for databases, SSH, and API access where the workload can authenticate through a trusted identity provider.
- Move secret delivery into runtime controls Fetch secrets programmatically at execution time through SDKs, orchestration, or managed injection rather than storing values in code, logs, or tickets.
What's in the full article
Infisical's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step implementation guidance for dynamic database credentials, API tokens, and SSH certificates.
- Practical examples for injecting secrets into applications, orchestration layers, and CI/CD pipelines without exposing values.
- A phased roadmap for assessment, core implementation, advanced automation, and scaling across environments.
- Developer workflow guidance that shows how teams can reduce friction while tightening secret control.
👉 Read Infisical's guide to secrets management best practices →
Secrets management best practices: what IAM teams need to change?
Explore further
Static secret thinking is the control failure modern application estates expose most clearly. The guide describes an environment where tokens, certificates, and API keys are created and consumed continuously, yet many programmes still treat them like durable passwords. That mindset creates a mismatch between credential lifetime and application velocity. The practical conclusion is that modern secrets governance has to be built around runtime behaviour, not storage alone.
A few things that frame the scale:
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to The State of Secrets Sprawl 2026.
A question worth separating out:
Q: How do you know if secrets governance is actually working?
A: Look for fewer static credentials, faster revocation after discovery, and clear ownership for every active secret. If teams still rely on manual steps, cannot explain where credentials live, or keep finding secrets in code and collaboration tools, the programme is controlling storage but not governing identity.
👉 Read our full editorial: Secrets management best practices for dynamic, cloud-native access