TL;DR: Secrets management still breaks down at discovery, classification, monitoring, and revocation, with leaked credentials remaining a major operational burden according to Entro Security. The real issue is not whether secrets exist, but whether organisations can govern them as living non-human identities across their full lifecycle.
NHIMG editorial — based on content published by Entro Security: Hard questions you should ask your secrets management service
By the numbers:
- Only 44% of organisations are currently using a dedicated secrets management system.
Questions worth separating out
Q: How should security teams implement secrets management across cloud and application environments?
A: Start with continuous discovery, then tie each secret to an owner, purpose, environment, and expiry condition.
Q: Why do unmanaged secrets increase lateral movement risk?
A: Unmanaged secrets often survive past their original business purpose, which turns a temporary credential into standing access.
Q: What do teams get wrong about secrets rotation?
A: Many teams treat rotation as the whole control, when it is only effective if old credentials are actually invalidated and replaced everywhere they are used.
Practitioner guidance
- Create a complete secrets inventory: map every API key, password, token, certificate, and SSH key to its system owner, environment, and usage context.
- Classify secrets by business criticality: assign each secret a sensitivity tier, production or non-production status, and blast-radius estimate.
- Link each secret to lifecycle ownership: require an owner, expiry condition, and revocation path before a secret is approved for production use.
What's in the full article
Entro Security's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step evaluation checklist for secrets discovery coverage across vaults, repositories, and pipelines
- Practical examples of metadata enrichment for secret classification and access context
- Detailed discussion of monitoring, anomaly detection, and privacy/compliance controls for secret usage
- A feature-by-feature comparison table covering inventory, lifecycle, leakage detection, and over-permission handling
👉 Read Entro Security's hard questions checklist for secrets management services →
Secrets management governance gaps: are your controls keeping up?
Secrets management is now NHI governance, not a sidecar to it. The article's own framing shows why discovery, classification, lifecycle, and monitoring are not separate hygiene tasks. They are the minimum control set for non-human identities whose access is expressed through credentials rather than interactive logins. The practitioner implication is that secrets programmes should be measured as identity programmes, not as tooling inventories.
A few things that frame the scale:
- The average time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.
A question worth separating out:
Q: How do organisations know if secrets management is actually working?
A: Look for reduction in unknown secrets, faster revocation after exposure, fewer overpermissive credentials, and clearer ownership at the record level. A working programme shortens the time between discovery and containment. If leaked secrets remain active for days or weeks, the control is not mature enough for production trust.
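As an added illustration of the practitioner guidance above (inventory fields and lifecycle ownership) and of this answer's "is it working" measures, not code from Entro Security or NHIMG: a small Python check that gates production secrets on owner, purpose, expiry and revocation path, flags credentials that have become standing access, and measures days from exposure to containment. The record schema, field names and sample inventory are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class SecretRecord:
    """One inventory row; field names are this example's own, not a vendor schema."""
    secret_id: str
    kind: str                                # api_key, token, certificate, ssh_key, password
    environment: str                         # "production" or "non-production"
    owner: Optional[str] = None
    purpose: Optional[str] = None
    expires_at: Optional[datetime] = None    # the expiry condition
    revocation_path: Optional[str] = None    # how it is invalidated everywhere it is used
    active: bool = True
    exposed_at: Optional[datetime] = None    # when a leak was discovered
    contained_at: Optional[datetime] = None  # when the credential was actually revoked

def production_gate(rec: SecretRecord) -> list[str]:
    """Reasons a production secret fails the owner/purpose/expiry/revocation-path bar."""
    if rec.environment != "production":
        return []
    return [f"missing {attr}" for attr in ("owner", "purpose", "expires_at", "revocation_path")
            if getattr(rec, attr) is None]

def is_standing_access(rec: SecretRecord, now: datetime) -> bool:
    """Active with no expiry, or active past expiry: temporary access that became standing."""
    return rec.active and (rec.expires_at is None or rec.expires_at <= now)

def containment_days(inventory: list[SecretRecord], now: datetime) -> dict[str, float]:
    """Days from exposure to revocation; an uncontained leak keeps counting up to now."""
    out = {}
    for rec in inventory:
        if rec.exposed_at is not None:
            out[rec.secret_id] = ((rec.contained_at or now) - rec.exposed_at) / timedelta(days=1)
    return out

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is deterministic
INVENTORY = [  # constructed sample records, not data from the article
    SecretRecord("ci-deploy-token", "token", "production", owner="platform-team",
                 purpose="deploy to prod cluster", expires_at=NOW + timedelta(days=30),
                 revocation_path="vault lease revoke"),
    SecretRecord("legacy-db-password", "password", "production"),  # no owner, expiry or revocation path
    SecretRecord("vendor-api-key", "api_key", "production", owner="integrations",
                 purpose="billing export", expires_at=NOW - timedelta(days=90),
                 revocation_path="vendor console: regenerate key", exposed_at=NOW - timedelta(days=30)),
    SecretRecord("staging-ssh-key", "ssh_key", "non-production", expires_at=NOW + timedelta(days=10),
                 exposed_at=NOW - timedelta(days=20), contained_at=NOW - timedelta(days=6)),
]
```

Running `production_gate`, `is_standing_access` and `containment_days` over `INVENTORY` shows the three failure modes the article separates: a production secret with no lifecycle metadata, an expired key that is still live after a leak, and a contained leak whose containment time is what a programme should be measured on.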
👉 Read our full editorial: Secrets management hard questions expose NHI governance gaps