
Secrets management in 2026: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Secrets management is the practice of storing, rotating, and controlling access to passwords, API keys, certificates, and tokens across modern infrastructure, according to StrongDM. The real problem is not storage alone but the governance gap created when secrets are hardcoded, overexposed, or left without lifecycle control, because access paths outlive the assumptions behind them.

NHIMG editorial — based on content published by StrongDM: What Is Secrets Management? Best Practices for 2026

By the numbers:

Questions worth separating out

Q: How should security teams handle secrets sprawl across CI/CD and cloud systems?

A: Start by identifying every place secrets are created, copied, and consumed, then remove ad hoc storage outside approved controls.

Q: Why do hardcoded secrets create such a large security risk?

A: Hardcoded secrets turn source code, build output, and configuration files into credential repositories, which makes exposure easy to repeat and difficult to contain.

Q: When does secrets rotation actually reduce risk?

A: Rotation reduces risk when the new credential replaces the old one quickly enough that exposure cannot be operationalised.

Practitioner guidance

  • Inventory every secret location: Build a complete map of where credentials appear in repositories, CI/CD jobs, tickets, chat, build artifacts, and runtime configs.
  • Shorten validity windows for all application secrets: Assign explicit owners, expiry rules, and revocation triggers to each credential type so exposure does not equal persistent access.
  • Treat CI/CD as a privileged access domain: Apply stricter controls to pipeline identities, runners, and deployment jobs than to ordinary operational tooling.

What's in the full article

StrongDM's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step implementation guidance for secrets storage, retrieval, and rotation across application environments
  • Platform-specific comparisons for vaulting, automation, and access policy enforcement in mixed infrastructure
  • Detailed discussion of StrongDM's approach to Active Directory credential handling and workflow integration
  • Implementation considerations for teams migrating from manual secret handling to policy-driven access

👉 Read StrongDM's guide to secrets management best practices for 2026 →
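An added example of the "inventory every secret location" step described above (not code from the post or from StrongDM): a small scanner that walks constructed sample artifacts standing in for a source file, a CI job definition, a runtime config and a docs placeholder, and reports probable hardcoded secrets by file and line. The key names, the `AKIA` prefix rule for AWS access key IDs and the entropy threshold are the author's assumptions for this illustration; the sample values are made up.

```python
import math
import re
from collections import Counter

# Constructed sample artifacts (no real credentials): a source file, a CI job,
# a runtime config and a README with a placeholder that should not be flagged.
SAMPLE_FILES = {
    "app/settings.py": 'DB_PASSWORD = "hunter2"\nDEBUG = True\n',
    ".github/workflows/deploy.yml": "env:\n  AWS_ACCESS_KEY_ID: AKIAABCDEFGHIJKLMNOP\n  REGION: eu-west-1\n",
    "config/runtime.env": "API_TOKEN=c8f3a9d2e17b4406b9f0e1a5d7c2b3e4\nLOG_LEVEL=info\n",
    "docs/example.env": "API_KEY=xxxxxxxxxxxxxxxxxxxxxxxx\n",
    "README.md": "Set API_TOKEN from the vault at startup.\n",
}

# A secret-looking key assigned a literal value, e.g. password = "..." or TOKEN=...
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key[_-]?id)\b"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{6,})"
)
# AWS access key IDs are 'AKIA' followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex or base64 scores high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_hardcoded_secrets(files: dict) -> list:
    """Return (path, line_no, kind, value) for each probable hardcoded secret."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), start=1):
            for m in AWS_KEY_ID.finditer(line):
                findings.append((path, no, "aws_access_key_id", m.group(0)))
            for m in ASSIGNMENT.finditer(line):
                value = m.group(2)
                if AWS_KEY_ID.fullmatch(value):
                    continue  # already reported by the AWS pattern
                # Heuristic: long but low-entropy values (xxxx..., placeholders)
                # are templates rather than live credentials.
                if len(value) >= 20 and shannon_entropy(value) < 3.0:
                    continue
                findings.append((path, no, m.group(1).lower(), value))
    return findings


if __name__ == "__main__":
    for path, no, kind, value in find_hardcoded_secrets(SAMPLE_FILES):
        print(f"{path}:{no}: {kind} -> {value[:4]}...")
```

Each finding is a location to move into approved storage; the output is the starting point for the map, not a verdict on every value.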

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Secrets sprawl is a governance failure before it is a tooling problem. The article describes a world where credentials live in repositories, pipelines, and cloud services at the same time, which means the organisation has already lost containment at creation. That is the failure mode OWASP NHI work is trying to surface. Practitioners should read this as an identity distribution problem, not a vault selection exercise.

A few things that frame the scale:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
  • AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.

A question worth separating out:

Q: What is the difference between password management and secrets management?

A: Password management protects human login credentials, while secrets management governs machine-to-machine and application credentials such as API keys, certificates, and tokens. The second problem is broader because non-human identities often need automated retrieval, rotation, and auditing at scale. A password-only model misses the identity behaviour that modern infrastructure actually depends on.

👉 Read our full editorial: Secrets management in 2026: the governance gap behind sprawl
