NHI Forum


Solving Improper NHI Offboarding at Scale


Posted by @gitguardian (Eminent Member, joined 7 months ago, 13 posts), topic starter

Read full article here: https://blog.gitguardian.com/how-gitguardian-and-delinea-solve-improper-offboarding-of-nhis-at-scale/?utm_source=nhimg

 

Improper offboarding of Non-Human Identities (NHIs) is now the #1 risk in OWASP’s Top 10 NHI for 2025. With NHIs outnumbering human identities 144:1, every unmanaged token, API key, or certificate left behind represents a potential breach vector.

When projects end, apps are deprecated, or developers leave, too often their associated credentials don’t. These orphaned secrets linger — unmonitored, unowned, and unexpired — creating a shadow attack surface across clouds, pipelines, and source code.

GitGuardian and Delinea have partnered to eliminate this silent but critical risk, providing organizations with end-to-end visibility, automated remediation, and audit-ready governance for NHI offboarding.

 

Why Improper Offboarding Is Dangerous

Unlike human users, NHIs are rarely tied into HR or IAM offboarding workflows. That gap creates three systemic problems:

  1. Secrets that never expire

    • 68% of tokens in GitHub have no expiration date.
    • Long-lived credentials accumulate over years, far beyond their original purpose.

  2. No clear ownership

    • Many NHIs lack a named human owner.
    • During employee turnover or project sunset, credentials remain active and untraceable.

  3. Manual, inconsistent cleanup

    • 40% of companies say revoking API keys can take weeks or longer.
    • Fear of “breaking production” leads to credentials being left untouched indefinitely.

These gaps make orphaned NHIs ideal entry points for attackers — enabling lateral movement, persistence, and blind spots in incident response.

Only 20% of organizations have formal processes to offboard API keys.

 

The Joint Solution: GitGuardian + Delinea

Together, GitGuardian and Delinea address improper offboarding through discovery, context, and automated lifecycle management.

Step 1: Detect Dormant Secrets with GitGuardian

  • Continuous discovery across vaults, codebases, CI/CD systems, and cloud IAMs.
  • Metadata enrichment: creation/rotation dates, vault path, exposure history, linked services.
  • High-risk signals: unused + exposed + over-permissioned.

Example: A secret last rotated 400 days ago, still hardcoded in two repos, linked to staging and production. Flagged as orphaned + high-risk.

 

Step 2: Remediate via Delinea Secret Server

  • GitGuardian’s alerts flow into Delinea Secret Server for remediation.
  • Admins gain actionable choices: rotate, disable, archive, or permanently erase.
  • RBAC ensures only authorized teams can execute sensitive operations.
  • Full audit trails maintained for compliance, with archived secrets available for investigation or rollback.

This workflow solves the “fear of breaking production” by offering safe rotation and rollback, ensuring business continuity.

 

Step 3: Validate with GitGuardian Continuous Monitoring

  • Post-remediation scans ensure old secrets aren’t still hardcoded or referenced.
  • Developers are alerted to legacy references in pipelines, configs, or repos.
  • Updates tracked in a Secrets Incident timeline to prove closure.

This creates a closed-loop lifecycle: detection → remediation → validation.

 

 

Why It Matters

By combining GitGuardian’s NHI discovery and risk intelligence with Delinea’s privileged access and lifecycle controls, enterprises can:

  • Eliminate improper offboarding at scale.
  • Reduce blast radius by ensuring no ghost credentials remain active.
  • Accelerate compliance with audit-ready visibility and attestation.
  • Free up teams by automating what was once a manual, high-risk process.

This joint approach ensures organizations continuously shrink their NHI attack surface — without slowing down development or risking outages.

 

Final Thoughts

Improper offboarding is no longer just bad hygiene; it’s a leading security threat. As NHIs multiply and regulations tighten, manual cleanup isn’t sustainable.

With GitGuardian and Delinea, security leaders can finally treat NHIs with the same rigor as human identities: provisioned securely, governed continuously, and decommissioned with certainty.

 


This topic was modified 3 days ago by Abdelrahman
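The two technical steps in the post, flagging a dormant secret from inventory metadata (Step 1) and validating after rotation that nothing still references the old value (Step 3), can be demonstrated with a small triage loop. The code below is an added example written for this page; it is not GitGuardian's or Delinea's code and does not use either product's API. The record schema, the thresholds, the definition of "orphaned", the sample inventory and the repo/pipeline snippets are all constructed assumptions. The first inventory record is built to match the post's own example: rotated 400 days ago, hardcoded in two repos, linked to staging and production.

```python
"""Added example: an NHI offboarding triage loop in the shape the post describes.

Illustrative code written for this page, not GitGuardian's or Delinea's; the
record schema, thresholds, sample inventory and file contents are constructed.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Policy thresholds. Assumed values for the example, not vendor defaults.
ROTATION_MAX_DAYS = 90
UNUSED_MAX_DAYS = 30


@dataclass(frozen=True)
class NHIRecord:
    """One machine credential from an inventory (constructed schema)."""
    name: str
    last_rotated: date
    owner: str | None             # named human owner; None = nobody accountable
    expires: date | None          # None = never expires
    last_used: date | None        # None = no use observed at all
    exposures: tuple[str, ...]    # repos/configs where the value is hardcoded
    environments: tuple[str, ...]


@dataclass(frozen=True)
class Assessment:
    name: str
    orphaned: bool
    high_risk: bool
    reasons: tuple[str, ...]


def assess(rec: NHIRecord, today: date) -> Assessment:
    """Step 1: turn inventory metadata into an orphaned / high-risk verdict."""
    reasons: list[str] = []
    rotation_age = (today - rec.last_rotated).days
    if rotation_age > ROTATION_MAX_DAYS:
        reasons.append(f"last rotated {rotation_age} days ago")
    if rec.expires is None:
        reasons.append("no expiration date")
    unowned = rec.owner is None
    if unowned:
        reasons.append("no named owner")
    unused = rec.last_used is None or (today - rec.last_used).days > UNUSED_MAX_DAYS
    if unused:
        reasons.append("no recent use")
    exposed = bool(rec.exposures)
    if exposed:
        reasons.append(f"hardcoded in {len(rec.exposures)} location(s)")
    reaches_prod = "production" in rec.environments
    if reaches_prod:
        reasons.append("reaches production")
    # Orphaned = nobody owns it and nothing is using it (this example's definition).
    orphaned = unowned and unused
    # High risk = the post's triple: unused + exposed + over-permissioned, where
    # "over-permissioned" is approximated here as one secret spanning several
    # environments including production.
    over_permissioned = reaches_prod and len(rec.environments) > 1
    return Assessment(rec.name, orphaned, unused and exposed and over_permissioned,
                      tuple(reasons))


def fingerprint(secret: str) -> str:
    """Keep only a SHA-256 of a revoked value so the validator never stores the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Credential-like tokens; a real scanner uses per-provider detectors instead.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{20,}")


def find_stale_references(files: dict[str, str], revoked: set[str]) -> list[tuple[str, int]]:
    """Step 3: (path, line) pairs where a revoked credential still appears."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if any(fingerprint(tok) in revoked for tok in TOKEN_RE.findall(line)):
                hits.append((path, lineno))
    return hits


# ---- Constructed sample data -------------------------------------------------
TODAY = date(2025, 10, 1)
INVENTORY = (
    # Mirrors the post's example: rotated 400 days ago, hardcoded in two repos,
    # reaches staging and production; also unowned, unused and non-expiring.
    NHIRecord("billing-api-key", date(2024, 8, 27), None, None, None,
              ("repo-a/config.yml", "repo-b/.env"), ("staging", "production")),
    NHIRecord("ci-deploy-token", date(2025, 8, 15), "alice", date(2025, 12, 31),
              date(2025, 9, 30), (), ("staging",)),
)
OLD_VALUE = "ghp_constructedOldToken0000000000"   # placeholder, not a real token
REVOKED = {fingerprint(OLD_VALUE)}
FILES = {  # constructed repo/pipeline snippets scanned after rotation
    "repo-a/config.yml": "billing:\n  api_key: ghp_constructedOldToken0000000000\n",
    "repo-b/.env": "BILLING_API_KEY=ghp_constructedNewToken1111111111\n",
    "pipeline/deploy.sh": 'export BILLING_API_KEY="ghp_constructedOldToken0000000000"\n',
}


def triage(today: date = TODAY, inventory=INVENTORY) -> dict[str, Assessment]:
    return {rec.name: assess(rec, today) for rec in inventory}


if __name__ == "__main__":
    for a in triage().values():
        print(f"{a.name}: orphaned={a.orphaned} high_risk={a.high_risk} {a.reasons}")
    print("stale references:", find_stale_references(FILES, REVOKED))
```

Two design points worth keeping when adapting this: the validator compares hashes rather than raw values, so the "is the old secret still anywhere?" scan can run in CI without the scanner itself becoming a new copy of the credential; and the verdict carries its reasons, which is what an admin needs in order to choose rotate versus disable versus archive without the "fear of breaking production" the post describes.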

   