Black Hat SecTor 2026: what should teams expect on NHI risk?


(@gitguardian)
Reputable Member
Joined: 1 year ago
Posts: 119
Topic starter  

TL;DR: Black Hat SecTor 2026 will center practical conversations about secrets exposure and non-human identity governance, with GitGuardian positioning its presence around credential-based risk across development pipelines and cloud environments at Toronto's Metro Convention Centre. For IAM and NHI teams, the signal is that conference-floor discussions are moving from discovery to governance, where hidden credentials and machine identities define exposure.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams govern secrets and non-human identities together?

A: Treat secrets management and NHI governance as one program.

Q: When does a secret become an NHI governance issue?

A: A secret becomes an NHI governance issue when it grants persistent machine access, especially if it can reach production systems, cloud control planes, or sensitive data.

Q: What is the difference between secrets rotation and NHI governance?

A: Secrets rotation changes credentials on a schedule, while NHI governance controls who or what may use those credentials, for what purpose, and for how long.

Practitioner guidance

  • Inventory all machine credentials: build a current register of API keys, tokens, certificates, and service accounts across source control, CI/CD, cloud, and endpoints.
  • Tie secrets to access scopes: map each secret to the exact systems and actions it can reach, then remove unused privileges before the conference cycle or audit cycle forces a rushed cleanup.
  • Implement fast revocation paths: pre-stage approvals, automation, and rollback steps so a leaked token can be disabled in minutes, not days.

Teams should expect auditors and security leaders to ask not only where credentials exist, but also how quickly they can be revoked, rotated, and attributed to an owner.

👉 Read GitGuardian's Black Hat SecTor 2026 event page →

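The three guidance items in the post above (inventory, scope mapping, fast revocation) as a runnable sketch. This is an added example, not code from the original post, from GitGuardian, or from NHI Mgmt Group; the register entries, scope strings, handler names, the "prod:" prefix convention and the fixed clock are all constructed assumptions.

```python
"""Machine credentials as governed identities: a minimal register with checks.

Each entry records where a secret lives, who owns it, what it may do versus
what telemetry shows it actually did, when it was last rotated, and which
pre-staged automation can disable it. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MachineCredential:
    cred_id: str
    kind: str                      # api_key | token | cert | service_account
    location: str                  # where the secret is stored or injected
    owner: Optional[str]           # accountable team, None if nobody claims it
    granted_scopes: Set[str]       # what the credential is permitted to do
    used_scopes: Set[str]          # what access logs show it actually did
    last_rotated: datetime
    revoke_handler: Optional[str]  # pre-staged disable automation, if any


# Fixed clock so results are deterministic (constructed, not a real timestamp).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Constructed sample register; scopes prefixed "prod:" reach production (assumption).
REGISTER: List[MachineCredential] = [
    MachineCredential("key-ci-deploy", "api_key", "ci:deploy-pipeline", "platform-team",
                      {"prod:s3:write", "prod:ecs:deploy", "prod:iam:passrole"},
                      {"prod:s3:write", "prod:ecs:deploy"},
                      NOW - timedelta(days=200), "aws-iam-disable-access-key"),
    MachineCredential("tok-gh-bot", "token", "github:org/app-bot", None,
                      {"repo:write", "repo:admin"}, {"repo:write"},
                      NOW - timedelta(days=30), None),
    MachineCredential("sa-analytics", "service_account", "gcp:project-analytics",
                      "data-eng", {"bq:read"}, {"bq:read"},
                      NOW - timedelta(days=10), "gcp-sa-disable"),
    MachineCredential("cert-mtls-edge", "cert", "k8s:ingress-secret", "sre",
                      {"prod:mtls:client"}, set(),
                      NOW - timedelta(days=400), "k8s-secret-delete"),
]


def reaches_production(cred: MachineCredential) -> bool:
    """A secret with persistent production reach is an NHI governance issue."""
    return any(s.startswith("prod:") for s in cred.granted_scopes)


def unowned(register: List[MachineCredential]) -> List[str]:
    """Credentials nobody is accountable for: nothing can be attributed to an owner."""
    return [c.cred_id for c in register if c.owner is None]


def overprivileged(register: List[MachineCredential]) -> Dict[str, List[str]]:
    """Granted scopes that telemetry never saw used: candidates for removal."""
    return {c.cred_id: sorted(c.granted_scopes - c.used_scopes)
            for c in register if c.granted_scopes - c.used_scopes}


def stale(register: List[MachineCredential], now: datetime, max_age_days: int = 90) -> List[str]:
    """Credentials whose rotation is overdue under the given policy."""
    return [c.cred_id for c in register if (now - c.last_rotated).days > max_age_days]


def triage(register: List[MachineCredential], now: datetime,
           max_age_days: int = 90) -> List[Tuple[str, bool, List[str]]]:
    """Findings per credential; production-reaching ones first, then by id."""
    findings = []
    for c in register:
        reasons = []
        if c.owner is None:
            reasons.append("no owner")
        unused = sorted(c.granted_scopes - c.used_scopes)
        if unused:
            reasons.append("unused scopes: " + ", ".join(unused))
        if (now - c.last_rotated).days > max_age_days:
            reasons.append("rotation overdue")
        if c.revoke_handler is None:
            reasons.append("no pre-staged revocation path")
        if reasons:
            findings.append((c.cred_id, reaches_production(c), reasons))
    findings.sort(key=lambda f: (not f[1], f[0]))
    return findings


def revoke(cred: MachineCredential, now: datetime) -> Dict[str, Optional[str]]:
    """Follow the pre-staged revocation path and return an auditable record.

    Handlers are only named here; a real deployment would invoke the matching
    automation. The handler names are assumptions for the example."""
    if cred.revoke_handler is None:
        return {"cred_id": cred.cred_id, "status": "manual_action_required",
                "owner": cred.owner, "at": now.isoformat()}
    return {"cred_id": cred.cred_id, "status": "disabled", "via": cred.revoke_handler,
            "owner": cred.owner, "at": now.isoformat()}


if __name__ == "__main__":
    for cred_id, prod, reasons in triage(REGISTER, NOW):
        print(f"{cred_id:16} prod={prod!s:5} {'; '.join(reasons)}")
    print(revoke(REGISTER[1], NOW))
```

The point of the `used_scopes` column is that "remove unused privileges" only works when the register is joined with access telemetry; `overprivileged` is the diff between what a credential may do and what it has been observed doing, and a credential with an empty `used_scopes` (the mTLS cert above) is a candidate for removal outright. `revoke` returns a record rather than a boolean so the audit trail carries owner, mechanism and time, which is what the "attributed to an owner" question asks for.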
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

A few things worth adding from our research at NHI Mgmt Group.

Secrets exposure is now an identity governance problem, not a hygiene problem. The presence of leaked credentials matters because each secret is a reusable authentication path into systems, data, and automation. Once secrets are distributed across pipelines and cloud services, ownership becomes unclear and revocation slows down. Practitioners should treat secrets as governed identities with explicit lifecycle controls, not as isolated configuration defects.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Why do non-human identities complicate zero trust architecture?

A: Non-human identities complicate zero trust because they often authenticate automatically, hold reusable credentials, and operate across systems without a person in the loop. Continuous verification is harder when the subject is a workload, a token, or an AI agent. Teams need policy, telemetry, and revocation that apply to machine access as rigorously as human access.

👉 Read our full editorial: Black Hat SecTor 2026 spotlights secrets exposure and NHI risk
