
How should teams reduce secrets leakage without slowing delivery?


(@gitguardian)
Reputable Member
Joined: 1 year ago
Posts: 119
Topic starter  

TL;DR: GitGuardian’s AppSec Summit 2026 briefing centers on a familiar enterprise problem: secrets still leak into code, CI pipelines, logs, containers, and deployment workflows, and the operational challenge is reducing exposure without breaking developer velocity. The event frames that gap through secrets security and non-human identity governance.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams reduce secrets leakage without slowing developers down?

A: Use detection and remediation automation rather than relying on manual gates alone.

Q: Why do leaked secrets create an NHI governance problem?

A: Because a secret usually authenticates a non-human identity, not just an application.

Q: What is the difference between secrets rotation and access control for non-human identities?

A: Rotation changes how long a credential remains usable, while access control limits what that credential can do if it is valid.

Practitioner guidance

  • Implement continuous secret discovery: Scan source code, CI pipelines, logs, containers, and deployment artifacts continuously so exposed secrets are identified before they are reused in production.
  • Shorten credential lifetime aggressively: Replace long-lived secrets with short-lived credentials where possible and rotate any exposed secret immediately after detection.
  • Separate human and non-human privileges: Assign distinct access models for developers, pipelines, and autonomous systems so automated execution never inherits broad human entitlements.

Teams should respond by reducing credential lifetime and by making every automated execution path explicitly accountable, because AI-assisted delivery compresses the time between exposure and misuse.

👉 Register for GitGuardian's AppSec Summit 2026 briefing on secrets leakage and NHI governance →

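A concrete shape for the "continuous secret discovery" bullet in the post above, as an added example (not GitGuardian's tooling and not code from the post): a small scanner run over constructed source, CI and log snippets that combines known-prefix rules with a keyword-plus-entropy rule, reports one finding per exposure, and redacts values in its own output so the scan does not become a new leak. The token prefixes, lengths and the entropy threshold are assumptions for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample artifacts standing in for the sources the post lists
# (source code, CI pipeline definition, application log). Every
# credential-looking value here is made up for this example.
SAMPLE_ARTIFACTS = {
    "app/config.py": 'DB_PASSWORD = "changeme"\n'
                     'API_TOKEN = "tok_9fK2mQ7xZp4Lw8Rv1Ns6Hb3Jd0Yc5Ta"\n',
    ".github/ci.yml": "env:\n  DEPLOY_KEY: AKIAEXAMPLE012345678\n  REGION: eu-west-1\n",
    "logs/app.log": "2026-03-01T10:00:00Z INFO request ok user=alice\n"
                    "2026-03-01T10:00:01Z DEBUG auth header=Bearer ghp_Q8v2Lm9Xz4Kp7Rt1Ws6Yb3Nd5Hc0Jf2AgVu4\n",
}

# Rule 1: well-known public credential prefixes (lengths are an assumption here).
PREFIX_RULES = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
                "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b")}
# Rule 2: any credential-looking assignment, e.g. PASSWORD=... or api_key: "...".
KEYWORD_RULE = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key|deploy[_-]?key)"
    r"\s*[:=]\s*[\"']?([A-Za-z0-9_./+=-]{8,})")
HIGH_ENTROPY = 3.5  # bits per character; random-looking values score above this


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    severity: str   # "high" = rotate now; "review" = possible placeholder or weak value
    redacted: str   # never echo the full secret into yet another log
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's own symbol distribution."""
    probs = [value.count(ch) / len(value) for ch in set(value)] if value else []
    return -sum(p * math.log2(p) for p in probs)


def scan_artifacts(artifacts: dict[str, str]) -> list[Finding]:
    """Apply both rules to every line; a value caught by both rules is reported once."""
    found: dict[tuple, Finding] = {}
    for path, text in artifacts.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            hits = [(r, m.group(0), "high") for r, p in PREFIX_RULES.items() for m in p.finditer(line)]
            hits += [("keyword-assignment", m.group(1), None) for m in KEYWORD_RULE.finditer(line)]
            for rule, value, severity in hits:
                ent = round(shannon_entropy(value), 2)
                severity = severity or ("high" if ent >= HIGH_ENTROPY else "review")
                found.setdefault((path, line_no, value), Finding(
                    path, line_no, rule, severity, f"{value[:4]}***({len(value)} chars)", ent))
    return sorted(found.values(), key=lambda f: (f.path, f.line_no))
```

Running `scan_artifacts(SAMPLE_ARTIFACTS)` yields four findings: the CI deploy key and the log-line token are caught by prefix rules, the config token by entropy, and the low-entropy `changeme` is downgraded to "review" rather than silently dropped.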



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

A few things worth adding from our research at NHI Mgmt Group.

Secrets leakage is now an NHI governance problem, not an AppSec side issue. The moment a credential can authenticate a workload, pipeline, or agent, it becomes part of the identity plane. That means ownership, rotation, scoping, and revocation must be managed as lifecycle controls, not as occasional cleanup tasks. Practitioners should treat exposed secrets as failed identity governance, not just failed code review.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: When do secrets become a higher risk in agentic AI environments?

A: Risk rises when autonomous systems can copy, reuse, or trigger credentials across multiple tools and workflows. At that point, one exposed secret can support repeated machine execution rather than a single human action. Teams should assume faster exploitation and stronger amplification when AI agents are involved.

👉 Read our full editorial: Secrets leakage and NHI governance at AppSec Summit 2026


