Secrets sprawl: what IAM teams are missing in credential control


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9136
Topic starter

TL;DR: Secrets sprawl persists because API keys, SSH keys, and other credentials are still being hardcoded in code, embedded in CI/CD pipelines, and pasted into shared tools, leaving visibility gaps that standard audit logs and identity tools do not cover, according to 1Password. The real problem is not just leakage, but governance blind spots that let unmanaged secrets live outside lifecycle control.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should security teams stop secrets from spreading across code, chats, and pipelines?

A: Security teams should treat secrets as governed identities, not as static text strings.

Q: Why do hardcoded secrets remain a risk after detection tools find them?

A: Detection does not remove access.

Practitioner guidance

  • Extend secret discovery beyond repositories. Scan code, CI/CD variables, build logs, shared documents, ticketing systems, and chat platforms because the highest-risk secrets often live outside source control.
  • Make revocation part of the response flow. When a secret is detected, invalidate the credential, rotate any dependent values, and verify that downstream systems no longer accept the old token.
  • Treat pipelines as governed identities. Assign ownership to build runners, service accounts, and deployment tokens, then review their scopes, lifetimes, and reuse patterns as part of access governance.

What to expect at the briefing

1Password's full session covers the operational detail this post intentionally leaves for the source:

  • Where secrets most commonly end up in developer and IT workflows, including the specific places teams miss when inventorying exposure.
  • How 1Password Developer Tools centralise storage, sharing, and provisioning for teams that need governed access without ad hoc copying.
  • What IT gains from policy controls and automated provisioning and deprovisioning at the workflow level.
  • How developers can keep working quickly while reducing the number of unmanaged credential handoffs.

👉 Read 1Password's session on solving secrets sprawl and developer credential visibility →


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8575

Secrets sprawl is not a storage problem, it is a lifecycle failure. The central issue is that credentials now exist in too many places for conventional IAM inventories to see them as a single governed asset. Once a secret is pasted into code, chat, or pipelines, ownership fragments and offboarding becomes partial. The practitioner conclusion is simple: if the lifecycle is not visible, the identity is not governed.

A few things that frame the scale:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to The State of Secrets Sprawl 2026.
  • 28% of secrets incidents now originate outside code repositories and are 13% more likely to be categorised as critical than code-based leaks.

A question worth separating out:

Q: What should organisations do when a secret is found in a pipeline?

A: They should invalidate the credential, review the pipeline account that used it, and check for other copies in logs, artifacts, and environment variables before the old value can be reused. If the secret still works anywhere, the exposure is still active.

👉 Read our full editorial: Secrets sprawl exposes the visibility gap IAM tools miss

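The flow both posts describe, discovery that reaches beyond the repository (the first post's practitioner guidance) followed by treating a found secret as open until the issuer rejects it (the second post's answer on pipeline secrets), as an added worked example. This is not 1Password's or NHIMG's code. The detector regexes are illustrative, the SOURCES corpus and every credential in it are constructed, and SimulatedIssuer is an assumed stand-in for whatever validity check the real credential provider offers:

```python
import hashlib
import re
from dataclasses import dataclass

# Added example (not 1Password/NHIMG code). Illustrative detectors only;
# group 1 of each regex is the secret value itself.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret)\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{20,})"),
    "private_key": re.compile(
        r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----[\s\S]*?"
        r"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}

# Constructed corpus, no real credentials: the same two secrets recur across
# source control, a build log, CI variables and a chat export, and a key sits
# in a ticket. Sources outside the repository are deliberately included.
SOURCES = {
    "git:app/config.py":
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"\nREGION = "eu-west-1"\n',
    "ci:deploy-pipeline/variables":
        "ARTIFACT_BUCKET=releases\napi_key=constructed_sample_key_0123456789abcdef\n",
    "chat:#deploys-export.txt":
        "10:42 dev1: use api_key=constructed_sample_key_0123456789abcdef "
        "to unblock the release\n",
    "log:build-4711.log":
        "[INFO] fetching artifact with AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n",
    "ticket:OPS-22":
        "attaching the runner key\n-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedsamplebodynotarealkey\n-----END RSA PRIVATE KEY-----\n",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    source: str
    line: int
    value: str  # held for the validity check; never written into a report

    @property
    def fingerprint(self) -> str:
        # SHA-256 prefix: correlates one secret across sources without the
        # report itself becoming yet another copy of the secret.
        return hashlib.sha256(self.value.encode()).hexdigest()[:12]


def scan(sources: dict[str, str]) -> list[Finding]:
    """Run every detector over every source; record each hit with its line number."""
    findings = []
    for source, text in sources.items():
        for kind, rx in DETECTORS.items():
            for m in rx.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append(Finding(kind, source, line, m.group(1)))
    return findings


def inventory(findings: list[Finding]) -> dict[str, dict]:
    """One entry per secret (the governed asset) listing every copy found."""
    by_fp: dict[str, dict] = {}
    for f in findings:
        entry = by_fp.setdefault(f.fingerprint, {"kind": f.kind, "locations": set()})
        entry["locations"].add(f"{f.source}:{f.line}")
    return by_fp


class SimulatedIssuer:
    """Constructed stand-in for the provider that can say whether a token still works."""

    def __init__(self, valid_values):
        self._valid = set(valid_values)

    def is_valid(self, value: str) -> bool:
        return value in self._valid

    def revoke(self, value: str) -> None:
        self._valid.discard(value)


def verify_revocation(findings: list[Finding], issuer: SimulatedIssuer) -> dict[str, dict]:
    """Per secret: every location it was seen in, and whether the issuer still accepts it.
    Deleting copies is not revocation; the check is made against the issuer, not the files."""
    value_by_fp = {f.fingerprint: f.value for f in findings}
    return {
        fp: {"kind": e["kind"], "locations": sorted(e["locations"]),
             "still_active": issuer.is_valid(value_by_fp[fp])}
        for fp, e in inventory(findings).items()
    }


if __name__ == "__main__":
    found = scan(SOURCES)
    issuer = SimulatedIssuer(f.value for f in found)  # all three secrets start out valid
    aws_key = next(f.value for f in found if f.kind == "aws_access_key_id")
    issuer.revoke(aws_key)  # the responder rotated the AWS key but nothing else
    for fp, entry in verify_revocation(found, issuer).items():
        state = "STILL ACTIVE" if entry["still_active"] else "revoked"
        print(f"{fp}  {entry['kind']:18}  {state:12}  copies: {', '.join(entry['locations'])}")
```

Run as a script, the report lists three secrets with their copies: the AWS key shows as revoked even though it is still present in the config file and the build log, while the API key found in CI variables and the chat export shows as still active because nobody rotated it at the issuer, which is exactly the "if the secret still works anywhere, the exposure is still active" condition from the second post. The report carries fingerprints rather than values so that the inventory does not become one more place the secret lives.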