TL;DR: Machine identities, secrets, and AI agents are spreading across code, vaults, chat tools, and cloud services, and Entro claims discovery across 1,200 NHI types and 70-plus sources, according to SailPoint’s announcement of its acquisition of Entro. The control question is no longer visibility alone, but how far identity governance can reach into runtime access, ownership, and remediation before exposure becomes unmanageable.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- Entro discovers over 1,200 types of NHIs across 70+ critical cloud and developer infrastructure sources.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
Questions worth separating out
Q: What fails when leaked machine credentials are discovered but not owned?
A: Discovery without ownership leaves machine identities outside governance.
Q: Why do NHIs make access review harder than human identity review?
A: NHIs often exist in more places than a human account and can be created or copied without a clear lifecycle record.
Q: What breaks when secrets are left outside the normal identity lifecycle?
A: When secrets are not tied to lifecycle processes, they outlive the workload, team, or application that created them.
Practitioner guidance
- Expand discovery beyond repositories: Scan code, vaults, chat platforms, CI/CD systems, and cloud audit logs for keys, tokens, certificates, and agent files so exposed credentials are not missed in non-code locations.
- Require ownership before recertification: Map every discovered NHI to a human or service owner before it enters access review, because orphaned credentials cannot be offboarded or investigated cleanly.
- Combine discovery with runtime policy: Enforce action-level controls that can block unauthorised tool calls, limit privilege drift, and trigger revocation when behaviour moves outside approved scope.
What's in the full announcement
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- How Entro maps discovery across code, vaults, SaaS activity, and collaboration platforms to uncover hidden NHIs.
- How the acquisition is positioned inside SailPoint's Agentic Fabric roadmap and what that means for portfolio scope.
- How runtime policy enforcement is described for blocking unauthorized tool calls and stopping agent drift.
- How the product teams frame real-time remediation for leaked secrets and excessive privileges.
SailPoint and Entro deal: what changes for NHI governance?
Explore further
NHI governance is shifting from inventory to control plane. Discovery alone no longer answers the operational question, because modern secrets move across code, collaboration, and cloud systems before teams can review them. The decisive change is that identity governance must now see, classify, and constrain machine credentials in the same motion. Practitioners should treat NHI discovery as the start of control, not the finish line.
A few things that frame the scale:
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks, according to State of Secrets Sprawl 2026.
- In the same research, 64% of valid secrets leaked in 2022 are still valid and exploitable today, which shows why discovery without automated revocation leaves real exposure in place.
A question worth separating out:
Q: Who should own NHI revocation when exposure is detected?
A: The accountable system owner should own revocation, with identity and security teams enforcing policy and verifying completion. If ownership is unclear, revocation slows down and the credential remains available for reuse. Clear assignment is essential because machine identities do not self-retire when their business purpose ends.