TL;DR: Idle API keys, tokens, and service accounts can stay valid for months or years, creating silent access paths that evade traditional monitoring and rotation controls, according to Entro Labs. The governance issue is lifecycle discipline, not just detection, because unrevoked NHIs turn forgotten credentials into persistent attack surface.
NHIMG editorial — based on research published by Entro Security.
Questions worth separating out
Q: How should organisations govern idle secrets in NHI environments?
A: Treat idle secrets as active risk until they are proven unnecessary.
Q: Why do stale service accounts create such a large security risk?
A: Stale service accounts can remain authenticated long after the original use case ends, so attackers do not need to bypass login controls to abuse them.
Q: What is the difference between secret scanning and secret governance?
A: Secret scanning finds exposed credentials, while secret governance reduces the chance those credentials remain useful.
Practitioner guidance
- Inventory all NHI credentials with ownership and expiry metadata: create a single view of API keys, tokens, certificates, and service accounts with last-used time, business owner, and retirement date.
- Automate rotation and enforced expiration for stale secrets: set policy-based rotation intervals by sensitivity, and require hard expiration for credentials that support it.
- Integrate secret revocation into offboarding and change control: make revocation part of employee exit, project closure, and application retirement workflows.
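As an added illustration (not code from the editorial or from Entro's research), the check below applies the three guidance points to a constructed credential inventory: it flags missing owner or expiry, idle time beyond a per-sensitivity threshold, and overdue rotation, producing a revocation queue. The policy thresholds, field names and sample credentials are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: (max idle days, rotation interval in days since issue) by sensitivity tier.
POLICY = {"high": (30, 90), "medium": (60, 180), "low": (90, 365)}

@dataclass
class Credential:
    cred_id: str                   # inventory identifier (constructed)
    kind: str                      # api_key, token, certificate, service_account
    sensitivity: str               # high / medium / low
    owner: Optional[str]           # business owner, None if nobody is recorded
    created: datetime
    last_used: Optional[datetime]  # None if no use has ever been observed
    expires: Optional[datetime]    # None if the credential never expires

def triage(cred: Credential, now: datetime) -> list[str]:
    """Findings for one credential; an empty list means it passes policy."""
    max_idle, rotate_days = POLICY[cred.sensitivity]
    findings = []
    if cred.owner is None:
        findings.append("no-owner")              # nobody can attest it is still needed
    if cred.expires is None:
        findings.append("no-expiry")             # valid until someone remembers to revoke it
    elif cred.expires <= now:
        findings.append("expired-still-listed")  # should already have left the inventory
    idle_since = cred.last_used or cred.created  # never used counts as idle since issue
    if (now - idle_since).days > max_idle:
        findings.append("idle")
    if (now - cred.created).days > rotate_days:
        findings.append("rotation-overdue")
    return findings

def revocation_queue(creds: list[Credential], now: datetime) -> dict[str, list[str]]:
    """Map credential id -> findings for every credential that needs action."""
    return {c.cred_id: f for c in creds if (f := triage(c, now))}

# Constructed sample inventory (not real credentials or systems).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
INVENTORY = [
    Credential("svc-ci-deploy", "service_account", "high", "platform-team",
               NOW - timedelta(days=400), NOW - timedelta(days=2), None),
    Credential("key-legacy-report", "api_key", "medium", None,
               NOW - timedelta(days=700), NOW - timedelta(days=300), None),
    Credential("tok-contractor", "token", "low", "vendor-x",
               NOW - timedelta(days=20), NOW - timedelta(days=5), NOW + timedelta(days=10)),
]
```

The never-expiring, still-used deploy account is queued for rotation even though it is not idle; the ownerless legacy key collects every finding at once.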
For readers building policy, the next step is to align access review, expiry, and revocation with the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10.
👉 Read Entro Labs' analysis of idle secrets and non-human identity risk →
A few things worth adding from our research at NHI Mgmt Group.
Idle secrets are not a visibility problem first. They are a lifecycle failure. The article describes a common but under-disciplined state in which credentials remain valid after their business purpose has ended. That means governance must start with expiry, ownership, and revocation, not just inventory and alerts. The practitioner conclusion is simple: if a credential can outlive its use case, it can outlive your controls.
A few things that frame the scale:
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to the State of Secrets Sprawl 2026.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, showing that discovery without revocation leaves live exposure in place.
A question worth separating out:
Q: When does a short-lived credential still become a long-term risk?
A: A short-lived credential becomes a long-term risk when the organisation fails to enforce expiry, reuse controls, or revocation after the original task ends. Even if the intended use is temporary, any valid credential can become durable access if it remains active beyond its expected lifecycle.
👉 Read our full editorial: Idle secrets and NHI sprawl create long-lived access risk