Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

JIT secrets and standing credentials: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Secrets remain a major attack surface because they are often unmanaged, static, and invisible across code, vaults, and cloud workflows, according to SSH Communications Security's analysis of KuppingerCole's Compass coverage. Ephemeral provisioning helps reduce exposure, but access review models still assume credentials persist long enough to be observed and revoked.

NHIMG editorial — based on content published by SSH Communications Security: secrets management, JIT provisioning, and CIEM integration in the PrivX portfolio

By the numbers:

Questions worth separating out

Q: How should security teams reduce the risk of standing secrets in cloud and DevOps environments?

A: Start by inventorying where secrets are issued, stored, copied, and reused across pipelines, workloads, and admin access.

Q: Why do static secrets increase lateral movement risk?

A: Static secrets remain valid after they are exposed, which means one leak can be reused across multiple systems if the credential is accepted broadly.

Q: What breaks when secrets are vaulted but downstream privileges stay standing?

A: The vault protects storage, but it does not remove the access paths that a valid secret unlocks.

Practitioner guidance

  • Inventory every standing secret path Map where passwords, API keys, certificates, and tokens live across code, CI/CD, vaults, and cloud services, then assign an owner to each secret class.
  • Convert long-lived credentials to task-scoped issuance Prioritise the secrets that unlock privileged systems or automation first, then replace them with ephemeral certificates or short-lived tokens that expire automatically when the job completes.
  • Tie secrets governance to PAM and CIEM Review whether each issued secret can reach more systems than the task requires, and remove downstream entitlements that make one credential useful across multiple cloud services.

What's in the full article

SSH Communications Security's full research covers the operational detail this post intentionally leaves for the source:

  • The vendor's product-level secrets rotation model for hybrid environments, including where policy decisions are enforced.
  • The integration details for CI/CD pipelines, identity systems, and microservices architecture that support the operational workflow.
  • The KuppingerCole category context behind the leadership recognition and how the portfolio is positioned across multiple compasses.
  • The specific compliance and governance features that sit inside the PrivX portfolio for implementation teams.

👉 Read SSH Communications Security's analysis of secrets management and JIT access →

JIT secrets and standing credentials: what IAM teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Static secret governance is now an identity risk problem, not a storage problem. Secrets only become defensible when their validity window, privilege scope, and revocation path are governed together. A vault alone does not remove the exposure created by credentials that remain valid long after the task that created them has ended. The implication is that security teams should treat secret lifetime as part of identity design, not as an afterthought.

A few things that frame the scale:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.

A question worth separating out:

Q: Which controls should be evaluated together for secrets governance?

A: Secrets management, PAM, and CIEM need to be evaluated as one control set because issuance, privilege, and revocation are linked. A secret that is issued safely can still create major exposure if the identity behind it is over-permissioned or if revocation does not happen quickly enough.

👉 Read our full editorial: Secrets management and JIT access are reshaping identity controls



   
ReplyQuote
Share: