
NHI misconfiguration and secret sprawl: what practitioners need to know


(@entro)
Reputable Member
Joined: 1 year ago
Posts: 126
Topic starter  

TL;DR: Organisations average 92 non-human identities for every human identity, 73% of vaults are misconfigured, and 44% of tokens are exposed in the wild, according to Entro Security research, showing that NHI sprawl and secret handling remain systemic risks. The governance problem is not visibility alone, but the failure to control identity lifecycle, rotation, and exposure paths.

NHIMG editorial — based on content published by Entro Security: Risks of Non-Human Identity misconfiguration and poor management

By the numbers:

Questions worth separating out

Q: How should security teams reduce risk from exposed non-human identities?

A: Start by identifying where credentials are stored and used outside approved systems, then remove those copies and replace them with controlled references or managed secrets flows.

Q: Why do misconfigured vaults create such a large identity security problem?

A: A vault only protects secrets if access policy, logging, and integration settings are enforced correctly.

Q: What do organisations get wrong about NHI rotation and revocation?

A: They often treat rotation as an administrative task instead of a control that limits attacker dwell time.

Practitioner guidance

  • Build a complete NHI ownership register: map every service account, token, API key, certificate, and workload identity to a named owner, a business purpose, and a retirement trigger.
  • Audit secret storage outside approved controls: scan code repositories, tickets, chat tools, documentation, and CI/CD systems for secrets that should not be there.
  • Tighten vault approval and configuration checks: require security approval before onboarding new vaults, then validate policy, logging, access boundaries, and integration settings before production use.
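The first and third points above (an ownership register and rotation treated as a dwell-time control) can be turned into a repeatable check. The following is an added example written for this post, not code from Entro Security or NHIMG; the register format, the rotation-age limits per identity kind, and the sample entries are all assumptions constructed for illustration.

```python
"""Audit a non-human identity (NHI) register for lifecycle control gaps."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class NHI:
    name: str
    kind: str                     # e.g. "token", "api key", "certificate"
    owner: Optional[str]          # named owner; None means unassigned
    purpose: str                  # business purpose; empty means undocumented
    retire_on: Optional[date]     # retirement trigger expressed as a date
    last_rotated: Optional[date]  # None means the credential was never rotated
    vault_managed: bool           # False means a copy lives outside the approved vault


# Assumed policy: maximum credential age (days) before rotation is overdue.
MAX_AGE_DAYS = {"token": 30, "api key": 90, "workload identity": 90,
                "service account": 180, "certificate": 365}


def audit(register: List[NHI], today: date) -> Dict[str, List[str]]:
    """Return {nhi_name: [issues]} for every entry that fails a lifecycle check."""
    findings: Dict[str, List[str]] = {}
    for nhi in register:
        issues = []
        if not nhi.owner:
            issues.append("no owner")
        if not nhi.purpose.strip():
            issues.append("no purpose")
        if nhi.retire_on is None:
            issues.append("no retirement trigger")
        elif nhi.retire_on <= today:
            issues.append("past retirement date")
        if nhi.last_rotated is None:
            issues.append("never rotated")
        else:
            age = (today - nhi.last_rotated).days
            if age > MAX_AGE_DAYS.get(nhi.kind, 90):  # unknown kinds default to 90 days
                issues.append(f"rotation overdue ({age} days)")
        if not nhi.vault_managed:
            issues.append("stored outside approved vault")
        if issues:
            findings[nhi.name] = issues
    return findings


# Constructed sample register; none of these entries describe a real system.
SAMPLE_REGISTER = [
    NHI("ci-deploy-token", "token", "platform-team", "deploy pipeline",
        date(2025, 1, 1), date(2024, 5, 20), True),
    NHI("legacy-api-key", "api key", None, "", None, date(2023, 1, 15), False),
    NHI("old-tls-cert", "certificate", "web-team", "ingress TLS",
        date(2024, 3, 1), None, True),
]
```

Running `audit(SAMPLE_REGISTER, date(2024, 6, 1))` flags the unowned, unrotated key and the expired certificate while the well-managed token passes; feeding the real register and the vault's inventory into the same function gives a per-identity list of the gaps the guidance above asks teams to close.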

What's in the full report

Entro Security's full research report covers the operational detail this post intentionally leaves for the source:

  • Per-category breakdowns of NHI and secret misconfiguration patterns across environments and industries
  • The research context behind overuse, duplication, rotation, and offboarding failures in machine identity management
  • Additional findings on vault diversity, third-party exposure, and where secrets are most likely to leak
  • The full narrative and supporting data behind the report's conclusions on lifecycle controls and exposure paths

Read Entro Security's research on non-human identity misconfiguration and secret risk for the full findings.

