TL;DR: Organisations still struggle to discover, classify, monitor, and rotate non-human identities and secrets across code, vaults, cloud services, and collaboration tools, according to Entro Security. That gap makes lifecycle governance and visibility the real control plane for NHI security, not branding or market awards.
NHIMG editorial — based on content published by Entro Security: The Cool Vendor Factor: Why Gartner Chose Entro
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams inventory non-human identities across cloud and code environments?
A: Start by scanning the places NHIs are most often embedded: source code, CI/CD pipelines, vaults, cloud consoles, chat tools, and configuration stores.
Q: Why do service accounts and API keys create more risk when they are long-lived?
A: Long-lived credentials extend the time an attacker can use a compromised secret, and they often survive after the original business purpose has changed.
Q: What do teams get wrong about secrets discovery in NHI programmes?
A: They often stop at finding the secret and treat discovery as the end of the job.
Practitioner guidance
- Map the full NHI estate before expanding controls: inventory service accounts, API keys, tokens, and certificates across code, vaults, cloud services, chats, and CI/CD systems.
- Require enrichment fields before accepting any credential into production: do not treat a discovered secret as governable until it has an accountable owner, an associated application or service, and an explicit permission profile.
- Shorten the validity window for long-lived machine credentials: replace persistent keys where possible, and where not possible, enforce rotation tied to change events, vendor changes, and application decommissioning.
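The guidance above (and the discovery question earlier) describes a lifecycle pipeline: find embedded secrets, refuse to call them governed until owner, service and permission context exist, and rotate on age or on lifecycle events rather than only on a calendar. The following is an added example written for this editorial, not code from Entro Security or from the NHIMG; the file contents, record names, the 90-day threshold and the event types are constructed assumptions, and none of the sample strings are real credentials.

```python
"""Lifecycle governance checks for discovered non-human identities (NHIs).

Added illustration, not Entro's product code. Sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample content from the places where secrets get embedded
# (config files, CI/CD workflows, source code). Not real credentials.
SAMPLE_SOURCES = {
    "app/config.yaml": "db_host: db.internal\ndb_password: Summer2023!\n",
    ".github/workflows/deploy.yml": "env:\n  API_TOKEN: sk_live_constructed_0123456789abcdef\n",
    "src/client.py": "KEY = 'AKIACONSTRUCTED00001'  # AWS-style access key id\n",
}

# Specific key shapes are checked before the generic key/value pattern so a
# line yields one finding with the most precise kind.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("generic", re.compile(
        r"(?i)(password|secret|token|api[_-]?key|key)\s*[:=]\s*['\"]?([^\s'\"#]+)")),
]


def discover(sources: dict[str, str]) -> list[dict]:
    """Step 1: inventory. Scan each source for embedded credentials."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in SECRET_PATTERNS:
                m = pattern.search(line)
                if m:
                    findings.append({"path": path, "line": lineno,
                                     "kind": kind, "value": m.group(m.lastindex)})
                    break  # one finding per line, most specific kind wins
    return findings


@dataclass
class NHIRecord:
    identifier: str                 # where the credential lives (file or vault path)
    kind: str
    owner: str | None = None
    service: str | None = None
    permissions: tuple[str, ...] = ()
    last_rotated: date | None = None
    # Lifecycle events, e.g. ("vendor_change", date); assumed event vocabulary.
    events: tuple[tuple[str, date], ...] = ()


REQUIRED_ENRICHMENT = ("owner", "service", "permissions")
ROTATION_TRIGGERS = {"change_event", "vendor_change", "app_decommissioned"}


def missing_enrichment(rec: NHIRecord) -> list[str]:
    """Step 2: enrichment gate. A record is not governable until these exist."""
    return [field for field in REQUIRED_ENRICHMENT if not getattr(rec, field)]


def rotation_reasons(rec: NHIRecord, today: date, max_age_days: int = 90) -> list[str]:
    """Step 3: rotation policy. Age is a backstop; events force earlier rotation."""
    reasons = []
    if rec.last_rotated is None:
        reasons.append("never rotated")
    else:
        age = (today - rec.last_rotated).days
        if age > max_age_days:
            reasons.append(f"age {age}d exceeds {max_age_days}d")
    for kind, when in rec.events:
        if kind in ROTATION_TRIGGERS and (rec.last_rotated is None or when > rec.last_rotated):
            reasons.append(f"{kind} on {when.isoformat()} after last rotation")
    return reasons


def govern(records: list[NHIRecord], today: date, max_age_days: int = 90) -> dict[str, dict]:
    """Apply the enrichment gate and rotation policy to every inventoried record."""
    report = {}
    for rec in records:
        missing = missing_enrichment(rec)
        report[rec.identifier] = {
            "governable": not missing,
            "missing": missing,
            "rotation_reasons": rotation_reasons(rec, today, max_age_days),
        }
    return report


def sample_records(today: date) -> list[NHIRecord]:
    """Constructed records showing the three outcomes the guidance cares about."""
    return [
        # Found in a config file, nobody owns it, rotated over a year ago.
        NHIRecord("app/config.yaml:db_password", "generic",
                  last_rotated=today - timedelta(days=400)),
        # Properly enriched vault secret, rotated recently, but the vendor changed since.
        NHIRecord("vault://prod/payments/api-token", "generic", owner="payments-team",
                  service="payments-api", permissions=("charge:write",),
                  last_rotated=today - timedelta(days=30),
                  events=(("vendor_change", today - timedelta(days=10)),)),
        # Owner and service known, permission profile still undocumented, never rotated.
        NHIRecord("src/client.py:aws_access_key_id", "aws_access_key_id",
                  owner="data-eng", service="etl-loader"),
    ]


if __name__ == "__main__":
    for f in discover(SAMPLE_SOURCES):
        print(f"found {f['kind']} in {f['path']}:{f['line']}")
    for ident, verdict in govern(sample_records(date.today()), date.today()).items():
        print(ident, verdict)
```

The point of the structure is that `discover()` output alone never reaches `govern()` as a governable record: a finding becomes an `NHIRecord` whose gate fails until someone supplies the owner, service and permission profile, and the rotation check reports event-driven reasons separately from the age backstop so a secret rotated last month still surfaces when its vendor changed last week.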
What's in the full article
Entro Security's full blog post covers the commentary and product-context detail this post intentionally leaves for the source:
- How Entro describes its discovery coverage across vaults, code repositories, CI/CD pipelines, and collaboration tools.
- The vendor’s own explanation of how it classifies and enriches NHIs with owner and permission context.
- Additional context on how Entro positions monitoring, analytics, and lifecycle management inside its platform.
- The company’s framing of why Gartner Cool Vendor recognition mattered to its market narrative.
Read Entro Security's blog post on Gartner Cool Vendor recognition and NHI governance.