TL;DR: Organisations still struggle to discover, classify, monitor, and rotate non-human identities and secrets across code, vaults, cloud services, and collaboration tools, according to Entro Security. That gap makes lifecycle governance and visibility the real control plane for NHI security, not branding or market awards.
NHIMG editorial — based on content published by Entro Security: The Cool Vendor Factor: Why Gartner Chose Entro
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams inventory non-human identities across cloud and code environments?
A: Start by scanning the places NHIs are most often embedded: source code, CI/CD pipelines, vaults, cloud consoles, chat tools, and configuration stores.
Q: Why do service accounts and API keys create more risk when they are long lived?
A: Long-lived credentials extend the time an attacker can use a compromised secret, and they often survive after the original business purpose has changed.
Q: What do teams get wrong about secrets discovery in NHI programmes?
A: They often stop at finding the secret and treat discovery as the end of the job.
Practitioner guidance
- Map the full NHI estate before expanding controls Inventory service accounts, API keys, tokens, and certificates across code, vaults, cloud services, chats, and CI/CD systems.
- Require enrichment fields before accepting any credential into production Do not treat a discovered secret as governable until it has an accountable owner, an associated application or service, and an explicit permission profile.
- Shorten the validity window for long-lived machine credentials Replace persistent keys where possible, and where not possible, enforce rotation tied to change events, vendor changes, and application decommissioning.
What's in the full article
Entro Security's full blog post covers the commentary and product-context detail this post intentionally leaves for the source:
- How Entro describes its discovery coverage across vaults, code repositories, CI/CD pipelines, and collaboration tools.
- The vendor’s own explanation of how it classifies and enriches NHIs with owner and permission context.
- Additional context on how Entro positions monitoring, analytics, and lifecycle management inside its platform.
- The company’s framing of why Gartner Cool Vendor recognition mattered to its market narrative.
👉 Read Entro Security's blog post on Gartner Cool Vendor recognition and NHI governance →
NHI visibility gaps: what Entro's Gartner recognition really means?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Visibility is the first governance control, not a supporting feature. Entro’s framing reflects a wider market truth: organisations cannot secure NHIs they cannot enumerate. The problem is structural because secrets are created in code, copied into chats, embedded in pipelines, and reused across cloud services faster than manual governance can track them. The practical conclusion is that NHI governance starts with discovery coverage, not with policy language.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why discovery-first governance remains the practical starting point.
A question worth separating out:
Q: Who should own lifecycle governance for non-human identities?
A: Ownership should sit with the teams that control the application or service using the credential, with IAM, security, and platform teams defining the governance rules. If no one is accountable for revocation, rotation, and offboarding, machine identities will outlive the systems they were created to support.
👉 Read our full editorial: Entro's Cool Vendor status spotlights NHI visibility gaps