
Secrets management gaps: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Mismanaged secrets create hidden operational cost through false positives, delayed rotation, offboarding failures, and inconsistent policy enforcement, according to Entro Security. The core issue is not just secret handling overhead but the collapse of lifecycle control when access, ownership, and revocation are not managed consistently.

NHIMG editorial — based on content published by Entro Security: The hidden HR cost of mismanaged secrets

By the numbers:

Questions worth separating out

Q: How should security teams reduce secret sprawl in large environments?

A: Security teams should first centralise discovery and ownership so every secret has a known system, owner, and lifecycle state.

Q: Why do stale secrets remain one of the hardest identity risks to remove?

A: Stale secrets persist because they are often embedded in applications, shared across teams, or forgotten after staff changes.

Q: What do organisations get wrong about rotating secrets manually?

A: They treat rotation as a simple replacement task, when it is actually a dependency management problem.

Practitioner guidance

  • Create a single inventory of active secrets: Track each secret’s owner, system of use, creation date, and last rotation date so teams can revoke or rotate with confidence rather than guesswork.
  • Bind offboarding to secret revocation: Make leaver workflows trigger secret revocation across directories, vaults, tickets, and code references so old access cannot survive a personnel change.
  • Map shared-secret dependencies before rotation: Identify every application that consumes a given secret and schedule coordinated rotation so one service does not break another during replacement.

What's in the full article

Entro Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The article walks through the day-to-day secrets management burdens that create hidden HR and security costs.
  • It explains how false positives and false negatives consume analyst time and distort operational prioritisation.
  • It outlines the practical impact of offboarding failures, including reassignment and decommissioning challenges.
  • It expands on why integration across cloud, on-premises, and DevOps environments complicates safe rotation.

👉 Read Entro Security's analysis of the hidden HR cost of mismanaged secrets →

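The three guidance points above (inventory with owner, system and rotation dates; offboarding that triggers revocation; dependency mapping before rotation) can be tied together in one small model. The following is an added example written for this thread, not code from the NHIMG post or from Entro Security; the secret ids, user names, systems, dates and the 90-day rotation threshold are constructed assumptions.

```python
"""Added example (not from the NHIMG post or Entro Security): a minimal
secret inventory that records an owner, a consuming system, creation and
last-rotation dates and the set of consumers for each secret, so that
offboarding and rotation are driven from the inventory rather than
guesswork. All identifiers, users and dates below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Secret:
    secret_id: str                  # hypothetical id, e.g. a vault path
    owner: str                      # accountable person (hypothetical user id)
    system: str                     # system that issues or holds the secret
    created: date
    last_rotated: date
    consumers: set[str] = field(default_factory=set)  # apps using the secret
    active: bool = True


class SecretInventory:
    def __init__(self, max_age_days: int = 90):
        self.secrets: dict[str, Secret] = {}
        self.max_age = timedelta(days=max_age_days)   # assumed rotation policy

    def register(self, s: Secret) -> None:
        self.secrets[s.secret_id] = s

    def offboard(self, user: str) -> list[str]:
        """Leaver workflow: mark every active secret owned by the user as
        revoked and return the ids so vault / directory / ticket hooks can
        act on each one. Nothing owned by a leaver stays active."""
        revoked = []
        for s in self.secrets.values():
            if s.owner == user and s.active:
                s.active = False
                revoked.append(s.secret_id)
        return sorted(revoked)

    def overdue(self, today: date) -> list[str]:
        """Active secrets whose last rotation is older than the policy."""
        return sorted(s.secret_id for s in self.secrets.values()
                      if s.active and today - s.last_rotated > self.max_age)

    def rotation_plan(self, secret_id: str) -> list[str]:
        """List every consumer of a shared secret before rotating it, so the
        new value reaches all of them in one coordinated change and the old
        value is retired only after every consumer has been verified."""
        s = self.secrets[secret_id]
        if not s.active:
            raise ValueError(f"{secret_id} is revoked; issue a new secret instead")
        steps = [f"issue new value for {secret_id} in {s.system}"]
        steps += [f"update consumer {c}" for c in sorted(s.consumers)]
        steps.append(f"verify all consumers, then retire old value of {secret_id}")
        return steps


TODAY = date(2025, 6, 1)   # constructed "current" date for the example


def build_sample_inventory() -> SecretInventory:
    """Constructed sample data: three secrets, two owned by the same person."""
    inv = SecretInventory(max_age_days=90)
    inv.register(Secret("vault/db/prod-password", "alice", "postgres-prod",
                        date(2025, 1, 10), date(2025, 1, 10),
                        {"billing-api", "reporting-job"}))
    inv.register(Secret("vault/ci/deploy-token", "bob", "ci-server",
                        date(2024, 11, 1), date(2025, 3, 1), {"pipeline"}))
    inv.register(Secret("vault/analytics/api-key", "bob", "analytics-saas",
                        date(2025, 2, 15), date(2025, 4, 1), {"dashboard"}))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("overdue before offboarding:", inv.overdue(TODAY))
    print("revoked for bob:", inv.offboard("bob"))
    print("overdue after offboarding:", inv.overdue(TODAY))
    for step in inv.rotation_plan("vault/db/prod-password"):
        print(" -", step)
```

The point of the `consumers` set is the third bullet: a rotation plan is generated from the recorded dependencies, so the database password shared by two applications is never replaced in one place and silently broken in the other. Offboarding returns the list of revoked ids rather than deleting records, because the downstream hooks (vault, directory, tickets, code references) still need to know what to act on.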
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 7990
 

Secrets management is really lifecycle governance, not a tooling side issue. The article is strongest where it shows that ownership, rotation, and offboarding determine whether a secret remains a controlled identity artifact or becomes residual access. That maps directly to OWASP NHI and NIST CSF expectations around asset visibility and access control. Practitioners should treat secrets as governed identities with a start, a purpose, and an end.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.

A question worth separating out:

Q: How do you know if secrets management is actually working?

A: Look for fewer duplicate secrets, shorter leak remediation times, clear ownership, and revocation that is tied to identity lifecycle events. If secrets remain active after offboarding or appear in multiple systems, the programme is not controlling the credential population. The measure of success is reduced exposure, not just more vault usage.

👉 Read our full editorial: Secrets management gaps create hidden HR and security costs

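The reply's test for whether a programme is working (fewer duplicate secrets, no secrets active after offboarding, clear ownership) can be turned into a report that runs over the credential population. This is an added example written for this thread, not code from the NHIMG post or the cited report; the secret locations, values, owners and leaver dates are constructed. Secret values are reduced to a SHA-256 fingerprint before comparison so the report itself never carries plaintext.

```python
"""Added example (not from the NHIMG thread): compute the health signals
described in the reply over a constructed set of secret records found in
several stores. Duplicates are detected by comparing SHA-256 fingerprints
of the values, so plaintext secrets never appear in the output."""
import hashlib
from collections import defaultdict
from datetime import date

# Constructed records: (location, secret value, owner or None, active flag).
# The values are placeholders, not real credentials.
RECORDS = [
    ("vault:prod/db",        "pw-ExampleOnly-1",  "alice", True),
    ("repo:app/.env",        "pw-ExampleOnly-1",  "alice", True),   # copy of the vault value in a repo
    ("ci:var/DB_PASSWORD",   "pw-ExampleOnly-1",  None,    True),   # third copy, no recorded owner
    ("vault:ci/deploy",      "tok-ExampleOnly-2", "bob",   True),
    ("vault:old/legacy-key", "key-ExampleOnly-3", "carol", True),
    ("vault:archive/key",    "key-ExampleOnly-4", "carol", False),  # already revoked
]

# Constructed leaver list from HR: user -> offboarding date.
LEAVERS = {"bob": date(2025, 5, 1), "carol": date(2025, 3, 15)}


def fingerprint(value: str) -> str:
    """Short SHA-256 fingerprint used only to compare values, never to store them."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def duplicate_groups(records) -> dict[str, list[str]]:
    """Fingerprint -> locations, for every value stored in more than one place."""
    by_fp = defaultdict(list)
    for loc, value, _owner, _active in records:
        by_fp[fingerprint(value)].append(loc)
    return {fp: sorted(locs) for fp, locs in by_fp.items() if len(locs) > 1}


def active_after_offboarding(records, leavers) -> list[str]:
    """Secrets still active although their owner has been offboarded."""
    return sorted(loc for loc, _v, owner, active in records
                  if active and owner in leavers)


def unowned(records) -> list[str]:
    """Active secrets with no accountable owner on record."""
    return sorted(loc for loc, _v, owner, active in records
                  if active and owner is None)


def health_report(records, leavers) -> dict:
    dups = duplicate_groups(records)
    return {
        "total": len(records),
        # extra copies beyond the first occurrence of each value
        "duplicate_copies": sum(len(locs) - 1 for locs in dups.values()),
        "active_after_offboarding": active_after_offboarding(records, leavers),
        "unowned": unowned(records),
    }


def under_control(report: dict) -> bool:
    """The reply's yardstick: no residual access after offboarding, no
    duplicate copies, every active secret owned by someone."""
    return (not report["active_after_offboarding"]
            and report["duplicate_copies"] == 0
            and not report["unowned"])


if __name__ == "__main__":
    rep = health_report(RECORDS, LEAVERS)
    for key, val in rep.items():
        print(f"{key}: {val}")
    print("under control:", under_control(rep))
```

Run against the constructed records the report shows two extra copies of the database password (one in a repo, one in a CI variable with no owner) and two secrets that outlived their owners' offboarding, so `under_control` is false. Those are the numbers to trend over time; vault adoption on its own does not move them.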