NHI Forum
Every time we talk about security hygiene, someone throws in “rotate your secrets” like it’s a checkbox on a form. But here’s the reality: most environments are flooded with non-human identities holding static, long-lived credentials, and barely anyone is tracking them.
We’re not talking about one or two overlooked tokens. We’re talking about thousands of service accounts, bots, infrastructure-as-code scripts, internal APIs, all quietly authenticating with secrets no one has looked at in months, maybe years.
They don’t complain. They don’t expire.
They just keep working until they get leaked.
And when they do? It’s game over.
One leaked token can hand over root access. One misconfigured secret can expose production data to the world. We’ve seen it. More than once.
Questions Worth Asking
- How many hardcoded secrets are sitting in your repos or pipelines right now?
- When was the last time you rotated a token or an API key as a matter of hygiene, not because of a breach?
- Do your audit trails include non-human identities and their usage of secrets?
- Are your devs and SREs treating NHI security with the same care as human IAM?
Join the Discussion
If you’re working on this problem or fighting the uphill battle of building NHI-aware practices, we want to hear from you.
What’s worked? What hasn’t?
How are you managing secrets for your machine users?
And how can we, as a community, push NHI security to be more than a checkbox?