
Access keys vs encryption keys: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Access keys are dynamic identity credentials, not encryption keys, and treating them the same creates visibility, rotation and zero-trust failures that increase breach risk, according to Aembit and supporting breach research. The real issue is not credential storage, but whether access is issued, scoped and revoked as runtime identity rather than static secret material.

NHIMG editorial — based on content published by Aembit: Access Keys Are Not Encryption Keys: Why Identity Needs a Different Strategy

By the numbers:

Questions worth separating out

Q: How should security teams handle access keys differently from encryption keys?

A: Security teams should govern access keys as workload identity credentials, not as data-protection material.

Q: Why do static access keys create more risk in cloud-native environments?

A: Static access keys create more risk because they can be copied into code, containers and pipelines, then reused long after the original context changes.

Q: What breaks when organisations treat all keys as the same type of credential?

A: What breaks is the control model.

Practitioner guidance

What's in the full article

Aembit's full analysis covers the operational detail this post intentionally leaves for the source:

  • A side-by-side comparison of encryption key custody and access-key operational handling across cloud services and pipelines.
  • A practical explanation of how secretless access works when workloads authenticate at runtime instead of storing long-lived credentials.
  • A breakdown of why runtime issuance changes audit, revocation and observability requirements for CI/CD and containerized environments.
  • Implementation context for teams deciding when a secrets manager is sufficient and when workload identity controls are the better fit.

👉 Read Aembit's analysis of why access keys are not encryption keys →


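The contrast the post draws (a static access key that keeps working wherever it is copied, versus access that is issued, scoped and revoked at runtime as workload identity), as an added example that is not part of the NHIMG post or Aembit's article. StaticKeyStore, WorkloadBroker, prove_identity and the workload ids ci-build and prod-api are hypothetical names; the HMAC-signed token is a stand-in for a real token service, the attestation secret is a stand-in for a platform attestation such as an OIDC token or SVID, and the key id/secret are the AWS documentation example values, not live credentials.

```python
"""Toy model: static access key vs runtime-issued, scoped, revocable workload credential.
Added example; all class/function names and sample values are hypothetical/constructed."""
import base64
import hashlib
import hmac
import json
import secrets


class StaticKeyStore:
    """Static access key: possession of the secret string is the whole proof.
    No caller binding, scope or expiry, so a key copied into a pipeline or
    container keeps working after its original context is gone."""

    def __init__(self, key_id, secret):
        self._keys = {key_id: secret}

    def authorize(self, key_id, secret, action, caller):
        # 'action' and 'caller' are ignored: the store cannot tell who presents
        # the key or restrict what it is used for.
        return self._keys.get(key_id) == secret


def prove_identity(workload_id, attestation_secret, nonce):
    """Workload side: a fresh runtime proof from a platform-held secret that
    never leaves the workload (stand-in for a real attestation)."""
    return hmac.new(attestation_secret, f"{workload_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


class WorkloadBroker:
    """Broker side: verifies the runtime proof, issues a short-lived token bound to
    the workload identity and scoped to named actions, records issuance and last
    use per token, and can revoke any token individually."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)
        self._attestation_secrets = {}   # workload_id -> platform-held secret
        self._issued = {}                # jti -> issuance / last-use record (audit trail)
        self._revoked = set()

    def register(self, workload_id, attestation_secret):
        self._attestation_secrets[workload_id] = attestation_secret

    def issue(self, workload_id, nonce, proof, scope, ttl_seconds, now):
        expected = prove_identity(workload_id, self._attestation_secrets[workload_id], nonce)
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("workload attestation failed")
        jti = secrets.token_hex(8)
        claims = {"sub": workload_id, "scope": sorted(scope), "exp": now + ttl_seconds, "jti": jti}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        self._issued[jti] = {"sub": workload_id, "scope": claims["scope"],
                             "issued_at": now, "exp": claims["exp"], "last_use": None}
        return f"{body}.{sig}"

    def authorize(self, token, caller, action, now):
        # 'caller' stands in for the identity the resource server established
        # (e.g. via mTLS); it is not something the token bearer asserts.
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body))
        if (claims["jti"] in self._revoked            # revoked at the broker, immediate effect
                or now >= claims["exp"]                # expired: copies die on their own
                or claims["sub"] != caller             # identity-bound: copied token fails elsewhere
                or action not in claims["scope"]):     # scoped: only the requested actions
            return False
        self._issued[claims["jti"]]["last_use"] = (now, caller, action)
        return True

    def revoke(self, jti):
        self._revoked.add(jti)

    def audit(self, jti):
        """Answers 'who last used this credential, and for what'."""
        return self._issued.get(jti)


def demo():
    now = 1_700_000_000   # fixed clock so the run is deterministic
    static = StaticKeyStore("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")  # AWS doc example values
    broker = WorkloadBroker()
    build_secret = b"constructed-attestation-secret-for-ci-build"
    broker.register("ci-build", build_secret)
    proof = prove_identity("ci-build", build_secret, "n-0001")
    token = broker.issue("ci-build", "n-0001", proof, scope={"s3:GetObject"}, ttl_seconds=300, now=now)
    jti = json.loads(base64.urlsafe_b64decode(token.split(".")[0]))["jti"]
    results = {
        # static key copied to an unrelated machine and used for an unintended action: still accepted
        "static_key_reused_elsewhere": static.authorize(
            "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "s3:DeleteObject", caller="laptop"),
        "token_in_scope": broker.authorize(token, "ci-build", "s3:GetObject", now + 10),
        "token_out_of_scope": broker.authorize(token, "ci-build", "s3:DeleteObject", now + 10),
        "token_copied_to_other_workload": broker.authorize(token, "prod-api", "s3:GetObject", now + 10),
        "token_after_expiry": broker.authorize(token, "ci-build", "s3:GetObject", now + 300),
        "audit_last_use": broker.audit(jti)["last_use"],
    }
    broker.revoke(jti)
    results["token_after_revoke"] = broker.authorize(token, "ci-build", "s3:GetObject", now + 20)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the four checks in authorize: the same token fails when copied to another workload, when used outside its scope, after its TTL, and immediately after revocation, while the static key passes in every one of those situations because nothing about it can be checked except the string itself.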
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Access-key governance fails when organisations assume all credentials can be managed as static secret material. That assumption is designed for encrypted data controls, not for workload identities that must authenticate and act continuously. When access credentials inherit encryption-key handling, rotation becomes too slow, scope becomes too broad and visibility becomes too shallow. The implication is that governance needs to distinguish between protecting data and controlling action, because they are not the same control problem.

A few things that frame the scale:

  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
  • Another finding from the same report shows that 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.

A question worth separating out:

Q: How can teams tell whether workload access is still too secret-driven?

A: A strong signal is finding access keys embedded in source code, environment variables, old infrastructure or CI/CD pipelines with no clear owner. Another warning sign is rotation measured in months or quarters instead of runtime issuance. If the team cannot say who last used a credential and for what purpose, governance is too weak.

👉 Read our full editorial: Access keys are not encryption keys: why IAM controls diverge
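The three warning signs in the reply above (credentials embedded in source, env files or pipeline config with no owner; rotation measured in months; no record of who last used a key), turned into a small audit as an added example that is not part of the NHIMG reply or Aembit's article. The file snapshots and the credential inventory are constructed samples; the key ids and secret are the AWS documentation example values, and the AKIA/ASIA prefix pattern matches the AWS access key id format. The function names and the 90-day threshold are assumptions.

```python
"""Static-credential audit over constructed samples. Added example; names and
thresholds are assumptions, sample data is constructed (AWS doc example keys)."""
import re
from datetime import date

# Constructed file snapshots (path -> lines), as a repo/host scan would collect them.
SAMPLE_SOURCES = {
    "deploy/pipeline.yml": [
        "env:",
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE",
        "  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    ],
    "app/config.py": [
        "DB_HOST = 'db.internal'",
        "TOKEN = os.environ['API_TOKEN']",   # a reference, not a literal: must not be flagged
    ],
    ".env.old": ["API_TOKEN=constructed-static-token-0000000000"],
}

# Constructed credential inventory, as exported from an IAM access-key listing.
SAMPLE_INVENTORY = [
    {"key_id": "AKIAIOSFODNN7EXAMPLE", "owner": None,
     "created": date(2023, 1, 10), "last_used": None},
    {"key_id": "AKIAI44QH8DHBEXAMPLE", "owner": "team-payments",
     "created": date(2024, 7, 1), "last_used": date(2024, 8, 20)},
]

# AWS access key id: AKIA (long-lived) or ASIA (temporary) prefix + 16 upper/digits.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A name containing secret/token/password, then = or :, then a long literal value.
SECRET_LITERAL = re.compile(r"(?i)(?:secret|token|password)[^\n=:]*[=:]\s*['\"]?[A-Za-z0-9/+_\-]{16,}")


def scan_sources(sources):
    """Signal 1: access keys and secret literals embedded in code, config or env files."""
    findings = []
    for path, lines in sources.items():
        for lineno, line in enumerate(lines, 1):
            for m in AWS_KEY_ID.finditer(line):
                findings.append({"kind": "hardcoded_access_key_id", "path": path,
                                 "line": lineno, "key_id": m.group(0)})
            if SECRET_LITERAL.search(line):
                findings.append({"kind": "hardcoded_secret_literal", "path": path, "line": lineno})
    return findings


def audit_inventory(inventory, today, embedded_key_ids, max_age_days=90):
    """Signals 2 and 3: no owner, rotation measured in months, no last-use record."""
    findings = []
    for rec in inventory:
        kid = rec["key_id"]
        if rec["owner"] is None:
            findings.append((kid, "no_owner"))
        if (today - rec["created"]).days > max_age_days:
            findings.append((kid, "stale_credential"))     # rotation in months/quarters
        if rec["last_used"] is None:
            findings.append((kid, "no_last_use_record"))   # cannot say who used it, or for what
        if kid in embedded_key_ids:
            findings.append((kid, "embedded_in_source"))   # cross-reference with the source scan
    return findings


def run_audit(today, sources=SAMPLE_SOURCES, inventory=SAMPLE_INVENTORY):
    source_findings = scan_sources(sources)
    embedded = {f["key_id"] for f in source_findings if f["kind"] == "hardcoded_access_key_id"}
    return {"source_findings": source_findings,
            "inventory_findings": audit_inventory(inventory, today, embedded)}


if __name__ == "__main__":
    report = run_audit(date(2024, 9, 1))
    for f in report["source_findings"]:
        print("source:", f)
    for kid, reason in report["inventory_findings"]:
        print("inventory:", kid, reason)
```

Joining the two views is what makes the result actionable: a key that is both unowned and never-used in the inventory and also present in a pipeline file is exactly the "no clear owner, no known purpose" case the reply describes, whereas the owned, recently rotated, recently used key produces no findings.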

