TL;DR: A documentation audit of 20 credential configurations across 19 major platforms found that only 7 expire by default, 5 are documented to never expire, and 8 have no documented default expiration at all, according to Identra Research. Default lifetime is still a governance control point, not a convenience setting, because credential persistence shapes blast radius and accountability.
NHIMG editorial — based on content published by Identra.ai: Keys That Never Die: We Audited 20 Credential Configurations Across 19 Major Platforms
By the numbers:
- Of 20 credential configurations across 19 major platforms, only 7 expire by default.
- Only 9 of the 20 configurations, on 9 of the 19 platforms, come with a documented administrator control that can enforce a maximum credential lifetime.
Questions worth separating out
Q: What breaks when credentials do not expire by default?
A: When credentials do not expire by default, access persists beyond the original business need and becomes harder to govern through ordinary reviews.
Q: Why do long-lived secrets increase identity risk in cloud and SaaS environments?
A: Long-lived secrets remain reusable until someone revokes them, which gives attackers a durable target.
Q: How do teams know whether a credential lifetime control is actually working?
A: A lifetime control is working when the platform enforces expiration without manual reminders, the org can verify the maximum lifetime in policy, and stale credentials disappear from inventory on schedule.
Practitioner guidance
- Classify perpetual credentials as high-risk identities Build an inventory of every token, key, refresh token, and client secret that lacks a documented expiry default, then assign an owner, purpose, and review date to each one.
- Enforce platform lifetime controls where they exist Turn on organisation-level maximum lifetime settings for platforms that support them, and block creation paths that allow indefinite or unbounded credential validity.
- Replace legacy long-lived credentials first Prioritise migrations from classic tokens, permanent API keys, and unbounded refresh tokens to newer credential types that support shorter lifetimes or explicit expiration.
What's in the full report
Identra.ai's full documentation audit covers the platform-by-platform lifecycle details this post intentionally leaves at the governance level:
- Credential-by-credential documentation notes for GitHub, AWS, Google Cloud, Salesforce, Slack, OpenAI, Anthropic, and the other platforms in scope.
- The exact wording used by vendor documentation to distinguish 'never expires' from 'no default expiration documented'.
- The admin policy settings that can enforce maximum lifetime on some platforms and the ones that do not exist publicly on others.
- The methodology and source checks used to classify each credential configuration as expiring, non-expiring, or undocumented.
👉 Read Identra.ai's documentation audit of credential expiry across major platforms →
Forever keys and missing expiry controls: what should IAM teams do?
Explore further
Forever credentials are a lifecycle failure, not just a secrets problem. The audit shows that many platforms still treat lifetime as optional, undocumented, or impossible to enforce. That means the credential is being governed as a static artifact instead of a time-bound identity. The consequence is persistent access debt, where issuance is easy but accountability is delayed or absent.
A few things that frame the scale:
- Only 9 of the 20 configurations, on 9 of the 19 platforms, come with a documented administrator control that can enforce a maximum credential lifetime, according to The 2024 Non-Human Identity Security Report.
- Another finding from the same report shows that 88.5% of organisations acknowledge their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts.
A question worth separating out:
Q: Who should be accountable for non-expiring credentials?
A: Accountability should sit with the system owner, identity team, and platform owner together, because non-expiring credentials are both a governance and an engineering problem. The owner must justify the exception, the identity team must track it, and the platform owner must ensure that revocation and lifecycle policy are actually enforceable.
👉 Read our full editorial: Forever keys still dominate across major credential platforms