Identity secret sprawl: what IAM teams need to fix first


(@nhi-mgmt-group)

TL;DR: Shared secrets for machines outnumber human secrets by 20 to 45 times, and the article argues that secret sprawl persists because applications still authenticate with long-lived credentials stored in code, files, and CI/CD systems, according to Defakto Security. The governance shift is from rotating secrets more often to removing shared secrets from the operating model entirely.

NHIMG editorial — based on content published by Defakto Security: Identity Secret Sprawl: Understand It To Reduce Your Risk

By the numbers:

Questions worth separating out

Q: What breaks when shared secrets are copied across development and production systems?

A: Governance breaks first.

Q: Why do shared machine secrets increase breach risk so much?

A: Because the secret itself becomes the proof of identity.

Q: How do security teams know when secret sprawl is becoming unmanageable?

A: When they cannot confidently answer where each secret exists, which workloads depend on it, and how quickly it can be retired without breaking business services.

Practitioner guidance

  • Inventory every shared machine secret: scan code repositories, CI/CD pipelines, developer workstations, configuration stores, and monitoring jobs to locate every copy of each credential.
  • Rank secrets by blast radius, not by age: prioritise credentials that unlock production data, administrative control, or third-party integrations.
  • Replace reusable secrets with workload identity where feasible: for new services and high-value integrations, move toward verifiable workload identity so the application proves who it is without relying on a copied shared secret.

What's in the full article

Defakto Security's full article covers the operational detail this post intentionally leaves for the source:

  • Examples of where shared secrets typically accumulate across development, staging, production, and CI/CD.
  • Step-by-step ways to estimate secret sprawl in an enterprise application estate.
  • Operational guidance on choosing between secrets managers and identity-first approaches.
  • The Snowflake case discussion and the article's view on why shared responsibility still leaves customers exposed.

👉 Read Defakto Security's analysis of identity secret sprawl and NHI risk →
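The first two practitioner steps above (inventory every copy of each shared secret, then rank by blast radius) as an added, runnable Python example. This is not code from the post or from Defakto Security. The sample file contents, the three detection patterns, the location tiers (production, ci, source, workstation) and the scoring order are constructed assumptions for illustration; the credential values are made-up placeholders. The scanner keys its inventory on a truncated SHA-256 of each value, so the same password copied under different variable names (or inside a connection URL) collapses to one entry, and the report never contains a raw secret.

```python
"""Inventory shared machine secrets across sample files and rank them by blast radius.

Added example; not the original post's or Defakto Security's code.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample "files": a source repo, a CI workflow, a production config
# store and a developer workstation. All values are placeholders.
SAMPLE_FILES = {
    "repo/app/settings.py": 'DB_URL = "postgres://svc:Tr0ub4dor&3@db.internal/orders"\n',
    "ci/.github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"
        "  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "prod/config-store/orders.env": (
        "DB_PASSWORD=Tr0ub4dor&3\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    ),
    "dev/workstation/.env": (
        "DB_PASSWORD=Tr0ub4dor&3\n"
        "SLACK_TOKEN=xoxb-0000000000-0000000000000-ExampleTokenValue00000\n"
    ),
}

# Deliberately small, hypothetical detection patterns; group(1) is the secret value.
PATTERNS = {
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # password embedded in a connection URL: scheme://user:PASSWORD@host
    "url_password": re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:([^@\s]+)@"),
    # KEY=value / KEY: value where the key name mentions password, secret or token
    "key_value": re.compile(r"\b\w*(?:PASSWORD|SECRET|TOKEN)\w*\s*[=:]\s*[\"']?([^\s\"']+)", re.I),
}

# Assumed mapping from the top-level directory to an environment tier, and the
# weight used for ranking (higher reaches more valuable systems).
TIER_OF_PREFIX = {"prod": "production", "ci": "ci", "repo": "source", "dev": "workstation"}
TIER_RANK = {"production": 3, "ci": 2, "source": 2, "workstation": 1}


def tier_of(path):
    return TIER_OF_PREFIX[path.split("/", 1)[0]]


def fingerprint(value):
    # Only a truncated hash leaves the scanner; the raw secret is never reported.
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def inventory(files):
    """Map secret fingerprint -> detection kinds and every (path, tier) holding a copy."""
    inv = defaultdict(lambda: {"kinds": set(), "locations": set()})
    for path, text in files.items():
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                entry = inv[fingerprint(match.group(1))]
                entry["kinds"].add(kind)
                entry["locations"].add((path, tier_of(path)))
    return dict(inv)


def rank_by_blast_radius(inv):
    """Order secrets by the highest tier they reach, dev/prod crossing, then copy count."""
    rows = []
    for fp, entry in inv.items():
        tiers = {tier for _, tier in entry["locations"]}
        rows.append({
            "fingerprint": fp,
            "kinds": sorted(entry["kinds"]),
            "copies": len(entry["locations"]),
            "highest_tier": max(tiers, key=TIER_RANK.get),
            # the governance failure the Q&A above names: one secret shared by dev and prod
            "crosses_dev_prod": "production" in tiers and "workstation" in tiers,
            "paths": sorted(path for path, _ in entry["locations"]),
        })
    rows.sort(
        key=lambda r: (TIER_RANK[r["highest_tier"]], r["crosses_dev_prod"], r["copies"]),
        reverse=True,
    )
    return rows


if __name__ == "__main__":
    for row in rank_by_blast_radius(inventory(SAMPLE_FILES)):
        flag = " DEV<->PROD" if row["crosses_dev_prod"] else ""
        print(f"{row['fingerprint']}  copies={row['copies']}  tier={row['highest_tier']}{flag}")
        for path in row["paths"]:
            print(f"    {path}")
```

On the constructed input the database password ranks first: it reaches production, is shared by a developer workstation, and has three copies under two different names, so retiring it means touching three systems at once. Real scanners (gitleaks, trufflehog and the like) carry far larger pattern sets; the point of the example is the grouping and ranking step that turns raw findings into the retirement order the third bullet needs.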
