
Multi-vault governance: what IAM teams need to change


(@akeyless)
Estimable Member
Joined: 1 year ago
Posts: 68
Topic starter  

TL;DR: Gartner’s latest research says secrets management is shifting toward workload access management, secretless access, short-lived credentials, and governance across multiple vaults already in use, according to Akeyless. The bigger implication is that vaulting alone no longer matches how modern workloads, pipelines, and AI agents authenticate, so identity control now matters as much as secret storage.

NHIMG editorial — based on content published by Akeyless: Gartner research on secrets management, workload access management, and multi-vault governance

Questions worth separating out

Q: How should security teams reduce reliance on static credentials for workloads?

A: Start by identifying which workloads can authenticate with cloud identity, Kubernetes identity, OIDC, certificates, or attestation instead of carrying reusable secrets.

Q: Why do multi-vault environments create governance problems for IAM teams?

A: Because control becomes fragmented across clouds, platforms, and development teams, each with different policy, audit, and rotation practices.

Q: What breaks when workloads still depend on static secrets instead of runtime identity?

A: The programme assumes a secret can remain trustworthy long enough to be stored, distributed, and rotated safely.

Practitioner guidance

  • Inventory static credentials by workload, not by vault: map every application, pipeline, and automation script that still depends on reusable secrets, then classify which of those can move to identity-based runtime access first.
  • Validate the authentication path into each vault: review how workloads prove identity before they are allowed to retrieve secrets, including cloud identity, certificates, attestation, and federated tokens.
  • Establish policy consistency across all vaults: apply one access model for rotation, audit, and lifecycle control across AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, Kubernetes secrets, and any embedded platform stores.

What's in the full article

Akeyless's full article covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of secretless authentication patterns for cloud, Kubernetes, and federated workload identities.
  • The vendor's multi-vault orchestration and synchronization approach across AWS, Azure, GCP, and HashiCorp Vault.
  • Examples of JIT credential issuance and audit controls for pipelines, automation scripts, and modern workloads.
  • The specific AI-agent-oriented capabilities described in the article, including runtime authority and identity intelligence.

👉 Read Akeyless's analysis of Gartner's secrets management research →


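The runtime-identity path that the post's first question and second guidance bullet describe, as an added example that is not code from the original post, from Akeyless, or from Gartner: a workload presents a platform-issued identity token, the vault verifies issuer, audience, signature and validity window, maps the subject to a role through a binding policy, and mints a short-lived credential. Nothing reusable is ever handed to the workload. The signing key, issuer URL, audience, subject names, role names and TTLs are assumptions, and the token is HMAC-signed so the example runs offline; a real Kubernetes or cloud OIDC token is asymmetrically signed and verified against the issuer's published keys.

```python
"""Identity-based access to a vault: the workload proves who it is with a
platform-issued token and receives a short-lived credential in return.

Added example, not Akeyless's or Gartner's code. Key, issuer, audience,
subjects, roles and TTLs are assumed. HMAC stands in for the platform's
asymmetric signature so that the example runs without a JWKS endpoint.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER_KEY = b"platform-signing-key-for-demo-only"  # assumed: held by the platform
ISSUER = "https://kubernetes.default.svc"           # assumed issuer
AUDIENCE = "vault"                                  # this vault's expected audience

# Binding policy: which workload identity may assume which role, and for how
# long. Keyed by token subject, so no secret is ever shared with the workload.
BINDINGS = {
    "system:serviceaccount:payments:api": {"role": "payments-db-reader", "ttl": 900},
    "system:serviceaccount:ci:deployer": {"role": "deploy-writer", "ttl": 300},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_identity_token(subject: str, audience: str, lifetime: int = 600, now=None) -> str:
    """What the platform does: sign short-lived claims about a running workload."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "nbf": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_identity_token(token: str, now=None) -> dict:
    """What the vault does before releasing anything: check algorithm,
    signature, issuer, audience and validity window. Raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header's choice
    expected = hmac.new(ISSUER_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not intended for this vault")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise ValueError("token outside validity window")
    return claims


def exchange_for_credential(token: str, now=None) -> dict:
    """Workload identity in, short-lived credential out. The credential is
    generated per request, bound to a role, and expires on its own."""
    now = int(time.time()) if now is None else now
    claims = verify_identity_token(token, now)
    binding = BINDINGS.get(claims["sub"])
    if binding is None:
        raise PermissionError(f"no binding for {claims['sub']}")
    return {
        "role": binding["role"],
        "credential": secrets.token_urlsafe(32),  # fresh each time, nothing to rotate later
        "expires_at": now + binding["ttl"],
        "issued_to": claims["sub"],
    }


if __name__ == "__main__":
    tok = issue_identity_token("system:serviceaccount:payments:api", AUDIENCE)
    print(exchange_for_credential(tok))
```

The point to notice is what is absent: the workload holds no long-lived secret, the vault stores no per-workload password, and the only durable trust material is the platform's signing key. Rotation stops being a distribution problem because every credential is minted at request time with a bounded `expires_at`.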



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Static credentials are not the end state, they are a trust debt that compounds over time. A reusable secret assumes the workload can be safely trusted to carry access until the next rotation cycle. That assumption breaks when credentials are duplicated, embedded, or reused across environments, because the control model depends on secrecy surviving longer than real-world operations allow. The practitioner conclusion is that static credential dependence should be treated as structural exposure, not merely operational inconvenience.

A few things that frame the scale:

  • 88% of security professionals are concerned about secrets sprawl, with 49% of those in larger organisations described as "very concerned", according to The 2024 State of Secrets Management Survey.
  • Only 44% of organisations are currently using a dedicated secrets management system, which helps explain why ad hoc vault patterns remain common in large estates.

A question worth separating out:

Q: How do organisations know if their secrets governance model is actually working?

A: Look for fewer long-lived credentials, fewer teams bypassing central tooling, and consistent policy enforcement across every vault in use. If workloads still require reusable secrets for ordinary operations, the model is not yet reducing risk at the identity layer. Effective governance should show up as shorter credential lifetimes and clearer runtime authorisation.

👉 Read our full editorial: Secrets management is becoming workload identity governance



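The inventory-by-workload and policy-consistency checks from the first post's guidance, together with the governance signals the moderator's answer lists (fewer long-lived credentials, fewer workloads needing reusable secrets, consistent policy across vaults), as one added example that is not code or data from the original posts, from Akeyless, from Gartner, or from the survey cited. The inventory records, vault names, platform-to-identity mapping, rotation windows and dates are constructed for the example; a real run would be fed from each store's API.

```python
"""Multi-vault credential inventory pivoted to the workload, plus the
governance signals a team can track: workloads still on reusable secrets,
credentials that have outlived their rotation policy, static credentials
whose platform could authenticate by identity instead, and whether every
vault enforces the same lifecycle window.

Added example, not Akeyless's, Gartner's or the survey's code. The records
below are constructed; the platform-to-identity mapping is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

STATIC_AUTH = {"static_token", "api_key", "password"}

# Platforms that can prove a workload's identity without a shared secret,
# and the mechanism a migration would move the workload to (assumed mapping).
IDENTITY_CAPABLE = {
    "aws": "iam_role",
    "azure": "managed_identity",
    "gcp": "service_account_identity",
    "k8s": "projected_service_account_token",
    "github_actions": "oidc_federation",
}


@dataclass(frozen=True)
class Credential:
    vault: str           # store that holds it
    name: str
    workload: str        # app, pipeline or script that consumes it
    platform: str        # where that workload runs
    auth_path: str       # how the workload authenticates to obtain it
    last_rotated: date
    rotation_days: int   # the policy configured in that particular vault


# Constructed inventory for the example: five stores, six workloads.
INVENTORY = [
    Credential("aws_secrets_manager", "prod/payments/db", "payments-api", "aws", "iam_role", date(2024, 5, 1), 90),
    Credential("aws_secrets_manager", "prod/payments/stripe", "payments-api", "aws", "static_token", date(2023, 9, 12), 90),
    Credential("azure_key_vault", "billing-sql", "billing-worker", "azure", "static_token", date(2024, 3, 20), 180),
    Credential("hashicorp_vault", "ci/registry-push", "release-pipeline", "github_actions", "static_token", date(2024, 1, 5), 30),
    Credential("hashicorp_vault", "ci/signing-key", "release-pipeline", "github_actions", "oidc", date(2024, 5, 10), 30),
    Credential("kubernetes_secret", "ingest/kafka-creds", "ingest-consumer", "k8s", "static_token", date(2023, 11, 2), 365),
    Credential("hashicorp_vault", "legacy/backup-ssh", "backup-script", "vm", "password", date(2022, 7, 1), 30),
    Credential("gcp_secret_manager", "metrics/sink", "metrics-exporter", "gcp", "workload_identity", date(2024, 5, 25), 90),
]

TODAY = date(2024, 6, 1)  # fixed so the report is reproducible


def inventory_by_workload(creds):
    """Pivot from 'what is in each vault' to 'what does each workload carry'."""
    by_workload = defaultdict(list)
    for c in creds:
        by_workload[c.workload].append(c)
    return dict(by_workload)


def overdue(creds, today=TODAY):
    """Credentials that have outlived their own vault's rotation policy."""
    return [c for c in creds if (today - c.last_rotated).days > c.rotation_days]


def migration_candidates(creds):
    """Static credentials whose platform can authenticate by identity instead.
    Returns (credential, target_mechanism) pairs. Legacy platforms with no
    native identity are left for certificate/attestation work, not listed."""
    return [(c, IDENTITY_CAPABLE[c.platform]) for c in creds
            if c.auth_path in STATIC_AUTH and c.platform in IDENTITY_CAPABLE]


def policy_drift(creds):
    """Rotation windows in force per vault; more than one distinct value
    across the estate means there is no single lifecycle model yet."""
    per_vault = {}
    for c in creds:
        per_vault.setdefault(c.vault, set()).add(c.rotation_days)
    return {v: sorted(d) for v, d in per_vault.items()}


def governance_report(creds, today=TODAY):
    """The numbers to watch over time: they should all trend down."""
    by_wl = inventory_by_workload(creds)
    static_wls = {wl for wl, cs in by_wl.items() if any(c.auth_path in STATIC_AUTH for c in cs)}
    drift = policy_drift(creds)
    return {
        "workloads": len(by_wl),
        "workloads_on_static_secrets": len(static_wls),
        "overdue_credentials": len(overdue(creds, today)),
        "migration_candidates": len(migration_candidates(creds)),
        "distinct_rotation_policies": len({d for ds in drift.values() for d in ds}),
    }


if __name__ == "__main__":
    for wl, cs in inventory_by_workload(INVENTORY).items():
        print(wl, [(c.vault, c.auth_path) for c in cs])
    for c, target in migration_candidates(INVENTORY):
        print(f"move {c.workload}/{c.name} from {c.auth_path} to {target}")
    print(policy_drift(INVENTORY))
    print(governance_report(INVENTORY))
```

Two things the workload pivot surfaces that a per-vault view hides: a workload such as `payments-api` can already authenticate to one vault by identity and still carry a static token for another, and a credential like `ingest/kafka-creds` can be "compliant" only because its store has a 365-day window nobody reconciled with the 30-day window elsewhere. Both show up here as a migration candidate and as policy drift respectively, which is the kind of signal the moderator's answer is asking for.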