
Secret zero in multicloud: what workload IAM changes for teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: GitGuardian found 28.65 million new hardcoded secrets in public GitHub commits during 2025, a 34% year-over-year increase, while AI-related credential leaks surged 81% and 64% of valid 2022 secrets were still unrevoked heading into 2026, according to GitGuardian. Static credential storage is only one part of the problem: the real gap is how workloads authenticate and receive access across clouds, APIs and SaaS systems.

NHIMG editorial — based on content published by Aembit: workload IAM versus secrets management and related NHI access patterns

By the numbers:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
  • Stolen credentials were the leading initial access vector in 22% of breaches, according to the Verizon 2025 DBIR.
  • Machine identities outnumber human identities by roughly 82 to 1 in the average enterprise, according to CyberArk's 2025 research.

Questions worth separating out

Q: How should security teams replace shared secrets for workloads that span multiple clouds?

A: Use federated workload identity so the workload proves who it is with a signed token or attestation instead of a shared static secret.

Q: Why do secrets managers not fully solve non-human identity risk?

A: Secrets managers protect where credentials are stored, but they do not decide who may request them or under what runtime conditions.

Q: What breaks when service mesh or mTLS is treated as full workload governance?

A: Transport controls verify that services can talk securely, but they do not decide whether the request is appropriate for the workload's context.

Practitioner guidance

  • Separate secret storage from access governance: map every vault to the identity source that can ask it for credentials, then document the runtime conditions that authorize each request.
  • Use federated identity for cross-boundary workloads: replace shared static secrets with OIDC federation or workload identity where workloads must access resources in more than one cloud.
  • Treat transport security as incomplete authorisation: use service meshes and PKI to protect workload communication, then add policy-based checks for request context, namespace, posture, and destination sensitivity.

What's in the full article

Aembit's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step comparison of secrets managers, cloud-native IAM, OIDC federation, service meshes, PKI, and workload IAM for different deployment patterns.
  • Mechanics of runtime credential issuance across AWS, Azure, GCP, and on-premises environments.
  • Practical decision guidance for choosing between secret storage, transport security, and policy-based access control.
  • Examples of how workload IAM handles AI agents, CI/CD pipelines, and third-party API access.

👉 Read Aembit's analysis of workload IAM vs. secrets management →
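The federated exchange the first answer describes (a workload proves who it is with a signed, audience-bound token and a trust policy maps that verified identity to a role, rather than the workload presenting a shared static secret), written out as an added Go example. This is not code from the post or from Aembit. The issuer URL, audience, subject string and role name are constructed placeholders; the token is a minimal EdDSA-signed JWT, and the TrustPolicy struct is a hypothetical model of cloud IAM trust conditions, not any vendor's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of OIDC token claims the relying party checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf"`
}

// TrustPolicy: accepted issuer and audience, plus subject-to-role bindings (hypothetical shape).
type TrustPolicy struct {
	Issuer   string
	Audience string
	PubKey   ed25519.PublicKey
	Roles    map[string]string // exact subject -> role
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeJSON(part string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// MintToken plays the identity provider: the workload ends up holding a short-lived, audience-bound assertion, not a secret.
func MintToken(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(ed25519.Sign(priv, []byte(signingInput)))
}

// VerifyToken plays the relying party: each check is something a vault alone does not do.
func VerifyToken(tok string, p TrustPolicy, now time.Time) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	// Pin the algorithm the policy expects; never let the token choose it.
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil || hdr.Alg != "EdDSA" {
		return Claims{}, fmt.Errorf("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(p.PubKey, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != p.Issuer:
		return Claims{}, fmt.Errorf("untrusted issuer %q", c.Iss)
	case c.Aud != p.Audience:
		return Claims{}, fmt.Errorf("audience mismatch: token minted for %q", c.Aud)
	case now.Unix() >= c.Exp || now.Unix() < c.Nbf:
		return Claims{}, fmt.Errorf("token outside its validity window")
	}
	return c, nil
}

// AssumeRole completes the exchange: a verified subject is bound to a role and gets a credential that expires on its own.
func AssumeRole(tok string, p TrustPolicy, now time.Time) (string, time.Time, error) {
	c, err := VerifyToken(tok, p, now)
	if err != nil {
		return "", time.Time{}, err
	}
	role, ok := p.Roles[c.Sub]
	if !ok {
		return "", time.Time{}, fmt.Errorf("subject %q has no role binding", c.Sub)
	}
	return role, now.Add(15 * time.Minute), nil
}

func main() {
	// Constructed scenario: one identity-provider key pair and one bound subject.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	policy := TrustPolicy{Issuer: "https://idp.example.test", Audience: "sts.example.test",
		PubKey: pub, Roles: map[string]string{"workload:payments-api:prod": "deploy-reader"}}
	tok := MintToken(priv, Claims{Iss: policy.Issuer, Sub: "workload:payments-api:prod",
		Aud: policy.Audience, Exp: now.Unix() + 300, Nbf: now.Unix()})
	fmt.Println(AssumeRole(tok, policy, now))                    // role, expiry, <nil>
	fmt.Println(AssumeRole(tok, policy, now.Add(10*time.Minute))) // replay after expiry fails
}
```

The point of the exchange is where the decisions live: the vault (or the role it fronts) never sees a long-lived secret, only an assertion it can verify against a public key, and the trust policy, not the token, decides which issuer, audience and subject are acceptable. Pinning `alg` and rejecting tokens minted for another audience closes the two most common mistakes in home-grown verifiers; in production the public key would come from the issuer's published JWKS rather than be handed in directly.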

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Secret storage and secret use are different governance problems. Vaulting reduces exposure, but it does not answer who may authenticate to the vault, under what runtime conditions, or how access should be revoked when the workload changes. That split matters because many NHI programmes stop at storage hygiene and never close the authentication layer. The practitioner conclusion is that secret governance must be modelled as both custody and access.

A few things that frame the scale:

  • 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to The State of Secrets Sprawl 2026.
  • AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.

A question worth separating out:

Q: When should organisations prioritise workload IAM over vault expansion?

A: Prioritise workload IAM when the same access pattern must work across clouds, SaaS integrations, and on-premises systems. Vault expansion helps with storage, but workload IAM matters more when the real problem is runtime authorisation and short-lived access tied to verified identity.

👉 Read our full editorial: Workload IAM closes the secret zero gap in multicloud access
