TL;DR: Secretless adoption shifts applications and systems from handling static credentials to using short-lived, identity-based access, with Akeyless outlining a four-stage path from static secrets to SPIFFE-backed machine identity and AI agent support. The governance break point is that trust must be verified at runtime, not assumed at provisioning, because static review cycles cannot contain ephemeral access.
NHIMG editorial — based on content published by Akeyless: Secretless adoption and the move from static secrets to identity-based access
By the numbers:
- Internal repositories are 6x more likely to contain secrets than public ones (32.2% vs 5.6%), contradicting the assumption that private repos are safe.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
Questions worth separating out
Q: How should security teams implement secretless access for workloads without breaking operations?
A: Start with the systems that expose the most reusable credentials, then replace those paths with workload identity, dynamic secrets, and central policy enforcement.
Q: Why do static secrets create more risk than dynamic machine identity?
A: Static secrets create a standing exposure window because they can be copied, reused, and forgotten long after issuance.
Q: What do security teams get wrong about secretless architectures?
A: They often assume secretless means no secrets exist anywhere, when the real objective is to stop secrets from reaching the application or developer.
Practitioner guidance
- Inventory every secret exposure point: map where static credentials still appear in code, CI/CD pipelines, container images, cloud roles, and service-to-service calls.
- Replace reusable bootstrap secrets: use a trusted workload identity, such as a cloud IAM role, a Kubernetes service account token, or SPIFFE attestation, so the application proves who it is without holding a permanent bootstrap credential (the "secret zero").
- Shift from rotation to runtime issuance: use dynamic secrets and just-in-time credentials for the access paths that still need them, and make revocation automatic at session end instead of waiting for the next rotation cycle.
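The three steps above form one flow: an attested identity replaces the bootstrap secret, policy decides what that identity may reach, and the credential that is finally handed out is short-lived and revoked when the session ends. The following is an added example written for this post, not code from the Akeyless article or from any Akeyless product. It models that flow with a toy broker; the HMAC-signed identity token stands in for a SPIFFE SVID or cloud IAM token, and the signing key, SPIFFE IDs, target names and policy table are all assumptions chosen for illustration.

```python
"""Added example (not from the Akeyless article or the NHIMG post): a toy
secretless broker. The workload never holds a long-lived secret; it presents a
platform-issued identity token, the broker checks policy, mints a short-lived
credential bound to that session, and revokes it at session end."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed attestation key for the demo. In production this is the platform
# signer's key (SPIRE server, cloud IAM); the workload never sees it.
PLATFORM_KEY = b"platform-attestation-key-demo-only"

# Assumed policy: which attested identity may obtain which dynamic credential.
POLICY = {
    "spiffe://example.org/ns/prod/sa/orders-api": {"postgres:orders"},
    "spiffe://example.org/ns/prod/sa/report-job": {"postgres:orders-readonly"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_identity_token(spiffe_id: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Platform side: attest a workload and sign a short-lived identity claim."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": spiffe_id, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(PLATFORM_KEY, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(sig)


def forge_identity_token(spiffe_id: str, exp: float) -> str:
    """What an attacker without PLATFORM_KEY can produce: a claim with a bogus signature."""
    body = json.dumps({"sub": spiffe_id, "exp": exp}, sort_keys=True).encode()
    return b64url_encode(body) + "." + b64url_encode(b"\x00" * 32)


def verify_identity_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Broker side: check the signature first, then expiry; return the SPIFFE ID or None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = b64url_decode(body_b64), b64url_decode(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(PLATFORM_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


class SecretlessBroker:
    """Mints per-session dynamic credentials; no long-lived secret leaves it."""

    def __init__(self) -> None:
        self._sessions = {}  # credential -> (spiffe_id, target, expiry)

    def request_credential(self, identity_token: str, target: str, ttl: int = 60,
                           now: Optional[float] = None) -> Tuple[Optional[str], str]:
        """Authenticate (identity token), authorize (POLICY), then generate."""
        now = time.time() if now is None else now
        spiffe_id = verify_identity_token(identity_token, now)
        if spiffe_id is None:
            return None, "authentication failed"
        if target not in POLICY.get(spiffe_id, set()):
            return None, "denied by policy"
        cred = "dyn-" + secrets.token_urlsafe(24)  # fresh value on every request
        self._sessions[cred] = (spiffe_id, target, now + ttl)
        return cred, "ok"

    def authorize_use(self, cred: str, target: str, now: Optional[float] = None) -> bool:
        """Called by the target on each use; expiry is enforced here, not by a rotation job."""
        now = time.time() if now is None else now
        entry = self._sessions.get(cred)
        if entry is None:
            return False
        _, bound_target, expiry = entry
        if expiry <= now:
            del self._sessions[cred]  # lazy cleanup of an expired credential
            return False
        return bound_target == target

    def end_session(self, cred: str) -> None:
        """Automatic revocation at session end: the credential stops working at once."""
        self._sessions.pop(cred, None)


if __name__ == "__main__":
    broker = SecretlessBroker()
    token = issue_identity_token("spiffe://example.org/ns/prod/sa/orders-api")
    cred, status = broker.request_credential(token, "postgres:orders")
    print(status, broker.authorize_use(cred, "postgres:orders"))
    broker.end_session(cred)
    print(broker.authorize_use(cred, "postgres:orders"))
```

Two things the toy makes visible that the bullets only state: the bootstrap problem moves to the platform signer (the workload holds nothing that survives the token's TTL), and revocation is a broker-side lookup rather than a rotation schedule, so a leaked dynamic credential is dead as soon as the session ends or the TTL passes. A real deployment would also bind credential use to the presenting identity (mTLS or a transparent injection proxy), which this in-memory table does not do.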
What's in the full article
Akeyless's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanations of the secretless workflow across authentication, authorisation, dynamic credential generation, and transparent injection.
- The vendor's staged adoption model for moving from static secrets to dynamic secrets, OIDC, SPIFFE, and secretless operation.
- Implementation detail on solving the secret zero problem across cloud IAM, Kubernetes service accounts, and on-premises identity.
- The AI agent extension path that maps secretless principles to runtime identity for automated workloads.
👉 Read Akeyless's analysis of secretless adoption for workloads and AI agents: "Secretless access for workloads and AI agents: what changes now?" →
Secretless is a secrets-governance model, not a secrets-elimination model. The useful distinction is that secrets still exist, but the workload never handles them directly. That shifts the control problem from storage hygiene to exposure prevention, which is the real governance win for NHI programmes. Teams should stop measuring success by how many secrets are vaulted and start measuring how many never reach the application boundary.
A few things that frame the scale:
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to The State of Secrets Sprawl 2026.
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
A question worth separating out:
Q: Who should be accountable for secretless governance in an IAM programme?
A: Accountability should sit with the identity, cloud, and platform teams together, because secretless depends on workload identity, policy enforcement, and lifecycle control at the same time. If any one of those functions is isolated, the model falls back into manual credential handling. That is why secretless governance belongs in the same operating model as NHI and access management.
👉 Read our full editorial: Secretless adoption redefines NHI governance for modern workloads