TL;DR: Organizations are split between secrets management and secretless workload identity, with the latter removing static credentials from modern cloud, CI/CD, and AI-agent workflows while legacy and external systems still require vaulting, rotation, and audit controls, according to Aembit. The strategic shift is not choosing a side but reducing where static secrets still have to exist.
NHIMG editorial — based on content published by Aembit: Secretless Workload Identity vs. Secrets Management
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams decide where to use secretless authentication versus secrets management?
A: Use secretless authentication for workloads that can prove who they are through native identity, federation, or token projection; keep secrets management, with rotation and audit, for the legacy and external systems that only accept a static credential.
Q: Why do static machine credentials still create risk even when they are stored in a vault?
A: A vault reduces exposure, but it does not remove the credential from the environment: every consumer still has to fetch it, hold it at runtime and rotate it, and something still has to authenticate to the vault in the first place, which is the secret-zero problem.
Q: What do security teams get wrong about secretless workload identity?
A: They often treat it as a universal replacement for secrets management, when legacy and external dependencies still force some static credentials to exist, and those credentials still need vaulting, rotation, and audit.
Practitioner guidance
- Classify workloads by identity capability: separate cloud-native services, CI/CD pipelines, SaaS APIs, and legacy systems into distinct authentication paths so you can apply secretless access where identity primitives exist and keep secrets management where they do not.
- Reduce bootstrap dependencies around vault access: inventory every secret-zero path that still depends on a credential to reach the vault, then decide whether that workload can move to federated identity or must remain under stricter secrets governance.
- Rework access reviews around workload assertions: for secretless systems, review which workload identity was authenticated, what policy issued the token, and which runtime context was accepted, rather than focusing only on credential rotation records.
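The third point above is easier to see with a concrete secretless exchange. The following is an added example, not code from Aembit or from this editorial: a workload presents a projected service account token, and an access broker verifies it and decides against a policy that binds workload identity plus runtime context to a target. The broker's answer carries exactly the three facts an access review of a secretless system needs (which identity was authenticated, which policy rule granted access, which runtime context was accepted). The issuer key, audience, policy rule, and sample claims are all assumed for the example; the token is HMAC-signed so the block runs offline, whereas real projected tokens are signed with an asymmetric key and verified against the issuer's published keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed example setup: an HMAC key stands in for the issuer's signing key so the
# block runs offline. Real projected service account tokens are signed with an
# asymmetric key and verified against the issuer's published JWKS.
ISSUER_KEY = b"example-issuer-key-not-real"
ISSUER = "https://kubernetes.default.svc.cluster.local"
AUDIENCE = "access-broker"  # assumed audience the broker expects in the token

# Assumed policy: binds a workload identity plus its runtime context to one target.
POLICY = [
    {"name": "orders-to-postgres",
     "subject": "system:serviceaccount:orders:orders-api",
     "namespace": "orders",
     "target": "postgres://orders-db"},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: sign the claims as a compact JWT (HS256 only for this offline example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = ISSUER_KEY, now=None) -> dict:
    """Broker side: accept the assertion only if signature, issuer, audience and
    expiry all check out. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header64, body64, sig64 = parts
    # Pin the algorithm; never let the token's own header choose how it is verified.
    if json.loads(_b64url_decode(header64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header64}.{body64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize(token: str, target: str, now=None) -> dict:
    """Return the decision together with the three facts an access review of a
    secretless system needs: which workload identity was authenticated, which
    policy rule granted it, and which runtime context was accepted."""
    claims = verify_token(token, now=now)
    runtime = claims.get("kubernetes.io", {})
    context = {"namespace": runtime.get("namespace"),
               "pod": runtime.get("pod", {}).get("name")}
    for rule in POLICY:
        if (rule["subject"] == claims.get("sub")
                and rule["namespace"] == context["namespace"]
                and rule["target"] == target):
            return {"decision": "allow", "workload": claims["sub"],
                    "policy": rule["name"], "runtime": context}
    return {"decision": "deny", "workload": claims.get("sub"),
            "policy": None, "runtime": context}


# Constructed sample claims shaped like a projected service account token.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": [AUDIENCE],
    "sub": "system:serviceaccount:orders:orders-api",
    "iat": 1700000000, "exp": 1700000600,
    "kubernetes.io": {"namespace": "orders",
                      "pod": {"name": "orders-api-7d9f"},
                      "serviceaccount": {"name": "orders-api"}},
}

if __name__ == "__main__":
    token = mint_token(SAMPLE_CLAIMS)
    print(authorize(token, "postgres://orders-db", now=1700000000))
    print(authorize(token, "postgres://billing-db", now=1700000000))
```

Nothing static is stored on the workload side: the token is short-lived, bound to an audience, and useless against a different target, so the review artefact is the broker's decision record rather than a rotation log.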
What's in the full article
Aembit's full analysis covers the operational detail this post intentionally leaves for the source:
- Specific workload types where secretless authentication is practical today and where it is not
- Detailed comparison of vault-based secrets management overhead versus identity-first access patterns
- Discussion of attestation, identity federation, and runtime policy enforcement for modern workloads
- Implementation trade-offs for teams operating both cloud-native systems and legacy dependencies
👉 Read Aembit's analysis of secretless workload identity versus secrets management →
Secretless workload identity versus secrets management: what changes?
Explore further
Secretless authentication changes the control objective from protecting secrets to shrinking the secret population. The most important governance shift is that teams stop treating static credentials as inevitable and start treating them as exceptions. That is a different operating model for NHI governance, because audit, rotation, and exposure reduction now apply only to the credentials that remain. The practitioner conclusion is straightforward: design the programme around where secrets still exist, not around a universal assumption that they must.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams still cannot prove where machine identity risk is concentrated.
A question worth separating out:
Q: How do organisations keep governance strong when they run a hybrid authentication model?
A: They need separate control paths for secretless workloads and secret-based systems. That means policy governance for identity-issued credentials, and lifecycle governance for the secrets that cannot yet be removed. The goal is to shrink the secret population while keeping residual secrets visible, owned, and regularly reviewed.
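To make the two control paths concrete, here is an added example (not from Aembit or this editorial) that runs over a constructed workload inventory: it routes each workload to the policy path (federated identity, no stored secret), the lifecycle path (still pulls static secrets), or both, flags secret-zero bootstraps and which of them could move to federation, and then applies lifecycle checks to the residual secret population, including credentials still valid after an exposure was reported. The inventory, the lifecycle records, the set of vault auth methods treated as static bootstraps, the set of federatable identity primitives, and the rotation SLA are all assumptions for the example.

```python
from datetime import date

# Constructed inventory (not real data): how each workload proves its identity,
# how it reaches the vault, and which static secrets it still fetches from it.
WORKLOADS = [
    {"name": "orders-api", "identity": "k8s-projected-token", "vault_auth": "kubernetes", "secrets": []},
    {"name": "ci-deploy", "identity": "github-oidc", "vault_auth": "jwt", "secrets": ["deploy-ssh-key"]},
    {"name": "batch-etl", "identity": "aws-instance-identity", "vault_auth": "approle", "secrets": ["warehouse-db-password"]},
    {"name": "erp-bridge", "identity": None, "vault_auth": "token-in-config", "secrets": ["erp-api-key", "sftp-password"]},
]

# Constructed lifecycle records for the secrets that remain.
SECRETS = {
    "deploy-ssh-key": {"owner": "platform", "last_rotated": date(2024, 1, 10), "exposure_reported": None, "revoked": False},
    "warehouse-db-password": {"owner": None, "last_rotated": date(2023, 6, 1), "exposure_reported": None, "revoked": False},
    "erp-api-key": {"owner": "erp-team", "last_rotated": date(2024, 3, 1), "exposure_reported": date(2024, 3, 20), "revoked": False},
    "sftp-password": {"owner": "erp-team", "last_rotated": date(2024, 3, 1), "exposure_reported": date(2024, 3, 20), "revoked": True},
}

# Assumed taxonomy. Vault auth methods whose bootstrap is itself a stored static
# credential are secret-zero paths; identity primitives in FEDERATABLE can be
# trusted by a vault or broker without any stored secret.
STATIC_BOOTSTRAP = {"approle", "token-in-config", "userpass"}
FEDERATABLE = {"k8s-projected-token", "github-oidc", "aws-instance-identity",
               "azure-managed-identity", "gcp-service-account"}
ROTATION_SLA_DAYS = 90  # assumed rotation SLA for residual secrets


def route_workloads(workloads):
    """Split workloads into the two control paths a hybrid model needs."""
    routes = {"policy_path": [], "lifecycle_path": [], "secret_zero": [],
              "federation_candidates": [], "residual_secrets": set()}
    for w in workloads:
        uses_federation = w["identity"] in FEDERATABLE and w["vault_auth"] not in STATIC_BOOTSTRAP
        if uses_federation:
            routes["policy_path"].append(w["name"])      # reviewed via assertions and policy
        if w["secrets"]:
            routes["lifecycle_path"].append(w["name"])   # still owns residual static secrets
            routes["residual_secrets"].update(w["secrets"])
        if w["vault_auth"] in STATIC_BOOTSTRAP:
            routes["secret_zero"].append(w["name"])
            # A secret-zero path with an identity primitive can move its bootstrap to federation.
            if w["identity"] in FEDERATABLE:
                routes["federation_candidates"].append(w["name"])
    routes["residual_secrets"] = sorted(routes["residual_secrets"])
    return routes


def lifecycle_findings(secret_names, records, today):
    """Lifecycle governance for residual secrets: missing owner, rotation past SLA,
    and credentials still valid after an exposure was reported."""
    findings = []
    for name in secret_names:
        rec = records[name]
        if rec["owner"] is None:
            findings.append((name, "no-owner", 0))
        age = (today - rec["last_rotated"]).days
        if age > ROTATION_SLA_DAYS:
            findings.append((name, "rotation-overdue", age))
        if rec["exposure_reported"] and not rec["revoked"]:
            findings.append((name, "valid-after-exposure", (today - rec["exposure_reported"]).days))
    return findings


def assess(workloads=WORKLOADS, records=SECRETS, today=date(2024, 3, 25)):
    """Run both control paths over the inventory as of a fixed review date."""
    routes = route_workloads(workloads)
    routes["findings"] = lifecycle_findings(routes["residual_secrets"], records, today)
    return routes


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

In the constructed data, ci-deploy lands on both paths: its vault bootstrap is federated OIDC (policy review), but the SSH key it pulls for a target that cannot federate stays a residual secret (lifecycle review). The two secret-zero workloads are separated by whether an identity primitive already exists, which is the decision the second guidance point asks for.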
👉 Read our full editorial: Secretless workload identity is reshaping machine authentication