TL;DR: Secrets management fails when organisations treat vaulting as the finish line: 80% of secrets still slip through the cracks, and automated rotation is needed to shrink exposure windows and support compliance, according to Entro Security. The practical issue is governance, not storage, because centralisation, rotation, monitoring, and least privilege only work when they are operationally coordinated.
NHIMG editorial — based on content published by Entro Security: 9 Secrets Management Strategies that every company should adopt
By the numbers:
- 80% of secrets slip through the cracks and go unnoticed.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
Questions worth separating out
Q: How should security teams implement secrets management across distributed environments?
A: Security teams should centralise governance, maintain a complete inventory of secret stores, and map each secret to its workload consumers before changing rotation or access policy.
Q: When does secret rotation reduce risk in practice?
A: Secret rotation reduces risk when the new credential is deployed everywhere the old one is used and the old credential is revoked immediately.
Q: What do organisations get wrong about secrets management?
A: They often treat vaulting as a complete solution when it is only one layer.
Practitioner guidance
- Inventory every secret store: build a complete inventory of vaults, CI/CD variables, config files, and application runtime stores so no secret category sits outside governance.
- Map secret consumers before rotation: document every application, service, and cloud dependency using each secret so rotation can be coordinated without breaking downstream access.
- Replace standing trust with conditional access: apply context-aware access checks and anomaly-triggered review to high-risk secrets, especially those supporting cloud services and automation.
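As an added example (not code from Entro Security or this editorial), the following Python models the inventory and consumer-mapping guidance above together with the rotation answer earlier on the page: a secret is rotated only when every mapped consumer presents the new credential, the old one is revoked immediately after that, and a rotation with no known consumers is refused rather than attempted blind. The store names, secret ids and consumers are constructed sample data, and the `rollout` callable is a placeholder for whatever mechanism actually pushes a credential to a workload.

```python
"""Inventory-driven, coordinated secret rotation.

Added example, not code from Entro Security or NHIMG. Stores, secret ids
and consumers are constructed sample data; the `rollout` callable stands
in for whatever actually delivers a new credential to a workload.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Consumer:
    name: str                  # workload that presents the secret, e.g. "billing-api"
    active_version: int = 1    # credential version it currently presents


@dataclass
class Secret:
    secret_id: str
    store: str                 # where it lives: vault, CI variable, config file, ...
    consumers: List[Consumer] = field(default_factory=list)
    current_version: int = 1
    pending_version: Optional[int] = None   # issued but not yet adopted everywhere
    revoked_versions: set = field(default_factory=set)


@dataclass
class RotationResult:
    secret_id: str
    status: str                # "rotated" or "blocked"
    active_version: int        # version that is authoritative after this call
    stragglers: List[str] = field(default_factory=list)


class RotationError(Exception):
    """Raised when a rotation cannot be coordinated safely."""


class SecretInventory:
    # Store categories under governance; anything else is sprawl to be pulled in.
    GOVERNED_STORES = {"vault", "ci-variables", "config-file", "runtime-store"}

    def __init__(self) -> None:
        self.secrets: Dict[str, Secret] = {}

    def register(self, secret: Secret) -> None:
        self.secrets[secret.secret_id] = secret

    def ungoverned(self) -> List[str]:
        """Secrets held in a store type outside governance."""
        return sorted(s.secret_id for s in self.secrets.values()
                      if s.store not in self.GOVERNED_STORES)

    def orphaned(self) -> List[str]:
        """Secrets with no mapped consumer: rotating them would be blind."""
        return sorted(s.secret_id for s in self.secrets.values() if not s.consumers)

    def is_valid(self, secret_id: str, version: int) -> bool:
        """Would a credential of this version still be accepted?"""
        s = self.secrets[secret_id]
        if version in s.revoked_versions:
            return False
        return version in (s.current_version, s.pending_version)

    def rotate(self, secret_id: str,
               rollout: Callable[[Consumer, int], bool]) -> RotationResult:
        """Issue a new version, push it to every consumer, then revoke the old one.

        If any consumer fails to adopt the new version, the old one stays valid so
        nothing breaks downstream, and the result names who is holding it open.
        A retry reuses the pending version instead of issuing yet another one.
        """
        s = self.secrets[secret_id]
        if not s.consumers:
            raise RotationError(f"{secret_id}: no consumers mapped; refusing blind rotation")
        old = s.current_version
        if s.pending_version is None:
            s.pending_version = old + 1
        new = s.pending_version
        for c in s.consumers:
            if c.active_version != new and rollout(c, new):
                c.active_version = new
        stragglers = [c.name for c in s.consumers if c.active_version != new]
        if stragglers:
            return RotationResult(secret_id, "blocked", old, stragglers)
        s.revoked_versions.add(old)        # revoke immediately once everyone has moved
        s.current_version, s.pending_version = new, None
        return RotationResult(secret_id, "rotated", new)


def build_sample_inventory() -> SecretInventory:
    """Constructed sample data covering the three failure modes the guidance targets."""
    inv = SecretInventory()
    inv.register(Secret("db-password", "vault",
                        [Consumer("billing-api"), Consumer("nightly-etl")]))
    inv.register(Secret("slack-webhook", "wiki-page", [Consumer("alerting-bot")]))  # ungoverned store
    inv.register(Secret("legacy-api-key", "config-file"))                            # no known consumers
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("ungoverned:", inv.ungoverned(), "orphaned:", inv.orphaned())
    # First attempt: the ETL job cannot pick up the new credential yet, so v1 stays valid.
    print(inv.rotate("db-password", lambda c, v: c.name != "nightly-etl"))
    # Retry once it can: only now is the old version revoked.
    print(inv.rotate("db-password", lambda c, v: True))
    print("v1 still valid?", inv.is_valid("db-password", 1))
```

The point of the `pending_version` bookkeeping is that a blocked rotation leaves two valid credentials rather than a broken service, which is exactly the exposure window the editorial says must be closed quickly: the `stragglers` list is the evidence of who is keeping it open, and `orphaned()` and `ungoverned()` surface the secrets a vault-only view would never rotate at all.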
What's in the full article
Entro Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step discussion of centralised secret vaulting and the trade-offs of single-repository governance.
- Implementation detail on automated rotation and how to avoid service disruption when multiple systems share one secret.
- Practical examples of context-aware access controls and real-time monitoring patterns for secret usage.
- The vendor's own walkthrough of context-driven rotation and anomaly detection workflow design.
👉 Read Entro Security's blog post on 9 secrets management strategies →
Secrets management strategies: what IAM teams need to tighten now?
Secrets sprawl is not a storage problem, it is a governance failure. The article is right to treat vaults as incomplete if they do not cover every secret, every consumer, and every lifecycle event. Fragmented control creates false confidence because the organisation thinks it has secured the secret while the real issue is that nobody can prove where it lives or who can still use it. The practitioner conclusion is that secrets governance must be treated as an identity programme, not a tooling add-on.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
A question worth separating out:
Q: How do you know if secrets controls are actually working?
A: Look for complete coverage of secret inventory, short exposure windows after disclosure, and consistent rotation outcomes across dependent services. If teams cannot show who uses a secret, where it is stored, and how quickly it is revoked, the control is not working. Effective programmes produce traceable evidence, not just policy statements.
👉 Read our full editorial: Secrets management strategies for NHI governance and exposure control