TL;DR: Secrets managers centralize API keys, passwords, and tokens, but they do not remove the bootstrap and post-delivery risks that keep credential abuse in play, according to Aembit’s analysis, which cites GitGuardian’s roughly 29 million secrets detected on public GitHub in 2025 and Verizon’s finding that credential abuse drove 22 percent of breaches. The practical shift is toward workload IAM for systems that can authenticate with identity instead of persistent secrets, while vaults remain necessary for legacy dependencies.
NHIMG editorial — based on content published by Aembit: secrets managers versus workload IAM and where each model fits
By the numbers:
- The 2025 Verizon DBIR cited credential abuse as the initial attack vector in 22 percent of breaches, one of the top two entry points alongside vulnerability exploitation.
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
- 44% of NHI tokens are exposed in the wild, sent or stored through platforms like Teams, Jira tickets, Confluence pages, and code commits.
Questions worth separating out
Q: How should security teams decide between secrets managers and workload IAM?
A: Use workload IAM wherever the target system can authenticate with federated identity, because that removes the reusable secret entirely.
Q: Why do secrets managers not fully solve NHI risk?
A: They solve custody, not runtime trust.
Q: What breaks when a workload still depends on secret zero?
A: The programme inherits a hidden bootstrap exception that has to exist somewhere outside the vault.
Practitioner guidance
- Map every secret zero dependency: identify which workloads still need a bootstrap credential to reach the vault, then replace those paths with platform identity where the target environment supports it.
- Classify credentials by persistence risk: separate stored credentials that are unavoidable from those that can be replaced by federated identity, and prioritise the long-lived secrets that cross cloud or environment boundaries.
- Move cloud-native workloads to federated identity: use OIDC-backed workload authentication for Kubernetes, serverless, and CI/CD jobs so the application never handles a reusable secret in the first place.
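As an added illustration of the three steps above (not code from Aembit or NHIMG), a small triage pass over a constructed workload inventory: it flags secret zero bootstrap paths, scores persistence risk, and recommends federated identity wherever the target supports it. The field names, the scoring weights and the sample inventory are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    target: str                 # system the credential grants access to
    credential_kind: str        # "static" (stored secret) or "federated"
    target_supports_oidc: bool  # can the target accept a federated identity token?
    lifetime_days: int          # validity of the issued credential (0 = never expires)
    crosses_boundary: bool      # credential crosses a cloud or environment boundary
    bootstraps_vault: bool      # credential exists only to reach the secrets manager

def persistence_risk(w: Workload) -> int:
    """Assumed weights: long-lived or non-expiring static secrets that cross
    boundaries rank highest; a federated identity carries no reusable secret."""
    if w.credential_kind == "federated":
        return 0
    score = 1
    if w.lifetime_days == 0 or w.lifetime_days > 90:
        score += 2
    elif w.lifetime_days > 30:
        score += 1
    if w.crosses_boundary:
        score += 2
    if w.bootstraps_vault:
        score += 1  # secret zero: the exception that has to live outside the vault
    return score

def recommend(w: Workload) -> str:
    if w.credential_kind == "federated":
        return "already federated"
    if w.bootstraps_vault:  # map secret zero first, it is the hidden exception
        if w.target_supports_oidc:
            return "secret zero: replace bootstrap with platform identity"
        return "secret zero: no platform identity path, track as explicit bootstrap exception"
    if w.target_supports_oidc:
        return "replace with federated identity"
    return "keep in vault, shorten lifetime and automate rotation"

def triage(inventory):
    """Return (name, risk, recommendation) rows, highest persistence risk first."""
    rows = [(w.name, persistence_risk(w), recommend(w)) for w in inventory]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample inventory (not real systems or credentials).
INVENTORY = [
    Workload("ci-deploy", "aws-account", "static", True, 0, True, False),
    Workload("vault-agent", "vault", "static", True, 365, False, True),
    Workload("billing-job", "legacy-oracle-db", "static", False, 180, True, False),
    Workload("k8s-reporter", "gcs-bucket", "federated", True, 1, False, False),
]

if __name__ == "__main__":
    for name, risk, action in triage(INVENTORY):
        print(f"{name:14} risk={risk} -> {action}")
```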
What's in the full article
Aembit's full article covers the operational detail this post intentionally leaves for the source:
- Native integration examples for AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager
- Decision criteria for when a workload can move from stored credentials to federated identity
- Operational guidance for CI/CD pipelines that need both vault access and short-lived job-scoped credentials
- Examples of how AI agents and cross-cloud workloads change the secret versus identity decision
Read Aembit's analysis of secrets managers versus workload IAM: Secrets managers or workload identity: which model fits your stack?
Explore further
Static secret storage is a custody control, not a governance model. Secrets managers solve the storage problem by centralising credentials, but they do not change the fact that a persistent secret can be copied, replayed, or overused once issued. That is why credential abuse remains a top entry path in breach data. The field should stop describing vault adoption as the endpoint and start treating it as one layer in a broader identity programme.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
A question worth separating out:
Q: Should organisations remove all secrets and replace them with workload identity?
A: Not immediately. Legacy databases, SaaS APIs, and partner integrations may still require stored credentials, so a hybrid model is usually necessary. The practical goal is to eliminate static secrets wherever identity-based authentication is supported, then use vaults only for the remaining exceptions.
Read our full editorial: Secrets managers vs workload IAM: where static credentials fall short