They need automated discovery, clear ownership, and an enforced revocation path across code, CI/CD, and SaaS. Verizon's findings show that the issue is systemic, and the implementation patterns vary significantly by environment. The full article covers the operational framing in more detail.
Why This Matters for Security Teams
Reducing dwell time is not just a detection problem. Exposed secrets become operationally dangerous when they are valid long enough for an attacker to use them across code, CI/CD, SaaS, and cloud control planes. NHIMG research shows why speed matters: in public exposure scenarios, attackers may try AWS credentials within minutes, and the 52 NHI Breaches Analysis repeatedly shows that the breach path is often the combination of weak ownership, delayed revocation, and incomplete inventory rather than a single technical failure.
That is why automated discovery has to be paired with an enforced response path. Static secrets left in code or tickets are especially risky because they outlive the original task, which is exactly the pattern highlighted in Guide to the Secret Sprawl Challenge. Industry guidance such as the OWASP Non-Human Identity Top 10 and NIST SP 800-63 Digital Identity Guidelines both reinforce the need for strong identity lifecycle controls, but the practical challenge is operational, not conceptual.
In practice, many security teams discover exposed credentials only after an attacker has already authenticated, pivoted, or begun abusing automation at scale.
How It Works in Practice
The fastest way to shrink dwell time is to make revocation automatic, not advisory. Organisations need secret discovery across source control, build logs, containers, SaaS configuration, chat systems, and tickets, then route every finding to a clear owner with a pre-approved remediation path. If the secret is active, revocation should happen immediately. If the service cannot tolerate abrupt revocation, the fallback should be controlled JIT replacement with a short TTL and an audited cutover window. This is the operational difference between finding a secret and actually reducing exposure.
For NHI-heavy environments, current guidance suggests treating secrets as ephemeral credentials, not durable assets. That means mapping each credential to a workload identity, a service account, or a pipeline step so the system can decide whether the credential is still needed at runtime. Research in The 52 NHI breaches Report and the Shai Hulud npm malware campaign shows how quickly exposed credentials can be operationalised once they land in attacker tooling.
- Discover secrets continuously across code, CI/CD runners, SaaS, and collaboration tools.
- Assign ownership at the service or workload level, not only to individuals.
- Revoke or rotate automatically, then verify the old credential is no longer accepted.
- Use JIT issuance and short TTLs for machine credentials that do not need permanence.
- Separate detection, ticketing, and enforcement so the revocation step cannot be skipped.
Where this guidance breaks down is in legacy integration environments with hardcoded shared accounts, because revocation can cascade into outages unless dependencies are modelled first.
Common Variations and Edge Cases
Tighter revocation often increases operational overhead, requiring organisations to balance faster containment against integration fragility and change-management risk. That tradeoff is real in mainframe links, vendor-managed SaaS, and long-lived batch jobs, where a single credential may still touch multiple services. In those environments, best practice is evolving toward staged replacement: inventory first, isolate second, then migrate to short-lived tokens or workload identity once the dependency graph is understood.
There is no universal standard for this yet, but the direction is clear. The strongest pattern is to replace static secrets with short-lived credentials bound to the workload, then enforce policy at request time rather than relying on periodic access reviews. That is where runtime policy, JIT issuance, and automated revocation work together. The same logic appears in NHIMG research on Ultimate Guide to NHIs — Static vs Dynamic Secrets and the broader operational framing in Ultimate Guide to NHIs — Why NHI Security Matters Now.
External guidance such as the Anthropic first AI-orchestrated cyber espionage campaign report also underlines a practical point: once credentials are exposed, automated adversaries move faster than manual response. In high-churn CI/CD and AI-assisted development pipelines, dwell time reductions fail when ownership is ambiguous or when revocation depends on a human approving every exception.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret rotation and lifecycle control are central to shrinking dwell time. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access helps limit blast radius when a secret leaks. |
| NIST Zero Trust (SP 800-207) | Zero trust supports runtime verification instead of trusting static credentials. |
Inventory exposed NHI secrets, revoke them automatically, and replace long-lived credentials with short TTLs.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
