Create explicit boundaries between human credentials, machine secrets, and workflow automation tokens. Each should have a named owner, a clear purpose, and a removal trigger. Without that separation, secrets accumulate in scripts, vaults, and shared systems, making review and offboarding far less reliable.
Why This Matters for Security Teams
credential sprawl becomes a governance problem the moment humans, services, and automation all touch the same workflow. Teams often start with a few shared API keys or vault entries, then add scripts, CI jobs, and agentic tools until ownership is unclear and removal never happens. That creates hidden persistence, weak auditability, and a bigger blast radius when one secret is exposed. The pattern is especially risky in agentic systems because autonomous tools can reuse access across steps in ways humans do not anticipate.
NHIMG research shows this is not a theoretical hygiene issue: Guide to the Secret Sprawl Challenge documents how secrets accumulate across modern delivery paths, while the 2024 Non-Human Identity Security Report found that 88.5% of organisations say their non-human IAM practices lag behind or only match their human IAM efforts. In practice, many security teams discover credential sprawl only after a failed offboarding, a leaked repository, or an agent chain has already reused a secret outside its intended scope.
How It Works in Practice
The practical fix is to treat each workflow class as a distinct identity boundary. Human users should authenticate as humans, automation should use workload identity, and agent tools should receive only the ephemeral permissions needed for the current task. That usually means three controls working together: named ownership, short-lived issuance, and automatic revocation when the workflow ends. Static secrets are the wrong default for autonomous or semi-autonomous flows because they outlive the task, not the intent.
For machine-to-machine work, current guidance suggests using workload identity and policy evaluation at request time rather than embedding reusable secrets in code. Standards such as the OWASP Agentic AI Top 10, CSA MAESTRO agentic AI threat modeling framework, and the NIST AI Risk Management Framework all reinforce the need to evaluate risk in context, not only at provisioning time. In agent-heavy environments, that often means short-lived OIDC tokens, SPIFFE-style workload identities, or other cryptographic proof of what the workload is, paired with policy-as-code and per-task approval boundaries.
Operationally, teams should also separate storage from usage. A secret in a vault is not safe if it is copied into build logs, chat systems, notebook cells, or local environment files. The same NHIMG report found that 23.7% of organisations still share secrets through insecure methods such as email or messaging apps, which is a strong signal that process discipline matters as much as tooling. A good workflow design answers four questions before rollout: who owns the credential, what exact task needs it, how long should it live, and what event guarantees removal. These controls tend to break down when legacy scripts, long-running jobs, and ad hoc agent tooling all depend on the same shared key because revocation becomes operationally risky.
Common Variations and Edge Cases
Tighter credential separation often increases operational overhead, requiring organisations to balance security gains against developer friction and runtime complexity. That tradeoff is real, especially in hybrid environments where a single workflow spans SaaS APIs, cloud services, and internal systems. Best practice is evolving, but there is no universal standard for every mixed human-agent workflow yet.
One common edge case is break-glass access. Human responders may need elevated access during incidents, but those privileges should remain separate from automation tokens and should be time boxed, logged, and reviewed after use. Another is shared CI or orchestration platforms, where teams are tempted to reuse the same secret across pipelines; that may reduce setup time, but it also makes offboarding and compromise containment much harder.
The most useful rule is to avoid designing around convenience inheritance. If an agent can call tools, chain actions, or retry on failure, then a long-lived credential can persist far beyond the original business intent. For emerging agentic systems, the safer pattern is documented in OWASP NHI Top 10 and OWASP Non-Human Identity Top 10: issue the minimum credential needed for the current context, limit its lifetime aggressively, and assume the workflow will expand unless constrained by design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO define the specific risk controls and attack patterns relevant to this topic.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses secret lifecycle control, directly tied to sprawl and revocation gaps. |
| OWASP Agentic AI Top 10 | Agentic workflows need runtime controls that prevent reusable credentials from spreading. | |
| CSA MAESTRO | MAESTRO focuses on agent threat modeling where shared workflows create hidden privilege paths. |
Inventory all shared secrets, assign owners, and rotate or revoke anything without a clear task-bound purpose.
Related resources from NHI Mgmt Group
- How should security teams handle credential sprawl across humans, NHIs, and AI workflows?
- How should security teams govern access when AI agents and humans share the same apps?
- How should teams secure non-human identities across cloud and SaaS?
- How should security teams decide whether JIT access is safe for non-human identities?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org