Use persistent storage only when a secret truly must remain available between runs, use runtime injection when the value is needed only during execution, and prefer federation when the platform can issue short-lived identity assertions. The best choice is the one that reduces credential persistence without breaking deployment control.
Why This Matters for Security Teams
The choice between Key Vault, runtime injection, and federation is really a choice about how long a secret or identity assertion should exist, who can retrieve it, and how much the platform must trust at runtime. That matters because secret sprawl is rarely a storage problem alone. It is usually an access, lifecycle, and deployment-control problem, as shown in the Guide to the Secret Sprawl Challenge and in the NIST Cybersecurity Framework 2.0 emphasis on governance, protection, and recovery.
Teams often reach for a vault by default, but a vault does not automatically reduce exposure if the same secret is copied into CI logs, deployment manifests, sidecars, or local caches. NHIMG research shows that 62% of secrets are duplicated across multiple locations, and that duplication becomes the real attack surface. In practice, the question is not just where the secret lives, but whether the workload can prove its identity and obtain what it needs only when it needs it.
That is why this decision should be tied to workload behavior, not platform preference. In practice, many security teams encounter misuse of static secrets only after tokens have already been exposed in tickets, commits, or operational tooling, rather than through intentional architecture review.
How It Works in Practice
Start by classifying the secret or credential need. If a value must persist across restarts, maintain a tightly controlled store such as Key Vault, but treat it as a source of truth, not a delivery mechanism. If the application only needs the value during execution, runtime injection reduces persistence by placing the secret into memory at deployment or task start, then removing it when the process ends. If the platform can issue short-lived identity assertions, federation is usually the stronger pattern because the workload authenticates itself and exchanges that proof for temporary access.
In practical terms, the decision often looks like this:
- Use persistent storage for long-lived configuration dependencies that cannot yet be reworked into dynamic credentials.
- Use runtime injection when the secret is required only for a specific job, container, or pipeline step.
- Use federation when the platform supports workload identity and can mint short-lived tokens on demand.
- Prefer short TTLs, automatic revocation, and per-workload identity over shared credentials.
Federation is usually the cleanest option when supported by mature workload identity controls, because it avoids reusing the same secret across environments. For teams evaluating implementation detail, the strongest patterns usually combine workload identity with standards such as SPIFFE or other short-lived token mechanisms, then enforce retrieval policy at request time. NHIMG’s Ultimate Guide to NHIs frames this as a shift from static custody to dynamic trust.
The practical test is whether the credential can be scoped to one workload, one purpose, and one time window without creating a second copy somewhere else. These controls tend to break down in legacy deployments where shared service accounts, sidecar caches, and manually managed environment variables force secrets to persist longer than the application actually needs them.
Common Variations and Edge Cases
Tighter secret handling often increases deployment complexity, requiring organisations to balance reduced persistence against operational overhead. That tradeoff is real, especially when legacy systems, batch jobs, or air-gapped environments cannot support federation cleanly.
Current guidance suggests using Key Vault as a control point for storage, but not confusing storage with secure delivery. Runtime injection can be useful for ephemeral jobs, yet it becomes fragile if logs, crash dumps, or orchestration metadata retain the injected value. Federation is best when the platform can issue identity assertions reliably, but there is no universal standard for every runtime, so some environments still need a hybrid model.
Edge cases usually appear in three places: pipelines that reuse the same secret across stages, applications that need both startup-time and in-process access, and third-party integrations that only accept static API keys. In those cases, teams should minimize scope, shorten TTLs where possible, and isolate the legacy exception so it does not become the default pattern. NHIMG’s research on Azure Key Vault privilege escalation exposure is a reminder that even a vault can become a source of overreach if role design is too broad.
For governance, the practical rule is simple: use the least persistent mechanism that still allows controlled deployment. When that is not possible, document the exception, restrict the blast radius, and plan a migration path toward federation or other short-lived identity models.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses secret rotation and lifetime, central to choosing persistence or ephemeral delivery. |
| NIST CSF 2.0 | PR.AC-1 | Covers identity and access governance for workloads and secret retrieval paths. |
| NIST AI RMF | Supports governance of runtime decision-making and context-aware access for agentic workloads. |
Evaluate credential delivery as a governed risk decision with ownership, monitoring, and lifecycle controls.
Related resources from NHI Mgmt Group
- How should security teams decide whether JIT access is safe for non-human identities?
- What is the difference between code scanning and runtime identity monitoring?
- How should security teams decide between posture, exposure, and runtime controls?
- How do teams decide between audit mode and enforce mode for runtime controls?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org