Security teams should stop using Slack as a credential transport channel and use it only as the request and approval surface. The right pattern is JIT access to a resource or vault-held secret, with justification, approver identity and expiration captured in the workflow. That preserves speed without exposing reusable credentials in chat.
Why This Matters for Security Teams
password sharing in Slack turns a collaboration tool into an uncontrolled credential distribution path. That is risky because the message history is durable, searchable, easy to copy, and often visible to people who never needed the access in the first place. NHI Management Group’s The State of Non-Human Identity Security shows that organisations still struggle with credential rotation, monitoring, and over-privilege, which are the same weaknesses exposed when secrets move through chat.
The problem is not just leakage. Once a reusable password is shared, the approver cannot prove who used it, for what purpose, or when it should expire. Current guidance from the OWASP Non-Human Identity Top 10 and the Ultimate Guide to NHIs points to the same direction: treat access as a governed event, not a shared artifact. In practice, many security teams discover the abuse only after a password has been forwarded, pasted into another channel, or reused long after the original task ended.
How It Works in Practice
The safer pattern is to keep Slack as the request surface and move the actual access grant into a controlled workflow. A user requests access in Slack, but approval triggers a JIT entitlement, a short-lived vault response, or a scoped token issued for one task. The approval record should capture the requester, approver, business justification, resource, and expiration so the access path is auditable and revocable.
This is where NHI practice matters. Shared passwords are static secrets, while modern access workflows should rely on ephemeral credentials and workload identity. For services and automation, the better primitive is cryptographic workload identity, not a human-readable password. That aligns with the OWASP Non-Human Identity Top 10 and with broader identity guidance in the Ultimate Guide to NHIs.
- Use Slack for request, context, and approval, not for secret delivery.
- Issue JIT access with a short TTL and automatic revocation.
- Store the underlying secret in a vault and expose only a scoped, temporary credential.
- Log approver identity, justification, and the exact resource accessed.
- Prefer per-task tokens or workload identity for automation instead of reusable shared credentials.
For implementation patterns, teams often pair policy-as-code with vault controls and identity-aware access gateways. That gives security teams runtime enforcement instead of relying on trust in a chat thread. These controls tend to break down when legacy systems only accept a shared local admin password because the application cannot issue scoped, time-bound access.
Common Variations and Edge Cases
Tighter access workflows often increase operational friction, so teams need to balance speed against auditability and revocation. That tradeoff is real, especially for incident response, customer support, and small engineering teams that have relied on Slack for rapid coordination. Current guidance suggests preserving the fast request flow while changing what happens after approval.
There is no universal standard for every environment yet. Some organisations can move immediately to vaulted, JIT-delivered credentials; others need a transition period where Slack approvals feed an access broker or PAM layer. The key is to eliminate credential transport in chat even if the approval workflow remains conversational. NHI Management Group’s 52 NHI Breaches Analysis is useful here because it reinforces how often access failures come from weak operational habits rather than sophisticated attacks.
For broader operational context, the State of Secrets Sprawl 2025 highlights that collaboration tools are already a critical leakage channel. That makes Slack-based password sharing especially hard to justify. The practical target is not “no Slack,” but “no reusable secrets in Slack.”
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses secret sharing and weak rotation in non-human identity workflows. |
| NIST CSF 2.0 | PR.AC-1 | Access management must prevent credential reuse in informal channels. |
| NIST AI RMF | GOVERN | Governance is needed when automated or AI-assisted workflows handle access decisions. |
Route approvals into governed access workflows and block secret transmission through chat.
Related resources from NHI Mgmt Group
- How should security teams decide whether JIT access is safe for non-human identities?
- How should security teams treat DNS in identity and access programmes?
- How should security teams use activity-based access control without replacing RBAC entirely?
- How should security teams replace static secrets in gateway-to-service authentication?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
