Yes. Governing secrets in place gives teams a stable way to standardise policy, logging, and access review before any irreversible consolidation. It also exposes shadow vaults and duplicate dependencies early, which makes retirement decisions safer and more defensible.
Why This Matters for Security Teams
Governing secrets in place is less about preserving an old vault and more about creating a defensible control point before any retirement decision. If secrets are scattered across multiple vaults, CI/CD systems, tickets, and code repositories, teams cannot reliably prove what exists, who can use it, or whether a migration will break production. Current guidance from the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both point toward asset visibility, access discipline, and continuous governance as prerequisites, not afterthoughts.
This is especially important because secrets sprawl usually hides in plain sight. NHIMG research shows 62% of secrets are duplicated and stored in multiple locations, while 44% of NHI tokens are exposed in the wild, often in collaboration tools or code commits. That means the “old vault” is often only one part of a wider control problem. The Guide to the Secret Sprawl Challenge shows why centralising governance first is the safer sequence: discover, classify, standardise, then retire. In practice, many security teams discover the real dependency map only after a migration has already caused an outage or exposed a shadow vault.
How It Works in Practice
Governing secrets in place means applying one policy model across all vaults before you move anything. The practical goal is to create a single, trusted inventory of secrets, applications, owners, and access paths. Teams should standardise naming, metadata, rotation rules, and approval workflows so the old vault becomes a managed source of truth rather than a forgotten island. That usually includes read-only integration, discovery scans, and logging that captures every retrieval, update, and administrative change.
A common operating pattern is:
- Inventory all vaults and identify overlapping secret classes, owners, and consumers.
- Map each secret to an application, environment, and non-human identity.
- Enforce one access policy and one review cadence across all repositories.
- Flag duplicates, stale credentials, and secrets with unknown provenance.
- Only retire a vault after every dependency is remediated and validated.
This approach aligns with the Ultimate Guide to NHIs — Static vs Dynamic Secrets, which explains why static credentials need stronger lifecycle control than ephemeral ones. It also matches operational realities described in the 52 NHI Breaches Analysis: compromise often spreads through reused or duplicated credentials, not through a single vault failure. The strongest pattern is to govern in place long enough to prove ownership, reduce duplication, and confirm whether migration is even necessary. These controls tend to break down when applications hard-code secret paths or when teams cannot trace which CI/CD jobs and service accounts still depend on the retiring vault.
Common Variations and Edge Cases
Tighter control over secrets usually increases migration time and operational overhead, so organisations must balance speed against the risk of breaking hidden dependencies. Best practice is evolving here: there is no universal standard for how long a legacy vault should remain in read-only mode, but current guidance suggests keeping it available until discovery, remediation, and audit evidence are complete.
Edge cases matter. Some vaults exist only to support a single legacy application, while others serve shared platform services or multiple business units. In those environments, a “big bang” retirement is risky because one stale integration can halt deployments or trigger emergency secret creation outside approved controls. The safest path is often staged containment, not immediate removal.
NHIMG research on the 2025 State of NHIs and Secrets in Cybersecurity found that 50% of organisations are onboarding new vaults without proper security approval, which is a strong warning against swapping one unmanaged system for another. If governance is not standardised first, retirement simply relocates risk instead of reducing it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret rotation and lifecycle control are central to safe vault retirement. |
| NIST CSF 2.0 | PR.AC-1 | Access control and identity governance underpin safe in-place secret management. |
| NIST AI RMF | AI RMF supports governance of automated secret usage across dynamic systems. |
Standardise secret lifecycle rules before migration and retire only after rotation, revocation, and owner validation.
Related resources from NHI Mgmt Group
- How should security teams govern social media accounts that do not support standard IAM integration?
- How should security teams govern social media accounts that sit outside IAM?
- What should IAM teams do before using AI for role mining?
- How should IAM teams govern access across large connector ecosystems?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
