
Should organisations prioritise secret rotation or secret discovery first?

By NHI Mgmt Group Editorial Team · Updated May 26, 2026 · Domain: NHI Lifecycle Management

They should do both, but rotation is the control that reduces immediate exposure when a secret is already live. Discovery tells you where the problem is. Rotation and revocation tell you whether the credential still works. If you can only choose one urgent action after a leak, invalidate the credential and confirm it is no longer active.

Why This Matters for Security Teams

Secret rotation and secret discovery solve different problems, but they are often treated as if one can substitute for the other. Discovery shows where secrets live, where they are duplicated, and where they are leaking into tickets, commits, chats, and vaults. Rotation reduces the blast radius of an already exposed credential. In practice, the order matters when exposure is active: a discovered secret that stays valid remains a live access path.

This is why current guidance increasingly treats discovery as the visibility layer and rotation as the containment layer. The risk is not theoretical. NHIMG research, drawing on the 2025 State of NHIs and Secrets in Cybersecurity by Entro Security, shows that 62% of all secrets are duplicated and stored in multiple locations, which means a single leak can turn into multiple recovery actions. The challenge is echoed in the Guide to the Secret Sprawl Challenge and the OWASP Non-Human Identity Top 10, both of which emphasise that unmanaged sprawl undermines every downstream control.

In practice, many security teams encounter secret reuse only after an external leak, pipeline alert, or offboarding failure has already turned it into an incident.
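As an added illustration of the discovery side (this is not code from NHIMG or from the report cited above), the following Python sketch runs a small secret scan over several locations, keys the inventory by hash rather than plaintext, and shows why duplication multiplies recovery work. The corpus, the detection rules and the location names are all constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of the locations a discovery scan covers. Every value here is
# invented for the example; none is a real credential.
CORPUS = {
    "git:repo-a/commit-3f1e": "DB_PASSWORD=hunter2-prod-2024\nAWS_KEY=AKIAEXAMPLEKEY000001\n",
    "jira:OPS-418": "Backfill runbook: export AWS_KEY=AKIAEXAMPLEKEY000001 before running",
    "slack:#deploys": "can someone paste the token? token=ghp_exampletoken1234567890abcdef",
    "vault:kv/payments/db": "DB_PASSWORD=hunter2-prod-2024\nSECRET_KEY=only-lives-in-vault-0001",
    "ci:pipeline-7/env": "GITHUB_TOKEN=ghp_exampletoken1234567890abcdef",
}

# Detection rules, constructed for the example (a production scanner ships a much
# larger, tuned rule set). group(1) of each pattern is the secret value itself.
PATTERNS = {
    "aws-access-key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github-token": re.compile(r"\b(ghp_[A-Za-z0-9]{20,})\b"),
    "db-password": re.compile(r"DB_PASSWORD=(\S+)"),
    "generic-secret": re.compile(r"SECRET_KEY=(\S+)"),
}


def fingerprint(secret):
    """The inventory keys secrets by a hash prefix so it never stores plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def discover(corpus):
    """Scan every location and return {fingerprint: {"kind": ..., "locations": [...]}}."""
    inventory = defaultdict(lambda: {"kind": None, "locations": []})
    for location, text in corpus.items():
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                entry = inventory[fingerprint(match.group(1))]
                entry["kind"] = kind
                if location not in entry["locations"]:
                    entry["locations"].append(location)
    return dict(inventory)


def duplicated(inventory):
    """Secrets present in more than one location: one leak there means several clean-ups."""
    return {fp: e for fp, e in inventory.items() if len(e["locations"]) > 1}


def duplication_rate(inventory):
    return len(duplicated(inventory)) / len(inventory) if inventory else 0.0


def recovery_plan(inventory):
    """One rotation per distinct secret, but one clean-up per location it was found in.
    Returns (rotations, cleanups)."""
    return len(inventory), sum(len(e["locations"]) for e in inventory.values())


if __name__ == "__main__":
    inv = discover(CORPUS)
    for fp, e in inv.items():
        print(f"{e['kind']:<15} {fp}  found in: {', '.join(e['locations'])}")
    print(f"duplication rate: {duplication_rate(inv):.0%}")
    print("rotations, clean-ups:", recovery_plan(inv))
```

On this constructed corpus, four distinct secrets turn into seven clean-up actions because three of them live in two places each; the git copy and the vault copy of the database password are the same credential, so rotating it once only helps if both locations are handled.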

How It Works in Practice

The operational answer is to run discovery continuously and make rotation event-driven. Discovery should inventory secrets across source control, chat, build systems, vaults, and workloads, then map each credential to an owner, usage path, and replacement method. Rotation should invalidate the old credential, issue a new one, and verify that the dependent service or agent has switched over before the old secret is considered dead. That last step matters because rotation without revocation can leave both credentials active.

For mature environments, the cleanest pattern is short-lived credentials rather than long-lived static secrets. That aligns with the direction of the NHI Lifecycle Management Guide and the Ultimate Guide to NHIs — Static vs Dynamic Secrets: reduce the number of secrets that need emergency rotation in the first place. Where possible, pair secret discovery with JIT provisioning, workload identity, and explicit owner approvals so the credential is created only when needed and revoked automatically when the task ends.

  • Use discovery to find hidden copies before they become recovery surprises.
  • Use rotation to shut down active exposure, then confirm revocation.
  • Prefer dynamic credentials for workloads that can tolerate short TTLs.
  • Map every secret to an application owner and a replacement path.
  • Test whether the downstream system accepts the new secret before closing the incident.
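The issue, switch over, verify, revoke, verify sequence described above, as an added Python example that is not NHIMG's code or any vendor's API. The `CredentialService` and `Consumer` classes are stand-ins constructed for the illustration (a vault or identity provider and the workload that presents the secret). It also covers the emergency case in which a credential known to be live is revoked before it is replaced, and the failure mode where the consumer never picks up the new secret.

```python
import secrets


class CredentialService:
    """Stand-in for the issuer (a vault or identity provider). It tracks which
    credentials are currently accepted and which principal each belongs to."""

    def __init__(self):
        self._active = {}  # credential id -> (principal, secret value)

    def issue(self, principal):
        cred_id = f"{principal}/{secrets.token_hex(3)}"
        value = secrets.token_urlsafe(24)
        self._active[cred_id] = (principal, value)
        return cred_id, value

    def revoke(self, cred_id):
        self._active.pop(cred_id, None)

    def is_active(self, cred_id):
        return cred_id in self._active

    def authenticate(self, value):
        """Return the credential id the presented value maps to, or None if rejected.
        A real service would surface this through its audit log."""
        for cred_id, (_, stored) in self._active.items():
            if secrets.compare_digest(stored, value):
                return cred_id
        return None

    def active_count(self, principal):
        return sum(1 for p, _ in self._active.values() if p == principal)


class Consumer:
    """The workload that presents the secret (an app, a pipeline job or an agent)."""

    def __init__(self, principal, value):
        self.principal = principal
        self.value = value

    def reconfigure(self, value):
        self.value = value

    def call(self, service):
        return service.authenticate(self.value)


def rotate(service, consumer, old_id, switch_over=True):
    """Event-driven rotation: issue a replacement, push it to the consumer, verify the
    consumer is really using it, then revoke the old credential and verify it is dead.
    switch_over=False simulates a consumer that never picks up the new secret."""
    new_id, new_value = service.issue(consumer.principal)
    if switch_over:
        consumer.reconfigure(new_value)
    # Verify against what the service actually saw, not just "the call succeeded":
    # a consumer still on the old secret would also succeed at this point.
    new_in_use = consumer.call(service) == new_id
    if not new_in_use:
        # Revoking now would take the consumer down. Leave both active and report it
        # so the rotation is tracked as incomplete rather than silently closed.
        return {"new_in_use": False, "old_revoked": False, "old_rejected": False,
                "active": service.active_count(consumer.principal)}
    service.revoke(old_id)
    return {"new_in_use": True, "old_revoked": True,
            "old_rejected": not service.is_active(old_id),
            "active": service.active_count(consumer.principal)}


def emergency_replace(service, consumer, leaked_id):
    """Known-live leak: revoke first, then replace. The exposure path closes before
    the consumer is restored, accepting a brief outage in exchange."""
    service.revoke(leaked_id)
    leaked_rejected = consumer.call(service) is None  # consumer still holds the leaked value
    new_id, new_value = service.issue(consumer.principal)
    consumer.reconfigure(new_value)
    return {"leaked_rejected": leaked_rejected,
            "restored": consumer.call(service) == new_id,
            "active": service.active_count(consumer.principal)}


def run_routine():
    svc = CredentialService()
    old_id, value = svc.issue("payments-api")
    return rotate(svc, Consumer("payments-api", value), old_id)


def run_stuck_consumer():
    svc = CredentialService()
    old_id, value = svc.issue("payments-api")
    return rotate(svc, Consumer("payments-api", value), old_id, switch_over=False)


def run_emergency():
    svc = CredentialService()
    leaked_id, value = svc.issue("payments-api")
    return emergency_replace(svc, Consumer("payments-api", value), leaked_id)


if __name__ == "__main__":
    print("routine rotation :", run_routine())
    print("consumer stuck   :", run_stuck_consumer())
    print("emergency replace:", run_emergency())
```

`run_stuck_consumer` is the failure the text warns about: the service reports two active credentials for the principal and the rotation is returned as incomplete instead of closed. Routine rotation and emergency replacement both end with exactly one active credential, but they get there in opposite orders.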

For implementation detail, the OWASP guidance and the Guide to NHI Rotation Challenges both show that brittle integrations, hard-coded secrets, and shared service accounts are common blockers. These controls tend to break down when a secret is embedded in legacy firmware or third-party software because rotation can break availability faster than teams can reissue trust.

Common Variations and Edge Cases

Tighter rotation often increases operational overhead, requiring organisations to balance exposure reduction against application stability and change-management friction. That tradeoff is real, especially in legacy systems, cross-team shared accounts, and third-party integrations that do not support automated reauthentication. Best practice is evolving, but there is no universal standard for secret TTLs across every environment.

One important edge case is emergency response. If a token is known to be live in the wild, discovery is no longer the first move because the exposure path is already known; revocation and replacement come first. Another is high-churn CI/CD and agentic workloads, where static secrets should be phased out in favour of ephemeral credentials or workload identity. In those cases, discovery still matters, but it becomes a hygiene and assurance control rather than the primary containment action. The Top 10 NHI Issues and the CI/CD pipeline exploitation case study both reinforce that pipeline abuse and secret sprawl often move together.

For teams building policy, the safest rule is simple: discover everywhere, rotate immediately when exposure is plausible, and design systems so that rotation is routine rather than exceptional. That is the practical path away from secret sprawl and toward resilient NHI governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and revocation directly address exposed or stale NHI secrets. |
| NIST CSF 2.0 | PR.AC-1 | Secret discovery and least privilege support controlled access to workloads. |
| NIST AI RMF | | Useful for governing autonomous agent credential use and lifecycle risk. |

Inventory secrets, rotate exposed credentials fast, and verify the old secret is no longer valid.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 26, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org