Governance, Ownership & Risk

What breaks when machine identities are managed only through vaults and spreadsheets?

By NHI Mgmt Group Editorial Team Updated June 24, 2026 Domain: Governance, Ownership & Risk

What breaks is accountability. Vaults may store secrets, and spreadsheets may list some accounts, but neither reliably proves ownership, current usage, expiry, or revocation. That leaves teams unable to tell whether a credential is active, abandoned, or already in the hands of an attacker.

Why This Matters for Security Teams

Vaults and spreadsheets can reduce chaos, but they do not create a trustworthy control plane for machine identities. A vault can store a secret, yet still leave teams guessing which application uses it, who approved it, whether it is still needed, and when it should be revoked. That gap matters because machine identities are often shared, copied, and long-lived, so one missed record becomes a broad exposure problem. NIST’s Cybersecurity Framework 2.0 emphasises governance, asset inventory, and continuous risk management, and none of those outcomes follows from storage alone.

NHIMG’s 2025 State of NHIs and Secrets in Cybersecurity found that 91% of former employee tokens remain active after offboarding, which shows how quickly “managed” secrets become orphaned access. Teams usually discover the problem when incident response starts asking basic ownership questions and nobody can answer them with confidence; in practice, the blind spot only becomes visible after an offboarding gap or an application outage has already exposed it.

How It Works in Practice

Vaults are useful for secret storage and controlled retrieval, but they are not a complete identity system. Spreadsheets can help with inventory, yet they age immediately after the next deployment, rotation, or handoff. For machine identities, the key question is not just “where is the secret stored?” but “what workload owns it, what is it allowed to do, and what is the revocation path if that workload changes?” NHIMG’s NHI Lifecycle Management Guide and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both stress that lifecycle ownership is the control, not storage alone.

Operationally, stronger practice usually includes:

  • Assigning every machine identity to a named system owner and business service.
  • Tracking issuance, usage, TTL, renewal, and revocation in an authoritative system of record, not a static spreadsheet.
  • Using short-lived credentials where possible so expired access disappears automatically.
  • Reviewing vault access logs alongside workload logs to confirm actual usage, not assumed usage.
  • Requiring change control when an identity is copied, shared, or embedded into a new pipeline.

Current guidance suggests that storage should support governance, not replace it. The best control plane ties secrets, workload identity, and lifecycle events together so teams can answer who, what, when, and why in real time. NIST’s identity guidance and the Ultimate Guide to NHIs — Static vs Dynamic Secrets both point toward reducing standing secret exposure and tightening expiry discipline. These controls tend to break down when identities are hard-coded into legacy scripts and multiple teams independently copy the same credential because ownership and revocation become impossible to reconcile.
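The practices listed above (a named owner per identity, lifecycle fields in a system of record, and vault access logs reconciled against expected workload usage) come down to one recurring reconciliation job. The script below is an added example, not NHIMG code or any vendor's tooling: it joins a constructed inventory against constructed JSON-lines audit entries and reports exactly the gaps this page describes, namely identities with no owner, owners who have been offboarded, credentials past TTL that are still being read, credentials nobody reads any more, consumers the inventory never approved, and vault paths the inventory does not know about. The record fields, the log field names, the 90-day abandonment threshold and the sample data are all assumptions chosen for illustration.

```python
"""Reconcile a machine-identity inventory (the system of record) with vault access logs.

Added example, not NHIMG's code. Inventory fields, audit-log field names and all
sample data below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed evaluation time so the run is reproducible (matches the page's review date).
NOW = datetime(2026, 6, 24, tzinfo=timezone.utc)
ABANDON_AFTER = timedelta(days=90)   # assumed policy: no reads in 90 days => abandoned

# Constructed inventory: the minimum a system of record should hold per identity.
INVENTORY = [
    {"id": "svc-billing-db", "owner": "alice", "service": "billing",
     "path": "secret/billing/db", "issued": "2026-01-10", "ttl_days": 365,
     "consumers": ["billing-api"]},
    {"id": "svc-legacy-ftp", "owner": "bob", "service": "archive",
     "path": "secret/archive/ftp", "issued": "2024-03-01", "ttl_days": 365,
     "consumers": ["archive-cron"]},
    {"id": "svc-ci-deploy", "owner": None, "service": "platform",
     "path": "secret/ci/deploy", "issued": "2026-05-01", "ttl_days": 30,
     "consumers": ["ci-runner"]},
    {"id": "svc-report-gen", "owner": "carol", "service": "reporting",
     "path": "secret/reporting/s3", "issued": "2026-02-01", "ttl_days": 365,
     "consumers": ["report-worker"]},
]

OFFBOARDED = {"bob"}   # constructed HR feed: owners who have left the organisation

# Constructed vault audit entries as JSON lines (field names are assumptions,
# not a particular vault product's schema). The last line is deliberately malformed.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2026-06-20T09:00:00Z", "path": "secret/billing/db", "client": "billing-api"},
    {"time": "2026-06-21T02:00:00Z", "path": "secret/archive/ftp", "client": "archive-cron"},
    {"time": "2026-06-22T11:30:00Z", "path": "secret/ci/deploy", "client": "ci-runner"},
    {"time": "2026-06-23T14:05:00Z", "path": "secret/ci/deploy", "client": "laptop-dev-7"},
    {"time": "2026-06-23T15:00:00Z", "path": "secret/unknown/key", "client": "billing-api"},
]) + "\nnot valid json {"


def parse_audit(text):
    """Parse JSON-lines audit entries; skip malformed lines instead of aborting the audit."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            e = json.loads(line)
            when = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            entries.append({"time": when, "path": e["path"], "client": e["client"]})
        except (ValueError, KeyError, TypeError):
            continue
    return entries


def reconcile(inventory, entries, offboarded, now=NOW, abandon_after=ABANDON_AFTER):
    """Return ({identity_id: [finding codes]}, [vault paths missing from the inventory])."""
    by_path = {rec["path"]: rec for rec in inventory}
    findings = {rec["id"]: set() for rec in inventory}
    last_use = {}
    uninventoried = set()

    # Pass 1: actual usage from the vault log, checked against approved consumers.
    for e in entries:
        rec = by_path.get(e["path"])
        if rec is None:
            uninventoried.add(e["path"])        # secret exists, nobody owns it on paper
            continue
        last_use[rec["id"]] = max(last_use.get(rec["id"], e["time"]), e["time"])
        if e["client"] not in rec["consumers"]:
            findings[rec["id"]].add("UNEXPECTED_CONSUMER")

    # Pass 2: ownership and lifecycle state from the system of record.
    for rec in inventory:
        f = findings[rec["id"]]
        if not rec["owner"]:
            f.add("NO_OWNER")
        elif rec["owner"] in offboarded:
            f.add("ORPHANED_OWNER")             # the 91%-still-active offboarding gap
        issued = datetime.fromisoformat(rec["issued"]).replace(tzinfo=timezone.utc)
        expiry = issued + timedelta(days=rec["ttl_days"])
        used = last_use.get(rec["id"])
        if expiry < now:
            # Expired but still read is the dangerous case: TTL exists only on paper.
            f.add("EXPIRED_STILL_READ" if used is not None and used > expiry else "EXPIRED")
        if used is None or now - used > abandon_after:
            f.add("ABANDONED")
    return {k: sorted(v) for k, v in findings.items()}, sorted(uninventoried)


if __name__ == "__main__":
    report, unknown = reconcile(INVENTORY, parse_audit(AUDIT_LOG), OFFBOARDED)
    for ident, codes in report.items():
        print(f"{ident:16s} {', '.join(codes) or 'OK'}")
    for path in unknown:
        print(f"{'(no record)':16s} UNINVENTORIED_SECRET {path}")
```

The two passes are the point: a spreadsheet can only ever feed the second pass, and a vault on its own can only feed the first. Only when the lifecycle record and the access log are joined does `svc-ci-deploy` show up as unowned, past its 30-day TTL, and being read from a developer laptop at the same time, which is the picture an incident responder actually needs.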

Common Variations and Edge Cases

Tighter secret governance often increases operational overhead, requiring organisations to balance faster delivery against stronger accountability. Not every environment can move immediately to dynamic credentials, and some legacy systems still need durable secrets while they are modernised. In those cases, best practice is evolving, but the direction is clear: minimise shared secrets, reduce manual tracking, and shorten the time between issuance and revocation. NHIMG’s Guide to the Secret Sprawl Challenge is especially relevant where duplication across teams, tickets, and code repositories makes spreadsheet inventories unreliable.

Edge cases often appear in outsourced operations, ephemeral CI/CD runners, and service meshes where credentials rotate faster than humans can document them. A vault may still be part of the solution, but it must be paired with authoritative identity metadata, automated expiry, and event-driven revocation. The main limitation is environments where tool sprawl and manual handoffs are still the norm, because those conditions create stale records faster than any spreadsheet can be corrected. In that setting, the spreadsheet becomes a comfort artifact, not a control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference            | Relevance
OWASP Non-Human Identity Top 10  | NHI-01 (Improper Offboarding)  | Addresses unmanaged machine identity inventory and ownership gaps, including credentials that outlive their owner.
NIST CSF 2.0                     | GV.RM-01                       | Governance and risk management require an accurate identity inventory and clear accountability.
NIST AI RMF                      | (no single control)            | Stresses governance and lifecycle accountability for autonomous workloads.

Apply governance and measurement so identity ownership and misuse are continuously monitored.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org