The organisation loses control over who can still publish, deploy, or upload through the pipeline. Old credentials can keep working after code changes, staff changes, or repository handoffs, which turns an automated workflow into a persistent access path. The failure is lifecycle drift, not just weak secret hygiene.
Why This Matters for Security Teams
Pipeline secrets are not just another credential class. They often sit inside CI/CD runners, build scripts, deployment jobs, package publish steps, and automation hooks that can reach production faster than a human can intervene. When those secrets are not rotated or revoked, the pipeline becomes a durable access path even after code changes, team changes, or repository transfers. That is why lifecycle drift is the real failure mode.
Current research shows how common this exposure is: the Guide to the Secret Sprawl Challenge and the NHI Lifecycle Management Guide both emphasise that secrets are only safe when their issuance, use, rotation, and revocation are managed as a continuous lifecycle. That aligns with the OWASP Non-Human Identity Top 10, which treats unmanaged non-human credentials as a core identity risk, not a tooling nuisance.
In practice, teams often discover the problem after a leaked token is reused from an old runner, fork, or archived repository, rather than through intentional rotation governance.
How It Works in Practice
The operational issue is simple: a pipeline secret is issued for a task, but the environment that uses it keeps changing. A token that was safe for one repository, branch, environment, or service account may still work long after the original purpose is gone. If nobody rotates or revokes it, the secret outlives the workflow it was meant to protect.
Good practice is to bind secrets to scope and time. That usually means short TTLs, automatic renewal only where justified, and revocation on event triggers such as deployment completion, repository handoff, maintainer exit, or suspected compromise. For mature teams, the better pattern is to reduce static secrets entirely by using workload identity and just-in-time access where possible. The Ultimate Guide to NHIs - Static vs Dynamic Secrets is useful here because it frames the issue as identity lifecycle management, not password rotation alone.
Security teams should also treat revocation as a control plane problem, not a manual helpdesk task. The CI/CD pipeline exploitation case study shows why automated pipelines can become a persistence mechanism when credentials are left valid. External guidance from the CISA Zero Trust Architecture guidance reinforces the same principle: access should be continuously verified and reduced to the minimum necessary. These controls tend to break down when secrets are shared across multiple pipelines because revocation in one place can unintentionally disrupt unrelated release paths.
- Rotate secrets on a schedule that matches blast radius, not convenience.
- Revoke immediately after ownership changes, incident response, or pipeline retirement.
- Prefer short-lived credentials issued just in time for the job.
- Track where each secret is used so revocation is complete, not partial.
Common Variations and Edge Cases
Tighter rotation often increases operational overhead, requiring organisations to balance security benefit against deployment friction and pipeline reliability.
There is no universal standard for every environment. Long-running release trains, offline build systems, air-gapped deployments, and legacy automation can make aggressive revocation difficult. In those cases, current guidance suggests compensating with stronger scoping, tighter monitoring, and faster incident containment rather than accepting indefinite validity. The biggest mistake is assuming that a secret is harmless because it is “only for CI.” CI credentials often have the broadest real-world reach.
This is especially true in ecosystems with many machine identities, where the same token may authenticate to artifact registries, cloud APIs, issue trackers, and deployment orchestrators. The 52 NHI Breaches Analysis shows that compromise often persists because credentials remain usable after teams believe they have been cleaned up. For broader supply chain context, the Reviewdog GitHub Action supply chain attack illustrates how one exposed automation path can cascade into many downstream systems.
Where organisations rely on long-lived secrets for compatibility, the safest stance is to treat those credentials as temporary technical debt with a documented retirement plan, not as a normal operating model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Unrotated secrets are a core NHI lifecycle failure. |
| NIST CSF 2.0 | PR.AC-1 | Covers access control for machine credentials used by pipelines. |
| NIST Zero Trust (SP 800-207) | Supports continuous verification and reduced trust for pipeline access. |
Limit pipeline secrets to minimum access and remove them when workflow ownership changes.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
