Encryption protects data in transit or at rest, but it does not stop misuse by identities that already hold valid access. If secrets are static, shared, or hard to revoke, an attacker or insider can use legitimate credentials to reach protected systems. The control failure is governance over the identity, not the cipher.
Why This Matters for Security Teams
Encryption is only one layer of protection. If a workload, pipeline, or service account already holds valid access, encrypted data can still be read, copied, or moved without triggering any cryptographic failure. That is why secrets governance, not just cipher strength, determines whether exposed systems remain exploitable. The control problem is especially visible in Guide to the Secret Sprawl Challenge, where duplicated and poorly tracked secrets multiply the number of places an attacker can abuse legitimate access. Current guidance also aligns with the NIST Cybersecurity Framework 2.0, which treats identity, access, and recovery as core operational outcomes rather than afterthoughts.
NHIMG research shows how quickly poor lifecycle control turns into exposure: in the 2025 State of NHIs and Secrets in Cybersecurity, Entro Security reported that 44% of NHI tokens are exposed in the wild. That matters because encryption does not protect against a valid token being pasted into a ticket, embedded in code, or reused long after issuance. In practice, many security teams encounter serious compromise only after a leaked secret has already been used to authenticate, not through intentional access review.
How It Works in Practice
Encrypted data still depends on identities that can unlock it. When a secret, token, certificate, or API key is static and widely reused, the attacker does not need to break encryption. They only need to obtain a credential that the system already trusts. That is why robust programmes focus on secret lifecycle control, short TTLs, revocation, and workload identity rather than assuming encryption alone will contain the blast radius.
Operationally, the strongest pattern is to replace long-lived shared secrets with ephemeral credentials issued for a specific task, then revoked automatically on completion. That means:
- using workload identity to prove what the service or agent is, not just what secret it knows;
- issuing secrets just in time, with narrow scope and short duration;
- centralising storage and rotation so leaked credentials can be invalidated quickly;
- logging secret use and correlating it to the workload, pipeline, or human requester;
- blocking plaintext secrets in tickets, chat tools, repositories, and build logs.
This approach is reinforced by OWASP Non-Human Identity Top 10, which focuses on the failure modes that let machine identities outlive their intended use, and by 52 NHI Breaches Analysis, which shows that compromise often spreads through forgotten tokens and over-privileged service access. The practical lesson is simple: encryption protects the payload, but secret governance protects the path to the payload. These controls tend to break down in CI/CD pipelines with shared runners and long-lived deployment tokens because the same credential is reused across too many environments.
Common Variations and Edge Cases
Tighter secret rotation often increases operational overhead, requiring organisations to balance faster revocation against application stability and support burden. That tradeoff becomes real in legacy systems, clustered services, and third-party integrations that cannot re-authenticate cleanly on demand. In those environments, current guidance suggests a phased approach: inventory the highest-risk secrets first, remove duplicate storage, and reduce token lifetime before attempting full replacement.
There is no universal standard for every environment, but the direction is consistent. Shared secrets between services are especially risky because one compromise can unlock multiple systems. Backup systems and disaster recovery vaults are another common edge case, since stale credentials often survive long after production rotation has improved. Teams should also distinguish encryption key management from application secret management: a strong key vault does not help if developers still commit API keys into source control or paste tokens into collaboration tools.
For governance, the most useful question is not whether the data is encrypted, but whether any identity can still use a credential after it should have expired. Where answerable by policy, that is a secrets lifecycle issue. Where not, it is usually a process failure that will reappear in another system until ownership and revocation are made explicit.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses secret rotation and overlong credential lifetimes. |
| NIST CSF 2.0 | PR.AC-4 | Covers access control for valid identities that can still misuse encrypted systems. |
| NIST AI RMF | Useful where autonomous agents use secrets to reach protected systems. |
Define governance, monitoring, and accountability for any AI workload that can request or use secrets.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
