
Credential Rotation

By NHI Mgmt Group Updated May 16, 2026

The practice of regularly replacing secrets and credentials with new values to limit the window of exposure if a credential is compromised. Automated rotation, enforced by policy, is the security-optimal approach.

Expanded Definition

Credential rotation is the controlled replacement of a password, API key, token, certificate, or other secret with a new value before the current one is overexposed, reused, or likely to be recovered by an attacker. In NHI security, the goal is not just periodic change, but reducing the blast radius of inevitable secret exposure. That makes rotation a lifecycle control, not a one-off admin task.

Definitions vary across vendors on whether rotation includes revocation, regeneration, reissuance, or all three. In practice, the most defensible model is automated rotation tied to policy, because manual rotation tends to fail at scale when service dependencies, hard-coded credentials, and maintenance windows collide. The distinction matters: static secrets remain valid until changed, while dynamic secrets can expire quickly and reduce standing risk, as outlined in the Ultimate Guide to NHIs — Static vs Dynamic Secrets. The term aligns closely with the control intent in NIST SP 800-63 Digital Identity Guidelines, even though NIST is written primarily for human authentication assurance rather than NHI operations.

The most common misapplication is treating rotation as a calendar-only task, which occurs when teams change secrets on a schedule without confirming revocation, dependency updates, and downstream service continuity.

Examples and Use Cases

Implementing credential rotation rigorously often introduces orchestration overhead, requiring organisations to weigh reduced exposure against application compatibility, outage risk, and operational complexity.

  • Rotating database credentials used by application workloads through a secrets manager, then updating the workload automatically so the old value cannot be reused.
  • Replacing API keys for SaaS integrations after onboarding, offboarding, or suspected leakage, especially when keys appear in code commits or ticketing systems. NHIMG’s Guide to the Secret Sprawl Challenge shows how widely secrets can spread once they leave a controlled vault.
  • Issuing short-lived certificates for service-to-service communication and renewing them before expiry, which reduces the chance that a stolen certificate remains useful for long.
  • Rotating credentials after supply chain incidents where build systems, CI logs, or developer tooling may have exposed tokens, such as the Reviewdog GitHub Action supply chain attack.
  • Using dynamic credentials rather than long-lived static secrets, a pattern also reflected in the operational guidance of the OWASP Non-Human Identity Top 10.

Rotation is most effective when paired with service discovery, secret inventorying, and owner attribution. Without those controls, a rotated credential may be technically changed yet still functionally unsafe because old copies continue to exist elsewhere.
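The following is an added example, not code from the NHIMG page or from any secrets-manager product. It models the phased rotation described above for a database credential used by several workloads (the secret store, the `ManagedSecret`/`Consumer` names and the simulated backend check are all assumptions): a replacement value becomes valid alongside the old one, every known consumer is re-pointed and verified, and the old value is revoked only when no consumer still depends on it, which is exactly the check that calendar-only rotation skips.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Consumer:
    name: str
    secret: str             # value this workload currently presents
    updatable: bool = True  # False models a hard-coded copy the rotator cannot reach


@dataclass
class ManagedSecret:
    name: str
    current: str
    valid: set[str] = field(default_factory=set)   # values the backend still accepts
    consumers: list[Consumer] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.valid.add(self.current)

    def authenticate(self, presented: str) -> bool:
        """Simulated backend check: only non-revoked values are accepted."""
        return presented in self.valid


def rotate(ms: ManagedSecret) -> dict:
    """Phased rotation: generate, distribute, verify, then revoke.

    Returns whether the old value was revoked and which consumers could not be
    moved to the new value (constructed status shape, not a vendor API)."""
    old, new = ms.current, secrets.token_urlsafe(32)
    ms.valid.add(new)   # dual-validity window: no outage while consumers move over
    ms.current = new
    for c in ms.consumers:
        if c.updatable:
            c.secret = new
    # Verification: every consumer must authenticate with the *new* value.
    stale = [c.name for c in ms.consumers
             if c.secret != new or not ms.authenticate(c.secret)]
    if stale:
        # Revoking now would break these workloads; silently skipping revocation
        # would leave the old value reusable. Hold it and surface the dependency.
        return {"revoked": False, "stale_consumers": stale}
    ms.valid.discard(old)   # revocation: the old value can no longer be reused
    return {"revoked": True, "stale_consumers": []}
```

A real rotator would also record the stale consumers against their owners so the hard-coded copy is fixed before the next cycle, rather than being carried forward indefinitely.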

Why It Matters in NHI Security

Credential rotation matters because NHIs tend to operate continuously, at machine speed, and across distributed environments where a single secret may be duplicated, shared, or embedded in automation. Once a secret leaks, the attacker’s advantage is measured by how long that secret remains valid. That is why rotation is one of the few controls that directly shortens attacker dwell time.

The scale of the problem is visible in NHIMG research: according to The 2025 State of NHIs and Secrets in Cybersecurity by Entro Security, 62% of all secrets are duplicated and stored in multiple locations, which makes delayed rotation especially dangerous. In that environment, rotating one credential without finding every copy leaves residual access in place. The same risk shows up in lifecycle failures covered in the NHI Lifecycle Management Guide and in incident-driven leakage patterns documented in the Shai Hulud npm malware campaign.

Organisations typically encounter the operational necessity of credential rotation only after a leak, compromise, or offboarding failure, at which point it becomes the fastest way to close the window of reuse.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-02              | Addresses secret sprawl and rotation as core NHI secret controls.
NIST SP 800-63                   | AAL2                | Sets assurance expectations that support strong credential lifecycle handling.
NIST CSF 2.0                     | PR.AA               | Supports identity assurance and authentication lifecycle governance.

Match NHI credential handling to the assurance levels these frameworks expect, and replace long-lived reusable secrets with stronger controls such as short-lived or dynamic credentials.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org