
Dual-Secret Cutover

By NHI Mgmt Group Updated June 23, 2026 Domain: NHI Lifecycle Management

Dual-secret cutover is the method of keeping an old credential active while a new one is deployed and verified. It is used to avoid downtime during rotation, but it only works when downstream systems can be updated reliably and the old secret is retired everywhere at the right moment.

Expanded Definition

Dual-secret cutover is a controlled rotation pattern for non-human identities in which the old credential remains valid while the new credential is deployed, tested, and confirmed across all dependent systems. It is a practical approach when service availability matters more than immediate revocation, but it demands tight coordination and clear retirement criteria. In NHI governance, the pattern is usually applied to API keys, tokens, and certificates that have many downstream consumers or uneven update cadence. Guidance varies across vendors on how long overlap should last, because no single standard governs this yet; the right window depends on propagation speed, telemetry quality, and rollback risk. The pattern differs from ordinary secret rotation because the change is intentionally staged rather than atomic, and it differs from long-term coexistence because the old secret must be retired once validation completes. The OWASP Non-Human Identity Top 10 treats secret handling as a core control area, which is why cutover discipline is a governance issue, not just an engineering convenience. The most common misapplication is leaving both secrets active indefinitely, which occurs when owners lack telemetry showing every consumer has switched.

Examples and Use Cases

Dual-secret cutover always carries a temporary overlap risk: for as long as the window is open, two valid credentials exist for the same workload, so organisations must weigh uptime and rollback safety against the larger attack window.

  • A CI/CD system updates deployment credentials in stages so pipelines continue running while agents are reconfigured, the staged-credential pattern discussed in the CI/CD pipeline exploitation case study.
  • A customer-facing API rotates its token pair during a maintenance window, with the new token validated in production before the old token is revoked.
  • A secrets manager issues a replacement certificate while legacy workloads still trust the previous certificate chain, then removes the old material once trust propagation is confirmed.
  • An integration team uses staged rollout for third-party service accounts after a supply-chain event, similar to the failure mode highlighted in the Reviewdog GitHub Action supply chain attack.
  • An organisation updates webhook credentials across regional replicas, keeping the older secret live only until logs show every endpoint has acknowledged the change, consistent with the rotation discipline described in the Ultimate Guide to NHIs.

For deeper context, the Guide to the Secret Sprawl Challenge shows why cutover fails when ownership is unclear or credentials are duplicated outside approved tooling. In practice, dual-secret cutover is most valuable when rollback speed is essential and every downstream consumer can be observed during the transition.
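The control logic that the examples above describe (keep both secrets valid, watch telemetry until every consumer has switched, then retire the old secret, with a hard ceiling so the overlap cannot become permanent) as an added example, not code from the NHI Mgmt Group page. It assumes a hypothetical service that identifies API keys by a key id and a constructed authentication log in the form `<timestamp> consumer=<name> key_id=<id> result=<ok|denied>`; the key ids, consumer names, secrets and the 24-hour overlap ceiling are all assumptions. It goes slightly beyond the bullets above in one respect: a consumer that shows up in the logs but is missing from the inventory (the forgotten integration of the incident-review case) is treated as a blocker too.

```python
import hmac
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed log format (assumed for this example): one successful or denied
# authentication per line, tagged with the consumer and the key id it presented.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) consumer=(?P<consumer>\S+) key_id=(?P<key_id>\S+) result=(?P<result>\S+)$"
)

# Constructed sample telemetry. Key ids and consumer names are hypothetical.
LOG = """\
2026-06-23T10:00:05Z consumer=billing-worker key_id=api-key-v7 result=ok
2026-06-23T10:00:09Z consumer=ci-runner key_id=api-key-v6 result=denied
2026-06-23T10:00:11Z consumer=ci-runner key_id=api-key-v8 result=ok
2026-06-23T10:01:12Z consumer=billing-worker key_id=api-key-v8 result=ok
2026-06-23T10:02:40Z consumer=webhook-eu key_id=api-key-v8 result=ok
2026-06-23T10:03:01Z consumer=webhook-us key_id=api-key-v7 result=ok
2026-06-23T10:04:30Z consumer=legacy-reporting key_id=api-key-v7 result=ok
"""


class CutoverNotReady(Exception):
    """Retirement was attempted while consumers are still authenticating with the old key."""


@dataclass
class KeyRing:
    """Server-side key store: two active entries during overlap, one after retirement."""
    keys: dict = field(default_factory=dict)  # key_id -> secret bytes

    def verify(self, key_id: str, presented: bytes) -> bool:
        expected = self.keys.get(key_id)
        return expected is not None and hmac.compare_digest(expected, presented)


@dataclass
class Cutover:
    ring: KeyRing
    old_id: str
    new_id: str
    consumers: set          # inventory of every consumer that holds the key
    started: datetime
    max_overlap: timedelta  # hard ceiling so the overlap cannot become permanent
    last_key: dict = field(default_factory=dict)  # consumer -> key id last seen on a success
    unknown: set = field(default_factory=set)     # consumers seen in logs but absent from inventory

    def observe(self, line: str) -> None:
        """Record the key each consumer last authenticated with; denied attempts do not count."""
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "ok":
            return
        if m["consumer"] not in self.consumers:
            self.unknown.add(m["consumer"])  # the forgotten integration: the inventory is wrong
        self.last_key[m["consumer"]] = m["key_id"]

    def pending(self) -> set:
        """Consumers (inventoried or discovered) not yet observed succeeding with the new key."""
        return {c for c in self.consumers | self.unknown if self.last_key.get(c) != self.new_id}

    def overdue(self, now: datetime) -> bool:
        return now - self.started > self.max_overlap

    def retire_old(self, now: datetime) -> set:
        """Drop the old key. Refuses while consumers are pending, unless the overlap ceiling
        has passed; then it retires anyway and returns the consumers that will break, so the
        owner gets a visible failure instead of an open-ended second credential."""
        pend = self.pending()
        if pend and not self.overdue(now):
            raise CutoverNotReady(sorted(pend))
        self.ring.keys.pop(self.old_id, None)
        return pend


def run_demo() -> dict:
    """Walk one constructed cutover end to end and return the observable outcomes."""
    ring = KeyRing({"api-key-v7": b"old-secret", "api-key-v8": b"new-secret"})  # overlap begins
    t0 = datetime(2026, 6, 23, 10, 0, tzinfo=timezone.utc)
    co = Cutover(ring, "api-key-v7", "api-key-v8",
                 consumers={"billing-worker", "ci-runner", "webhook-eu", "webhook-us"},
                 started=t0, max_overlap=timedelta(hours=24))
    for line in LOG.splitlines():
        co.observe(line)
    out = {"pending_initial": co.pending(), "unknown": set(co.unknown)}

    def attempt(at):
        try:
            co.retire_old(at)
            return False
        except CutoverNotReady:
            return True

    out["refused_at_1h"] = attempt(t0 + timedelta(hours=1))  # webhook-us and legacy-reporting
    co.observe("2026-06-23T12:15:00Z consumer=webhook-us key_id=api-key-v8 result=ok")
    out["refused_at_3h"] = attempt(t0 + timedelta(hours=3))  # legacy-reporting still on v7
    out["broken_at_deadline"] = co.retire_old(t0 + timedelta(hours=25))  # forced at the ceiling
    out["old_accepted"] = ring.verify("api-key-v7", b"old-secret")
    out["new_accepted"] = ring.verify("api-key-v8", b"new-secret")
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two design choices carry the governance point. Retirement is refused while any consumer, inventoried or discovered, was last seen succeeding with the old key, so a green deployment does not count as a finished rotation. When the overlap ceiling passes, retirement proceeds anyway and the laggards are returned for the owner to chase, because a broken forgotten integration is a visible failure that gets fixed, while an indefinitely valid old secret is not. In the constructed run the uninventoried `legacy-reporting` consumer blocks retirement until the ceiling and is then reported as broken rather than silently keeping the old key alive.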

Why It Matters in NHI Security

Dual-secret cutover becomes a security issue when organisations confuse temporary overlap with safe coexistence. A second valid secret doubles the number of usable paths into a workload, and if the old credential is not retired everywhere, attackers can keep using stale access long after the intended rotation. This is especially dangerous in secret-sprawl environments where credentials appear in code, build systems, and third-party integrations. NHI Mgmt Group research shows that 79% of organisations have experienced secrets leaks, and 91.6% of exposed secrets remain valid five days after notification, which means delayed retirement is not a theoretical risk but a common operational failure. That risk is echoed in breach reporting such as the 52 NHI Breaches Analysis, where lingering credential validity repeatedly extends incident impact. The larger the dependency graph, the more important it is to confirm revocation, not just deployment. Organisationally, the issue usually becomes visible only after an incident review finds the old secret was still accepted by one forgotten integration, at which point cutover discipline stops being optional.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.

Framework / Control or Reference / Relevance:

  • OWASP Non-Human Identity Top 10, NHI-02 (Secret Leakage): covers improper secret handling and the rotation gaps that cutover must avoid; an overlap left open indefinitely also falls under NHI-07 (Long-Lived Secrets).
  • NIST CSF 2.0, PR.AA-01 (identities and credentials for users, services and hardware are managed by the organisation; PR.AC-1 in CSF 1.1): access enforcement depends on timely revocation of stale NHI credentials.
  • NIST SP 800-207, Section 2.1 tenets of zero trust (per-session access, with authentication and authorization dynamically and strictly enforced): zero trust requires continuous verification, not standing trust in overlapping credentials.

Revoke the old secret promptly after validation and confirm no remaining access paths.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org