Secrets Custody

By NHI Mgmt Group | Updated June 10, 2026 | Domain: Architecture & Implementation Patterns

Secrets custody is the operational responsibility for storing, decrypting, and exposing credentials only to the systems that truly need them. In workflow and agent platforms, weak custody means a runtime compromise can reveal API keys, OAuth tokens, certificates, and cloud credentials at once.

Expanded Definition

Secrets custody is the control layer that determines where credentials live, who or what can decrypt them, and how narrowly they are exposed at runtime. In NHI and agentic systems, custody is not just storage hygiene. It is the operational boundary between a protected secret and a secret that can be copied, logged, cached, or replayed by a compromised workflow.

Definitions vary across vendors, but the practical standard is simple: custody should keep secrets bound to the smallest viable trust domain, with short exposure windows and explicit retrieval paths. That means distinguishing custody from adjacent concepts such as secret discovery, rotation, and vaulting. A vault can hold a secret, but custody also covers the decision logic that releases it to a CI runner, AI agent, service account, or orchestration task. For a standards-oriented reference point, the OWASP Non-Human Identity Top 10 frames the broader risk of weak NHI control, while NHIMG’s Ultimate Guide to NHIs helps distinguish static and dynamic secret handling.

The most common misapplication is treating “stored in a vault” as equivalent to proper custody, which occurs when runtime access is broader than the storage policy.

Examples and Use Cases

Implementing secrets custody rigorously often introduces operational friction, requiring organisations to weigh lower blast radius against added retrieval complexity and runtime dependencies.

  • A CI/CD pipeline fetches a short-lived deployment token only for one job, then discards it after use instead of persisting it in logs or artifacts.
  • An AI agent requests a scoped API key from a broker at task start, with the key bound to one tool action and one approval context.
  • A Kubernetes workload receives a certificate through workload identity and ephemeral delivery rather than a long-lived secret mounted across the cluster.
  • A GitHub Actions workflow is reviewed after a supply chain incident to ensure no reusable cloud credential is exposed to every runner in the job graph, as seen in NHIMG’s Reviewdog GitHub Action supply chain attack.
  • A migration team replaces static credentials with ephemeral ones after comparing custody models in the Guide to the Secret Sprawl Challenge and the NIST guidance on digital identity assurance.

These use cases reflect a shared pattern: custody is strongest when retrieval is just-in-time, scoped, auditable, and hard to reuse outside the intended execution path.
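The release decision behind these use cases can be sketched as a small broker. This is an added example, not code from NHIMG or any product: the CustodyBroker class, its policy shape, and the workload, action and approval identifiers are all hypothetical. The workload never holds the long-lived secret; it holds a signed grant that is bound to one action and one approval context, expires quickly, and can be redeemed once.

```python
import hashlib, hmac, json, secrets, time

class CustodyBroker:
    """Hypothetical broker: issues scoped, short-lived, single-use grants."""
    def __init__(self, policy, ttl=60):
        self._key = secrets.token_bytes(32)  # signing key never leaves the broker
        self._policy = policy                # workload -> set of allowed actions
        self._ttl = ttl                      # exposure window in seconds
        self._used = set()                   # grant ids already redeemed
        self.audit = []                      # every decision is recorded

    def _sign(self, claims):
        body = json.dumps(claims, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue(self, workload, action, approval_ctx, now=None):
        now = time.time() if now is None else now
        if action not in self._policy.get(workload, set()):
            self.audit.append(("deny_issue", workload, action))
            return None
        claims = {"jti": secrets.token_hex(8), "wl": workload, "act": action,
                  "ctx": approval_ctx, "exp": now + self._ttl}
        self.audit.append(("issue", workload, action))
        return {"claims": claims, "sig": self._sign(claims)}

    def redeem(self, grant, workload, action, approval_ctx, now=None):
        now = time.time() if now is None else now
        c = grant["claims"]
        if not hmac.compare_digest(self._sign(c), grant["sig"]):
            reason = "bad_signature"
        elif now >= c["exp"]:
            reason = "expired"
        elif (c["wl"], c["act"], c["ctx"]) != (workload, action, approval_ctx):
            reason = "out_of_scope"   # presented outside the approved context
        elif c["jti"] in self._used:
            reason = "replayed"       # grants are single-use
        else:
            self._used.add(c["jti"])
            reason = "ok"
        self.audit.append((reason, workload, action))
        return reason

def demo():
    # Constructed sample policy and identifiers, for illustration only.
    broker = CustodyBroker({"agent-7": {"tickets:read"}})
    grant = broker.issue("agent-7", "tickets:read", "approval-41", now=1000)
    first = broker.redeem(grant, "agent-7", "tickets:read", "approval-41", now=1010)
    again = broker.redeem(grant, "agent-7", "tickets:read", "approval-41", now=1011)
    return first, again
```

The audit list records denials as well as releases, which is what makes a later exposure review possible.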

Why It Matters in NHI Security

Secrets custody is central to NHI security because most non-human compromise becomes scalable only after credentials are exposed beyond the intended execution boundary. Once an attacker or malicious agent can read a token from memory, environment variables, config files, or build output, every downstream system that trusts that credential becomes reachable. NHIMG research shows how quickly this becomes material: the average estimated time to remediate a leaked secret is 27 days, even though 75% of organisations express strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.

That gap matters because custody failures are rarely isolated. They often appear alongside secret sprawl, overbroad CI/CD runner permissions, and AI tooling that can reproduce sensitive patterns. The same research also found that 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases. When custody is weak, incident response becomes a revocation problem, not just a detection problem, as shown in NHIMG’s CI/CD pipeline exploitation case study and Shai Hulud npm malware campaign.

Organisations typically encounter the consequence only after a credential is already replayed in production, at which point secrets custody becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
OWASP Non-Human Identity Top 10 | NHI-02 | Addresses improper secret storage, exposure, and reuse in NHI workflows.
NIST CSF 2.0 | PR.AC-1 | Supports least-privilege access to credentials and runtime identities.
NIST Zero Trust (SP 800-207) | | Maps to continuous verification and minimizing implicit trust in secret use.

Grant secrets only to approved workloads and review exposure boundaries regularly.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.