GitGuardian Report Identifies Non-Human Identity Sprawl as Primary Security Risk for Enterprise Infrastructure 2026
TL;DR
- Non-human identities now outnumber human users by an 80-to-1 ratio.
- AI coding assistants are fueling a massive surge in secret leaks.
- Managing machine credentials costs $172,000 annually per 10 developers.
- Internal repositories are six times more likely to harbor hardcoded secrets.
- Proactive governance is needed to close the critical machine-identity gap.
The modern enterprise is no longer run by people alone. In fact, if you look at the math, humans are becoming a rounding error in the digital infrastructure they built. According to the GitGuardian State of Secrets Sprawl Report 2026, non-human identities (NHIs)—the API keys, service accounts, and machine tokens that keep the lights on—now outnumber human users by a staggering 80-to-1 ratio.
We’ve spent decades obsessing over password policies and multi-factor authentication for employees, but we’ve largely ignored the ghost in the machine. This isn't just a technical debt issue; it’s a massive, ungoverned attack surface that’s quietly spiraling out of control.
The Productivity Tax
Why is this happening? Blame the speed of innovation. AI-driven development tools have turned code production into a high-octane sport. As teams lean harder into automated workflows, the sheer volume of machine-to-machine authentication has blown past the capabilities of our legacy security frameworks.
The result is a hidden "productivity tax." Engineering teams are drowning in the manual labor of managing these credentials, a process that costs organizations roughly $172,000 annually for every 10 developers. It’s a classic case of the tools intended to make us faster actually creating a massive bottleneck in our security posture.
Corporate leadership is starting to feel the heat. The BDO 2025 Board Survey shows that 63% of directors are planning to pump more money into cybersecurity. Half of all audit committees now rank cyber-risk as their primary headache for the year ahead. But here’s the kicker: only 24% of those organizations are actually shifting their budget toward proactive measures. Most are still throwing money at reactive patches, leaving the door wide open for orphaned infrastructure and credential leaks.

A Sea of Secrets
The scale of the problem is laid bare in the latest GitGuardian State of Secrets Sprawl Report 2026. In 2025 alone, 29 million secrets were detected on public GitHub. A major driver is AI coding assistants: leaks of credentials for AI services jumped 81% year-over-year.
It gets worse. Internal repositories—the ones your team thinks are "safe"—are actually six times more likely to contain hardcoded secrets than public ones. If an attacker gains a foothold, the potential for lateral movement across your network isn't just a possibility; it’s a statistical certainty.
The fragmentation of modern infrastructure only makes this harder to track. NHIs are scattered across secrets managers, CI/CD pipelines, Kubernetes clusters, and cloud environments. Without a centralized "source of truth," these identities lack clear ownership. We’re seeing "security drift" everywhere: credentials that stay active long after a project is dead or an engineer has moved on, just waiting to be harvested.
As explored in the hidden cost of secrets sprawl, this isn't just a balance sheet issue. It’s a fundamental failure in visibility. If you don't know where your machine identities live, what they can access, or who owns them, you don't really have a security strategy—you have a hope-based strategy.
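The "hardcoded secrets" the report counts are found by scanning source for credential-shaped strings. The following is an added illustration, not GitGuardian's detector or any code from the report: a minimal scanner that combines fixed-format rules (an AWS access key ID, a GitHub personal access token) with a generic "secret-looking name assigned a long opaque value" rule gated by a Shannon-entropy threshold. The sample files, the rule set and the 3.5 bits/char threshold are assumptions made for the example; the AWS values are the placeholders from AWS's own documentation and the GitHub token is synthetic.

```python
import math
import re

# Constructed sample repository (synthetic content, not real credentials).
# The AWS values are the placeholders from AWS's own documentation.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "PASSWORD_MIN_LENGTH = 12\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "SECRET_KEY = 'changeme_changeme_changeme'\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GH_TOKEN=ghp_a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ\n"
        "echo deploying\n"
    ),
    "README.md": "Set OPENAI_API_KEY in your environment before running.\n",
}

# Detectors for credentials with a fixed, recognisable format (high confidence).
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic detector: a secret-looking variable name assigned a long opaque value.
# No leading \b: '_' is a word character, so AWS_SECRET_ACCESS_KEY must still match.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*"
    r"['\"]?(?P<value>[A-Za-z0-9/+_\-]{20,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits/char (assumed); placeholders like 'changeme' sit well below


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix only, so a finding can be reported without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per credential-shaped value in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for rule, pattern in SPECIFIC_RULES.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"path": path, "line": line_no, "rule": rule,
                                 "secret": redact(m.group(0))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group("value")
            if value in seen:
                continue  # already reported by a specific rule
            ent = shannon_entropy(value)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": line_no, "rule": "generic-high-entropy",
                                 "secret": redact(value), "entropy": round(ent, 2)})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Run against the constructed repository this reports three findings: the AWS access key ID and the GitHub token by their fixed formats, and the AWS secret access key only because its entropy is high. The `changeme_changeme_changeme` placeholder is assigned to a secret-looking name but scores about 2.9 bits/char and is skipped, which is the trade-off every entropy-gated rule makes: fewer false positives on placeholders, at the price of missing a weak real secret that happens to look like one.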
The Reality Check: Key Metrics
| Metric | Observation |
|---|---|
| NHI-to-Human Ratio | At least 80-to-1 |
| Secrets Growth Rate | 1.6x faster than developer population |
| AI-Service Leak Increase | 81% year-over-year |
| Public Commits Growth | 43% year-over-year |
The drivers of this risk are clear:
- Fragmented Governance: When identities live everywhere, they are effectively governed nowhere.
- Orphaned Credentials: When projects end, the keys to the kingdom often stay active, creating long-term vulnerabilities.
- AI-Generated Vulnerabilities: AI tools generate code faster than they generate secure code, and leaked secrets are multiplying as a result.
- The Proactive Deficit: We are still spending more on cleaning up messes than on building systems that prevent them.
Moving Toward a Machine-First Model
As noted in recent analysis on GitGuardian boards and NHI governance, the transition to a machine-first security model is no longer optional. Boards of directors are now expected to treat machine identity governance as a core component of digital trust. According to PwC’s Global Digital Trust Insights, your ability to control these machine identities is becoming the gold standard for measuring cybersecurity maturity.
Fixing this requires a shift from manual oversight to automated discovery and strict policy enforcement. You need a centralized, searchable inventory that forces accountability. If every machine identity has a clear owner and a defined lifecycle, you can catch leaks and credential exposure before they become headlines.
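What "a clear owner and a defined lifecycle" buys you is that governance becomes a query over an inventory rather than a guess. The following is an added example, not code from GitGuardian or from any of the reports cited here: a policy check over a constructed inventory of machine identities that flags the drift conditions the text describes (no owner, owner who has left, project that has ended, non-expiring or expired credentials, overdue rotation, and identities that sit unused). The inventory schema, the rotation and idle windows, and the lists of active people and projects are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


# Hypothetical inventory row: one machine identity, wherever it lives.
# The schema is an assumption for this example, not any vendor's format.
@dataclass
class MachineIdentity:
    name: str
    kind: str                    # "api-key", "service-account", "deploy-token", ...
    location: str                # secrets manager, CI/CD, k8s, cloud IAM, ...
    owner: Optional[str]         # accountable person or team; None = nobody
    project: str
    created: date
    last_used: Optional[date]    # None = never observed in use
    expires: Optional[date]      # None = non-expiring


# Constructed reference data: who still works here, which projects are live.
ACTIVE_PEOPLE = {"alice", "bob", "platform-team"}
ACTIVE_PROJECTS = {"billing", "web"}

MAX_AGE = timedelta(days=90)   # assumed policy: rotate at least every 90 days
MAX_IDLE = timedelta(days=30)  # assumed policy: unused for 30 days is probably dead

TODAY = date(2026, 3, 1)       # fixed so the example is deterministic

# Constructed sample inventory spanning the usual hiding places.
SAMPLE_INVENTORY = [
    MachineIdentity("billing-api-key", "api-key", "secrets-manager", "alice", "billing",
                    TODAY - timedelta(days=30), TODAY - timedelta(days=1), TODAY + timedelta(days=60)),
    MachineIdentity("legacy-etl-sa", "service-account", "cloud-iam", "carol", "etl",
                    TODAY - timedelta(days=400), TODAY - timedelta(days=200), None),
    MachineIdentity("ci-deploy-token", "deploy-token", "ci-cd", None, "web",
                    TODAY - timedelta(days=10), TODAY - timedelta(days=2), TODAY + timedelta(days=20)),
    MachineIdentity("web-readonly-key", "api-key", "k8s-secret", "platform-team", "web",
                    TODAY - timedelta(days=120), TODAY - timedelta(days=3), TODAY - timedelta(days=5)),
]


def audit(identities, today, people=ACTIVE_PEOPLE, projects=ACTIVE_PROJECTS):
    """Return {identity name: [policy violations]} for every identity needing action."""
    findings = {}
    for nhi in identities:
        issues = []
        if nhi.owner is None:
            issues.append("no-owner")
        elif nhi.owner not in people:
            issues.append("orphaned-owner-left")
        if nhi.project not in projects:
            issues.append("orphaned-project-ended")
        if nhi.expires is None:
            issues.append("non-expiring")
        elif nhi.expires < today:
            issues.append("expired-but-still-present")
        if today - nhi.created > MAX_AGE:
            issues.append("rotation-overdue")
        if nhi.last_used is None or today - nhi.last_used > MAX_IDLE:
            issues.append("stale-unused")
        if issues:
            findings[nhi.name] = issues
    return findings


def prioritise(findings):
    """Names ordered by number of violations, worst first (ties keep inventory order)."""
    return sorted(findings, key=lambda name: -len(findings[name]))


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, TODAY)
    for name in prioritise(report):
        print(f"{name}: {', '.join(report[name])}")
```

The interesting rows are the ones a human review tends to miss: `legacy-etl-sa` fails five checks at once because its owner has left and its project has ended, yet the credential is non-expiring and still present in cloud IAM, which is exactly the "security drift" described above; `web-readonly-key` is past its expiry date but still mounted, so expiry alone did not remove it. Both surface only because the inventory records owner, project and lifecycle dates, which is the accountability the text is asking for.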
The BDO 2025 Board Survey makes it clear: the intent to secure the enterprise is there, but the complexity is outpacing our current methods. As secrets continue to proliferate faster than the people writing them, the ability to govern the machine-to-machine layer will be the single biggest factor determining which companies survive the rest of the decade intact. It’s time to stop treating machines like background noise and start treating them like the primary security risk they’ve become.