
When people talk about identity in cybersecurity, most think of usernames, passwords, and the occasional MFA prompt. But beneath the surface lurks a growing threat that involves no human credentials at all: the exponential growth of non-human identities (NHIs).
When NHIs come up, most security teams immediately think of service accounts. But it goes far beyond that. There are service principals in AWS, Azure, and GCP, Snowflake roles, IAM roles, and platform-specific components. The truth is that NHIs are as varied as the services and environments in a modern technology stack, and managing them starts with understanding that diversity.
The real danger lies in how these identities are authenticated.
Secrets: The Currency of Machines
Most non-human identities authenticate with secrets: API keys, tokens, certificates, and other credentials that grant access to systems, data, and critical infrastructure. These secrets are exactly what attackers want most. And to my surprise, most companies don’t know how many secrets they have, where they are stored, or who is using them.
The State of Secrets Sprawl 2025 report revealed two jaw-dropping statistics:
- 23.7 million new secrets were leaked on public GitHub in 2024 alone.
- 70% of the secrets leaked in 2022 are still valid today.
Why is this happening?
Part of the story is that there is no MFA for machines. No verification prompt. When developers create tokens, they often grant more access than is needed, just to make sure things work.
Expiration date? Optional. Some secrets have been created with a 50-year validity window. Why? Because the team doesn’t want to break the app next year. They choose speed over security.
This creates a huge blast radius. If one of these secrets leaks, it can unlock everything from production databases to cloud resources without triggering a single alert.
Detecting a compromised NHI is much harder than detecting a compromised human account. A login from Tokyo at 2 a.m. raises a red flag for a person, but machines talk 24/7 from all over the world, so malicious activity blends in quickly.
Many of these secrets act as invisible backdoors, enabling lateral movement, supply chain attacks, and undetected breaches. The Toyota incident is a perfect example: a leaked secret can take down a global system.
This is why attackers love NHIs and their secrets. There are too many permissions, generally low visibility, and the payoff can be enormous.
The rise of machines (and their secrets)
The shift to cloud-native, microservice-heavy environments has introduced thousands of NHIs per organization. NHIs now outnumber human identities by ratios ranging from 50:1 to 100:1, and that gap is expected to widen. These digital workers connect services, automate tasks, and drive AI pipelines. All of them need a secret to work.
However, unlike human credentials:
- Secrets are hardcoded in codebases, shared across multiple tools and teams, left dormant in legacy systems, and passed to AI agents with minimal monitoring.
- Many lack expiration dates, ownership, and auditability.
The result? Secrets sprawl. Over-privileged access. And one small leak away from a massive breach.
Why the Old Playbooks Don’t Work Anymore
Legacy Identity Governance and PAM tools were built for human users, in an era when everything was centrally managed. These tools do a great job enforcing password complexity, managing break-glass accounts, and governing access to internal apps. NHIs, however, break this model entirely.
Here’s why:
- IAM and PAM are designed for human identities, typically tied to individuals and protected by MFA. NHIs, by contrast, are decentralized: they are created and managed by developers across teams, often with no oversight from central IT or security.
- Many organizations today run multiple vaults with no unified inventory or policy enforcement. Secrets managers help you store secrets, but they don’t help when secrets leak across infrastructure, codebases, CI/CD pipelines, and even public platforms like GitHub and Postman. They are not designed to detect, remediate, or investigate exposure.
- CSPM tools focus on the cloud, but secrets are everywhere: in source control management systems, messaging platforms, developer laptops, and unmanaged scripts. When a secret leaks, it’s not just a hygiene issue, it’s a security incident.
- NHIs don’t follow the traditional identity lifecycle. Often there is no onboarding, no offboarding, no clear ownership, and no expiration date. They sit in your systems under the radar until something goes wrong.
Security teams end up chasing shadows, trying to manually stitch together where a secret came from, what it can access, and whether it is still in use. This reactive approach doesn’t scale and leaves organizations dangerously exposed.
This is where GitGuardian NHI Governance comes into play.
GitGuardian NHI Governance: Mapping the Machine Identity Maze
GitGuardian took its deep expertise in detecting and remediating secrets and turned it into something more powerful: a complete governance layer for machine identities and their credentials.
Here’s what stands out:
A map of the maze
Think of it as an end-to-end visual graph of your entire secrets estate. The map connects the dots between:
- where a secret is stored (e.g. HashiCorp Vault, AWS Secrets Manager)
- which systems use it
- what it can access
- who owns it
- whether it has been leaked internally or exposed in public code
Complete Lifecycle Control
NHI Governance goes beyond visibility. It enables true lifecycle management of secrets: tracking their creation, usage, rotation, and revocation.
Security teams can:
- set auto-rotation policies
- deprecate unused or orphaned credentials
- detect secrets that haven’t been accessed in months (aka zombie credentials)
Security and compliance, built-in
The platform also includes a policy engine that helps teams enforce consistent controls across all vaults and benchmark themselves against standards such as the OWASP Top 10.
You can track:
- vault coverage across teams and environments
- secret hygiene indicators (age, usage, rotation frequency)
- overall compliance posture drift over time
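To make the lifecycle checks and hygiene indicators above concrete, here is an added example (not GitGuardian’s code) that audits a constructed secrets inventory against assumed policy thresholds: validity window, last use, rotation age, ownership, and vault coverage.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy thresholds: assumed values for this example, not GitGuardian defaults.
MAX_VALIDITY_DAYS = 365   # anything minted with a longer window is flagged
ZOMBIE_AFTER_DAYS = 90    # unused for this long => "zombie credential"
ROTATE_EVERY_DAYS = 90    # rotation is overdue past this age
TODAY = date(2025, 6, 1)  # pinned so the run is reproducible
@dataclass
class Secret:
    name: str
    store: str                 # "vault", "hardcoded", "ci_variable", ...
    owner: Optional[str]       # None => orphaned credential
    created: date
    expires: Optional[date]    # None => never expires
    last_used: Optional[date]  # None => never seen in use
    last_rotated: date
def audit(s: Secret, today: date = TODAY) -> list:
    """Return hygiene findings for one secret; an empty list means healthy."""
    findings = []
    if s.owner is None:
        findings.append("orphan")
    if s.expires is None or (s.expires - s.created).days > MAX_VALIDITY_DAYS:
        findings.append("excessive-validity")
    if s.last_used is None or (today - s.last_used).days > ZOMBIE_AFTER_DAYS:
        findings.append("zombie")
    if (today - s.last_rotated).days > ROTATE_EVERY_DAYS:
        findings.append("rotation-overdue")
    if s.store != "vault":
        findings.append("outside-vault")
    return findings
def vault_coverage(secrets: list) -> float:
    """Share of the inventory that lives in a managed vault."""
    return sum(s.store == "vault" for s in secrets) / len(secrets)
# Constructed inventory; names and dates are made up, not real credentials.
INVENTORY = [
    Secret("payments-api-token", "vault", "team-payments",
           date(2025, 3, 1), date(2025, 9, 1), date(2025, 5, 30), date(2025, 4, 1)),
    Secret("legacy-db-password", "hardcoded", None,
           date(2015, 1, 1), date(2065, 1, 1), date(2024, 11, 2), date(2015, 1, 1)),
    Secret("ci-deploy-key", "ci_variable", "team-platform",
           date(2024, 1, 10), None, None, date(2024, 1, 10)),
]
if __name__ == "__main__":
    for s in INVENTORY:
        print(f"{s.name}: {', '.join(audit(s)) or 'ok'}")
    print(f"vault coverage: {vault_coverage(INVENTORY):.0%}")
```

The 50-year password from the text shows up here as excessive-validity plus zombie, orphan, and outside-vault, which is the combination that turns one leak into a large blast radius.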
AI Agents: The New Wild West
A major driver of this risk is RAG (retrieval-augmented generation), where an AI uses internal data to answer questions. It is useful, but if secrets are hidden in that data, they can be surfaced by mistake.
AI agents are being connected to everything: Slack, Jira, Confluence, and internal docs, all to unlock productivity. But with each new connection, the risk of secrets sprawl grows.
Secrets don’t just leak from code anymore. They show up in documents, tickets, and messages, and when AI agents access those systems, they can unintentionally expose those credentials in a response or a log.
What’s going wrong?
- Secrets stored in Jira, Notion, Slack, etc. are leaking.
- AI logs capture sensitive inputs and outputs.
- Developers and third-party vendors store unredacted logs.
One of the most promising aspects of the GitGuardian platform is that it helps tackle AI-driven secrets sprawl.
It scans all connected sources, including messaging platforms, tickets, wikis, and internal apps, to detect secrets that could be exposed to AI; shows where AI agents are accessing your data; flags insecure paths that could lead to leaks; and removes secrets before they are stored.
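As an added illustration (not GitGuardian’s implementation) of scanning content before it reaches an AI index, the following script applies a few well-known secret-format detectors to constructed Jira and Slack snippets and redacts matches before the chunks would be stored. The detector patterns, chunk text, and key-looking strings are all assumptions built for this example.

```python
import re

# Detector patterns for a few well-known secret formats (assumed for this example).
DETECTORS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    # key = "value" style assignments; only the value is redacted, the key name is kept
    "generic-assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})['\"]?"),
}

def redact(text: str) -> tuple:
    """Replace every detected secret with a placeholder; return (clean_text, counts)."""
    counts = {}
    for name, pattern in DETECTORS.items():
        def _sub(m, name=name):
            counts[name] = counts.get(name, 0) + 1
            if name == "generic-assignment":
                return f"{m.group(1)}=[REDACTED:{name}]"
            return f"[REDACTED:{name}]"
        text = pattern.sub(_sub, text)
    return text, counts

def ingest(chunks: list) -> list:
    """Gate every chunk through redact() before it would be embedded or indexed."""
    return [redact(c) for c in chunks]

# Constructed ticket/chat snippets; the key-looking strings are not real credentials.
CHUNKS = [
    "JIRA-412 prod outage. Workaround: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE on the bastion",
    "slack #deploys: token: ghp_0123456789abcdefghijklmnopqrstuvwxyz works for the release bot",
    "runbook: restart the ingest worker, then check the dashboard",
]

if __name__ == "__main__":
    for clean, counts in ingest(CHUNKS):
        print(counts or "clean", "->", clean)
```

Specific detectors run before the generic one so a token that is already replaced with a placeholder is not counted twice; the counts per chunk are what you would feed into a dashboard of insecure ingestion paths.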
AI is moving fast. But the secrets are leaking faster.
Bottom line: You cannot protect what you do not govern
With NHI Governance, GitGuardian gives organizations a blueprint for bringing order to the chaos and taking control of an identity layer that has long stayed in the dark.
Whether you are trying to:
- enforce zero-trust principles across machines
- minimize your attack surface
- map your secrets ecosystem
- or simply sleep better at night
The GitGuardian platform may be your new best friend.
Because in a world where identity is the perimeter, ignoring non-human identities is no longer an option.
Want to see NHI governance actually working?
Request a demo or check out GitGuardian’s full product overview.