
Why Non-Human Identities Are a Hidden Security Threat

IMAGE CREDITS: SECURITY MAGAZINE

When most people think of cybersecurity, they picture usernames, passwords, and maybe an MFA prompt. But one of the biggest threats today doesn’t involve humans at all. The real danger now lies in the rise of Non-Human Identities (NHIs) — and the secrets they use to access everything.

We’re not just talking about service accounts. NHIs now include a wide range of digital identities like IAM Roles, Service Principals, Snowflake Roles, and custom identities from cloud platforms like AWS, Azure, and GCP. Each of these can act independently to perform tasks, access systems, or move data — and that makes them powerful. But it also makes them dangerous.

Secrets: The Keys Machines Use to Move

Most NHIs authenticate not with passwords, but with secrets — API tokens, certificates, and access keys. These secrets grant machines the power to interact with apps, databases, and entire cloud environments. And here’s the scary part: most organizations don’t know how many secrets they have, where they’re stored, or whether they’re even being used.

According to the State of Secrets Sprawl 2025 report:

  • 23.7 million secrets were leaked on public GitHub in 2024 alone.
  • Even worse, 70% of secrets leaked in 2022 are still active today.

This happens because there’s no MFA for machines. Developers often grant excessive permissions to ensure systems don’t break, with some secrets set to expire decades from now — if ever. That creates a massive blast radius when secrets leak. One exposed token can unlock production environments, databases, or critical infrastructure, all without raising a single alert.

Unlike human logins, machine activity isn’t tied to time zones or working hours. So a 2 a.m. login from Tokyo might look suspicious for a person, but for an NHI? Totally normal. Attackers know this. And that’s why they’re targeting secrets more than ever.

Secrets Are Sprawling Faster Than Security Can Catch Up

Today’s cloud-native, microservices-driven world has shifted the balance dramatically. NHIs now outnumber humans by as much as 100 to 1. These machine identities are powering integrations, running background jobs, and feeding AI systems — all of which rely on secrets.

But secrets often:

  • Get hardcoded into codebases
  • Spread across CI/CD pipelines and developer tools
  • Linger in legacy systems or outdated scripts
  • Pass through AI agents without any controls

Many don’t expire. Few have owners. And most lack audit logs. This leads to secrets sprawl — a hidden mess that attackers are eager to exploit.
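The sprawl described above is what a secrets scanner looks for in code, CI configuration and scripts. The following is an added example, not GitGuardian's code, showing the two detection ideas such a scanner combines: matching a known credential format (here only the AWS access key ID format, AKIA followed by 16 upper-case alphanumerics, as documented by AWS) and flagging a quoted literal assigned to a credential-looking variable name, using character entropy to separate random-looking tokens from placeholders. The sample lines are constructed; the AKIA value is the placeholder from AWS documentation, and the rule names, thresholds and `redact` helper are this example's own choices.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample lines, as they might appear in a repo, a CI config or an
# old script. The AKIA... value is the placeholder AWS uses in its docs;
# nothing here is a real credential.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "hunter2"',
    'api_token = "c3f9e1b2a4d85f60e7b1c2d3a4e5f6071829abcd"',
    'github_token = "ghp_" + os.environ["TOKEN"]',
    'db_password = os.environ["DB_PASSWORD"]   # injected at runtime, not hardcoded',
    'log_level = "DEBUG"',
]


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str   # never record the secret itself in a report or log


# Rule 1: known credential formats. One detector is shown; a production
# scanner carries hundreds (assumption: AKIA + 16 upper-case alphanumerics,
# the AWS access key ID format from AWS documentation).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Rule 2: a quoted literal that is the whole right-hand side of an assignment
# to a credential-looking name. The end-of-line anchor means
# `"ghp_" + os.environ[...]` (a prefix, not a secret) is not reported.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?i)\b(?P<name>\w*(?:password|passwd|secret|token|api[_-]?key)\w*)"""
    r"""\s*[:=]\s*["'](?P<value>[^"'\s]+)["']\s*(?:#.*)?$"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines, min_len=20, min_entropy=3.5):
    """Return one Finding per suspected hardcoded secret (thresholds are assumptions)."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in KNOWN_FORMATS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, rule, redact(match.group(0))))
        match = CREDENTIAL_ASSIGNMENT.search(line)
        if match:
            value = match.group("value")
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                rule = "high_entropy_credential"   # very likely a live secret
            else:
                rule = "credential_literal"        # hardcoded, possibly a placeholder
            findings.append(Finding(line_no, rule, redact(value)))
    return findings


def rules_hit(findings):
    """Map rule name -> sorted line numbers; convenient for a CI gate."""
    out = {}
    for f in findings:
        out.setdefault(f.rule, []).append(f.line_no)
    return {rule: sorted(lines) for rule, lines in out.items()}


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule} ({f.redacted})")
```

Run against the constructed lines, the scanner reports the AWS key on line 1, the weak literal password on line 2 and the high-entropy token on line 3, while the prefix concatenation on line 4 and the environment-variable lookup on line 5 are left alone. The same two rules applied to CI logs, ticket text or chat exports cover the other surfaces the article lists.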

Old Security Tools Aren’t Built for Machines

Most identity tools — like IAM, PAM, and traditional vaults — were designed with human users in mind. They enforce password policies, MFA, and lifecycle management. But they fall short when it comes to managing NHIs.

Why? Because NHIs:

  • Are created ad hoc by developers, not centrally managed
  • Often bypass IT or security teams entirely
  • Don’t have onboarding/offboarding processes
  • Can exist across multiple cloud accounts, tools, and platforms

Secrets managers may store credentials securely, but they won’t help you if secrets are scattered across GitHub, Postman, Slack, or a forgotten test script. And when something leaks, the response is usually manual and chaotic.

GitGuardian’s NHI Governance: Finally, Some Control

GitGuardian is tackling the machine identity mess head-on with NHI Governance — a platform designed to track, control, and secure every non-human identity and the secrets it uses.

What makes it stand out?

1. A Map for the Mess

GitGuardian creates a complete graph of your secrets ecosystem — linking where secrets are stored (like AWS Secrets Manager or HashiCorp Vault), which services use them, what systems they access, and who owns them.

It also detects leaked secrets, whether they’re in code, scripts, or external platforms.

2. Full Lifecycle Control

Beyond visibility, NHI Governance gives security teams real management power:

  • Automatically rotate secrets
  • Remove unused or orphaned credentials
  • Flag “zombie” secrets that haven’t been used in months

3. Policy Enforcement and Compliance

The built-in policy engine lets teams enforce best practices, align with standards like the OWASP Top 10, and track secrets hygiene over time — from age and usage to rotation frequency.

It also benchmarks vault coverage across environments and flags overly privileged identities.
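The lifecycle checks in the list above (rotation, unused or orphaned credentials, "zombie" secrets) and the hygiene metrics in this section (age, usage, expiry, vault coverage, over-privilege) are all policy rules over a secrets inventory. The example below is added here and is not GitGuardian's code: it evaluates a constructed inventory against a small policy and produces a hygiene report. The record fields, thresholds (90-day rotation, 90 days idle, 20 permissions, and treating an expiry more than five years out as "never") and the identity and vault names are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed inventory: one record per secret, as a governance tool might
# assemble it from vault metadata and cloud audit logs. Every value is
# illustrative; the identities and vaults do not exist.


@dataclass
class SecretRecord:
    secret_id: str
    identity: str               # the NHI that uses it (IAM role, service principal, ...)
    store: Optional[str]        # vault holding it, or None if found outside any vault
    created: date
    last_used: Optional[date]   # None = no use ever observed
    expires: Optional[date]     # None = never expires
    owner: Optional[str]        # None = orphaned
    permissions: int            # number of granted permissions (privilege breadth proxy)


@dataclass
class Policy:
    max_age_days: int = 90           # rotate at least this often (assumption)
    zombie_after_days: int = 90      # idle this long -> candidate for removal (assumption)
    max_permissions: int = 20        # above this, review for over-privilege (assumption)
    practical_never_days: int = 365 * 5   # expiry further out than this counts as never


INVENTORY = [
    SecretRecord("sec-001", "role/ci-deploy", "vault-prod", date(2024, 1, 10),
                 date(2025, 5, 30), date(2025, 12, 31), "platform-team", 8),
    SecretRecord("sec-002", "sp/reporting", "vault-prod", date(2023, 3, 1),
                 date(2024, 9, 1), None, None, 45),
    SecretRecord("sec-003", "role/legacy-batch", None, date(2022, 6, 15),
                 None, None, None, 12),
    SecretRecord("sec-004", "role/data-sync", "vault-dev", date(2025, 5, 20),
                 date(2025, 6, 1), date(2099, 1, 1), "data-team", 5),
]

TODAY = date(2025, 6, 2)   # fixed reference date so the example is reproducible


def assess(record: SecretRecord, policy: Policy, today: date = TODAY):
    """Return the policy violations for one secret, in a fixed order."""
    issues = []
    if (today - record.created).days > policy.max_age_days:
        issues.append("rotation_overdue")
    if record.expires is None or (record.expires - today).days > policy.practical_never_days:
        issues.append("never_expires")
    # A secret never seen in use is idle since the day it was created.
    idle_since = record.last_used or record.created
    if (today - idle_since).days > policy.zombie_after_days:
        issues.append("zombie")
    if record.store is None:
        issues.append("outside_vault")
    if record.owner is None:
        issues.append("no_owner")
    if record.permissions > policy.max_permissions:
        issues.append("over_privileged")
    return issues


def hygiene_report(inventory, policy: Policy, today: date = TODAY):
    """Per-secret findings plus the fleet-level metrics the text mentions."""
    findings = {r.secret_id: assess(r, policy, today) for r in inventory}
    in_vault = sum(1 for r in inventory if r.store is not None)
    return {
        "findings": findings,
        "vault_coverage": in_vault / len(inventory) if inventory else 0.0,
        "zombies": sorted(s for s, iss in findings.items() if "zombie" in iss),
        "over_privileged": sorted(s for s, iss in findings.items() if "over_privileged" in iss),
    }


if __name__ == "__main__":
    report = hygiene_report(INVENTORY, Policy())
    print(f"vault coverage: {report['vault_coverage']:.0%}")
    for secret_id, issues in report["findings"].items():
        print(secret_id, ", ".join(issues) or "clean")
```

On the constructed inventory, `sec-003` is the worst case the article warns about: outside any vault, unowned, never used and never expiring. The report drives the actions listed above directly: "zombie" and "no_owner" feed the removal queue, "rotation_overdue" feeds rotation, and the vault-coverage ratio is the benchmark tracked over time.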

AI Agents: A New Risk Frontier

A growing risk comes from how AI agents are being plugged into tools like Slack, Confluence, and Jira — often with access to internal data. This is useful, but it’s also risky.

Secrets are now leaking from:

  • Documentation platforms
  • Tickets and chat messages
  • Unsanitized logs created by developers or vendors

These secrets can accidentally appear in AI-generated outputs or get stored in logs. GitGuardian scans all these surfaces, flags risky behavior, and removes secrets from logs or systems before they spread.

The Takeaway: You Can’t Protect What You Don’t See

NHIs have become one of the most critical blind spots in cybersecurity. They don’t behave like humans. They don’t follow traditional identity lifecycles. And their secrets, if unmanaged, can bring down entire systems.

GitGuardian’s NHI Governance platform offers visibility, control, and peace of mind — a way to enforce zero trust, reduce your attack surface, and take control of an identity layer that’s been left to grow wild for far too long.

In today’s world, where identity is the new perimeter, ignoring NHIs isn’t just risky — it’s reckless.
