Full Report
Artificial intelligence is driving a massive shift in enterprise productivity, from GitHub Copilot’s code completions to chatbots that mine internal knowledge bases for instant answers. Each new agent must authenticate to other services, quietly swelling the population of non‑human identities (NHIs) across corporate clouds. That population is already overwhelming the enterprise: many companies
Analysis Summary
## Best Practices: Managing Non-Human Identities (NHIs) and Secrets Sprawl in the Age of AI
## Overview
These practices address the rapidly escalating security risks associated with Non-Human Identities (NHIs)—including service accounts, CI/CD bots, containers, and AI agents—and the proliferation of unsecured secrets (API keys, tokens, certificates) they utilize across enterprise cloud environments. The goal is to govern NHI credentials rigorously to prevent excessive sprawl, credential exposure, and potential exploitation by threat actors.
## Key Recommendations
### Immediate Actions
1. **Inventory Existing Secrets Visibility:** Immediately scan all developer repositories (especially those integrated with AI coding assistants like Copilot) for publicly exposed secrets and API keys. Prioritize scanning public repositories first.
2. **Isolate High-Risk Credentials:** Immediately revoke and re-issue any high-privilege secrets found to be actively exposed on public platforms. Implement a mandatory, time-bound rotation schedule for all existing, known secrets.
3. **Implement Pre-Commit Hook Scanning:** Deploy local secret scanning tools (e.g., GitGuardian scanner, pre-commit hooks) on developer workstations to prevent the accidental ingestion of secrets into Git history before code is even pushed.
### Short-term Improvements (1-3 months)
1. **Establish Credential Scoping Policies:** Define and enforce the Principle of Least Privilege (PoLP) specifically for NHIs, ensuring each identity only has the minimum permissions necessary to perform its designated, narrow function.
2. **Deploy Automated Secret Detection in CI/CD:** Integrate automated secret detection tools into the Continuous Integration/Continuous Delivery (CI/CD) pipeline to fail builds immediately upon the introduction of hardcoded credentials.
3. **Implement Secret Rotation Strategy:** Mandate and automate credential rotation policies for all service accounts and machine identities (e.g., quarterly rotation minimum, or shorter for short-lived tokens).
### Long-term Strategy (3+ months)
1. **Adopt Secrets Management Solution:** Fully migrate from storing secrets in configuration files or environment variables to a dedicated secrets management platform (e.g., Vault, Cloud IAM features) that supports dynamic secrets generation and centralized auditing.
2. **Govern AI Agent/LLM Access (RAG Context):** Define strict access controls for Retrieval-Augmented Generation (RAG) systems. Ensure LLM training data or retrieval contexts explicitly exclude credentials, sensitive configuration, or PII, and audit RAG outputs for inadvertent secret exposure.
3. **Decommission Dormant NHIs:** Establish an organizational policy and automated process to regularly audit and systematically decommission all unused or orphaned machine identities and their associated credentials.
## Implementation Guidance
### For Small Organizations
- **Focus on Centralization:** Prioritize adopting one secure method for credential storage (e.g., leveraging native cloud secrets management services integrated with developer workflows) rather than creating numerous ad-hoc secrets files.
- **Mandate Local Scanning:** Enforce the use of client-side secret scanning tools (like IDE plugins or pre-commit hooks) as mandatory requirements for all code contribution, as formal centralized scanning infrastructure might be premature.
- **Simple Policy:** Implement a "No Plaintext Secrets in Code" policy with clear, documented disciplinary action for violations.
### For Medium Organizations
- **Integrate Scanning in CI/CD:** Fully integrate automated secret scanning into the core CI/CD pipeline (as described in Short-term improvements).
- **Standardize Credentials:** Select and deploy a standardized, centralized secrets vault solution that integrates with primary cloud providers and source code management systems.
- **Develop NHI Lifecycle:** Create simple documentation defining the process for requesting, issuing, inspecting, and retiring credentials for new agents or services.
### For Large Enterprises
- **Mature Governance Framework:** Implement a formal governance model that specifically addresses the unique lifecycle management of NHIs, differentiating them structurally and policy-wise from human identities.
- **Dynamic Secrets Implementation:** Move heavily away from static API keys toward dynamic credential provisioning systems (e.g., leveraging short-lived tokens automatically generated by a secrets manager upon request).
- **Audit Log Analysis:** Implement proactive monitoring and alerting on anomalies in secret usage patterns (e.g., a service account accessing resources outside its known scope) leveraging centralized security information and event management (SIEM) systems.
## Configuration Examples
*Configuration details are highly environment-specific, but the standard configuration best practice involves:*
1. **Enforcing Fine-Grained IAM Roles:** Instead of using broad programmatic access keys, configure cloud services (AWS IAM, Azure AD, GCP IAM) to assign specific execution roles directly to containers or compute instances, eliminating the need to manage static keys entirely.
2. **Secrets Vault Integration:** Configure the application deployment process to query the central secrets manager *at runtime* using an identity established via the orchestration platform (e.g., Kubernetes Service Account or ECS Task Role), retrieving the necessary secret dynamically.
## Compliance Alignment
- **NIST SP 800-53 (AC-2, CM-3, IA-5):** Focuses on controlling physical and logical access, configuration management, and authentication mechanisms, directly applicable to securing non-human access.
- **ISO/IEC 27001 (A.5, A.8):** Addresses information security policies, asset management, and access control, requiring formal documented management of credentials and identities.
- **CIS Critical Security Controls (Control 4: Asset Management, Control 5: Account Management):** Direct emphasis on maintaining an inventory of all accounts (human and non-human) and rigorously managing the credentials associated with them.
## Common Pitfalls to Avoid
- **Treating NHIs Like Humans:** Do not apply human-centric access policies (like simple password complexity) to machine identities. NHIs require granular, scope-based authorization policies.
- **Ignoring AI Tool Contamination:** Assuming AI coding assistants prevent secrets exposure; the report indicates they increase the frequency of leaks when not properly constrained by local scanning.
- **Relying on Obscurity:** Believing that simply hiding secrets in deep configuration trees or environment variables is sufficient. All secrets, regardless of location, must be encrypted and centrally managed for rotation and revocation.
- **Failing to Decommission:** Leaving old service accounts active indefinitely, creating ghost credentials that attackers can eventually discover and utilize.
## Resources
- GitGuardian's State of Secrets Sprawl 2025 Report (For context on current threat landscape).
- Documentation for enterprise secrets management tools (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) regarding dynamic secret provisioning.
- NIST Special Publication 800-161 for supply chain risk management relevant to software components relying on secrets.