Why NHIs Are Security’s Most Dangerous Blind Spot

When we talk about identity in cybersecurity, most people think of usernames, passwords, and the occasional MFA prompt. But lurking beneath the surface is a growing threat that does not involve human credentials at all, as we witness the exponential growth of Non-Human Identities (NHIs).

At the top of mind when NHIs are mentioned, most security teams immediately think of Service Accounts. But NHIs go far beyond that. You’ve got Service Principals, Snowflake Roles, IAM Roles, and platform-specific constructs from AWS, Azure, GCP, and more. The truth is, NHIs can vary just as widely as the services and environments in your modern tech stack, and managing them means understanding this diversity.

The real danger lies in how these identities authenticate.

Secrets: The Currency of Machines

Non-Human Identities, for the most part, authenticate using secrets: API keys, tokens, certificates, and other credentials that grant access to systems, data, and critical infrastructure. These secrets are what attackers want most. And shockingly, most companies have no idea how many secrets they have, where they’re stored, or who is using them.

The State of Secrets Sprawl 2025 revealed two jaw-dropping stats:

• 23.7 million new secrets were leaked on public GitHub in 2024 alone
• And 70% of the secrets leaked in 2022 are still valid today

Why is this happening?

A part of the story is that there’s no MFA for machines. No verification prompt. When a developer creates a token, they often grant it wider access than needed, just to make sure things work.

Expiration dates? Optional. Some secrets are created with 50-year validity windows. Why? Because teams don’t want the app to break next year. They choose speed over security.

This creates a massive blast radius. If one of those secrets leaks, it can unlock everything from production databases to cloud resources, without triggering any alerts.

Detecting compromised NHIs is much harder than with humans. A login from Tokyo at 2 am might raise red flags for a person, but machines talk to each other 24/7 from all over the world. Malicious activity blends right in.

Many of these secrets act like invisible backdoors, enabling lateral movement, supply chain attacks, and undetected breaches. The Toyota incident is a perfect example — one leaked secret can take down a global system.

This is why attackers love NHIs and their secrets. The permissions are too often high, the visibility is commonly low, and the consequences can be huge.

The Rise of the Machines (and Their Secrets)

The shift to cloud-native, microservices-heavy environments has introduced thousands of NHIs per organization. NHIs now outnumber human identities from 50:1 to a 100:1 ratio, and this is only expected to increase. These digital workers connect services, automate tasks, and drive AI pipelines — and every single one of them needs secrets to function.

But unlike human credentials:

• Secrets are hardcoded in codebases
• Shared across multiple tools and teams
• Lying dormant in legacy systems
• Passed to AI agents with minimal oversight

They often lack expiration, ownership, and auditability.

The result? Secrets sprawl. Overprivileged access. And one tiny leak away from a massive breach.

Why the Old Playbook Doesn’t Work Anymore

Legacy identity governance and PAM tools were built for human users, an era when everything was centrally managed. These tools still do a fine job enforcing password complexity, managing break-glass accounts, and governing access to internal apps. But NHIs break this model completely.

Here’s why:

• IAM and PAM are designed for human identities, often tied to individuals and protected with MFA. NHIs, on the other hand, are decentralized — created and managed by developers across teams, often outside of any central IT or security oversight. Many organizations today are running multiple vaults, with no unified inventory or policy enforcement.
• Secrets Managers help you store secrets — but they won’t help you when secrets are leaked across your infrastructure, codebases, CI/CD pipelines, or even public platforms like GitHub or Postman. They’re not designed to detect, remediate, or investigate exposure.
• CSPM tools focus on the cloud, but secrets are everywhere. They’re in source control management systems, messaging platforms, developer laptops, and unmanaged scripts. When secrets leak, it’s not just a hygiene issue — it’s a security incident.
• NHIs don’t follow traditional identity lifecycles. There’s often no onboarding, no offboarding, no clear owner, and no expiration. They linger in your systems, under the radar, until something goes wrong.

Security teams are left chasing shadows, manually trying to piece together where a secret came from, what it accesses, and whether it’s even still in use. This reactive approach doesn’t scale, and it leaves your organization dangerously exposed.

This is where GitGuardian NHI Governance comes into play.

GitGuardian NHI Governance: Mapping the Machine Identity Maze

GitGuardian has taken its deep expertise in secrets detection and remediation and turned it into something much more powerful: a complete governance layer for machine identities and their credentials.

Here’s what makes it stand out:

A Map for the Mess

Think of it as an end-to-end visual graph of your entire secrets landscape. The map connects the dots between:

• Where secrets are stored (e.g., HashiCorp Vault, AWS Secrets Manager)
• Which services consume them
• What systems do they access
• Who owns them
• Whether they’ve been leaked internally or used in public code

Full Lifecycle Control

NHI Governance goes beyond visibility. It enables true lifecycle management of secrets — tracking their creation, usage, rotation, and revocation.

Security teams can:

• Set automated rotation policies
• Decommission unused/orphaned credentials
• Detect secrets that haven’t been accessed in months (aka zombie credentials)

Security and Compliance, Built In

The platform also includes a policy engine that helps teams enforce consistent controls across all vaults and benchmark themselves against standards like OWASP Top 10.

You can track:

• Vault coverage across teams and environments
• Secrets hygiene metrics (age, usage, rotation frequency)
• Overprivileged NHIs
• Compliance posture drifts over time

AI Agents: The New Wild West

A big driver of this risk is RAG (Retrieval-Augmented Generation), where AI answers questions using your internal data. It’s useful, but if secrets are hiding in that data, they can be surfaced by mistake.

AI agents are being plugged into everything — Slack, Jira, Confluence, internal docs — to unlock productivity. But with each new connection, the risk of secret sprawl grows.

Secrets aren’t just leaking from code anymore. They show up in docs, tickets, messages, and when AI agents access those systems, they can accidentally expose credentials in responses or logs.

What can go wrong?

• Secrets stored in Jira, Notion, Slack, etc, are getting leaked
• AI logs capturing sensitive inputs and outputs
• Devs and third-party vendors storing unsanitized logs
• Access control breakdowns across systems

One of the most forward-looking aspects of the GitGuardian platform is that it can help fix AI-driven secret sprawl:

• Scans all connected sources — including messaging platforms, tickets, wikis, and internal apps — to detect secrets that might be exposed to AI
• Shows you where AI agents are accessing data, and flags unsafe paths that could lead to leaks
• Cleans up logs, removing secrets before they get stored or passed around in ways that put the organization at risk

AI is moving fast. But secrets are leaking faster.

The Bottom Line: You Can’t Defend What You Don’t Govern

With NHI Governance, GitGuardian is offering a blueprint for organizations to bring order to chaos and control to an identity layer that’s long been left in the dark.

Whether you’re trying to:

• Map out your secrets ecosystem
• Minimize attack surface
• Enforce zero trust principles across machines
• Or just sleep better at night

The GitGuardian platform might just be your new best friend.

Because in a world where identities are the perimeter, ignoring non-human identities is no longer an option.

Want to see NHI Governance in action?

Request a Demo or check out the full product overview at GitGuardian.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.