The Need for Stronger Non-Human Identity Governance in DevOps and DevSecOps
March 25, 2025

Dwayne McDaniel
GitGuardian

According to CyberArk research, Non-Human Identities (NHIs) outnumbered human identities by at least 45-to-1 in 2022. This ratio has likely increased in 2025, driven by agentic AI and vibe coding accelerating system deployment.

At the core of every NHI is an authentication credential, aka a secret. GitGuardian's 2025 State of Secrets Sprawl Report reveals concerning trends in secrets exposure, indicating current management approaches are insufficient to address NHI-related risks.

The report found 23.77 million new secrets exposed on GitHub in 2024 — a 25% increase year-over-year. This surge correlates directly with the growing complexity and volume of authenticating NHIs.

Automated Secret Rotation and Lifecycle Management

70% of valid secrets first detected in public repositories in 2022 remain active as of January 2025. This indicates not a detection problem but a rotation problem. The first step toward automating secrets rotation is the adoption of secret management platforms, commonly referred to as vaults.

But even organizations using vault solutions experience significant leaks, with 5.1% of studied repositories containing at least one secret in 2024. Simply storing a secret in a vault once isn't sufficient. We need to adopt better governance models that ensure secrets stored in vaults are being managed and rotated.

Related to rotation is offboarding. Many organizations focus on human onboarding while neglecting NHI offboarding processes. Automated secret rotation and NHI decommissioning should be standard security practices. Governance frameworks must require continuous NHI monitoring to ensure the prompt removal of inactive or unnecessary identities.

Generic Secrets and Homegrown NHIs

GitGuardian found that 58% of detected secrets were classified as generic — from username/password pairs to database connection strings to custom API keys. Specific secrets, by contrast, belong to known providers and follow predictable patterns that many security tools can detect.

Organizations building homegrown NHIs (internal APIs, microservices, automation tools) face significant governance challenges. These systems often use proprietary authentication mechanisms whose secrets don't match known detection patterns, creating an unmanaged layer of vulnerable credentials. Attackers who obtain these secrets can exploit NHIs to move laterally across systems.

Effective NHI governance requires context-aware tools to discover and account for generic secrets. Machine learning tools that analyze entire codebases can identify NHI secrets regardless of structure.
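As an added illustration (not GitGuardian's tooling and not code from the article), the Python sketch below contrasts the two detection approaches described above: fixed patterns for provider-issued specific secrets, and variable-name context plus an entropy filter for generic ones such as custom API keys and passwords embedded in connection strings. The GitHub and AWS prefixes are the publicly documented formats; the keyword list, entropy threshold, placeholder list and sample input are assumptions made for this example.

```python
import math
import re
from collections import Counter

# Specific secrets carry a provider-issued shape. The prefixes below are the
# publicly documented ones for these providers.
SPECIFIC_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Generic secrets have no such shape, so use context instead: a credential-
# like variable name assigned a string literal, or a password embedded in a
# connection string, filtered by entropy to drop obvious placeholders.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api_?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
CONNECTION_STRING = re.compile(r"\b\w+://[^:/\s]+:([^@\s]+)@[^\s'\"]+")
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}

def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking strings score higher than words."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())

def find_secrets(text: str, min_entropy: float = 3.0) -> list:
    """Return (kind, line_number, value) for each specific or generic secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # values already reported as specific secrets on this line
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((kind, lineno, m.group(0)))
                seen.add(m.group(0))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value in seen or value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                continue
            findings.append(("generic_" + m.group(1).lower(), lineno, value))
        for m in CONNECTION_STRING.finditer(line):
            if m.group(1).lower() not in PLACEHOLDERS:
                findings.append(("generic_connection_string", lineno, m.group(1)))
    return findings

# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
DB_PASSWORD = "changeme"
INTERNAL_API_KEY = "k9Qz2vLx8pR4tW7yB1nM5cJ3"
DATABASE_URL = "postgres://app:S3cr3t-Pa55w0rd@db.internal:5432/prod"
"""
```

Running `find_secrets` over the content of staged files is also how the Git-hook approach mentioned later in the article would stop such values before they reach commit history.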

AI Assistants as Breach Pathways

Repositories using AI-powered tools like GitHub Copilot had 40% more secrets leak incidents than repositories not using Copilot. An increasing reliance on AI-assisted development and low-code/no-code platforms introduces new challenges for NHI governance, as these tools can unintentionally generate or expose credentials. This trend also raises concerns about NHIs in cloud-based collaboration platforms, where secrets are shared between automated systems and human users.

From an NHI governance perspective, this highlights the need for real-time monitoring of non-traditional secret exposure channels as well as policy enforcement mechanisms that prevent NHIs from interacting with unsecured collaboration tools and platforms. Ideally, developer tooling that prevents these secrets from ever entering the commit history via Git hooks or code editing extensions should be adopted.

Excessive Permissions Enable NHI Exploitation

The GitGuardian report found that excessive permissions make secret leaks significantly more dangerous. Analysis of GitHub and GitLab API tokens revealed that 99% of GitLab API keys had excessive permissions, and 58% had full access. At the same time, 96% of GitHub tokens had write access, with 95% allowing full repository access.

This indicates organizations lack granular control over NHI permissions and systematic mechanisms to audit and restrict excessive permissions. NHI governance must include automated permission analysis, ensuring each NHI secret follows least-privilege and zero-trust principles.
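An added example, not from the article or GitGuardian, that ties the permission analysis described here to the rotation and offboarding checks from the lifecycle section: an inventory audit that flags scopes beyond the declared need, full-access tokens, overdue rotation, missing expiry, and idle identities that should be decommissioned. GitLab's "api" and GitHub's classic "repo" are real full-access scopes; the NHI record layout, thresholds, and the inventory itself are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# GitLab's "api" scope and GitHub's classic "repo" scope are the real
# full-access scopes; the thresholds used below are assumptions for this example.
FULL_ACCESS = {"gitlab": {"api"}, "github": {"repo"}}

@dataclass
class NHI:
    name: str
    platform: str              # "github" or "gitlab"
    granted: set               # scopes the token actually carries
    needed: set                # scopes the owning workload declares it needs
    created: date
    last_used: Optional[date]  # None if the platform never saw it used
    expires: Optional[date] = None

def audit(nhi: NHI, today: date, max_age_days: int = 90, idle_days: int = 30) -> list:
    """Return the governance findings for one non-human identity."""
    findings = []
    excessive = nhi.granted - nhi.needed
    if excessive:  # anything beyond the declared need violates least privilege
        findings.append("excessive-scopes:" + ",".join(sorted(excessive)))
    if nhi.granted & FULL_ACCESS.get(nhi.platform, set()):
        findings.append("full-access")
    if (today - nhi.created).days > max_age_days:  # rotation interval exceeded
        findings.append("rotate-overdue")
    if nhi.expires is None:  # a token that never expires needs manual offboarding
        findings.append("no-expiry")
    if nhi.last_used is None or (today - nhi.last_used).days > idle_days:
        findings.append("decommission-candidate")
    return findings

def audit_inventory(inventory: list, today: date) -> dict:
    """Map each NHI name to its findings; clean identities are omitted."""
    return {n.name: f for n in inventory if (f := audit(n, today))}

# Constructed inventory; names and dates are made up for illustration.
TODAY = date(2025, 3, 25)
INVENTORY = [
    NHI("ci-deploy-bot", "gitlab", {"api"}, {"read_repository"},
        date(2024, 6, 1), date(2025, 3, 20)),
    NHI("legacy-importer", "github", {"public_repo"}, {"public_repo"},
        date(2025, 1, 10), None, date(2025, 7, 1)),
    NHI("docs-sync", "github", {"public_repo"}, {"public_repo"},
        date(2025, 2, 1), date(2025, 3, 24), date(2025, 5, 1)),
]
```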

The Future of NHI Governance

The report paints a stark picture of how poor NHI governance is fueling security risks in DevOps. The exponential growth of secrets exposure, excessive permissions, collaboration tool vulnerabilities, and AI-assisted coding risks all point to a singular problem: the current approach to managing NHIs is reactive, fragmented, and incomplete.

To build a secure DevOps ecosystem, organizations must move beyond traditional secrets management and embrace end-to-end NHI governance. This includes:

■ Mapping NHI interdependencies to understand how machine identities interact.

■ Enforcing least privilege policies in an automatable way to eliminate excessive permissions.

■ Integrating security tooling that prevents secrets leakage, especially from AI-generated code.

■ Implementing automated secret rotation and NHI decommissioning.

The future of DevSecOps depends on a proactive, automated, and structured approach to NHI security. The report findings serve as a wake-up call: it’s time to redefine NHI governance as a first-class security priority.

Dwayne McDaniel is a Senior Developer Advocate at GitGuardian