The Need for Stronger Non-Human Identity Governance in DevOps and DevSecOps
March 25, 2025

Dwayne McDaniel
GitGuardian

According to CyberArk research, Non-Human Identities (NHIs) outnumbered human identities by at least 45-to-1 in 2022. This ratio has likely increased in 2025, driven by agentic AI and vibe coding accelerating system deployment.

At the core of every NHI is an authentication credential, aka a secret. GitGuardian's 2025 State of Secrets Sprawl Report reveals concerning trends in secrets exposure, indicating current management approaches are insufficient to address NHI-related risks.

The report found 23.77 million new secrets exposed on GitHub in 2024 — a 25% increase year-over-year. This surge correlates directly with the growing complexity and volume of authenticating NHIs.


Automated Secret Rotation and Lifecycle Management

70% of valid secrets first detected in public repositories in 2022 remain active as of January 2025. This indicates not a detection problem but a rotation problem. The first step toward automating secrets rotation is the adoption of secret management platforms, commonly referred to as vaults.


But even organizations using vault solutions experience significant leaks, with 5.1% of studied repositories containing at least one secret in 2024. Simply storing a secret in a vault once isn't sufficient. We need to adopt better governance models that ensure secrets stored in vaults are being managed and rotated.

Related to rotation is offboarding. Many organizations focus on human onboarding while neglecting NHI offboarding processes. Automated secret rotation and NHI decommissioning should be standard security practices. Governance frameworks must require continuous NHI monitoring to ensure the prompt removal of inactive or unnecessary identities.
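As an added example (not from the report or GitGuardian's tooling), the following script shows what the governance check described above looks like in practice: it walks an NHI inventory and sorts each identity into the lifecycle action it needs, either rotation of a secret older than policy or decommissioning of an identity that has gone idle or was never used. The inventory shape, the field names and the 90-day and 60-day thresholds are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed NHI inventory, shaped like an export from a vault or CI system.
# Field names (id, owner, last_used, rotated) are assumptions for this example,
# not any vendor's schema.
SAMPLE_INVENTORY = [
    {"id": "ci-deploy-token", "owner": "platform-team",
     "last_used": "2025-03-20T00:00:00Z", "rotated": "2025-01-15T00:00:00Z"},
    {"id": "legacy-etl-svc", "owner": "data-team",
     "last_used": "2024-02-01T00:00:00Z", "rotated": "2022-06-01T00:00:00Z"},
    {"id": "contractor-bot", "owner": None,
     "last_used": None, "rotated": "2023-03-05T00:00:00Z"},
    {"id": "metrics-exporter", "owner": "sre",
     "last_used": "2025-03-24T00:00:00Z", "rotated": "2024-11-01T00:00:00Z"},
]

# Policy thresholds: illustrative values, not recommendations from the report.
MAX_SECRET_AGE = timedelta(days=90)   # rotate any secret older than this
MAX_IDLE = timedelta(days=60)         # decommission any NHI unused longer than this

# Evaluation date used by the example (the article's publication date).
REPORT_DATE = datetime(2025, 3, 25, tzinfo=timezone.utc)


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp; None stays None (never used / unknown)."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate_inventory(inventory, now, max_age=MAX_SECRET_AGE, max_idle=MAX_IDLE):
    """Classify each NHI into the lifecycle action governance should trigger.

    Returns a dict of lists: 'decommission' (idle or never used), 'rotate'
    (active but secret older than policy) and 'unowned' (no accountable owner).
    Decommissioning takes precedence over rotation: an idle identity is removed,
    not refreshed.
    """
    findings = {"decommission": [], "rotate": [], "unowned": []}
    for nhi in inventory:
        last_used = _parse(nhi.get("last_used"))
        rotated = _parse(nhi["rotated"])
        if nhi.get("owner") is None:
            findings["unowned"].append(nhi["id"])
        if last_used is None or now - last_used > max_idle:
            findings["decommission"].append(nhi["id"])
        elif now - rotated > max_age:
            findings["rotate"].append(nhi["id"])
    return findings


def days_overdue(nhi, now, max_age=MAX_SECRET_AGE):
    """Days past the rotation deadline for this secret (0 if within policy)."""
    overdue = now - _parse(nhi["rotated"]) - max_age
    return max(0, overdue.days)


if __name__ == "__main__":
    for action, ids in evaluate_inventory(SAMPLE_INVENTORY, REPORT_DATE).items():
        print(f"{action:12s} {', '.join(ids) or '-'}")
```

Run on a schedule, a check like this turns "secrets sit in the vault" into "secrets in the vault are demonstrably rotated and identities that stop being used are removed", which is the governance gap the leak statistics point to. The unowned list matters as much as the other two: an identity with no accountable owner is the one nobody will ever decommission.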

Generic Secrets and Homegrown NHIs

GitGuardian found that 58% of detected secrets were classified as generic — from username/password pairs to database connection strings to custom API keys. Specific secrets, by contrast, belong to known providers and follow predictable patterns that many security tools can detect.


Organizations building homegrown NHIs (internal APIs, microservices, automation tools) face significant governance challenges. These systems often use proprietary authentication mechanisms whose secrets don't match known detection patterns, creating an unmanaged layer of vulnerable credentials. Attackers who obtain these secrets can exploit NHIs to move laterally across systems.

Effective NHI governance requires context-aware tools to discover and account for generic secrets. Machine learning tools that analyze entire codebases can identify NHI secrets regardless of structure.

AI Assistants as Breach Pathways

Repositories using AI-powered tools like GitHub Copilot had 40% more secrets leak incidents than repositories not using Copilot. An increasing reliance on AI-assisted development and low-code/no-code platforms introduces new challenges for NHI governance, as these tools can unintentionally generate or expose credentials. This trend also raises concerns about NHIs in cloud-based collaboration platforms, where secrets are shared between automated systems and human users.

From an NHI governance perspective, this highlights the need for real-time monitoring of non-traditional secret exposure channels as well as policy enforcement mechanisms that prevent NHIs from interacting with unsecured collaboration tools and platforms. Ideally, organizations should adopt developer tooling, such as Git hooks or code-editor extensions, that prevents these secrets from ever entering the commit history.
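The two preceding sections make related points: generic secrets (connection strings, username/password pairs, custom API keys) escape pattern-based detectors, and the best place to catch any secret is before it enters the commit history. The example below, added here and not part of the report or of GitGuardian's products, serves both: a small scanner for generic secrets that combines a credential-like keyword with an entropy check, wired up as a pre-commit hook that scans only the added lines of the staged diff. The regular expressions, the entropy threshold and the sample diff are constructed for illustration, and the hook is meant as a demonstration of the technique rather than a replacement for a full detection engine.

```python
import math
import re
import subprocess
import sys

# Heuristics for generic secrets: a credential-like keyword followed by an
# assignment and a high-entropy value, or a connection string embedding a
# password. Patterns and thresholds are assumptions for this example, not
# GitGuardian's detection rules.
KEYWORD_RE = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
)
CONN_STR_RE = re.compile(
    r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^:/\s]+:[^@\s]+@"
)
# Obvious placeholders are not secrets; skipping them keeps the hook usable.
PLACEHOLDER_RE = re.compile(r"(?i)^(?:changeme|example|placeholder|x{3,}|<[^>]+>|\$\{[^}]+\})$")
MIN_ENTROPY = 3.0  # bits per character; random keys sit well above this


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line, min_entropy=MIN_ENTROPY):
    """Return (kind, value) pairs for generic secrets found in one source line."""
    findings = []
    m = CONN_STR_RE.search(line)
    if m:
        findings.append(("connection_string", m.group(0)))
    for m in KEYWORD_RE.finditer(line):
        keyword, value = m.group(1).lower(), m.group(2)
        if PLACEHOLDER_RE.match(value) or shannon_entropy(value) < min_entropy:
            continue
        findings.append(("generic_" + keyword, value))
    return findings


def scan_diff(diff_text):
    """Scan only the added ('+') lines of a unified diff, keeping file and line."""
    findings = []
    current_file, new_lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].split("\t")[0]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_lineno = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            new_lineno += 1
            for kind, value in scan_line(raw[1:]):
                findings.append({"file": current_file, "line": new_lineno,
                                 "kind": kind, "value": value})
        elif raw.startswith(" "):
            new_lineno += 1
        # removed ('-') lines do not advance the new-file line counter
    return findings


# Constructed staged diff: what `git diff --cached` might show for a commit
# that hard-codes a database URL and an internal API key.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@
 DEBUG = False
-DATABASE_URL = os.environ["DATABASE_URL"]
+DATABASE_URL = "postgresql://app:Xk9vQ2pL7mRt3wZn@db.internal:5432/app"
+ADMIN_PASSWORD = "changeme"
+INTERNAL_API_KEY = "a8F3kLm29QpZxV7nRt4wYb1c"
 ALLOWED_HOSTS = ["*"]
"""


def main():
    """Pre-commit entry point: block the commit if staged changes add a secret."""
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                          text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:  # print a redacted prefix only; never echo the full secret
        print(f"{f['file']}:{f['line']}: {f['kind']} ({f['value'][:4]}...)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, a non-zero exit from `main()` stops the commit before the secret reaches history, which is the point of shifting detection this far left: a secret that never lands in a commit never needs the emergency rotation that 70% of exposed secrets evidently never got. On the sample diff the hook flags the connection string and the API key but lets the `changeme` placeholder through, which is the kind of false-positive handling a hook needs if developers are to keep it enabled.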

Excessive Permissions Enable NHI Exploitation

The GitGuardian report found that excessive permissions make secret leaks significantly more dangerous. Analysis of GitHub and GitLab API tokens revealed that 99% of GitLab API keys had excessive permissions, and 58% had full access. At the same time, 96% of GitHub tokens had write access, with 95% allowing full repository access.

This indicates organizations lack granular control over NHI permissions and systematic mechanisms to audit and restrict excessive permissions. NHI governance must include automated permission analysis, ensuring each NHI secret follows least-privilege and zero-trust principles.
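The automated permission analysis called for above can be a simple set comparison, as in this added example (not from the report). Each NHI is assigned a role, each role is mapped to the scopes it actually needs, and every token is audited for scopes beyond that set; tokens carrying full-control scopes are reported separately because those turn any leak into a complete compromise. The scope names are GitHub's classic personal-access-token scopes and GitLab's token scopes; the role-to-scope policy and the token inventory are constructed for illustration.

```python
# Scope vocabularies follow GitHub's classic personal-access-token scopes and
# GitLab's token scopes. The mapping from NHI role to the scopes it actually
# needs is an assumption for this example: in practice it comes from the team
# that owns the integration.
POLICY = {
    "package-reader": {"read:packages"},      # GitHub: pull packages only
    "org-inventory":  {"read:org"},           # GitHub: list org membership
    "repo-mirror":    {"read_repository"},    # GitLab: clone/fetch only
    "registry-pull":  {"read_registry"},      # GitLab: pull images only
}

# Scopes that amount to full control on each platform; their presence is
# reported separately because they turn any leak into a full compromise.
FULL_ACCESS_SCOPES = {
    "github": {"repo", "admin:org", "delete_repo"},
    "gitlab": {"api", "sudo"},
}

# Constructed token inventory, as an audit script might pull it from each
# platform's API.
SAMPLE_TOKENS = [
    {"id": "gh-release-bot", "provider": "github", "role": "package-reader",
     "scopes": ["repo", "read:packages", "write:packages"]},
    {"id": "gh-org-reporter", "provider": "github", "role": "org-inventory",
     "scopes": ["read:org"]},
    {"id": "gl-mirror-sync", "provider": "gitlab", "role": "repo-mirror",
     "scopes": ["api"]},
    {"id": "gl-registry-pull", "provider": "gitlab", "role": "registry-pull",
     "scopes": ["read_registry"]},
]


def audit_token(token, policy=POLICY, full_access=FULL_ACCESS_SCOPES):
    """Compare granted scopes with the role's required scopes, literally.

    Scopes are compared as names, not by implication: a GitLab token holding
    `api` shows `api` as excess and `read_repository` as missing, which reads
    directly as the remediation (swap the broad scope for the narrow one).
    An unknown role has no approved scopes, so everything it holds is excess:
    a token nobody can account for should fail the audit, not pass by default.
    """
    required = policy.get(token["role"], set())
    granted = set(token["scopes"])
    return {
        "id": token["id"],
        "excess": sorted(granted - required),
        "missing": sorted(required - granted),
        "full_access": bool(granted & full_access.get(token["provider"], set())),
        "unknown_role": token["role"] not in policy,
        "compliant": granted <= required and token["role"] in policy,
    }


def audit_inventory(tokens, policy=POLICY, full_access=FULL_ACCESS_SCOPES):
    """Audit every token and summarise with the report's two headline metrics."""
    results = [audit_token(t, policy, full_access) for t in tokens]
    summary = {
        "tokens": len(results),
        "with_excess": sum(1 for r in results if r["excess"]),
        "full_access": sum(1 for r in results if r["full_access"]),
    }
    return results, summary


if __name__ == "__main__":
    results, summary = audit_inventory(SAMPLE_TOKENS)
    for r in results:
        status = "ok" if r["compliant"] else "EXCESS " + ",".join(r["excess"])
        flag = "  [full access]" if r["full_access"] else ""
        print(f"{r['id']:18s} {status}{flag}")
    print(summary)
```

The summary counts are the same two numbers the report quotes (share of tokens with excessive permissions, share with full access), so running this against a real inventory gives an organization its own version of the 99% and 96% figures and a concrete list of which tokens to reissue with narrower scopes.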

The Future of NHI Governance

The report paints a stark picture of how poor NHI governance is fueling security risks in DevOps. The exponential growth of secrets exposure, excessive permissions, collaboration tool vulnerabilities, and AI-assisted coding risks all point to a singular problem: The current approach to managing NHIs is reactive, fragmented, and incomplete.

To build a secure DevOps ecosystem, organizations must move beyond traditional secrets management and embrace end-to-end NHI governance. This includes:

■ Mapping NHI interdependencies to understand how machine identities interact.

■ Enforcing least privilege policies in an automatable way to eliminate excessive permissions.

■ Integrating security tooling that prevents secrets leakage, especially from AI-generated code.

■ Implementing automated secret rotation and NHI decommissioning.

The future of DevSecOps depends on a proactive, automated, and structured approach to NHI security. The report findings serve as a wake-up call: it’s time to redefine NHI governance as a first-class security priority.

Dwayne McDaniel is a Senior Developer Advocate at GitGuardian