The Need for Stronger Non-Human Identity Governance in DevOps and DevSecOps
March 25, 2025

Dwayne McDaniel
GitGuardian

According to CyberArk research, Non-Human Identities (NHIs) outnumbered human identities by at least 45-to-1 in 2022. This ratio has likely increased in 2025, driven by agentic AI and,vibe coding(link is external) accelerating system deployment.

At the core of every NHI is an authentication credential, aka a secret. GitGuardian's 2025 State of Secrets Sprawl Report reveals concerning trends in secrets exposure, indicating current management approaches are insufficient to address NHI-related risks.

The report found 23.77 million new secrets exposed on GitHub in 2024 — a 25% increase year-over-year. This surge correlates directly with the growing complexity and volume of authenticating NHIs.


Automated Secret Rotation and Lifecycle Management

70% of valid secrets first detected in public repositories in 2022 remain active as of January 2025. This indicates not a detection problem but a rotation problem. The first step toward automating secrets rotation is the adoption of secret management platforms, commonly referred to as vaults.


But even organizations using vault solutions experience significant leaks, with 5.1% of studied repositories containing at least one secret in 2024. Simply storing a secret in a vault once isn't sufficient. We need to adopt better governance models that ensure secrets stored in vaults are being managed and rotated.

Related to rotation is offboarding. Many organizations focus on human onboarding while neglecting NHI offboarding processes. Automated secret rotation and NHI decommissioning should be standard security practices. Governance frameworks must require continuous NHI monitoring to ensure the prompt removal of inactive or unnecessary identities.

Generic Secrets and Homegrown NHIs

GitGuardian found that 58% of detected secrets were classified as generic — from username/password pairs to database connection strings to custom API keys. Specific secrets, by contrast, belong to known providers and follow predictable patterns that many security tools can detect.


Organizations building homegrown NHIs (internal APIs, microservices, automation tools) face significant governance challenges. These systems often use proprietary authentication mechanisms whose secrets don't match known detection patterns, creating an unmanaged layer of vulnerable credentials. Attackers who obtain these secrets can exploit NHIs to move laterally across systems.

Effective NHI governance requires context-aware tools to discover and account for generic secrets. Machine learning tools that analyze entire codebases can identify NHI secrets regardless of structure.

AI Assistants as Breach Pathways

AI-powered tools like GitHub Copilot increased secrets leak incidents by 40% compared to repositories not using Copilot. An increasing reliance on AI-assisted development and low-code/no-code platforms introduces new challenges for NHI governance, as these tools can unintentionally generate or expose credentials. This trend also raises concerns about NHIs in cloud-based collaboration platforms, where secrets are shared between automated systems and human users.

From an NHI governance perspective, this highlights the need for real-time monitoring of non-traditional secret exposure channels as well as policy enforcement mechanisms that prevent NHIs from interacting with unsecured collaboration tools and platforms. Ideally, developer tooling that prevents these secrets from ever entering the commit history via Git hooks or code editing extensions should be adopted.

Excessive Permissions Enable NHI Exploitation

The GitGuardian report found that excessive permissions make secret leaks significantly more dangerous. Analysis of GitHub and GitLab API tokens revealed that 99% of GitLab API keys had excessive permissions, and 58% had full access. At the same time, 96% of GitHub tokens had write access, with 95% allowing full repository access.

This indicates organizations lack granular control over NHI permissions and systematic mechanisms to audit and restrict excessive permissions. NHI governance must include automated permission analysis, ensuring each NHI secret follows least-privilege and zero-trust principles.

The Future of NHI Governance

The report paints a stark picture of how poor NHI governance is fueling security risks in DevOps. The exponential growth of secrets exposure, excessive permissions, collaboration tool vulnerabilities, and AI-assisted coding risks all point to a singular problem: The current approach to managing NHIs is reactive, fragmented, and incomplete.

To build a secure DevOps ecosystem, organizations must move beyond traditional secrets management and embrace end-to-end NHI governance. This includes:

■ Mapping NHI interdependencies to understand how machine identities interact.

■ Enforcing least privilege policies in an automatable way to eliminate excessive permissions.

■ Integrating security tooling that prevents secrets leakage, especially from AI-generated code.

■ Implementing automated secret rotation and NHI decommissioning.

The future of DevSecOps depends on a proactive, automated, and structured approach to NHI security. The report findings serve as a wake-up call: it’s time to redefine NHI governance as a first-class security priority.

Dwayne McDaniel is a Senior Developer Advocate at GitGuardian
Share this

Industry News

May 22, 2025

Red Hat announced enhanced features to manage Red Hat Enterprise Linux.

May 22, 2025

StackHawk has taken on $12 Million in additional funding from Sapphire and Costanoa Ventures to help security teams keep up with the pace of AI-driven development.

May 21, 2025

Red Hat announced jointly-engineered, integrated and supported images for Red Hat Enterprise Linux across Amazon Web Services (AWS), Google Cloud and Microsoft Azure.

May 21, 2025

Komodor announced the integration of the Komodor platform with Internal Developer Portals (IDPs), starting with built-in support for Backstage and Port.

May 21, 2025

Operant AI announced Woodpecker, an open-source, automated red teaming engine, that will make advanced security testing accessible to organizations of all sizes.

May 21, 2025

As part of Summer '25 Edition, Shopify is rolling out new tools and features designed specifically for developers.

May 21, 2025

Lenses.io announced the release of a suite of AI agents that can radically improve developer productivity.

May 20, 2025

Google unveiled a significant wave of advancements designed to supercharge how developers build and scale AI applications – from early-stage experimentation right through to large-scale deployment.

May 20, 2025

Red Hat announced Red Hat Advanced Developer Suite, a new addition to Red Hat OpenShift, the hybrid cloud application platform powered by Kubernetes, designed to improve developer productivity and application security with enhancements to speed the adoption of Red Hat AI technologies.

May 20, 2025

Perforce Software announced Perforce Intelligence, a blueprint to embed AI across its product lines and connect its AI with platforms and tools across the DevOps lifecycle.

May 20, 2025

CloudBees announced CloudBees Unify, a strategic leap forward in how enterprises manage software delivery at scale, shifting from offering standalone DevOps tools to delivering a comprehensive, modular solution for today’s most complex, hybrid software environments.

May 20, 2025

Azul and JetBrains announced a strategic technical collaboration to enhance the runtime performance and scalability of web and server-side Kotlin applications.

May 19, 2025

Docker, Inc.® announced Docker Hardened Images (DHI), a curated catalog of security-hardened, enterprise-grade container images designed to meet today’s toughest software supply chain challenges.

May 19, 2025

GitHub announced that GitHub Copilot now includes an asynchronous coding agent, embedded directly in GitHub and accessible from VS Code—creating a powerful Agentic DevOps loop across coding environments.