DEVOPSdigest

According to CyberArk research, Non-Human Identities (NHIs) outnumbered human identities by at least 45-to-1 in 2022. This ratio has likely increased in 2025, driven by agentic AI and,vibe coding accelerating system deployment.

At the core of every NHI is an authentication credential, aka a secret. GitGuardian's 2025 State of Secrets Sprawl Report reveals concerning trends in secrets exposure, indicating current management approaches are insufficient to address NHI-related risks.

The report found 23.77 million new secrets exposed on GitHub in 2024 — a 25% increase year-over-year. This surge correlates directly with the growing complexity and volume of authenticating NHIs.

Automated Secret Rotation and Lifecycle Management

70% of valid secrets first detected in public repositories in 2022 remain active as of January 2025. This indicates not a detection problem but a rotation problem. The first step toward automating secrets rotation is the adoption of secret management platforms, commonly referred to as vaults.

But even organizations using vault solutions experience significant leaks, with 5.1% of studied repositories containing at least one secret in 2024. Simply storing a secret in a vault once isn't sufficient. We need to adopt better governance models that ensure secrets stored in vaults are being managed and rotated.

Related to rotation is offboarding. Many organizations focus on human onboarding while neglecting NHI offboarding processes. Automated secret rotation and NHI decommissioning should be standard security practices. Governance frameworks must require continuous NHI monitoring to ensure the prompt removal of inactive or unnecessary identities.

Generic Secrets and Homegrown NHIs

GitGuardian found that 58% of detected secrets were classified as generic — from username/password pairs to database connection strings to custom API keys. Specific secrets, by contrast, belong to known providers and follow predictable patterns that many security tools can detect.

Organizations building homegrown NHIs (internal APIs, microservices, automation tools) face significant governance challenges. These systems often use proprietary authentication mechanisms whose secrets don't match known detection patterns, creating an unmanaged layer of vulnerable credentials. Attackers who obtain these secrets can exploit NHIs to move laterally across systems.

Effective NHI governance requires context-aware tools to discover and account for generic secrets. Machine learning tools that analyze entire codebases can identify NHI secrets regardless of structure.

AI Assistants as Breach Pathways

AI-powered tools like GitHub Copilot increased secrets leak incidents by 40% compared to repositories not using Copilot. An increasing reliance on AI-assisted development and low-code/no-code platforms introduces new challenges for NHI governance, as these tools can unintentionally generate or expose credentials. This trend also raises concerns about NHIs in cloud-based collaboration platforms, where secrets are shared between automated systems and human users.

From an NHI governance perspective, this highlights the need for real-time monitoring of non-traditional secret exposure channels as well as policy enforcement mechanisms that prevent NHIs from interacting with unsecured collaboration tools and platforms. Ideally, developer tooling that prevents these secrets from ever entering the commit history via Git hooks or code editing extensions should be adopted.

Excessive Permissions Enable NHI Exploitation

The GitGuardian report found that excessive permissions make secret leaks significantly more dangerous. Analysis of GitHub and GitLab API tokens revealed that 99% of GitLab API keys had excessive permissions, and 58% had full access. At the same time, 96% of GitHub tokens had write access, with 95% allowing full repository access.

This indicates organizations lack granular control over NHI permissions and systematic mechanisms to audit and restrict excessive permissions. NHI governance must include automated permission analysis, ensuring each NHI secret follows least-privilege and zero-trust principles.

The Future of NHI Governance

The report paints a stark picture of how poor NHI governance is fueling security risks in DevOps. The exponential growth of secrets exposure, excessive permissions, collaboration tool vulnerabilities, and AI-assisted coding risks all point to a singular problem: The current approach to managing NHIs is reactive, fragmented, and incomplete.

To build a secure DevOps ecosystem, organizations must move beyond traditional secrets management and embrace end-to-end NHI governance. This includes:

■ Mapping NHI interdependencies to understand how machine identities interact.

■ Enforcing least privilege policies in an automatable way to eliminate excessive permissions.

■ Integrating security tooling that prevents secrets leakage, especially from AI-generated code.

■ Implementing automated secret rotation and NHI decommissioning.

The future of DevSecOps depends on a proactive, automated, and structured approach to NHI security. The report findings serve as a wake-up call: it’s time to redefine NHI governance as a first-class security priority.