From Secrets Sprawl to Secretless: Snowflake's Journey through NHI Lifecycle Management

Security shouldn’t just protect—it should enable.

This philosophy echoed powerfully at GitGuardian SecDays Virtual 2025, where Cameron Tekiyeh, Head of Global Security Analytics at Snowflake, led a candid, data-driven session on the future of Non-Human Identity (NHI) management.

The statistics set the stage: 70% of secrets leaked in 2022 remain valid today. Meanwhile, NHIs like service accounts, automation tools and, increasingly, AI agents are growing exponentially and now outnumber human users. In this new landscape, traditional identity and secrets management strategies are outdated, and relying on them alone could be actively dangerous.

Why NHI Management is More Critical Than Ever

Cameron painted a stark picture of scale:

Multiply NHIs by your SaaS app count—300 to 400 in many enterprise environments—and you're staring at a mountain of unmanaged risk.

And the problem isn't just scale. NHIs are:

  • Highly distributed
  • Long-lived and overprivileged
  • Hidden across code, tools, and platforms
  • Rapidly exposed by AI-assisted development

This creates a perfect storm, where visibility gaps, manual rotation, and ad hoc governance leave organizations vulnerable.

The Vault Sprawl Problem

Cameron talked about a concept that resonated throughout the session: "vault sprawl." Organizations attempting to solve secrets management through multiple vaults often find themselves "treating the symptoms and not the root cause." Even with vaults in place, secrets can still exist in Slack, Jira, Confluence, and countless other collaboration tools, failing to reduce actual risk exposure.

The Shift That Changed Everything

Snowflake's security team didn’t just analyze the problem—they lived it. They started by applying lessons from their human identity strategy (using MFA and FIDO), and then had to reimagine that success for NHI. The key was to treat security as a business enabler, not a blocker.

Their strategy was to use a combination of GitGuardian for detection and Aembit for prevention:

  • GitGuardian gave them visibility into thousands of secrets—50% of which are already remediated today—and was adopted by over 1,800 developers across Snowflake. 1 in 3 developers now use GitGuardian pre-commit to shift security left.
  • Aembit, described by Cameron as “Okta for NHIs”, lets them eliminate static credentials for high-value service accounts, starting with their internal Snowflake implementation (Snowhouse) that serves as a security data lake. DevOps teams gained back 10 hours a day previously spent rotating and managing secrets.

From Internal Success to Organization-Wide Impact

One of the most compelling takeaways was Snowflake’s “Customer Zero” approach: Start with internal teams, test and validate new tools, then scale out as a peer, not a policymaker.

We're not trying to sell you on a solution... we’re just practitioners who solved a problem and want to make your life easier.

This approach helped security win over other stakeholders—IT, compliance, and engineering—by proving value before asking for adoption.

What Didn't Work (And Why)

Before finding their solution, Snowflake explored several paths that didn’t scale:

  • Secrets Managers: Still required rotations. Still left secrets in chat tools. Only masked symptoms.
  • Cloud-Native Tools: Too fragmented for their multi-cloud + SaaS-heavy environment.
  • Governance-Only Tools: Useful, but not enough on their own.

Instead, they needed an orchestrated solution that prevented leaks, removed static secrets, and provided real-time observability.

Lessons Security Leaders Can Act On

Cameron shared several key lessons that other organizations can apply:

  1. You Own the Risk, Not the Tools
    Security rarely owns engineering infrastructure, but it must influence it. Becoming "customer zero" gives you leverage.
  2. Enable the Business, Don’t Just Secure
    The most successful security initiatives make people's jobs easier. Productivity and protection aren’t trade-offs. They’re design requirements.
  3. Start Where You Can Win
    By tackling security team tooling first, Snowflake built credibility to expand adoption.
  4. Don’t Just Scan—Shift Left and Remove
    Scanning for secrets is table stakes. Prevention at the source and removal through secretless architectures are the real endgame.
  5. Track and Quantify Value
    Whether it’s developer time saved, compliance lift reduced, or incidents avoided, make sure you can prove your success.
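To make lesson 4 concrete, here is a small pre-commit secret scanner that only inspects lines a developer is about to add. It is an added illustration, not GitGuardian's detector or any Snowflake code: the AWS access key ID shape (AKIA plus 16 characters) is a public format, the other two detectors are generic heuristics, the entropy threshold of 3.5 bits per character is an assumption tuned to the constructed sample, and the diff below is constructed for the example.

```python
"""Illustrative pre-commit secret scanner (added example, not GitGuardian's detector)."""
import math
import re
import sys
from collections import Counter
from typing import Dict, List

# Regex detectors. The AWS access key ID format is public; the other two
# are generic heuristics chosen for this example.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # VAR_NAME containing a secret-ish word, assigned a 12+ char value.
    "assigned_secret": re.compile(
        r"(?i)\b[A-Z0-9_]*(api[_-]?key|secret|token|password|passwd)\b"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})['\"]?"
    ),
}

ENTROPY_THRESHOLD = 3.5  # bits/char; assumption, tuned to the sample below


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str, lineno: int, path: str = "<stdin>") -> List[dict]:
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            if name == "assigned_secret":
                value = m.group(2)
                # Secret-like variable name: only flag high-entropy values so
                # obvious placeholders such as "changeme_changeme" stay quiet.
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            else:
                value = m.group(0)
            findings.append({"detector": name, "path": path, "line": lineno, "value": value})
    return findings


def scan_text(text: str, path: str = "<stdin>") -> List[dict]:
    out = []
    for i, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(line, i, path))
    return out


def scan_staged_diff(diff: str) -> List[dict]:
    """Scan only the added ('+') lines of a unified diff, tracking file and line."""
    findings = []
    path, lineno = "<unknown>", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # new-file start line of the hunk
            lineno = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            lineno += 1
            findings.extend(scan_line(raw[1:], lineno, path))
        elif not raw.startswith("-"):
            lineno += 1  # context line advances the new-file line counter
    return findings


# Constructed sample diff; the key ID and token are made-up values.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 DB_HOST = "db.internal"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE1234567AB"
+API_TOKEN = "Zq9xR2vLp7Ks4mNt8wBc"
+DB_PASSWORD = "changeme_changeme"
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    # As a git pre-commit hook: scan the staged diff and block the commit on a hit.
    import subprocess
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=False,
    ).stdout or SAMPLE_DIFF
    hits = scan_staged_diff(diff)
    for h in hits:
        # Never echo the candidate secret itself into the terminal or CI log.
        print(f"{h['path']}:{h['line']}: possible {h['detector']} (value redacted)")
    sys.exit(1 if hits else 0)
```

Run on the constructed diff it reports the key ID on line 11 and the high-entropy token on line 12, while the low-entropy placeholder on line 13 is ignored; wiring it as a pre-commit hook turns detection into prevention at the source, which is the point the lesson makes.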

What’s Next: Stitching Together the Security Fabric

When asked about what's next, Cameron shared their vision:

We have all the right tools. Now it’s about stitching them together.

That means:

  • Conditional Access for NHIs powered by Aembit
  • Threat Detection integrated with GitGuardian telemetry
  • Automated Incident Response workflows tied to identity changes
  • Organization-wide rollout led by DevSecOps champions

Final Word: NHI Security Is a Shared Responsibility

As Apurva Dave from Aembit noted, NHI management presents a unique challenge due to the breadth of stakeholders involved. Cameron confirmed this, explaining that Snowflake doesn't have a single owner of its identity program but rather "a virtual team, a council that consists of different folks from compliance, corporate security, IT, and product security."

Identity programs are no longer isolated. They are federated ecosystems.

Snowflake’s journey shows that with the right tools, clear strategy, and internal advocacy, modern identity security can be smooth, scalable, and empowering.

The future of identity isn’t just about managing more identities—it’s about managing them better.

Want to Make the Shift?

Explore GitGuardian and Aembit’s solutions to take the next step in your journey toward secure, scalable machine identity management.

Here’s the video if you’d like to watch.