Machine identities now outnumber human users by as much as 100 to 1. From API tokens to service accounts to AI agents, organizations are overwhelmed by a growing ecosystem of non-human identities (NHIs) that are poorly managed, often invisible, and dangerously overprivileged.
At GitGuardian SecDays Virtual 2025, leaders from Akeyless, Aembit, GitGuardian, the NHI Management Group, and Vermeer gathered for a candid roundtable on what’s fast becoming one of the biggest blind spots in enterprise security, and what to do about it.
The Scale Problem: More Identities Than You Can Count
The numbers shared were sobering. Eric Fourrier (GitGuardian) kicked things off with a powerful reality check:
“We looked at all the secrets leaked in 2022 and checked if they were still valid. 70% of them still are.”
That means credentials that are often long-lived, static, and over-permissioned are sitting exposed, sometimes for years, waiting to be exploited.
Oded Hareven (Akeyless) highlighted the multiplying effect of the AI boom:
“Post-DevOps and microservices, every company is now experimenting with AI agents. But to make them useful, you have to give them access—lots of access.”
And with access comes risk. These agents are handed secrets to databases, internal systems, and SaaS platforms, and every one of those grants expands the attack surface.
The Visibility Trap (and the Real Bottleneck)
Everyone agrees visibility is essential. But David Goldschlag (Aembit) argued that the bigger issue is volume:
“It’s not just about finding everything. It’s about knowing where to start. Once you see the full scope, it can feel paralyzing.”
The answer isn’t just more dashboards—it’s prioritization and automation.
Static Secrets Are Security Debt
One of the roundtable’s core themes: static secrets are the enemy.
Even when secrets are vaulted, copies often linger in code, Slack threads, or Jira tickets, where the vault's controls do not reach. Panelists shared war stories about shared production credentials, legacy app passwords no one dares rotate, and secrets so deeply embedded in critical workflows that cleaning them up seems impossible.
Lalit Choda (NHI Management Group) called it what it is:
“Security debt with interest that compounds daily.”
The future is ephemeral credentials issued just in time and expiring on their own, with access governed by policy rather than by a calendar of manual 30- or 90-day rotations.
Why It’s Not Easy to Go Secretless (Yet)
So why aren’t we all secretless already? The panel outlined several blockers:
- Legacy code that can’t be refactored easily
- Educational gaps about what’s even possible
- Fear of breaking things in production
- Siloed responsibility between the dev, platform, and security teams
But there’s hope. Oded noted how GenAI is lowering barriers:
“We now have AI that can help refactor old code automatically. That unlocks secret rotation at scale in places we never thought possible.”
The Multi-Persona Problem
Eric Fourrier captured a subtle but critical challenge: managing NHIs is a multi-persona problem.
“Fixing a leaked secret doesn’t just require the developer. It requires SREs to manage credentials and security, as well as to coordinate and enforce. Most identity solutions weren’t built for that kind of collaboration.”
This is why modern NHI solutions must integrate across workflows, not force new ones.
So What’s Actually Working?
Despite the scope of the challenge, the panel shared practical strategies that are working today:
1. Start With Greenfield
Begin in environments that are already modernized: Kubernetes, containerized services, or new microservices. There, secret injectors and workload identity can hand each service a short-lived, dynamically provisioned credential at runtime instead of a static one baked into its configuration.
2. Focus on Hygiene First
Stale, unused secrets are low-hanging fruit. Many companies find that 60–70% of their tokens are still active but unused. Clean these up to reduce risk immediately.
3. Build Trust Through Use Cases
Security and DevOps need to partner. Choose high-value use cases with minimal blast radius to build trust and prove value.
4. Embrace AI for Good
Yes, AI agents introduce risk, but they’re also the key to automating remediation. From generating secure pull requests to triggering rotation workflows, AI can help scale security response in a way humans alone can’t.
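Item 2 in practice, as an added example (not code from the roundtable or from any of the vendors named): a script that reads a credential inventory and flags access keys that are active but have never been used, have not been used for longer than a stale threshold, or are older than the maximum key age. The column names follow the AWS IAM credential report (the CSV that `aws iam get-credential-report` returns), but the rows below are constructed, not taken from a real account, and the 30/90/365-day thresholds are assumptions. The parser reads only the columns it names, so it runs unchanged on a full report.

```python
"""Flag active-but-unused and over-aged access keys in a credential inventory.

Added example; not from the roundtable or any vendor. Column names follow the
AWS IAM credential report, the sample rows are constructed, and the thresholds
are assumptions a team would tune to its own policy.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in credential-report layout (account id is the AWS
# documentation placeholder). A real report has more columns; they are ignored.
SAMPLE_REPORT = """\
user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_service
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2022-01-10T00:00:00+00:00,true,2022-01-10T00:00:00+00:00,2025-05-30T08:00:00+00:00,sts,false,N/A,N/A,N/A
legacy-reporting,arn:aws:iam::123456789012:user/legacy-reporting,2021-06-01T00:00:00+00:00,true,2021-06-01T00:00:00+00:00,2023-02-14T09:12:00+00:00,s3,false,N/A,N/A,N/A
data-pipeline,arn:aws:iam::123456789012:user/data-pipeline,2025-03-01T00:00:00+00:00,true,2025-03-01T00:00:00+00:00,N/A,N/A,false,N/A,N/A,N/A
new-service,arn:aws:iam::123456789012:user/new-service,2025-05-20T00:00:00+00:00,true,2025-05-20T00:00:00+00:00,N/A,N/A,false,N/A,N/A,N/A
ops-admin,arn:aws:iam::123456789012:user/ops-admin,2025-04-01T00:00:00+00:00,true,2025-04-01T00:00:00+00:00,2025-05-31T22:10:00+00:00,ec2,false,N/A,N/A,N/A
"""

# Fixed "now" so the sample audit is reproducible; drop it for a live report.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """The report marks missing timestamps with N/A / no_information."""
    if value in (None, "", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _age_days(ts, now):
    return (now - ts).days


def audit_credential_report(report_csv, now=None, stale_days=90,
                            grace_days=30, max_age_days=365):
    """Return one finding per active key that is never used (and older than
    the grace period), stale (unused for more than stale_days), or overdue
    for rotation (older than max_age_days). Inactive slots are skipped."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if (row.get(f"{slot}_active") or "false").lower() != "true":
                continue  # nothing to revoke in an inactive or absent slot
            rotated = _parse_ts(row.get(f"{slot}_last_rotated"))
            last_used = _parse_ts(row.get(f"{slot}_last_used_date"))
            reasons = []
            if last_used is None:
                # Never used: only a finding once the key has outlived a
                # grace period, so freshly provisioned keys are not flagged.
                if rotated is not None and _age_days(rotated, now) > grace_days:
                    reasons.append("never_used")
            elif _age_days(last_used, now) > stale_days:
                reasons.append("stale")
            if rotated is not None and _age_days(rotated, now) > max_age_days:
                reasons.append("rotation_overdue")
            if reasons:
                findings.append({
                    "user": row["user"],
                    "key": slot,
                    "reasons": reasons,
                    "key_age_days": _age_days(rotated, now) if rotated else None,
                    "last_used_days": _age_days(last_used, now) if last_used else None,
                })
    return findings


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT, now=NOW):
        print(f"{f['user']:18} {f['key']}  {','.join(f['reasons']):24}"
              f" age={f['key_age_days']}d last_used={f['last_used_days']}d")
```

The never-used case gets a grace period so a key provisioned last week is not mistaken for debt, and a key that is in daily use can still be flagged when it is years old; those are the two classes the 60–70% figure above usually hides. The same three checks apply to any inventory that records activation, creation and last-use times, whether the source is a cloud credential report, a CI platform's token list, or a secrets scanner's validity results.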
Culture Eats Strategy for Breakfast
CJ May (Vermeer) reminded the panel that all the tech in the world means little without buy-in:
“We need people who care about doing things the right way and making it easy to do the right thing.”
Cultural transformation must go hand-in-hand with new tooling. That means shifting how developers think about identity, sharing lessons learned, and building a learning loop between teams.
As Eric put it:
“If you don’t convince developers not to put secrets in code or Slack, you’re already lost. They outnumber security engineers 100 to 1.”
Looking Ahead: The Secretless Future
While no one claimed the problem was fully solved, there was optimism.
Oded summed it up:
“There is a world where static secrets don’t exist. With OIDC, short-lived tokens, and advanced authentication, we can get there.”
David added:
“Don’t wait for the perfect moment. Start small, start early. There’s already technology that works, and the longer you wait, the harder it becomes.”
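What "no static secrets, with OIDC and short-lived tokens" looks like in code, as an added example that is not from the panel or any vendor on it and that also illustrates the injector and dynamic-credential pattern from "Start With Greenfield" above. A workload presents a short-lived identity token (the shape a Kubernetes projected service-account token or an OIDC ID token has) and a broker exchanges it, under policy, for a scoped credential that expires on its own. Assumptions, all constructed for the demo: the issuer signs with HS256 and a key the broker shares (a real issuer uses RS256/ES256 and publishes a JWKS; the claim checks are the same), the issuer URL, audience and service-account names are made up, and the resource that consumes the credential is an in-memory table.

```python
"""Secretless pattern: identity token in, just-in-time scoped credential out.

Added example, not code from the roundtable or any vendor on the panel.
Assumptions: HS256 with a shared issuer key stands in for RS256 + JWKS;
issuer, audience and subject strings are constructed; the protected
resource is a dict rather than a database.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://kubernetes.default.svc"  # assumed issuer claim
BROKER_AUDIENCE = "credential-broker"      # assumed audience claim
ALG = "HS256"                              # pinned; never taken from the token


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_identity_token(issuer_key, sub, aud, ttl, now=None):
    """What the platform hands the workload: a compact JWT bound to one
    audience and expiring after ttl seconds. The platform rotates it, so the
    workload never stores a long-lived secret of its own."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": ALG, "typ": "JWT"}, separators=(",", ":"))
    claims = json.dumps({"iss": ISSUER, "sub": sub, "aud": aud,
                         "iat": now, "exp": now + ttl}, separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(claims.encode())
    sig = hmac.new(issuer_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class CredentialBroker:
    """Verifies identity tokens and trades them for expiring credentials.

    policy maps a workload identity (the JWT sub) to the role it may assume
    and how long each credential it receives lives."""

    def __init__(self, issuer_key, policy):
        self.issuer_key = issuer_key
        self.policy = policy
        self.issued = {}  # credential -> (sub, role, expires_at)

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        head, body, sig = parts
        # Signature first, against the pinned algorithm and key; only then
        # are the claims parsed, so nothing unauthenticated drives a decision.
        expected = hmac.new(self.issuer_key, f"{head}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("bad signature")
        if json.loads(_b64url_decode(head)).get("alg") != ALG:
            raise ValueError("unexpected alg")
        claims = json.loads(_b64url_decode(body))
        if claims.get("iss") != ISSUER:
            raise ValueError("unknown issuer")
        if claims.get("aud") != BROKER_AUDIENCE:
            raise ValueError("token not issued for this broker")
        if now >= int(claims.get("exp", 0)):
            raise ValueError("identity token expired")
        return claims

    def exchange(self, token, now=None):
        """Identity token in, short-lived scoped credential out."""
        now = int(time.time()) if now is None else now
        claims = self.verify(token, now)
        rule = self.policy.get(claims["sub"])
        if rule is None:
            raise PermissionError(f"no policy for {claims['sub']}")
        credential = secrets.token_urlsafe(32)
        expires_at = now + rule["ttl"]
        self.issued[credential] = (claims["sub"], rule["role"], expires_at)
        return {"credential": credential, "role": rule["role"],
                "expires_at": expires_at}

    def authorize(self, credential, now=None):
        """What the protected resource checks on every use. Returns the role
        or None; expiry is built in, so no rotation schedule is needed."""
        now = int(time.time()) if now is None else now
        entry = self.issued.get(credential)
        if entry is None or now >= entry[2]:
            return None
        return entry[1]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    sub = "system:serviceaccount:payments:api"
    broker = CredentialBroker(key, {sub: {"role": "payments_ro", "ttl": 300}})
    token = mint_identity_token(key, sub, BROKER_AUDIENCE, ttl=600)
    cred = broker.exchange(token)
    print("role:", cred["role"], "ttl:", cred["expires_at"] - int(time.time()), "s")
    print("authorized now:", broker.authorize(cred["credential"]))
    print("after expiry:", broker.authorize(cred["credential"], now=cred["expires_at"]))
```

The point to notice is what each party holds: the workload has only a rotating identity token, the broker has the policy and the issuer's verification material, and the resource sees a credential that dies on its own. Nothing in that chain needs a 30- or 90-day rotation job, and a leaked credential is worth at most its TTL. In a production deployment the broker's role is played by a secrets manager or workload-identity broker that verifies against the issuer's JWKS and creates the downstream credential (a database role with a lease, a cloud session token) instead of a table entry.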
Key Takeaways for Security Leaders
- Start Now, Start Small: Don’t aim for perfection. Focus on modern environments and easy wins.
- Partner Across Teams: NHIs touch dev, ops, IT, and security. No one owns it alone.
- Clean Up Your Mess First: Tackle stale credentials and shared secrets. Hygiene builds momentum.
- Embrace AI Thoughtfully: Let AI help automate, enrich, and fix, not just accelerate risk.
- Think Platform, Not Tool: Don’t bolt on NHI management. Embed it into your workflows.
Final Word
The non-human identity crisis isn’t a niche issue. It’s the new normal. But it’s solvable. The tools are here. The frameworks are emerging. What’s needed now is urgency, collaboration, and execution.
As Eric Fourrier closed:
“If we provide automation and holistic visibility into NHIs, we don’t just fix security, we enable a better way to build.”
Let’s get to it.
Watch the full SecDays 2025 Roundtable Replay.