Addressing the broader issue: As AI-assisted coding expands, security leaders must rethink how they manage risk. That means looking beyond repositories and securing the full software development lifecycle (SDLC), including collaboration tools where credentials often show up.

“We focus on both, but the risk profile is very different; what’s identified in Jira or Slack is far different from what you’ll find in your code repository,” says David MacKinnon, chief security officer at N-able. “A mature SDLC, which includes things like effective credential vaulting, separation of duties, source code scanning, separated dev, stage/production environments, and more, helps to minimize the business risk.”

At WithSecure, Bejerasco says secrets and agent access are kept “as transient as possible” to reduce risk. There is also a Lifecycle Security Policy in place that mandates code reviews. “This policy is effectively the security ‘bible’ for developers,” she says. “It covers privacy impact assessments, threat modeling, security testing, and code review.”

R Systems’ Gupta agrees, advising organizations to rotate credentials, revoke exposed versions, audit for unauthorized use during any exposure window, and purge secrets from history wherever feasible. “For the long tail (legacy service accounts, third-party integrations, embedded vendor credentials), rotation is still a coordinated manual exercise, and we’re steadily moving more of it into automation,” he says.

A key step in fixing the issue is knowing it exists. “If an organization is not aware of how many secrets they’re exposing in their code base, or the level of access those secrets hold, they have a tremendous amount of business risk that they’re unaware of,” says N-able CSO MacKinnon.

He advises CISOs to raise awareness around the scale of the problem. He also suggests stronger developer training, better tools to detect and manage risks, and solutions that enable both human and AI-driven development to operate securely.
Just as important, he says, is embedding these practices into everyday workflows so that security becomes part of how code is written, not something added afterward.

His organization scans for secrets when code is committed, blocking any commits that would introduce risk into the products. “The creator of that code, whether it be human or AI, is held to the same level of security maturity,” MacKinnon adds.

Bejerasco agrees. “We need to be deliberate about assigning ownership upfront and continuously validating it, and crack down on anything that falls through the cracks,” she says. “Otherwise, these unmanaged identities and secrets will accumulate faster than we can control them.”
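As an added illustration of the commit-time check described above (not N-able’s tooling and not code from the article): a minimal pre-commit secrets scanner that inspects only the lines a commit adds, matches known credential formats, falls back to an entropy test for random-looking tokens, and honours an allowlist marker for reviewed placeholders. The rule set, threshold, marker name and sample diff are all constructed assumptions.

```python
import math
import re

# Constructed rule set for illustration; real scanners ship far larger pattern libraries.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5  # bits per char; assumed cutoff for random-looking tokens
ALLOWLIST_MARKER = "pragma: allowlist secret"  # assumed opt-out for reviewed placeholders
def shannon_entropy(s: str) -> float:
    """Bits per character: key material scores high, identifiers and prose low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_added_lines(diff: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, excerpt) for each added ('+') line that looks like a secret."""
    findings = []
    for no, raw in enumerate(diff.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):  # skip removals and file header
            continue
        line = raw[1:]
        if ALLOWLIST_MARKER in line:  # reviewer-approved placeholder, e.g. an env-var stub
            continue
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((no, rule, m.group(0)[:12] + "..."))
                break
        else:  # no known format matched: fall back to entropy on long unbroken tokens
            for tok in re.findall(r"[A-Za-z0-9+/=_-]{20,}", line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append((no, "high_entropy", tok[:12] + "..."))
                    break
    return findings
def should_block_commit(diff: str) -> bool:
    """Hook policy: any finding fails the commit, whoever or whatever wrote the code."""
    return bool(scan_added_lines(diff))
# Constructed sample diff; the credential-looking values are made up.
SAMPLE_DIFF = """\
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
+DB_PASSWORD = "replace-me-at-deploy"  # pragma: allowlist secret
+SESSION_SECRET = "hunter2-hunter2-hunter2"
+headers = {"Authorization": "Bearer q7Zt2LmX9pRvB4kN8sW1yH6dJ3cF0gA5"}
+LOG_PREFIX = "orders-service"
-OLD_SETTING = "removed"
"""
```

Run over the sample diff, the scanner flags lines 2, 4 and 5 (known key format, keyword assignment, high-entropy bearer token), skips the allowlisted placeholder and the removed line, and should_block_commit returns True so the hook can reject the change.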
Advice for CISOs: If there is one clear lesson from the rise of AI-driven development, it’s this: The biggest mistake CISOs can make is treating secrets sprawl as a scanning problem. “It is really an ownership and governance problem for machine identities at scale,” McDaniel says.

Gupta goes even further. “A leaked secret is a symptom of an ungoverned non-human identity (NHI) issue,” he says. “Treat it as detection and response, and you’ll chase leaks forever. Treat it as identity governance: inventory every NHI, assign ownership, enforce short-lived credentials, prefer workload identity over static keys, rotate automatically, decommission aggressively, and the problem starts to shrink instead of grow.”

And while public leaks draw attention, most secrets exposure builds up privately, in internal repositories, build systems, and developer workflows, where ownership is unclear and remediation is often deferred.

“Private tends to get mistaken for safe, when it really just means there are fewer eyes on it,” says Gupta. “Inside private repos, people loosen up. Because it feels contained, the guard can get dropped. All it takes is one supply-chain issue or someone walking out the door with unauthorized access.”

The real risk lies in the sheer volume of NHIs being created faster than organizations can track them. “The smartest CISOs right now are pushing their DevOps and dev teams to embrace better ways to handle authorization than long-lived, overprivileged API keys,” he says.

To WithSecure’s Bejerasco, the security issues associated with AI-generated code are urgent. “The appetite for AI adoption from organizational leaders is high right now, and we need to manage that risk even though the capabilities and controls are not fully mature yet,” she says.

Yet, despite the urgency, the industry is still figuring out how to respond. “I don’t think anyone has the right answers yet; we’re all building governance as we go,” Bejerasco says.
As AI agents become more widespread, traditional approaches might not keep up, and organizations might need to use AI to help govern AI, she adds.

MacKinnon believes CISOs should not be alone in this. They should involve CEOs and CTOs in the process and explain to them that “the risk is real and it’s rampant.”

“There’s never a perfect time to address it, but the investment in proactively reducing that risk is far easier and cheaper than learning about it after it’s been used to compromise your company,” MacKinnon says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4171954/ai-coding-is-fueling-a-secrets-sprawl-crisis-few-cisos-are-containing.html