The three blind spots I keep finding

After years working in cloud security and identity management, certain patterns show up everywhere I look. Three problems in particular appear in nearly every environment I assess.
- Secrets where they should never be. I still find API keys hardcoded in source files. Still. In 2026. Last year, GitGuardian detected 13 million secrets exposed in public GitHub repositories. Google API keys, MongoDB credentials, AWS access keys, sitting in plaintext for anyone to harvest. But the public repos are not even the biggest problem. In my own assessments, I have found production database passwords in Jira tickets, Slack messages, Confluence runbooks and shared Google Docs. A colleague once discovered an admin token for a payment gateway pasted into a Teams chat from 2023, still valid, still granting full access. Once secrets escape into collaboration tools, you have lost control. They get copied, forwarded, indexed, archived. They never truly disappear.

- Service accounts with absurd privilege levels. This one makes me angry because it is so preventable. A developer needs a service account (in AWS terms, an IAM execution role) for a new Lambda function. They are under deadline pressure. Figuring out the exact minimum permissions takes time, so they attach AdministratorAccess and move on. The function works. Nobody revisits it. That role now has god-mode access to your entire AWS environment for a task that needed read access to one S3 bucket. Multiply this across every team, every sprint, every year. The 2025 State of Non-Human Identities report from Entro Security found 97% of NHIs have excessive privileges. Ninety-seven percent. Even more alarming: just 0.01% of machine identities control 80% of cloud resources. Compromise one of those accounts and the attacker owns your environment.

- No lifecycle ownership whatsoever. When an employee leaves, HR triggers offboarding. Access gets revoked. There is a process. When a service account is no longer needed, what happens? Nothing. It sits there. I routinely find accounts untouched for six months, twelve months, sometimes three years, all still holding production access. Veza’s research found dormant accounts nearly doubled year over year. Orphaned identities grew 40%. Former employees, 78,000 of them in one dataset, still had active credentials because HR systems flagged them as inactive but nobody revoked their service accounts. These are not theoretical vulnerabilities. These are live credentials waiting for someone to find them.
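The first blind spot is detectable the same way GitGuardian finds it in public repos: by scanning text for credential formats. The script below is an added example, not code from the article or from any vendor. It runs the widely documented shape of the three secret types named above (AWS access key IDs, Google API keys, MongoDB connection URIs with an embedded password) over a constructed export of chat, ticket and wiki text, and redacts every hit so the scanner does not re-leak what it finds. The messages and credentials are fabricated and follow the formats only.

```python
"""Scan exported collaboration-tool text for leaked machine credentials.

Added example (not from the article). The regexes are the public formats
of AWS access key IDs, Google API keys and MongoDB URIs with credentials;
the sample export below is constructed, and the secrets in it are fake.
"""
import re
from dataclasses import dataclass

# Only the AWS access key *ID* has a recognisable shape; the paired secret
# access key is 40 arbitrary base64 characters and is found by proximity
# or entropy, which this example deliberately does not attempt.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "mongodb_uri_with_password": re.compile(
        r"mongodb(?:\+srv)?://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}


@dataclass(frozen=True)
class Finding:
    source: str     # where the text came from (channel, ticket, page)
    kind: str       # which pattern matched
    redacted: str   # enough to triage, never the full secret


def redact(secret: str) -> str:
    """Keep the first and last four characters so a finding can be matched
    to a known credential without copying the secret into yet another log."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_text(source: str, text: str) -> list[Finding]:
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(source, kind, redact(match.group(0))))
    return findings


def scan_export(messages: dict[str, str]) -> list[Finding]:
    """messages maps a source label to its text; returns every finding."""
    out = []
    for source, text in messages.items():
        out.extend(scan_text(source, text))
    return out


# Constructed sample export: the kind of content that ends up in Slack,
# Jira and Confluence. All credentials here are fake.
SAMPLE_EXPORT = {
    "slack:#payments 2023-04-11": (
        "can someone test the gateway? use AKIAEXAMPLE000000001 for now, "
        "secret is in the runbook"),
    "jira:PAY-412": (
        "Prod DB: mongodb+srv://appuser:Sup3rS3cret@cluster0.example.net/prod"),
    "confluence:Maps setup": (
        "Geocoding key: AIzaSyEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE00"),
    "slack:#random": "lunch at 12?",
}

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"{f.source:<30} {f.kind:<26} {f.redacted}")
```

Point it at a real Slack, Jira or Confluence export and the hits are the credentials you now have to rotate, not just delete: once a secret has been in a shared tool, assume it has been copied.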
A practical path forward for security leaders

Acknowledging the problem is step one. Fixing it requires treating machine identities with the same governance discipline we finally learned to apply to human users. Based on what I have seen actually work, here is where I would focus.
- Build a real inventory. You cannot protect what you cannot see. Before anything else, discover every non-human identity in your environment: every service account across your cloud platforms, every API key in your applications, every secret in your vaults, config files and CI/CD pipelines, every third-party integration with access to your systems. Most organisations I work with drastically underestimate their footprint. The actual number is typically three to five times what teams expect. This cannot be a manual exercise or an annual audit. Identities are created faster than humans can count them. Automate discovery and make it continuous.

- Enforce least privilege without exceptions. Every NHI needs to be scoped to the minimum access required for its function. Yes, this takes work. Yes, developers will push back. Do it anyway. Start with new deployments and make least privilege the default from day one. For existing accounts, compare assigned permissions against actual usage; the cloud providers already record this (AWS exposes last-accessed data per service and, for some services, per action through IAM Access Advisor; Google Cloud does the same through IAM Recommender). You will find plenty of accounts with broad access that only ever touch one or two resources. Those are quick wins: rewrite the policy to grant only the actions and resources the usage data shows. Require security approval before any NHI gets elevated privileges. Make it a gate, not a suggestion.

- Eliminate static credentials wherever possible. Long-lived secrets are the root cause behind most NHI breaches. The goal should be eliminating them entirely. Replace permanent API keys with short-lived tokens that expire automatically, for example a cloud role assumed through OIDC workload identity federation from a CI runner instead of an access key stored in the pipeline. Implement just-in-time access that grants permissions for a specific task and revokes them immediately after. Where a static secret cannot be avoided, automate its rotation on a defined schedule: weekly, daily, even hourly for sensitive systems. Research shows 71% of non-human identities are not rotated within recommended timeframes. Every day a credential sits unchanged is another day an attacker could be using it without detection.

The security industry is converging on a clear consensus for 2026: machine identities will become the primary breach vector in cloud environments.
Tenable predicts it. Delinea predicts it. One Identity predicts it. Attackers already know that compromising a service account is often easier and quieter than targeting humans. They are not breaking down doors anymore. They are walking through the ones we forgot to lock.

The organisations that get ahead of this threat will be the ones treating their non-human identities with the same seriousness they apply to their executive accounts. Full visibility. Strict governance. No exceptions. The ones who keep treating NHIs as an afterthought will be the ones explaining to their boards how a forgotten service account from a cancelled project brought down the house.

We locked the front door years ago. It has been a long time since we secured the back.

This article is published as part of the Foundry Expert Contributor Network.
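The three steps above (inventory, least privilege, static credentials) come together as one audit pass over the inventory. The script below is an added example, not code from the article or any vendor product. Its records are constructed and loosely modelled on the fields an AWS IAM credential report and Access Advisor give you: the attached policy, the actions actually called, the last activity date and the age of the static key. The 90-day thresholds are assumptions a team would replace with its own rotation policy, and the first record is the over-privileged Lambda role described earlier. It goes one step beyond the text by deriving the scoped replacement policy from observed usage.

```python
"""Audit a non-human identity inventory for the blind spots discussed above.

Added example, not code from the article. Records are constructed; field
names loosely follow an IAM credential report plus Access Advisor data.
"""
from datetime import date

DORMANT_AFTER_DAYS = 90   # assumption: no API activity this long -> dormant
MAX_KEY_AGE_DAYS = 90     # assumption: static key older than this -> rotate


def allow_statements(policy: dict) -> list[dict]:
    """Allow statements with Action/Resource normalised to lists."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        out.append({
            "Action": [actions] if isinstance(actions, str) else list(actions),
            "Resource": [resources] if isinstance(resources, str) else list(resources),
        })
    return out


def is_wildcard_admin(policy: dict) -> bool:
    """True if any Allow statement grants every action on every resource,
    which is the shape of AdministratorAccess."""
    return any("*" in s["Action"] and "*" in s["Resource"]
               for s in allow_statements(policy))


def granted_actions(policy: dict) -> set[str]:
    """Every action string granted by Allow statements (wildcards as written)."""
    return {a for s in allow_statements(policy) for a in s["Action"]}


def least_privilege_policy(used_actions: set[str], resource_arn: str) -> dict:
    """Scoped replacement policy derived from usage: only the actions the
    workload actually called, only on the resource it touched."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(used_actions),
                           "Resource": resource_arn}]}


def audit_identity(nhi: dict, today: date) -> list[str]:
    """Findings for one identity; an empty list means it passed."""
    findings = []
    if is_wildcard_admin(nhi["policy"]):
        findings.append("wildcard admin policy attached")
    else:
        unused = granted_actions(nhi["policy"]) - nhi["used_actions"]
        if unused:
            findings.append("granted but never used: " + ", ".join(sorted(unused)))
    last = nhi["last_used"]
    if last is None or (today - last).days > DORMANT_AFTER_DAYS:
        findings.append(f"dormant: no activity in {DORMANT_AFTER_DAYS} days")
    if (today - nhi["key_created"]).days > MAX_KEY_AGE_DAYS:
        findings.append(f"static key older than {MAX_KEY_AGE_DAYS} days")
    if nhi["owner"] is None:
        findings.append("no owner recorded")
    return findings


def audit(inventory: list[dict], today: date) -> dict[str, list[str]]:
    return {nhi["name"]: audit_identity(nhi, today) for nhi in inventory}


TODAY = date(2026, 2, 1)  # fixed so the example is reproducible

# Constructed inventory. The first record is the Lambda role from the text.
INVENTORY = [
    {"name": "lambda-report-generator", "owner": "data-platform",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
     "used_actions": {"s3:GetObject", "s3:ListBucket"},
     "used_resource": "arn:aws:s3:::reports-bucket",
     "last_used": date(2026, 1, 30), "key_created": date(2024, 6, 3)},
    {"name": "svc-legacy-etl", "owner": None,  # cancelled project, nobody owns it
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Resource": "*",
          "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "dynamodb:*"]}]},
     "used_actions": set(), "used_resource": None,
     "last_used": date(2025, 3, 12), "key_created": date(2023, 1, 9)},
    {"name": "svc-invoice-api", "owner": "billing",  # scoped, recently rotated
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["sqs:SendMessage"],
          "Resource": "arn:aws:sqs:eu-west-1:111122223333:invoices"}]},
     "used_actions": {"sqs:SendMessage"},
     "used_resource": "arn:aws:sqs:eu-west-1:111122223333:invoices",
     "last_used": date(2026, 1, 31), "key_created": date(2026, 1, 15)},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(name, "->", findings or "clean")
    # The quick win for the over-privileged role: a policy derived from usage.
    print(least_privilege_policy(INVENTORY[0]["used_actions"],
                                 INVENTORY[0]["used_resource"]))
```

Run against real data, the inventory would be built from the provider APIs rather than typed in, and the usage set would come from the last-accessed data the providers record; the checks stay the same. Note that the usage-derived policy is only as good as the observation window: a role that is used quarterly needs at least a quarter of data before its unused permissions can be trusted as truly unused.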
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4125156/why-non-human-identities-are-your-biggest-security-blind-spot-in-2026.html

