Secrets are leaking everywhere, and bots are to blame

Secrets like API keys, tokens, and credentials are scattered across messaging apps, spreadsheets, CI/CD logs, and even support tickets. According to Entro Security’s NHI & Secrets Risk Report H1 2025, non-human identities (NHIs), including bots, service accounts, and automation tools, are now the fastest-growing source of security risk in enterprise environments.

Non-human identity risk fuels rising secret exposures

Between January and June 2025, Entro saw a 44% year-over-year increase in NHIs. These machine identities now outnumber human ones by 144 to 1, up from 92 to 1 last year.

Each new bot brings more secrets to manage. But many of those secrets are forgotten, over-scoped, or left sitting in risky places. Entro’s telemetry, which spans cloud providers, code repositories, CI/CD tools, and SaaS platforms, paints a clear picture: secrets are everywhere, and most of them aren’t protected.

“Agentic AI and automation are fueling a machine identity explosion, but most of these NHIs are invisible, ungoverned, and overprivileged. You can’t secure what you can’t see, and attackers know it,” said Itzik Alvas, CEO of Entro Security.

It’s not just code anymore

While hardcoded secrets in source code still make up the largest chunk (57 percent) of exposures, nearly half of all leaks now come from elsewhere.

More than a quarter of secrets leaked from CI/CD workflows. Logs from tools like GitHub Actions, Jenkins, and GitLab CI often contain tokens and credentials accidentally output during builds and tests. One major incident involved a compromised GitHub Action that quietly exfiltrated secrets from over 23,000 repositories, including at Coinbase.

Messaging and collaboration tools are also a growing problem. About 14 percent of leaks came from platforms like Slack, Jira, Confluence, and Microsoft Teams. Developers often drop credentials into chats or tickets during troubleshooting, and once shared, those secrets stick around.

One unexpected hotspot is SharePoint. Thanks to automatic OneDrive syncing, local files with embedded secrets often end up stored in the cloud. Spreadsheets are the worst offenders, accounting for over half of all SharePoint-based exposures. CSVs, text files, scripts, and even Word docs also showed up with secrets buried inside.

Long-lived bots, forgotten risks

The report also highlights a lifecycle problem: machine identities and secrets don’t get retired. Nearly half of all active NHIs are over a year old, and 7.5 percent are between five and ten years old. One in every thousand NHIs is more than a decade old.

This growing population of old, unmanaged service accounts illustrates how non-human identity risk becomes harder to track over time. Without regular reviews, these forgotten credentials expand the attack surface quietly and persistently.

Secrets age poorly too: 2.3 percent of active secrets are more than ten years old, likely embedded deep in code or config files and considered too risky or complex to replace.

Even worse, many of these old identities are sitting idle but still have broad permissions. Entro found that 62 percent of AWS NHIs showed no activity in the past 90 days. Nearly 9 percent had access to services they never actually used, a classic sign of overprovisioning. And 5.5 percent of all AWS machine identities had full admin access.

What security teams can do

Entro recommends treating secrets outside of code, like those in spreadsheets or Slack, with the same seriousness as those in source code. This includes expanding secret-scanning to cover office files, logs, and tickets, and limiting retention wherever possible.

For NHIs, organizations should start by auditing old or unused identities, removing unnecessary privileges, and enforcing ownership and expiry. Admin-level NHIs should be locked down, monitored, and used only when absolutely necessary.
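To make those NHI steps concrete, here is an added audit script written for this page (not Entro's code or the report's methodology). It reads a constructed inventory laid out with a subset of the IAM credential report's columns, joins it with a constructed policy-attachment map, and applies the thresholds the article quotes: the over-one-year, five-to-ten-year and over-ten-year age bands, 90 days without activity, and admin-level policy attachment. The policy names, the audit date and the treatment of `N/A` / `no_information` as "never used" are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

AS_OF = datetime(2025, 6, 30, tzinfo=timezone.utc)  # constructed audit date
IDLE_DAYS = 90                                       # the report's "no activity in 90 days" window
DAYS_PER_YEAR = 365.25
ADMIN_POLICIES = {"AdministratorAccess"}             # what this audit counts as "full admin access"

# Constructed inventory using a subset of the IAM credential report's columns. That report
# writes "N/A" and "no_information" for unused fields; parse_ts() treats both as "never".
CREDENTIAL_REPORT = """\
user,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
legacy-backup-bot,2013-02-10T08:00:00+00:00,true,2013-02-10T08:00:00+00:00,2014-01-05T11:00:00+00:00
ci-deployer,2024-11-02T12:00:00+00:00,true,2025-05-01T09:30:00+00:00,2025-06-29T16:45:00+00:00
etl-runner,2019-06-15T00:00:00+00:00,true,2019-06-15T00:00:00+00:00,no_information
reporting-svc,2022-01-20T00:00:00+00:00,false,N/A,N/A
"""
# Constructed policy attachments; in practice these come from IAM's ListAttachedUserPolicies.
ATTACHED_POLICIES = {
    "legacy-backup-bot": ["AdministratorAccess"],
    "ci-deployer": ["AmazonECS_FullAccess"],
    "etl-runner": ["AdministratorAccess"],
    "reporting-svc": ["ReadOnlyAccess"],
}

@dataclass
class NhiFinding:
    name: str
    issues: list
    idle: bool
    admin: bool
    action: str  # "retire", "restrict", "review" or "keep"

def parse_ts(value: str):
    """Aware UTC datetime, or None for N/A, no_information or anything else unparsable."""
    try:
        dt = datetime.fromisoformat(value)
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def years_since(dt) -> float:
    return (AS_OF - dt).days / DAYS_PER_YEAR

def age_bucket(created):
    """The article's age bands for identities: over 1 year, 5-10 years, over 10 years."""
    y = years_since(created)
    for limit, label in ((10, "over 10 years old"), (5, "5-10 years old"), (1, "over 1 year old")):
        if y >= limit:
            return label
    return None

def audit_identity(row: dict, policies: list) -> NhiFinding:
    issues, idle = [], False
    created = parse_ts(row["user_creation_time"])
    bucket = age_bucket(created) if created else None
    if bucket:
        issues.append(f"identity {bucket}")
    if row["access_key_1_active"].lower() == "true":
        last_used = parse_ts(row["access_key_1_last_used_date"])
        if last_used is None:
            issues.append("active key never used")
            idle = True
        elif (AS_OF - last_used).days > IDLE_DAYS:
            issues.append(f"active key idle for {(AS_OF - last_used).days} days")
            idle = True
        rotated = parse_ts(row["access_key_1_last_rotated"])
        if rotated and years_since(rotated) >= 1:
            issues.append(f"key not rotated for {years_since(rotated):.1f} years")
    admin = bool(set(policies) & ADMIN_POLICIES)
    if admin:
        issues.append("admin-level policy attached")
    if idle:
        action = "retire"    # standing access nobody uses: remove it, admin or not
    elif admin:
        action = "restrict"  # in use, but scope down, monitor, and require an owner
    elif issues:
        action = "review"
    else:
        action = "keep"
    return NhiFinding(row["user"], issues, idle, admin, action)

def audit_report(report_csv: str, attachments: dict) -> dict:
    """Audit every row of the report; returns {user name: NhiFinding}."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the real report lists the root user too; it is not an NHI
        results[row["user"]] = audit_identity(row, attachments.get(row["user"], []))
    return results

def summarize(results: dict) -> dict:
    """Headline counts of the kind the report quotes: idle share, admin share, retirements."""
    vals = results.values()
    return {"total": len(results),
            "idle": sum(r.idle for r in vals),
            "admin": sum(r.admin for r in vals),
            "retire": sum(r.action == "retire" for r in vals)}
```

Calling `audit_report(CREDENTIAL_REPORT, ATTACHED_POLICIES)` on the constructed inventory flags the decade-old backup bot and the never-used ETL runner for retirement (both idle with admin policies attached), leaves the actively used deployer alone, and queues the three-year-old read-only service for an ownership review. Ownership and expiry, the other two items in the recommendation, are not derivable from this data; they need a tag or a registry entry per identity that the audit can then check against.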
