Start Governing NHIs by Managing Access, Not Credentials
Kelsey Brazill
•
Oct 16, 2025
This is part 3 in our series on non-human identity (NHI) governance. In this post, we focus on one of the most persistent risks in production infrastructure: static credentials and standing privilege.
Static credentials are still at large in most environments, and many enable dangerously over-permissioned and under-governed access to sensitive systems and data: API keys, tokens, and service-account passwords that rarely expire, rotate, or trigger alerts when compromised. Non-human identities often rely on secrets that outlive their purpose. Read on to discover how to replace static credentials with governed, ephemeral access, an essential first step toward stronger NHI security.
We’ve spent the last decade trying to harden the cloud: isolated workloads, segmented networks, and human access gated by SSO, MFA, and granular roles. Yet standing privilege continues to proliferate and lurk in the background. It’s buried in Terraform modules, CI/CD configurations, scripts, and internal documents.
Despite repeated breaches tied to exposed secrets, most organizations still fail to treat them as an access risk. Few have formal offboarding or rotation processes for secrets, and many rely solely on vaults. Let’s get into why vaults can create a false sense of security for organizations.
Vaulting secrets is important. But it’s not governance – and it’s certainly not robust NHI access management. Storing credentials in a secrets manager does protect them from plaintext exposure. But it doesn’t track whether they’re still in use. It doesn’t tie them to a specific owner. It doesn’t expire them, rotate them automatically, or revoke access if the service they belong to gets deprecated. In other words, it does not manage and govern the entire lifecycle.
While vaults have helped teams easily point to where secrets are stored, they have not solved for where those secrets are actually used, or how much access those secrets grant to both human and non-human identities.
As infrastructure scaled, credential sprawl and manual rotations became bottlenecks. Vaults still work in on-prem infrastructure, albeit fragile and slow, but fall short in dynamic cloud environments, leaving persistent entitlements unmanaged and encouraging developers to bypass controls. Secrets have a tendency to drift too. They’re copied between repos, reused across environments, embedded into containers, and passed around in CI/CD pipelines. Even when vaulted, they often remain long-lived, over-permissioned, and entirely unmonitored.
This is where many NHI problems begin: unmanaged privilege that persists through static credentials without any oversight.
Once a static credential is created (an API key, a long-lived token, a service-account password), it tends to stay right where it was dropped. And because it works (the build runs, the deployment succeeds, no errors are triggered), no one wants to touch it for fear of slowing down the business.
It’s time teams adopt a fundamentally different approach. Bring these static credentials into the light so that the access lifecycle of the NHIs that use them can be managed effectively, enforcing ephemeral, least-privileged access for every non-human identity.
As Lalit Choda outlines in his Non-Human Identity Lifecycle framework, ephemeral access is essential for breaking long-lived risk and moving toward accountable, policy-driven NHI practices.
True NHI governance treats every credential as an access-granting entity throughout its lifecycle:
Platforms like P0 Security help enforce these practices consistently and contextually, providing ownership, automated just-in-time (JIT) access, and drift detection through a continuous, identity-first access control engine.
Organizations that want to govern NHIs at scale should consider this approach.
Here is a maturity path for making steady, deliberate changes to how you manage the lifecycles of credentials to help reduce risk and reestablish control over NHIs:
Step 1: Start with an audit
Tools like AWS CloudTrail can get you started here, but something purpose-built for access governance, like P0, will provide more context and can see across all identity types, systems, and production resources.
Step 2: Roll out federated identity
Replace static keys with role assumption or identity federation via Okta, Google Workspace, or IAM federation. This removes the need for hardcoded secrets entirely.
Step 3: Restrict new static credentials
Use service control policies (SCPs) in your cloud service provider (CSP) to set permission boundaries, or CI/CD guardrails to block the creation of net-new long-lived credentials.
Step 4: Automate secrets rotation
Certain secrets cannot be removed, for example because they are used by an application that does not support workload identity federation. Automating the rotation of these secrets requires ownership assignment and concrete governance policies.
Step 5: Manage access, not credentials
NHI credentials should be short-lived (see step 2), and on an ongoing basis you should use identity-first access control engines like P0 to continuously manage the access lifecycle of NHIs alongside that of human users.
Governance isn’t a one-time cleanup process. It’s an always-on effort. Each of these steps helps bring NHIs under control: minimizing persistence, addressing drift, improving auditability, and reinforcing the principle of least privilege throughout the access lifecycle.
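As an added example (not part of this post, and not P0 Security's code), the following Python script shows what the credential-level checks behind steps 1, 3 and 4 can look like when run over CloudTrail records: which keys in use are static versus temporary, which inventoried keys are unused, unowned or overdue for rotation, and whether anyone has created a net-new static key despite the guardrail. The events and the credential inventory are constructed for the example; the `owner`, `created` and `rotation_days` inventory fields, the 30-day unused threshold, and the `audit` function are assumptions, not a P0 or AWS API. The only AWS-specific facts relied on are CloudTrail's `eventName`, `eventTime` and `userIdentity.accessKeyId` fields and the convention that long-term IAM user access keys begin with `AKIA` while temporary STS credentials begin with `ASIA`.

```python
"""Added example: governance checks over CloudTrail-style records.

Not code from the post or from P0 Security. The events and inventory below
are constructed; the inventory schema, thresholds and function names are
assumptions made for this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style events (not real log data). Only the fields
# the checks need are included; real records carry many more.
EVENTS = [
    {"eventTime": "2025-10-01T08:00:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                      "accessKeyId": "AKIACONSTRUCTED00001"}},
    {"eventTime": "2025-10-15T09:30:00Z", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser"}},
    {"eventTime": "2025-10-15T09:31:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole",
                      "accessKeyId": "ASIACONSTRUCTED00002"}},
    {"eventTime": "2025-10-14T12:00:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIACONSTRUCTED00003"}},
]

# Constructed credential inventory keyed by access key ID (assumed schema:
# owner, creation date, rotation period in days).
INVENTORY = {
    "AKIACONSTRUCTED00001": {"owner": None, "created": "2024-01-10", "rotation_days": 90},
    "AKIACONSTRUCTED00003": {"owner": "alice", "created": "2025-10-14", "rotation_days": 90},
    "AKIACONSTRUCTED00004": {"owner": "payments-team", "created": "2025-03-01", "rotation_days": 90},
}

# Fixed "now" so results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 10, 16, tzinfo=timezone.utc)


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2025-10-16T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_static_key(key_id):
    """Long-term IAM user access keys start with AKIA; temporary STS
    credentials from role assumption or federation start with ASIA."""
    return key_id.startswith("AKIA")


def last_use_by_key(events):
    """Map each access key ID seen in the events to its most recent use."""
    seen = {}
    for event in events:
        key_id = event.get("userIdentity", {}).get("accessKeyId")
        if not key_id:
            continue  # e.g. the federation call itself carries no key
        used_at = parse_event_time(event["eventTime"])
        if key_id not in seen or used_at > seen[key_id]:
            seen[key_id] = used_at
    return seen


def audit(events, inventory, now, unused_days=30):
    """Return governance findings: which keys are static vs temporary, which
    inventoried keys are unused, unowned or overdue for rotation, and who
    created net-new static keys (the guardrail in step 3 should keep that
    list empty)."""
    seen = last_use_by_key(events)
    findings = {"static_in_use": [], "temporary_in_use": [], "unused": [],
                "unowned": [], "rotation_overdue": [], "new_static_created": []}
    for key_id in seen:
        bucket = "static_in_use" if is_static_key(key_id) else "temporary_in_use"
        findings[bucket].append(key_id)
    for key_id, meta in inventory.items():
        last_used = seen.get(key_id)
        if last_used is None or now - last_used > timedelta(days=unused_days):
            findings["unused"].append(key_id)
        if not meta.get("owner"):
            findings["unowned"].append(key_id)
        created = datetime.strptime(meta["created"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - created > timedelta(days=meta["rotation_days"]):
            findings["rotation_overdue"].append(key_id)
    for event in events:
        if event["eventName"] == "CreateAccessKey":
            findings["new_static_created"].append(event["userIdentity"].get("userName"))
    return findings


if __name__ == "__main__":
    for category, items in audit(EVENTS, INVENTORY, NOW).items():
        print(f"{category}: {items}")
```

In practice the events would be read from CloudTrail's stored JSON files (each carries a `Records` array of objects in this shape) and the inventory from whatever system of record tracks credential owners; the point of the script is that once both exist, "unowned", "unused" and "overdue" become mechanical checks rather than judgment calls, and a non-empty `new_static_created` list is direct evidence that the step 3 guardrail is not yet enforced.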
We like to say identity is the new perimeter. In the cloud, Non-Human Identities (NHIs) are the fastest-growing identity type, and credentials are often their front door. Static credentials, secrets in particular, grant persistent access, but without ownership, expiration, or oversight. That makes secrets the most dangerous element of NHI access: privileged, persistent, and ungoverned.
The answer isn’t more vaulting. It’s governance. If a secret can live forever, it can be exploited forever. And if it grants access to production, it’s not just a credential, it’s privileged access that must be scoped, ephemeral, and accountable by design.
Watch P0’s recent webinar with Wiz, Shared Secrets to Zero Standing Privilege, for a deeper dive on this subject.
Get a demo of P0 Security, the next-gen PAM platform built for every identity.