Why secret sprawl may be your biggest security threat (and how to help fix it)
Picture this: You’re having your morning coffee when your phone buzzes with the kind of alert that makes security professionals break into a cold sweat. A single API key, leaked on GitHub months ago, has just given attackers a VIP pass to your entire infrastructure.
Sound familiar? It should. The 2024 U.S. Treasury breach started exactly this way. One compromised machine identity opened the floodgates. And here’s the kicker: in most organizations today, machine identities outnumber humans by more than 80 to 1. That’s 80 potential entry points for every one person on your team.
With AI agents multiplying faster than we can track them, this isn’t just a growing problem—it’s an avalanche waiting to happen. I call it “identity hell,” and if you’re not already living in it, you probably will be soon.
But here’s the good news: there’s a way out.
The rapid growth of machine identities
Let me tell you something that keeps me up at night. Just five years ago, when I started focusing on workload identity, we talked about machine identities outnumbering humans 20 to 1. Then it jumped to 45 to 1. Now we’re at 82 to 1 in most organizations, and that number isn’t slowing down.
Three forces are creating this perfect storm:
Cloud-native adoption at hyperspeed. Remember when you had one big application sitting on a server? Those days are gone. Modern microservices architectures break applications into hundreds or thousands of components. Each container, each service, each function needs its own identity. I recently worked with a financial services company that discovered they had over 50,000 workload identities scattered across their cloud environments. They thought they had maybe 5,000.
Multi-cloud complexity run amok. Organizations aren’t just dipping their toes in the cloud anymore—they’re doing cannonballs into multiple cloud pools simultaneously. For instance, AWS for compute, Azure for productivity, Google Cloud for AI workloads, plus their on-premises infrastructure. Each environment has its own identity quirks, and managing credentials across all of them? It’s like trying to conduct an orchestra where every musician is playing a different song.
AI agents joining the workforce. Here’s where things get really wild. AI agents don’t just process data—they actively create new workloads, spin up infrastructure, and call APIs autonomously. They’re essentially digital employees with admin privileges and zero awareness of security protocols.
Each of these digital workers needs credentials to function. And right now, most organizations are managing those credentials the same way they managed human passwords in 2005. Spoiler alert: it didn’t work well then, and it’s a disaster now.
The risks of secret sprawl
Here’s the uncomfortable truth: most organizations are securing machine-to-machine communication with the digital equivalent of sticky notes under keyboards. These “secrets”—API keys, service accounts, tokens, certificates—are scattered everywhere.
I recently did a security assessment for a mid-sized tech company. We found API keys hard-coded in application source code, shared in Slack channels, stored in multiple secret vaults that didn’t talk to each other, and my personal favorite—written on actual sticky notes attached to developer monitors. The kicker? Most of these secrets hadn’t been rotated in over two years.
GitGuardian’s latest research found 24 million leaked secrets on GitHub alone—a 25% increase from the previous year. Even more alarming, most of these secrets remain valid two years after being discovered. From an attacker’s perspective, why bother with sophisticated phishing campaigns when you can browse GitHub for valid credentials like you’re shopping at a digital mall?
This traditional approach to securing workload access also creates what we call the “secret zero problem”: storing secrets in secret stores means you need a master secret to access them, then another to protect that one, and another to protect that one. It’s an infinite loop of trust issues. Essentially it’s “turtles all the way down.”
I’ve watched organizations spend millions on advanced threat detection while leaving API keys exposed in their repositories. It’s like installing a state-of-the-art alarm system while leaving your front door wide open.
Workload identity as a solution to secret sprawl
After years of wrestling with secret management, I’ve become convinced there’s a fundamentally better approach: workload identity.
The concept is beautifully simple. Instead of giving each workload a static secret to wave around like an ID card, you give it a cryptographically verifiable identity based on where it’s running and what it’s authorized to do. Other systems can verify this identity without the workload ever sharing a long-lived credential.
The technology making this possible is SPIFFE (Secure Production Identity Framework For Everyone)—an open-source standard I’ve been tracking for many years. Originally developed by the team that created Kubernetes, SPIFFE creates universal identities for workloads across any environment.
Here’s why this is revolutionary: When a workload needs to talk to another service, instead of presenting a static API key that could be compromised, it presents a dynamically issued certificate that proves its identity. The receiving service can verify this identity cryptographically. No shared secrets, no credential theft, no sticky notes required.
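As an added illustration of the exchange just described (example code written for this article, not code from SPIFFE, SPIRE or the author), here is a self-contained Go sketch of both sides: an issuer mints a one-hour X509-SVID whose only identity is the SPIFFE ID in its URI SAN, and the receiving service verifies the chain against the trust-domain bundle, extracts that ID and applies its own allow-list. The trust domain example.org, the path /ns/payments/sa/api and the one-hour lifetime are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newCert mints a certificate: with parent == nil a self-signed trust-domain CA (the role a
// SPIRE server plays), otherwise a short-lived X509-SVID identified only by its spiffe:// URI SAN.
func newCert(id *url.URL, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	signer, signKey := tmpl, key // self-signed unless a parent CA is supplied
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.URIs, tmpl.KeyUsage = []*url.URL{id}, x509.KeyUsageDigitalSignature
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	return der, key, err
}

// verifySVID is the receiving service's check: the chain must lead to the trust-domain bundle
// as of `now`, the leaf must carry exactly one spiffe:// URI SAN, and that ID must be allowed.
func verifySVID(der []byte, roots *x509.CertPool, now time.Time, allowed map[string]bool) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "", fmt.Errorf("untrusted or expired SVID: %w", err)
	}
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("not an X509-SVID: want exactly one spiffe:// URI SAN, got %d", len(cert.URIs))
	}
	if id := cert.URIs[0].String(); allowed[id] {
		return id, nil
	}
	return "", fmt.Errorf("%s is not authorized to call this service", cert.URIs[0])
}
```

The clock-based serial number and empty subject are shortcuts to keep the sketch short; a real issuer uses random serials, and the short NotAfter is what makes rotation automatic rather than a two-year-old sticky note.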
Transitioning to workload identity
I get it—transforming your entire infrastructure sounds overwhelming. The good news? You don’t need to. I’m working with organizations making this transition, and the key is starting strategically.
Begin with discovery. You can’t protect what you don’t know exists. I always start by helping organizations catalog their workloads and identities. This visibility exercise alone usually reveals quick wins—like API keys with excessive permissions that have been forgotten for years.
Focus on high-impact, low-friction areas. If you’re already using cloud-native technologies like service meshes (Istio, Linkerd), you’re probably already using SPIFFE without realizing it. These are natural starting points for expanding workload identity adoption.
Think hybrid, not replacement. The goal isn’t to eliminate secrets overnight—it’s to gradually shift the balance. I recommend starting with 10% of workloads using identity-based authentication. As teams get comfortable with the technology and processes, expand that percentage.
Securing AI agents with workload identity
Here’s where things get really interesting. AI agents are already exhibiting behaviors that challenge traditional security models. They create infrastructure autonomously, call APIs without human oversight, and make decisions that impact entire systems.
I recently worked with an organization where an AI agent spun up 500 new database instances in a single day to process a large dataset. Traditional secret management would have been a nightmare—imagine manually provisioning and rotating credentials for 500 short-lived workloads.
With workload identity, each AI agent gets a verifiable identity that can be audited and controlled. When an AI agent creates a new resource or modifies a configuration, there’s a clear audit trail back to a specific, identifiable entity.
The organizations implementing workload identity now are positioning themselves to manage AI agents securely as they become more autonomous. Those that don’t risk losing control of their expanding digital workforce.
Steps for adopting workload identity
Ready to make the shift? Based on my experience helping organizations make this transition, here’s a practical action plan, refined from dozens of real-world implementations I’ve guided:
- Assemble a cross-functional working group including security, platform engineering, and identity management representatives. Their first mission: understand where your machine identities live and which ones represent the highest risk.
- Identify pilot projects where workload identity can replace secrets without major application changes. Look for cloud-native workloads or services that already use certificates for authentication.
- Expand systematically based on initial successes, gradually increasing the percentage of workloads using identity-based authentication instead of static secrets.
- Stay ahead of the curve. Every day you continue relying solely on static secrets, the problem grows larger and more complex.
The future belongs to organizations that can manage thousands of autonomous digital workers securely. Your machines are already talking to each other. The question is: are you listening to the security implications?
For a deeper dive into these challenges and solutions, check out my recent appearance on the Security Matters podcast, where I explore the evolving world of workload identity and what it means for the future of cybersecurity.
Matt Barker is vice president and global head of Workload Identity Architecture at CyberArk.