The future of secrets and identity management

If you've ever had to…

• Troubleshoot a production outage caused by an expired service account token
• Audit a codebase only to find API keys hard-coded in configuration files
• Tried to track down which CI/CD pipeline has access to which cloud resources

…you understand the problem. Non-human identities (NHIs) — service accounts, API keys, OAuth tokens, certificates, and machine credentials — now vastly outnumber human users in most organizations, yet we're still managing them with approaches designed for people.

»The NHI problem: Static secrets at scale

The explosion of microservices, containerized workloads, and cloud-native architecture has created an NHI crisis. A typical Kubernetes cluster might contain hundreds of pods, each requiring credentials to access:

• Databases
• Message queues
• Object storage
• External APIs, etc.

Multiply this across development, staging, and production environments, then add:

• CI/CD pipelines
• Monitoring agents
• Backup services
• Infrastructure automation tools, etc.

At this point, you're managing thousands or tens of thousands of non-human identities.

Static secrets are the Achilles' heel of this architecture. This could be…

• A database password embedded in an environment variable
• The AWS access key in your Terraform state file
• The service account JSON sitting in a mounted volume
• And countless other things

These long-lived credentials represent persistent attack surfaces. When a static secret is compromised, attackers gain access until someone manually rotates it, assuming the breach is even detected. The CircleCI breach of 2023 is a classic example, where compromised OAuth tokens and credentials stored in their systems gave attackers potential access to thousands of customer environments.

The operational burden is equally problematic. Manual credential rotation is error-prone and rarely happens on schedule. Tracking where secrets are used becomes impossible as infrastructure scales. When you need to revoke access, can you confidently identify every location where a particular API key or certificate is deployed? The answer in most organizations is “no,” leading to the accumulation of zombie credentials that persist indefinitely because teams are worried about breaking unknown dependencies.

»Passwordless authentication for humans: Setting the foundation

Before diving into a deeper discussion of NHI solutions, it's worth noting that human identity management is also evolving rapidly. Technologies like WebAuthn, FIDO2, and passkeys are eliminating passwords for end users, using public-key cryptography and biometric authentication to provide phishing-resistant authentication. While this represents significant progress for human users, the more complex challenge lies in securing the non-human authentication that powers modern infrastructure.

»Workload identity: Eliminating static secrets for NHIs

The most promising development in NHI management is the shift toward workload identity: treating non-human identities as first-class citizens with dynamically issued, short-lived credentials. Rather than distributing and managing static secrets, workload identity systems leverage the infrastructure itself to establish identity and issue temporary credentials.

Cloud providers have led this evolution. AWS IAM Roles for Service Accounts (IRSA), Azure Managed Identities, and Google Cloud Workload Identity allow workloads to authenticate based on their execution context rather than embedded secrets. A pod running in Kubernetes can assume an IAM role and receive temporary credentials that expire in minutes or hours, never requiring a static access key to be stored anywhere. The infrastructure attests to the workload's identity, and credentials are vended just-in-time.

Service meshes extend this concept to service-to-service communication, automatically issuing and rotating X.509 certificates through SPIFFE/SPIRE implementations. Every service gets a cryptographically verifiable identity, and mutual TLS happens transparently without developers managing certificates. When implemented properly, no service ever needs to handle a long-lived secret.

The practical implications are significant:

• Your CI/CD pipeline authenticates to your cloud provider using OIDC federation, receiving temporary credentials scoped to exactly what that pipeline run needs.
• Your application pods never see database passwords. They authenticate using their workload identity and receive time-limited access tokens.
• When you decommission a service, its identity disappears with it, automatically revoking access without manual cleanup.

»Secrets management for the transition period

Despite the promise of workload identity, complete elimination of static secrets remains aspirational for most organizations.

The reality is that most organizations use legacy systems, third-party SaaS APIs, and databases that don't support dynamic credentials. This means having to manage some static secrets for the foreseeable future.

The question is how to do it safely.

Modern secrets management has evolved from simple encrypted key-value stores to platforms that enforce least-privilege access and automate rotation. HashiCorp Vault pioneered many of these patterns:

• Dynamic secrets generation for databases and cloud providers
• Leasing and renewal mechanisms
• Detailed audit logging, etc.

Vault can also easily integrate with cloud-native secret managers like AWS Secrets Manager, Azure Key Vault, and Google Secret Manager for more centralized visibility and control in a multi-cloud environment.

The critical capabilities for contemporary secrets management include:

• Automated rotation with rollback capabilities
• Just-in-time access provisioning where secrets are injected at runtime rather than stored in configuration
• Policy-based access control that restricts which workloads can access which secrets
• Comprehensive audit trails showing exactly when and by whom secrets were accessed

Integration with CI/CD pipelines is also essential. Secrets should be pulled during deployment and injected as environment variables or mounted volumes, never committed to repositories or stored in pipeline definitions.

For organizations still distributing secrets manually or storing them in configuration management systems, the path forward involves:

• Consolidating secrets into a dedicated management platform
• Automating injection into workloads
• Implementing rotation policies
• Progressively migrating to dynamic credentials where possible

This is a multi-year journey for most organizations, so it’s important to adopt a realistic perspective, which means accepting that you'll operate in a hybrid state for some time.

»Zero trust architecture: Continuous verification for NHIs

Zero trust principles apply as much to NHIs as to human users. The castle-and-moat model of "authenticate once at the perimeter and trust thereafter" has proven inadequate in environments where lateral movement and privilege escalation are primary attack vectors. For NHIs, zero trust means continuous validation of identity, context, and authorization throughout a request lifecycle.

Policy engines and cloud-native authorization services enable fine-grained, context-aware access control. Rather than binary "can this service account access this resource" decisions, policies can incorporate factors like:

• Requesting a workload's namespace
• Time of day
• Sensitivity of the requested data
• Security posture of the underlying infrastructure
• and more

A database query from a production namespace might be allowed, while the identical query from a developer's laptop is denied.

Implementing zero trust for NHIs requires infrastructure that can continuously verify workload identity and provide contextual mapping to policy engines. Service meshes excel here, embedding identity and policy enforcement directly in the data path. Every request carries verifiable identity information, and authorization decisions happen at microsecond latency, making fine-grained control practical even in high-throughput environments.

»Observability and detection: Knowing your blast radius

You can't secure what you can't see. One of the most significant challenges in NHI management is simply maintaining an inventory of NHIs and understanding their access patterns. Most organizations discover they have far more service accounts, API keys, and machine credentials than they realized when they attempt comprehensive enumeration.

Modern credential management requires continuous discovery and monitoring. This means having tools that scan repositories for leaked secrets and tools that can inventory cloud IAM roles and service accounts. These platforms discover hidden API keys, passwords, and machine identities across entire infrastructures, enabling organizations to:

• Map dependencies between services and credentials
• Identify migration candidates ready for managed identity transformation
• Assess risks associated with current secret usage and triage exposed secrets
• Plan strategic migrations rather than blind transformations

Detection of anomalous NHI behavior is equally critical. It’s important to be able to identify unusual activity, such as:

• A service account accessing resources outside its typical scope
• Authentication from unexpected network locations
• Sudden spikes in API usage, etc.

Unlike human behavior, machine workloads tend to be highly predictable, making anomaly detection particularly effective for NHIs. For example, if your batch processing service starts making database queries at noon instead of 2 a.m., or your CI/CD service account suddenly accesses production resources, these represent unusual activities worth investigating.

»The road ahead: Practical steps for technical leaders

The transformation from static secrets to workload identity represents a multi-year journey that requires coordinated effort across development, operations, and security teams. For technical decision makers charting this path, several strategic priorities emerge.

1. Establish workload identity as the default for new services. Cloud-native workloads should leverage native identity services from day one rather than falling back to static credentials out of familiarity or perceived simplicity. The initial investment in understanding IAM roles, service accounts, and OIDC federation pays dividends immediately and avoids accumulating technical debt that must be remediated later.
2. Implement comprehensive secrets management for existing static credentials. Consolidating secrets into a centralized platform with automated rotation and access policies provides immediate security benefits and brings visibility into your secret footprint, helping you to prioritize which systems to migrate to dynamic credentials.
3. Make NHI governance a priority. Implement processes for provisioning, reviewing, and decommissioning non-human identities with the same discipline applied to human accounts. Periodic access reviews should include service accounts and API keys, not just user permissions. Automated discovery and inventory management should feed into your security operations, providing visibility into the true scope of your NHI footprint.
4. Invest in observability for NHI behavior. Understanding normal patterns enables anomaly detection. Comprehensive audit logging of credential usage provides both security monitoring and compliance evidence. The ability to answer "which services accessed this resource and when" is foundational to incident response and forensics.
5. Embrace federation and standards. OIDC, OAuth 2.0, SPIFFE, and other open standards enable interoperability and reduce vendor lock-in. As identity moves increasingly toward distributed, heterogeneous environments spanning multiple clouds and on-premises infrastructure, standards-based approaches will be essential to maintaining consistent security policies.

The future of credential and identity management for NHIs is going to require automation, discovery, and visibility. Organizations that lead us into this future will make workload identity the default. Their secrets will rotate themselves, and when policy enforcement happens transparently in the infrastructure layer, security will stop being a manual process prone to human error. Gradually, security will become a property of the architecture itself.

That future is achievable today for new cloud native workloads, and it represents the target state for existing infrastructure. The important point for technical leaders to understand is that this evolution won’t be done in isolation. Secrets management, identity management, secure access — these all need to become threads in the larger fabric of a unified platform, tying together the software delivery pipeline from CI/CD, to infrastructure provisioning, to workload orchestration.