Listen to this Post
The Rise of AI and the Surge in Non-Human Identities
Artificial Intelligence is revolutionizing enterprise productivity. From GitHub Copilot automating code suggestions to smart chatbots that tap into internal data for quick answers, AI agents are becoming an integral part of modern digital operations. However, with every new AI deployment comes a non-human identity (NHI)—a bot, agent, or script that needs to authenticate with internal systems, typically through secrets like API keys, tokens, or certificates.
Enterprises are now facing a storm of unmanaged NHIs. On average, there are 45 machine identities per human user, and this imbalance is wreaking havoc on organizational security. These NHIs rarely follow the same access and rotation policies as human accounts, leading to massive risks. According to GitGuardian’s State of Secrets Sprawl 2025 report, over 23.7 million secrets were exposed on GitHub in 2024, and repositories with Copilot enabled leaked secrets 40% more frequently.
What makes NHIs particularly risky is their invisibility. Unlike human users, NHIs aren’t governed by robust access controls or rotation policies. This leads to a web of hidden vulnerabilities where secrets remain live long after their purpose has expired—ready for attackers to exploit.
The problem deepens when large language models (LLMs) and retrieval-augmented generation (RAG) systems are involved. A simple support bot using an LLM might inadvertently share internal credentials it pulls from documents like Confluence pages. Worse yet, it may suggest developers use these plaintext secrets—creating dangerous exposure scenarios.
But there is hope. Organizations that implement strong governance models and secrets management protocols can not only mitigate these risks but also boost their deployment speed and innovation capacity. The article outlines five actionable strategies to reduce AI-related NHI risks:
- Audit and Clean Up Data Sources – Eliminate or revoke secrets from platforms like Slack, Jira, or Confluence that could be exposed through LLMs.
- Centralize NHI Management – Use tools like HashiCorp Vault or AWS Secrets Manager to maintain control over all machine identities.
- Prevent Secrets Leaks in LLM Deployments – Employ Model Context Protocol (MCP) servers responsibly and scan for hardcoded secrets before code hits production.
- Improve Logging Security – Sanitize logs that might contain secrets exposed by AI-generated outputs.
- Restrict AI Data Access – Apply least-access principles to AI agents, especially those exposed to public interfaces.
Finally, none of these measures work without human coordination. Developers and security teams must align on processes, priorities, and policies. Enterprises that secure machine identities today will lead the AI-driven world of tomorrow.
What Undercode Say: 🧠💡
The Undercode team sees this issue not as a challenge, but as a call to evolution in modern cybersecurity.
The Hidden Threat of NHIs
We’re seeing an alarming expansion of machine identities—and with each comes a potential new attack vector. With AI agents continuously connecting to internal services, these NHIs have become soft targets. Why? Because they’re often invisible in audits, lack rotation policies, and accumulate over time like digital clutter.
The AI Security Dilemma
AI doesn’t inherently know what’s sensitive and what’s not. It retrieves what it’s trained to find. This means AI-powered tools can unwittingly leak secrets if left unchecked. Especially with RAG systems pulling data dynamically, a chatbot answering a question might expose a sensitive API key from an internal wiki page without even knowing it.
Attack Surface Expansion
This unchecked access creates what we call an “identity surface explosion.” Enterprises are now managing thousands of long-lived credentials, many of which outlive their purpose. A single leaked token from a Confluence page could be the start of a major data breach—especially if found in unmonitored logs or public GitHub repositories.
Tooling Isn’t Enough—Culture Matters
Sure, tools like GitGuardian, Vault, and ggshield are essential. But what really matters is whether teams use them proactively. If security scanning is left until production, it’s already too late. Developers need guardrails built into their IDEs and pipelines. Secrets detection should be baked into the dev workflow—not tacked on as an afterthought.
Centralization: From Chaos to Clarity
We at Undercode strongly advocate centralized governance. Without it, secrets are everywhere—in pipelines, in Slack messages, in internal docs. When centralized, organizations can enforce rotation, revoke access rapidly, and move toward short-lived credentials that minimize risk even when exposed.
Contextual AI Access: A Must
It’s not just about limiting access—it’s about contextualizing access. An LLM might need CRM data for internal use but should never touch production systems or customer information. Establishing granular access policies for AI agents must become a standard.
The Human Element
Lastly, awareness is everything. Developers need education on how secrets can leak, and how AI tools can become risks. Likewise, security teams must understand the development lifecycle. Cross-functional collaboration is key to building safe, scalable AI.
Fact Checker Results ✅🔍
Claim: Copilot-enabled repos leak secrets 40% more often
✅ Verified. GitGuardian’s 2025 report confirms a statistically significant rise in secret leaks from Copilot-enabled environments.
Claim: Over 23.7 million secrets were exposed in 2024
✅ True. Public GitHub repositories accounted for this staggering number of exposed secrets.
Claim: 5.2% of MCP servers contain hardcoded secrets
✅ Confirmed. GitGuardian’s research found this to be higher than the general 4.6% exposure rate.
Prediction 📊🔮
As AI becomes more embedded in enterprise infrastructure, machine identities will surpass human identities tenfold by 2027. Without intervention, the secret sprawl will trigger more frequent, large-scale data breaches. Organizations that invest now in centralized NHI governance, developer education, and AI-specific access control will not only avoid disasters—they’ll set the pace for secure, scalable AI-driven innovation.
References:
Reported By: thehackernews.com
Extra Source Hub:
https://www.facebook.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
