Recent research by GitGuardian highlights a growing concern within enterprises: the proliferation of Non-Human Identities (NHIs). Organizations now have to manage an overwhelming average of 45 machine identities for each human user, a shift with a tremendous effect on security and identity management. Many organizations are struggling to understand the intricacies of these new digital agents.
One of the key drivers behind the growth in Non-Human Identities (NHIs) is the increased demand for agents to authenticate with a variety of services. This demand has led to a large and quiet growth of NHIs across corporate clouds. As organizations have become increasingly dependent on automated systems, the NHI population has begun to outstrip traditional enterprise security mitigations.
According to GitGuardian’s State of Secrets Sprawl 2025 report, NHIs are on the rise, with some staggering statistics. In 2024 alone, more than 23.7 million secrets associated with NHIs appeared in public GitHub repositories. This disturbing number is a clear indication that businesses must re-evaluate their security practices for machine identities. The report also found that 5.2% of all MCP servers had at least one hardcoded secret tied to NHIs, which raises serious questions about which vulnerabilities could be exposed.
The problems posed by NHIs are worsened by their potential to disseminate classified information when not securely contained. What organizations may not realize is that Non-Human Identities can inadvertently gain access to sensitive data, including valid credentials pulled from trusted sources such as Confluence pages. The threat is compounded when secrets are baked into these identities, leaving them open to discovery.
To avoid such risks, GitGuardian recommends a proactive identity management approach: either make NHI access fully visible or remove it entirely, so that NHIs cannot spill proprietary internal information. Tools such as GitGuardian’s ggshield are designed to proactively scan for these secrets, enabling a more risk-based, programmatic way to handle NHIs.
How access is granted to NHIs is an important piece of the security equation as well. Insufficient access can undermine the utility of Retrieval-Augmented Generation (RAG) models, while too much access can introduce security flaws. Adding an exposure-minimization step, such as sanitizing data before it is saved or shared with third-party software, is therefore simply good practice.
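As an added illustration of that sanitization step (example code written for this page, not GitGuardian's code and not how ggshield's detectors actually work), the following Python redactor scans a block of text for credential-like values and replaces them with placeholders before the text would be indexed for a RAG model or handed to a third-party service. The regular expressions, the entropy threshold, and the sample Confluence-style page are all constructed assumptions chosen to show the two layers a practical sanitizer needs: known-format detectors for things like AWS access key IDs and bearer tokens, and a Shannon-entropy check that catches long random-looking tokens that no keyword pattern would flag.

```python
import math
import re
from collections import Counter

# Constructed, illustrative detectors. Group 1 captures the secret value.
# These are NOT ggshield's rules; real detectors are far more extensive.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-_.=]{20,})")),
    ("assignment_secret", re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]

# Candidate for the entropy check: a run of 32+ base64-ish characters that is
# not glued to other such characters (so URLs and env-var names split apart).
HIGH_ENTROPY_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}(?![A-Za-z0-9+/])")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed, tune for your corpus


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, prose scores low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text: str):
    """Return a list of (detector_name, value), keyword/format hits first,
    then high-entropy tokens that no format detector already claimed."""
    findings, seen = [], set()
    for name, pattern in SECRET_PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(1)
            if value not in seen:
                seen.add(value)
                findings.append((name, value))
    for match in HIGH_ENTROPY_TOKEN.finditer(text):
        token = match.group(0)
        if token not in seen and shannon_entropy(token) >= ENTROPY_THRESHOLD:
            seen.add(token)
            findings.append(("high_entropy_token", token))
    return findings


def redact(text: str):
    """Replace every detected secret with a labelled placeholder.
    Returns (sanitized_text, findings) so callers can also log/alert."""
    findings = find_secrets(text)
    sanitized = text
    for name, value in findings:
        sanitized = sanitized.replace(value, f"[REDACTED:{name}]")
    return sanitized, findings


# Constructed sample of the kind of internal wiki page a RAG pipeline might ingest.
# Every credential below is fake and chosen only to exercise the detectors.
SAMPLE_PAGE = """\
Deploy runbook (internal)
Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE in the CI environment.
Service account password: Sup3rS3cretPassw0rd!
Health check: curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZS1wYXlsb2Fk.Zm9vYmFyYmF6cXV4" https://api.example.internal/health
Webhook signing value: aB3dE5fG7hJ9kL0mN1pQ2rS4tU6vW8xY
Contact the platform team on #platform for questions.
"""

if __name__ == "__main__":
    clean, hits = redact(SAMPLE_PAGE)
    for name, value in hits:
        print(f"{name}: {value[:6]}... ({len(value)} chars)")
    print(clean)
```

The webhook signing value on the sample page has no keyword next to it, so only the entropy layer flags it; that is the case a keyword-only sanitizer misses. Run the redactor at the ingestion boundary (before data is written to the vector store or sent to the third party), and treat the returned findings as an alert that the source page itself needs the secret removed and rotated, not just masked in the copy.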
Today, organizations are encountering their biggest challenges yet with machine identities, which makes the case for robust authentication and authorization capabilities all the more critical.
“If you cannot measure it, you cannot improve it.” – Lord Kelvin