Research Reveals 44% Growth in NHIs from 2024 to 2025
by Barry McIntyre on July 29, 2025 at 9:16 AM
Entro Labs has released a critical update on the evolving risks surrounding machine identities and credential exposure in modern enterprise environments. The NHI & Secrets Risk Report – H1 2025, based on data collected and analyzed by Entro Labs across enterprise environments between January 1 and June 30, 2025, reveals the most critical risks and threats in NHI and secrets security as well as what security and IAM professionals can do today to close them. The findings point to an urgent need for updated governance where software, automation, and AI agents dominate.
In the past year alone, NHIs have grown by 44%. They now outnumber human identities at a ratio of 144 to 1, a major leap from the 92 to 1 ratio seen in H1 2024. These machine identities, such as service accounts, tokens, and API keys, are essential for cloud services and automation. However, their growth often outpaces oversight. Long-lived credentials, unmanaged roles, and a lack of visibility contribute to a rising number of exposures that place systems and data at risk.
5 Key Insights from the report:
- 44% Growth in NHIs YoY: The number of non-human identities in the average enterprise increased by 44% between H1 2024 and H1 2025.
- 144:1 NHI-to-Human Ratio: Non-human identities now outnumber human identities by 144 to 1, a 56% increase from the 92:1 observed in H1 2024.
- Shift-Left ≠ Shift-Enough: 43% of all exposed secrets surface outside source code.
- Shadow Admins: 1 in 20 AWS machine identities carries full-admin privileges ("Super NHIs").
- Cloud Sync Hazard: SharePoint holds troves of secrets originating from auto-synced files on endpoints. Half are found within spreadsheets (.xls).
Where Secrets Actually Leak and Why Many Go Undetected
While source code remains the leading source of exposed secrets at 57%, the report reveals that nearly half of all exposed secrets were found outside of code repositories. CI/CD workflows account for 26% of exposures, with collaboration and messaging platforms adding another 14%. Tools like Jira, Slack, SharePoint, and Confluence are being used for rapid communication and project tracking, but they are also becoming unexpected repositories for sensitive credentials.
A standout finding is that SharePoint alone was responsible for almost one in five exposed secrets. These secrets often came from spreadsheets, logs, and other files automatically synced from local machines via OneDrive. Because files stored locally can be synced to the cloud without user intent, secrets left in Excel files or scripts often end up widely accessible across the organization.
Entro’s analysis of 13,841 private GitHub repositories showed an average of 102 exposed secrets per repository. Even with built-in secret scanning, generic tokens and internal credentials continue to evade detection. GitHub Actions, Buildkite, Jenkins, and other CI/CD platforms were also significant contributors, often logging environment variables and credentials during pipeline execution. If these logs are not restricted or regularly cleared, they remain accessible to anyone with permission, creating an ongoing exposure risk.
A major real-world incident underlined this concern. In March 2025, attackers compromised the popular tj-actions GitHub Action using a stolen personal access token. They injected malicious code that silently exfiltrated secrets from the CI/CD logs of more than 23,000 repositories. This incident demonstrates how vulnerable automated systems become when credentials are exposed and machine identities are compromised.
Long-Lived, Overprivileged, and Forgotten Identities
Many NHIs are not only unmanaged but also persist far longer than necessary. Nearly half are over a year old, and 7.5% are between five and ten years old. One in every thousand NHIs is over a decade old. These accounts often outlive the humans who created them. Without regular audits or lifecycle policies, they quietly retain access, expanding the potential attack surface.
Secrets show a similar aging trend to NHIs, only worse. While over 55% are under a year old, a surprising 2.3% of all active secrets are over 10 years old, more than 20x the share of decade-old NHIs. These include hardcoded values buried in legacy systems or foundational configuration files that teams consider too risky or complex to replace. Without expiry policies or vault management, they persist in environments and increase the risk of misuse.
In AWS environments, 62% of NHIs showed no activity in the past 90 days but retained access permissions. Nearly 9% were found to be overprivileged, having access to services they rarely or never use. The average AWS role could interact with 43 different services, from EC2 to Secrets Manager, significantly increasing the blast radius if compromised.
An alarming finding is that over 5.5% of AWS NHIs are full administrators. These "Super NHIs" are non-human identities with unrestricted access across cloud services. In some organizations, the rate of Super NHIs was as high as 18%. While these roles support automation and orchestration, they also present critical risk if accessed by attackers. A single exposed Super NHI token could grant entry to sensitive systems and data across the entire cloud environment.
A Call to Action for Security and IAM Leaders
Organizations need to modernize their approach to identity and secrets management. Traditional IAM systems designed for human access do not scale to the volume and complexity of machine identities seen today. Entro recommends a proactive strategy built around full NHI lifecycle governance, continuous monitoring, and privilege reduction.
What Security Leaders Should Do Now:
- Because many of your leaked secrets originate beyond code repos, mandate organization-wide secrets scanning projects for logs, chats, and file shares, and cap log retention at 90 days to limit exposure.
- Treat SharePoint files with the same scrutiny you give source code. Expand secret-scanning to office formats, restrict who can read synced folders, and remind teams that a single spreadsheet can contain the literal keys to the kingdom.
- With Slack bot tokens alone driving more than 40% of SaaS-secret leaks, immediately inventory every third-party API key, beginning with Slack, and force-rotate or delete any long-lived or over-scoped tokens; mandate the use of vaults, then wire continuous secrets scanning into chat, CI logs and cloud storage and impose short, automatic expiry windows with alerts for any token spotted outside approved secret management solutions.
- Traditional IAM practices designed for humans no longer scale in 2025. Organizations must adopt NHI-first visibility, governance and risk detection models.
- Because many of your AWS machine identities carry "*" level or AdministratorAccess policies, start with a ruthless sweep: locate and delete any IAM roles that are unused or unnecessary, then quarantine the few essential admin NHIs in a locked-down account, enforce MFA or hardware keys and audit every AssumeRole call.
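The figures in the "Long-Lived, Overprivileged, and Forgotten Identities" section (roles idle for 90 days, decade-old identities, the 43-service blast radius, Super NHIs with "*" or AdministratorAccess) and the sweep recommended in the last bullet above are the same audit seen from two sides. The following is an added example, not Entro's code and not from the report, showing how to compute those flags from an IAM-style role inventory. It runs over a constructed list of four roles (names, dates, ARNs and policy documents are all invented for this example) and produces per-role findings, the summary counts the report quotes, and a sweep order that puts idle admin roles first.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Constructed inventory standing in for an IAM role export joined with
# "last used" data. Every name, date and ARN below is invented for this example.
AS_OF = date(2025, 6, 30)
ADMIN_MANAGED = "arn:aws:iam::aws:policy/AdministratorAccess"

SAMPLE_ROLES = [
    {"name": "ci-deploy-role", "created": "2024-09-10", "last_used": "2025-06-20",
     "managed_policies": [],
     "inline_policies": [{"Statement": [
         {"Effect": "Allow", "Action": ["s3:PutObject", "ecr:*"],
          "Resource": ["arn:aws:s3:::example-artifacts/*", "*"]}]}]},
    {"name": "legacy-batch-role", "created": "2019-02-01", "last_used": "2024-11-01",
     "managed_policies": [ADMIN_MANAGED],  # full admin via managed policy
     "inline_policies": []},
    {"name": "data-pipeline-role", "created": "2023-01-15", "last_used": "2025-05-15",
     "managed_policies": [],
     "inline_policies": [{"Statement": [
         {"Effect": "Allow",
          "Action": ["ec2:*", "rds:*", "secretsmanager:GetSecretValue", "lambda:InvokeFunction"],
          "Resource": "*"}]}]},
    {"name": "orphan-role", "created": "2015-03-01", "last_used": None,  # never used
     "managed_policies": [],
     "inline_policies": [{"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}]},
]


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allow_statements(role: dict):
    for doc in role.get("inline_policies", []):
        for st in _as_list(doc.get("Statement", [])):
            if st.get("Effect") == "Allow":
                yield st


def is_super_nhi(role: dict) -> bool:
    """Full admin: AdministratorAccess attached, or an Allow of Action '*' on Resource '*'."""
    if ADMIN_MANAGED in role.get("managed_policies", []):
        return True
    for st in _allow_statements(role):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


def services_reachable(role: dict) -> FrozenSet[str]:
    """Service prefixes the role can touch (the 'blast radius' count); '*' means all."""
    if ADMIN_MANAGED in role.get("managed_policies", []):
        return frozenset({"*"})
    services = set()
    for st in _allow_statements(role):
        for action in _as_list(st.get("Action", [])):
            services.add(action.split(":", 1)[0])
    return frozenset(services)


@dataclass(frozen=True)
class RoleFinding:
    name: str
    age_days: int
    days_since_use: Optional[int]   # None when the role has never been used
    inactive: bool
    super_nhi: bool
    services: FrozenSet[str]


def audit(roles: List[dict], as_of: date = AS_OF, inactive_after: int = 90) -> List[RoleFinding]:
    findings = []
    for r in roles:
        created = date.fromisoformat(r["created"])
        last = date.fromisoformat(r["last_used"]) if r.get("last_used") else None
        since = (as_of - last).days if last else None
        findings.append(RoleFinding(
            name=r["name"], age_days=(as_of - created).days, days_since_use=since,
            inactive=since is None or since > inactive_after,
            super_nhi=is_super_nhi(r), services=services_reachable(r)))
    return findings


def summarize(findings: List[RoleFinding]) -> Dict[str, int]:
    """The headline counts the report quotes, computed from the findings."""
    return {
        "roles": len(findings),
        "inactive": sum(f.inactive for f in findings),
        "super_nhi": sum(f.super_nhi for f in findings),
        "older_than_year": sum(f.age_days > 365 for f in findings),
        "older_than_decade": sum(f.age_days > 3650 for f in findings),
    }


def prioritized(findings: List[RoleFinding]) -> List[RoleFinding]:
    """Sweep order: admin first, then idle, then longest idle, then widest reach."""
    def key(f: RoleFinding):
        idle = f.days_since_use if f.days_since_use is not None else 10 ** 9
        return (f.super_nhi, f.inactive, idle, len(f.services))
    return sorted(findings, key=key, reverse=True)


if __name__ == "__main__":
    results = audit(SAMPLE_ROLES)
    for f in prioritized(results):
        print(f"{f.name:20} admin={f.super_nhi!s:5} inactive={f.inactive!s:5} "
              f"idle_days={f.days_since_use} services={sorted(f.services)}")
    print(summarize(results))
```

In a real sweep the inventory would come from IAM role listings and access-advisor style "last used" data rather than a literal, and the `inactive_after` window would be tuned to the 90-day cut-off the report uses; the flags, the summary and the ordering stay the same.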
You can download the full report here: https://lp.entro.security/nhi-secrets-risk-report-h1-2025