This is part 3 in our series on non-human identity (NHI) governance. In this post, we focus on one of the most persistent risks in production infrastructure: static credentials and standing privilege.
Static credentials are still at large in most environments, and many enable dangerously over-permissioned and under-governed access to sensitive systems and data: API keys, tokens, and service-account passwords that rarely expire, rotate, or trigger alerts when compromised. Non-human identities often rely on secrets that outlive their purpose. This post shows how to replace static credentials with governed, ephemeral access, an essential first step toward stronger NHI security.
The hidden risk beneath the cloud
We’ve spent the last decade trying to harden the cloud: isolated workloads, segmented networks, human access gated with SSO, MFA, and granular roles. Yet standing privilege continues to proliferate and lurk in the background. It’s buried in Terraform modules, CI/CD configurations, scripts, and internal documents.
Despite repeated breaches tied to exposed secrets, most organizations still fail to treat them as an access risk. Few have formal offboarding or rotation processes for secrets, and many rely solely on vaults. Let’s get into why vaults can create a false sense of security.
Vaulting is not governance
Vaulting secrets is important. But it’s not governance – and it’s certainly not robust NHI access management. Storing credentials in a secrets manager does protect them from plaintext exposure. But it doesn’t track whether they’re still in use. It doesn’t tie them to a specific owner. It doesn’t expire them, rotate them automatically, or revoke access if the service they belong to gets deprecated. In other words, it does not manage and govern the entire lifecycle.
While vaults have helped teams point to where secrets are stored, they have not solved the harder questions of where those secrets are actually used and how much access they grant to both human and non-human identities.
As infrastructure scaled, credential sprawl and manual rotations became bottlenecks. Vaults still work in on-prem infrastructure, albeit fragile and slow, but fall short in dynamic cloud environments, leaving persistent entitlements unmanaged and encouraging developers to bypass controls. Secrets have a tendency to drift too. They’re copied between repos, reused across environments, embedded into containers, and passed around in CI/CD pipelines. Even when vaulted, they often remain long-lived, over-permissioned, and entirely unmonitored.
This is where many NHI problems begin: unmanaged privilege that persists through static credentials without any oversight.
From static to ephemeral
Once a static credential is created (an API key, a long-lived token, a service account password), it tends to stay right where it was dropped. And because it’s working (the build runs, the deployment succeeds, no errors are triggered), no one wants to touch it for fear of slowing down the business.
It’s time teams adopt a fundamentally different approach: bring these static credentials into the light so that the access lifecycle of the NHIs that use them can be managed effectively, and enforce ephemeral, least-privileged access for every non-human identity.
As Lalit Choda outlines in his Non-Human Identity Lifecycle framework, ephemeral access is essential for breaking long-lived risk and moving toward accountable, policy-driven NHI practices.
What good looks like in practice
True NHI governance treats every credential as an access-granting entity throughout its lifecycle:
- Assign ownership at creation. Every credential should have an accountable owner.
- Define scope with least-privilege policy. Access should be limited to only the systems, environments, and actions required.
- Automate Just-In-Time access. No credential should live indefinitely.
- Automate rotation and revocation. Credentials should be updated or retired automatically when access is no longer needed.
- Monitor for drift and violations. Detect credentials created outside governance policies and treat them as policy violations.
Platforms like P0 Security help enforce these practices consistently and contextually, providing ownership, automated JIT, and drift detection through a continuous, identity-first access control engine.
Organizations that want to govern NHIs at scale should consider this approach.
Start cleaning up the NHI mess
Here is a maturity path for making steady, deliberate changes to how you manage the lifecycles of credentials to help reduce risk and reestablish control over NHIs:
Step 1: Start with an audit
Using tools like AWS CloudTrail can get you started here, but something purpose-built for access governance, like P0, will provide more context and can see across all identity types, systems, and production resources.
Step 2: Roll out federated identity
Replace static keys with role assumption or identity federation via Okta, Google Workspace, or IAM federation. This removes the need for hardcoded secrets entirely.
Step 3: Restrict new static credentials
Use service control policies (SCPs) in your cloud service provider (CSP) to set permission boundaries, or CI/CD guardrails to block the creation of net-new long-lived credentials.
Step 4: Automate secrets rotation
Certain secrets cannot be removed, for example because they are used by an app that does not support workload identity federation. Automating the rotation of these secrets requires ownership assignment and concrete governance policies.
Step 5: Manage access, not credentials
NHI credentials should be short-lived (see step 2), and on an ongoing basis you should use identity-first access control engines like P0 to continuously manage the access lifecycle of NHIs alongside human users.
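The audit in Step 1 and the ongoing drift check in Step 5, as an added example that is neither the post's nor P0's own code: a Python script that reads an IAM credential report in the column layout AWS produces (a constructed four-user sample is embedded) and flags active access keys that are past a rotation age, have never been used, or have sat idle. The 90-day and 30-day thresholds and the user names are assumptions, not values from the post.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed policy thresholds (not from the post): a key older than MAX_KEY_AGE
# breaks rotation; one unused longer than MAX_IDLE is unevidenced standing privilege.
MAX_KEY_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=30)

# Constructed sample in the column layout of an AWS IAM credential report
# (only the columns used here are kept; real reports carry many more).
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,true,2021-03-01T10:00:00+00:00,2024-05-30T08:12:00+00:00
etl-batch,arn:aws:iam::123456789012:user/etl-batch,true,2024-04-01T09:00:00+00:00,N/A
svc-reports,arn:aws:iam::123456789012:user/svc-reports,true,2024-04-01T12:00:00+00:00,2024-04-20T00:00:00+00:00
legacy-app,arn:aws:iam::123456789012:user/legacy-app,false,2020-01-15T12:00:00+00:00,N/A
"""

def _parse_ts(value):
    """Return a tz-aware datetime, or None for AWS's 'N/A' / 'no_information'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def find_standing_privilege(report_csv, now):
    """Return (user, finding) tuples for active keys that break a threshold.
    Inactive keys are skipped: they grant nothing and belong to a separate cleanup list."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["access_key_1_active"] != "true":
            continue  # deactivated key: not standing privilege
        rotated = _parse_ts(row["access_key_1_last_rotated"])
        last_used = _parse_ts(row["access_key_1_last_used_date"])
        if rotated is not None and now - rotated > MAX_KEY_AGE:
            findings.append((row["user"], f"key_older_than_{MAX_KEY_AGE.days}d"))
        if last_used is None:
            findings.append((row["user"], "key_never_used"))  # no consumer ever seen
        elif now - last_used > MAX_IDLE:
            findings.append((row["user"], f"key_idle_over_{MAX_IDLE.days}d"))
    return findings

def audit_sample(as_of="2024-06-01T00:00:00+00:00"):
    """Run the audit over the constructed report at a fixed reference time."""
    return find_standing_privilege(SAMPLE_REPORT, datetime.fromisoformat(as_of))

if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Each finding maps to a step in the maturity path: an old key needs rotation or replacement by federation, a never-used or idle key has no evidenced consumer and is a candidate for revocation.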
Governance isn’t a one-time cleanup process. It’s an always-on effort. Each of these steps helps bring NHIs under control by minimizing persistence, addressing drift, improving auditability, and reinforcing the principle of least privilege throughout the access lifecycle.
Conclusion: Secrets Are Where NHI Governance Begins
We like to say identity is the new perimeter. In the cloud, Non-Human Identities (NHIs) are the fastest-growing identity and credentials are often their front door. Static credentials, secrets in particular, grant persistent access but without ownership, expiration, or oversight. That makes secrets the most dangerous element of NHI access: privileged, persistent and ungoverned.
The answer isn’t more vaulting. It’s governance. If a secret can live forever, it can be exploited forever. And if it grants access to production, it’s not just a credential, it’s privileged access that must be scoped, ephemeral, and accountable by design.
Watch P0’s recent webinar with Wiz, Shared Secrets to Zero Standing Privilege, for a deeper dive on this subject.
About the Author: Kelsey Brazill is the Head of Product Marketing at P0 Security.
About the Company: P0 Security is the Unified Access Control Plane, redefining how security teams manage the production access lifecycle across modern infrastructure. Unlike legacy approaches that stitch together PAM, IGA, CIEM, and ISPM, P0 delivers privilege visibility, just-in-time access, and API-driven orchestration in a single solution, purpose-built for production environments to achieve zero touch production. At the core is P0’s continuously updated Access Graph and Identity DNA layer, giving teams real-time insight and control across all identities, resources and environments, spanning multi-cloud and hybrid infrastructure. With P0, production access is secure and auditable, from humans to service accounts to agents. Deployed across cloud-native startups, hybrid enterprises and global financial institutions, P0 goes live in under 60 days. No portals, proxies, or patchy workflows required. To explore P0 Security further and book a demo, visit p0.dev