Machine identity · credential sprawl

Your secrets outnumber yourpeople. Can you kill a leaked one?

Service accounts, API keys, tokens, OAuth apps, and agent credentials now outnumber humans many times over — the fastest-growing attack surface there is. Grade each class on the six controls that decide whether a leaked or orphaned secret stays a non-event or becomes a breach.

Get the Gate — $79one-time · instant download · yours to keep

Not a scanner or security audit. This grades your non-human-identity governance from your own marks — it finds no keys, stores nothing, revokes nothing, scores no people, and guarantees no outcome. It is distinct from the AI Agent & Connector Access Auditor. Validate high-stakes identity classes with your security team.

Five deliverables · runnable
Runnable Python engine
stdlib
NHI governance workbook
.xlsx
Inventory & Triage Playbook
.docx
Credential-Hardening Runbook
.docx
5-class worked sample
.csv
Works alongside
Connector Access Auditor · Go-Live Gate · Red Team Kit
01.The Problem

The credential you forgot about is the one that gets you.

Many-to-1

machine identities now outnumber human ones in most orgs — and each is a credential someone has to govern.

Orphaned

the credential nobody owns is the one that never gets rotated, never gets scoped, and never gets revoked.

Reachable + un-killable

the breach isn't a leaked key alone — it's a leaked key you can't shut off. That pairing is the whole game.

Non-human-identity security is a chain. A perfectly scoped, perfectly rotated key you can't revoke is still a breach waiting to happen; an inventory you don't have hides every other gap. This Gate grades the weakest link, not the comforting average, class by class.

02.See It Work

Mean 83%. Verdict UNMANAGED. That gap is the point.

Try it — CI/CD & deploy keys

Mark each control. The verdict is the weakest link, not the average — and two controls (★) form the leaked-key gate.

Inventory / discovery of every machine identity
Each identity has a named human owner
Least-privilege scope (not broad / admin)
Rotation & expiry (credentials are not eternal)
Secrets vaulted, not hardcoded in repos / config
A working revocation / offboarding path
UNMANAGEDmean 83% · context only

Gate tripped: these secrets are neither fully vaulted nor fully revocable — a leaked key here is both reachable and un-killable. UNMANAGED regardless of the average. Vault it or wire a revocation path to release.

Fix first: Vault secrets (stop hardcoding).

Grades the setup, never people. Not a secret scanner or vault. Runs offline in the workbook and engine.

03.What's Inside

A runnable engine, a workbook that reproduces it, and two playbooks.

The verdict comes three ways — Python engine, Excel workbook, and on-page demo, byte-for-byte identical. Here is the engine's real output on the five-class sample:

====================================================================
NON-HUMAN IDENTITY & CREDENTIAL SPRAWL GATE
Grades the setup, not people. Not a scanner, vault, or discovery tool.
====================================================================

  IDENTITY CLASS: CI/CD & deploy keys
  Verdict: UNMANAGED   (weakest control; mean 83% for context)
  >> GATE: secrets are neither fully vaulted nor fully revocable —
     a leaked key here is both reachable and un-killable. UNMANAGED
     regardless of the rest. Vault it OR wire a revocation path to release.
  Fix first: Secrets vaulted, not hardcoded in repos / config
  Controls:
    [2] GOVERNED  Inventory / discovery of every machine identity & secret
    [2] GOVERNED  Each identity has a named human owner
    [2] GOVERNED  Least-privilege scope (not broad / admin)
    [2] GOVERNED  Rotation & expiry (credentials are not eternal)
    [1] PARTIAL   Secrets vaulted, not hardcoded in repos / config  <-- gate
    [1] PARTIAL   A working revocation / offboarding path (kill it fast)  <-- gate

  IDENTITY CLASS: Third-party SaaS API tokens
  Verdict: SPRAWLING   (weakest control; mean 67% for context)
  Fix first: Secrets vaulted, not hardcoded in repos / config
  Controls:
    [2] GOVERNED  Inventory / discovery of every machine identity & secret
    [1] PARTIAL   Each identity has a named human owner
    [1] PARTIAL   Least-privilege scope (not broad / admin)
    [1] PARTIAL   Rotation & expiry (credentials are not eternal)
    [1] PARTIAL   Secrets vaulted, not hardcoded in repos / config  <-- gate
    [2] GOVERNED  A working revocation / offboarding path (kill it fast)  <-- gate

  IDENTITY CLASS: Service accounts (cloud IAM)
  Verdict: SPRAWLING   (weakest control; mean 83% for context)
  Fix first: A working revocation / offboarding path (kill it fast)
  Controls:
    [2] GOVERNED  Inventory / discovery of every machine identity & secret
    [2] GOVERNED  Each identity has a named human owner
    [1] PARTIAL   Least-privilege scope (not broad / admin)
    [2] GOVERNED  Rotation & expiry (credentials are not eternal)
    [2] GOVERNED  Secrets vaulted, not hardcoded in repos / config  <-- gate
    [1] PARTIAL   A working revocation / offboarding path (kill it fast)  <-- gate

  IDENTITY CLASS: Agent / bot credentials
  Verdict: UNMANAGED   (weakest control; mean 42% for context)
  >> GATE: secrets are neither fully vaulted nor fully revocable —
     a leaked key here is both reachable and un-killable. UNMANAGED
     regardless of the rest. Vault it OR wire a revocation path to release.
  Fix first: Rotation & expiry (credentials are not eternal)
  Controls:
    [1] PARTIAL   Inventory / discovery of every machine identity & secret
    [1] PARTIAL   Each identity has a named human owner
    [1] PARTIAL   Least-privilege scope (not broad / admin)
    [0] OPEN      Rotation & expiry (credentials are not eternal)
    [1] PARTIAL   Secrets vaulted, not hardcoded in repos / config  <-- gate
    [1] PARTIAL   A working revocation / offboarding path (kill it fast)  <-- gate

  IDENTITY CLASS: Internal microservice secrets
  Verdict: GOVERNED   (weakest control; mean 100% for context)
  Controls:
    [2] GOVERNED  Inventory / discovery of every machine identity & secret
    [2] GOVERNED  Each identity has a named human owner
    [2] GOVERNED  Least-privilege scope (not broad / admin)
    [2] GOVERNED  Rotation & expiry (credentials are not eternal)
    [2] GOVERNED  Secrets vaulted, not hardcoded in repos / config  <-- gate
    [2] GOVERNED  A working revocation / offboarding path (kill it fast)  <-- gate

--------------------------------------------------------------------
  ORG: UNMANAGED   (2 of 5 unmanaged, exposure rate 40%)
  Worst identity class to fix first: Agent / bot credentials
--------------------------------------------------------------------
Inventory / discovery

Every machine identity and secret is actually inventoried — you can't govern, rotate, or revoke what you can't see.

Named owner

Each identity has a human owner. Orphaned credentials nobody owns are where sprawl lives and offboarding fails.

Least-privilege scope

Scoped to the minimum it needs, not a broad or admin grant that turns one leaked key into full access.

Rotation & expiry

Credentials rotate on a schedule and expire — an eternal key is a permanent liability the day it leaks.

Vaulted, not hardcodedgate

Secrets live in a vault or secret manager, not hardcoded in repos, config, or CI logs. The first gate control.

Revocation pathgate

A working way to kill any identity fast — on a leak or an offboarding. The second gate control.

04.The Standard

The weakest link is the headline. The gate names the catastrophe.

Weakest control = the verdict

NHI security is a chain, so the headline is the weakest of the six controls, not the average. A class can average 83% and still read UNMANAGED — and that's the honest read, not a harsh one.

A gate for the leaked key

When secrets are both un-vaulted and un-revocable — reachable and un-killable at once — the class is UNMANAGED even if the weakest-link rule alone would read SPRAWLING. Vault it or wire revocation and it releases.

It grades setup, not people

Every verdict points to a control to harden — an inventory to build, a vault to adopt, a revocation path to wire — never a judgment of whoever owns the credential. Sometimes the answer is to retire a class entirely.

05.What It Is — And Isn't

A governance gate, not a scanner.

What it is
  • A deterministic, offline gate that grades your NHI governance from your own marks, class by class.
  • A way to find the one control to harden first for each identity class, before a breach.
  • A review aid for anyone who owns service accounts, keys, tokens, and bot credentials at scale.
What it isn't
  • Not a secret scanner, a credential discovery tool, a vault, or a CSPM.
  • Not the AI Agent & Connector Access Auditor (that grades a connection's reach) — this grades the credentials behind it.
  • Not a clearance or a guarantee no key leaks, and not legal advice.

Not a scanner or security audit. This grades your non-human-identity governance from your own marks — it finds no keys, stores nothing, revokes nothing, scores no people, and guarantees no outcome. It is distinct from the AI Agent & Connector Access Auditor. Validate high-stakes identity classes with your security team.

06.Who It's For

Anyone who owns more secrets than they can name.

  • Platform & DevOps leads drowning in service accounts, CI/CD keys, and microservice secrets.
  • Security & IT who need a repeatable governance baseline per identity class.
  • Founders & CTOs wiring up agents and bots that each need their own credential.
  • Teams adopting AI agents that multiply non-human identities faster than anyone is tracking.
  • Anyone post-incident who found an orphaned key and wants to know where the rest are.
  • Auditors & vCISOs needing a structured NHI posture read across classes.
08.Common Questions

The honest answers.

No. It is not a secret scanner, a credential discovery tool, a vault, or a CSPM, and it connects to nothing. It grades whether your non-human-identity governance is sound — whether each class of machine identity is inventoried, owned, scoped, rotated, vaulted, and revocable — from your own answers about six controls. It points you at the work to do; the scanning, vaulting, and revoking happen in your own tools.

Find the key you can't kill
before someone else does.

Grade every identity class, harden the named control first, and make sure no secret is both reachable and un-killable. One purchase, lifetime access, 12 months of updates. $79, once.

Not a scanner or security audit. This grades your non-human-identity governance from your own marks — it finds no keys, stores nothing, revokes nothing, scores no people, and guarantees no outcome. It is distinct from the AI Agent & Connector Access Auditor. Validate high-stakes identity classes with your security team.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai