Your secrets outnumber yourpeople. Can you kill a leaked one?
Service accounts, API keys, tokens, OAuth apps, and agent credentials now outnumber humans many times over — the fastest-growing attack surface there is. Grade each class on the six controls that decide whether a leaked or orphaned secret stays a non-event or becomes a breach.
Not a scanner or security audit. This grades your non-human-identity governance from your own marks — it finds no keys, stores nothing, revokes nothing, scores no people, and guarantees no outcome. It is distinct from the AI Agent & Connector Access Auditor. Validate high-stakes identity classes with your security team.
The credential you forgot about is the one that gets you.
machine identities now outnumber human ones in most orgs — and each is a credential someone has to govern.
the credential nobody owns is the one that never gets rotated, never gets scoped, and never gets revoked.
the breach isn't a leaked key alone — it's a leaked key you can't shut off. That pairing is the whole game.
Non-human-identity security is a chain. A perfectly scoped, perfectly rotated key you can't revoke is still a breach waiting to happen; an inventory you don't have hides every other gap. This Gate grades the weakest link, not the comforting average, class by class.
Mean 83%. Verdict UNMANAGED. That gap is the point.
Mark each control. The verdict is the weakest link, not the average — and two controls (★) form the leaked-key gate.
Gate tripped: these secrets are neither fully vaulted nor fully revocable — a leaked key here is both reachable and un-killable. UNMANAGED regardless of the average. Vault it or wire a revocation path to release.
Fix first: Vault secrets (stop hardcoding).
Grades the setup, never people. Not a secret scanner or vault. Runs offline in the workbook and engine.
A runnable engine, a workbook that reproduces it, and two playbooks.
The verdict comes three ways — Python engine, Excel workbook, and on-page demo, byte-for-byte identical. Here is the engine's real output on the five-class sample:
====================================================================
NON-HUMAN IDENTITY & CREDENTIAL SPRAWL GATE
Grades the setup, not people. Not a scanner, vault, or discovery tool.
====================================================================
IDENTITY CLASS: CI/CD & deploy keys
Verdict: UNMANAGED (weakest control; mean 83% for context)
>> GATE: secrets are neither fully vaulted nor fully revocable —
a leaked key here is both reachable and un-killable. UNMANAGED
regardless of the rest. Vault it OR wire a revocation path to release.
Fix first: Secrets vaulted, not hardcoded in repos / config
Controls:
[2] GOVERNED Inventory / discovery of every machine identity & secret
[2] GOVERNED Each identity has a named human owner
[2] GOVERNED Least-privilege scope (not broad / admin)
[2] GOVERNED Rotation & expiry (credentials are not eternal)
[1] PARTIAL Secrets vaulted, not hardcoded in repos / config <-- gate
[1] PARTIAL A working revocation / offboarding path (kill it fast) <-- gate
IDENTITY CLASS: Third-party SaaS API tokens
Verdict: SPRAWLING (weakest control; mean 67% for context)
Fix first: Secrets vaulted, not hardcoded in repos / config
Controls:
[2] GOVERNED Inventory / discovery of every machine identity & secret
[1] PARTIAL Each identity has a named human owner
[1] PARTIAL Least-privilege scope (not broad / admin)
[1] PARTIAL Rotation & expiry (credentials are not eternal)
[1] PARTIAL Secrets vaulted, not hardcoded in repos / config <-- gate
[2] GOVERNED A working revocation / offboarding path (kill it fast) <-- gate
IDENTITY CLASS: Service accounts (cloud IAM)
Verdict: SPRAWLING (weakest control; mean 83% for context)
Fix first: A working revocation / offboarding path (kill it fast)
Controls:
[2] GOVERNED Inventory / discovery of every machine identity & secret
[2] GOVERNED Each identity has a named human owner
[1] PARTIAL Least-privilege scope (not broad / admin)
[2] GOVERNED Rotation & expiry (credentials are not eternal)
[2] GOVERNED Secrets vaulted, not hardcoded in repos / config <-- gate
[1] PARTIAL A working revocation / offboarding path (kill it fast) <-- gate
IDENTITY CLASS: Agent / bot credentials
Verdict: UNMANAGED (weakest control; mean 42% for context)
>> GATE: secrets are neither fully vaulted nor fully revocable —
a leaked key here is both reachable and un-killable. UNMANAGED
regardless of the rest. Vault it OR wire a revocation path to release.
Fix first: Rotation & expiry (credentials are not eternal)
Controls:
[1] PARTIAL Inventory / discovery of every machine identity & secret
[1] PARTIAL Each identity has a named human owner
[1] PARTIAL Least-privilege scope (not broad / admin)
[0] OPEN Rotation & expiry (credentials are not eternal)
[1] PARTIAL Secrets vaulted, not hardcoded in repos / config <-- gate
[1] PARTIAL A working revocation / offboarding path (kill it fast) <-- gate
IDENTITY CLASS: Internal microservice secrets
Verdict: GOVERNED (weakest control; mean 100% for context)
Controls:
[2] GOVERNED Inventory / discovery of every machine identity & secret
[2] GOVERNED Each identity has a named human owner
[2] GOVERNED Least-privilege scope (not broad / admin)
[2] GOVERNED Rotation & expiry (credentials are not eternal)
[2] GOVERNED Secrets vaulted, not hardcoded in repos / config <-- gate
[2] GOVERNED A working revocation / offboarding path (kill it fast) <-- gate
--------------------------------------------------------------------
ORG: UNMANAGED (2 of 5 unmanaged, exposure rate 40%)
Worst identity class to fix first: Agent / bot credentials
--------------------------------------------------------------------Every machine identity and secret is actually inventoried — you can't govern, rotate, or revoke what you can't see.
Each identity has a human owner. Orphaned credentials nobody owns are where sprawl lives and offboarding fails.
Scoped to the minimum it needs, not a broad or admin grant that turns one leaked key into full access.
Credentials rotate on a schedule and expire — an eternal key is a permanent liability the day it leaks.
Secrets live in a vault or secret manager, not hardcoded in repos, config, or CI logs. The first gate control.
A working way to kill any identity fast — on a leak or an offboarding. The second gate control.
The weakest link is the headline. The gate names the catastrophe.
NHI security is a chain, so the headline is the weakest of the six controls, not the average. A class can average 83% and still read UNMANAGED — and that's the honest read, not a harsh one.
When secrets are both un-vaulted and un-revocable — reachable and un-killable at once — the class is UNMANAGED even if the weakest-link rule alone would read SPRAWLING. Vault it or wire revocation and it releases.
Every verdict points to a control to harden — an inventory to build, a vault to adopt, a revocation path to wire — never a judgment of whoever owns the credential. Sometimes the answer is to retire a class entirely.
A governance gate, not a scanner.
- A deterministic, offline gate that grades your NHI governance from your own marks, class by class.
- A way to find the one control to harden first for each identity class, before a breach.
- A review aid for anyone who owns service accounts, keys, tokens, and bot credentials at scale.
- Not a secret scanner, a credential discovery tool, a vault, or a CSPM.
- Not the AI Agent & Connector Access Auditor (that grades a connection's reach) — this grades the credentials behind it.
- Not a clearance or a guarantee no key leaks, and not legal advice.
Not a scanner or security audit. This grades your non-human-identity governance from your own marks — it finds no keys, stores nothing, revokes nothing, scores no people, and guarantees no outcome. It is distinct from the AI Agent & Connector Access Auditor. Validate high-stakes identity classes with your security team.
Anyone who owns more secrets than they can name.
- Platform & DevOps leads drowning in service accounts, CI/CD keys, and microservice secrets.
- Security & IT who need a repeatable governance baseline per identity class.
- Founders & CTOs wiring up agents and bots that each need their own credential.
- Teams adopting AI agents that multiply non-human identities faster than anyone is tracking.
- Anyone post-incident who found an orphaned key and wants to know where the rest are.
- Auditors & vCISOs needing a structured NHI posture read across classes.
Govern the credentials, then the reach and the runtime.
The reach layer: audit what each connected agent, MCP server, and OAuth connector can actually read and write.
ViewGrade an agent against the operational controls it needs before it touches real users or live systems.
ViewRun OWASP-mapped probes against a live app to see what an attacker could actually get an agent to do.
ViewThe honest answers.
Find the key you can't kill
before someone else does.
Grade every identity class, harden the named control first, and make sure no secret is both reachable and un-killable. One purchase, lifetime access, 12 months of updates. $79, once.
Not a scanner or security audit. This grades your non-human-identity governance from your own marks — it finds no keys, stores nothing, revokes nothing, scores no people, and guarantees no outcome. It is distinct from the AI Agent & Connector Access Auditor. Validate high-stakes identity classes with your security team.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai