The Credentials Nobody's Managing
Non-human identities outnumber employees 82-to-1, and 91% survive off-boarding. A four-step audit to find the ghost credentials in your stack.
Your company has ghost employees. They show up every day, connect to production databases, access customer records, and push code to your repositories. They never take a sick day. They never complain. Nobody manages them because they aren’t people.
They’re API keys, service accounts, and machine tokens - the credentials that keep your systems running. SpyCloud recaptured 18.1 million exposed API keys and tokens from criminal marketplaces in 2025. OWASP released its first-ever Non-Human Identity Top 10, ranking Improper Offboarding as the number one risk.
Your team enforces MFA. You run access reviews. You offboard employees when they leave. But the credentials that outnumber those employees by more than eighty to one? Those ghost employees keep working long after their creators have moved on.
What Are Non-Human Identities?
Non-human identities are every credential in your environment that isn’t tied to a person - API keys, service accounts, OAuth tokens, machine-to-machine certificates, CI/CD secrets, and increasingly, AI agent tokens. They outnumber human identities 82-to-1 at the average company, per CyberArk’s 2025 research. Other studies put the ratio even higher, and the gap is widening fast.
These aren’t exotic. If you’ve connected Stripe, deployed a GitHub Action, configured a Terraform resource, or integrated an AI tool, you’ve created non-human identities. Every SaaS integration, every CI/CD pipeline, every cloud resource comes with credentials that operate independently of anyone on your team.
Startups generate these faster per capita than large companies. You’re cloud-native by default. You integrate aggressively. You move fast on tool adoption. That velocity is a strength - until you realize nobody’s tracking the credentials each integration creates. And the data on what happens next isn’t reassuring.
Why Do Startups Have a Bigger NHI Problem Than They Think?
Startups create NHIs at a rate that outpaces their ability to track them, because every integration, deployment, and AI tool adds credentials that nobody categorizes as “identities.” The governance gaps are severe.
Think about how your offboarding works today. HR revokes the employee’s email. IT disables their SSO. Maybe someone remembers to remove their Slack account. But what about the API key they created to connect your CRM to your billing system? The service account they set up for the CI/CD pipeline? The OAuth token they authorized for an AI tool?
Those ghost employees keep working.
The AI adoption wave is making this worse. GitGuardian found that AI-service secret leaks nearly doubled year over year in 2025. Every time your team connects an AI coding assistant, a customer service bot, or an agent framework, they create credentials that need the same governance as human identities. Most teams don’t even think of them that way.
A recent CSA and Token Security survey found that 82% of enterprises have unknown AI agents operating in their environments. If enterprises with dedicated security teams can’t track their AI agent credentials, a startup with no security staff is flying blind.
What Does OWASP Say About NHI Risks?
The NHI Top 10 that OWASP published in 2025 places Improper Offboarding at number one and Secret Leakage at number two. That ranking confirms what the data already showed - the credential lifecycle is now a recognized attack surface.
OWASP doesn’t create Top 10 lists lightly. They’ve maintained the Web Application Security Top 10 since 2003, and adding a new category means the problem has reached a scale that the security community can no longer ignore. Building one specifically for non-human identities signals that NHI is no longer a niche concern for large enterprises with dedicated IAM teams. It’s a primary attack vector that applies to companies of every size.
The scale backs that up. The number of hardcoded secrets on public GitHub jumped by more than a third in 2025 alone. The problem isn’t limited to public code, either. Nearly a third of exposed secrets appeared in internal repositories, where teams assume they’re safe. And more than a quarter of incidents originated outside source code entirely - in Slack messages, Jira tickets, and Confluence pages.
When I see that data, I think about the startups I’ve worked with that keep API keys in shared Slack channels. OWASP just told you that’s a Top 10 risk.
What Happens When Nobody Manages These Credentials?
Credential-based breaches cost an average of $4.81 million and take 292 days to detect - the longest of any attack vector, per IBM’s 2024 Cost of a Data Breach report. Roughly half of organizations have already experienced a security incident from compromised machine identities, per CyberArk.
The reason these breaches take so long to find is that there’s nothing to catch. A stolen API key doesn’t trigger an MFA challenge. It doesn’t generate an unusual login location alert. It doesn’t behave differently from its normal use pattern. It just works, silently, until someone notices the damage.
The problem is accelerating.
For a startup, a breach at that scale isn’t a quarterly earnings dip. It’s the company. A single leaked API key that grants access to your customer database, your payment processor, and your infrastructure can cause damage that seed-stage capital can’t absorb.
I’ve seen this firsthand. During a vendor rotation at a startup I was advising, we discovered API keys with production database access that belonged to an engineer who had left eight months earlier. Those keys had more access than anyone currently on the team. Nobody knew they existed because nobody had ever inventoried them.
That’s the pattern. Not a sophisticated attack - just a credential that outlived the person who created it, sitting quietly with the keys to production.
Can’t You Just Buy a Tool for This?
Enterprise security has an answer to this problem. It’s called Privileged Access Management - PAM for short. Vendors like CyberArk, Delinea, and BeyondTrust sell platforms that vault credentials, enforce rotation policies, and log every privileged session. If you’re a Fortune 500 bank, PAM is table stakes. If you’re a 30-person startup, PAM is a six-figure annual contract, a months-long deployment, and a full-time engineer to operate it.
Think of PAM like a commercial building’s access control system - badge readers on every door, security cameras, visitor logs, a guard at the front desk. It works beautifully when you have a building manager and a security budget. It’s absurd for a four-bedroom house.
A newer category of NHI-specific platforms has emerged to address the machine identity problem directly. Companies like Astrix, Entro, and Token Security focus on discovering non-human identities, mapping their access, and flagging lifecycle risks. They’re closer to the right problem, but they’re still built for organizations with a security team to triage the findings. Pricing starts at mid-market and scales up.
Then there are secrets managers - HashiCorp Vault, AWS Secrets Manager, Doppler. These are the one category a startup can realistically adopt early. They centralize where secrets are stored, which is genuinely useful. But they don’t discover the credentials you’ve already scattered across your environment. They don’t tell you which keys are stale. They don’t revoke anything when someone leaves. A secrets manager without a governance process is a nicer filing cabinet for credentials nobody reviews.
The tooling landscape is real, and it’s maturing fast. But every tool in it assumes someone is watching the dashboard. For a startup with no dedicated security staff, buying a PAM platform before you’ve done a manual inventory is like installing a home security system before you’ve checked whether your doors have locks.
Start with the locks.
Where Should a Startup Start?
Start with an inventory. You can’t manage credentials you don’t know exist, and most startups have never counted their NHIs. This isn’t about building a full NHI governance program overnight - it’s about seeing the problem for the first time.
Four steps, prioritized for a team with no dedicated security staff:
1. Inventory your NHIs. Open your cloud console, your CI/CD platform, and your OAuth app authorizations. List every API key, service account, and token. The number will be larger than you expect.
2. Check your offboarding process. Does your employee offboarding checklist include NHI revocation? Only 19% of organizations have automated processes for offboarding API keys, per a CSA and Astrix Security survey. If enterprises haven’t solved this, you probably haven’t either.
3. Find stale credentials. Identify any credential older than 90 days with production access. Most valid secrets from years ago are still exploitable today. If you haven’t rotated it, assume it’s a risk.
4. Audit your AI integrations. Every AI tool your team uses - coding assistants, customer service bots, automation agents - has credentials connecting it to your systems. List them. Check their access scope. Determine who authorized them and whether that person still works here.
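To make the four steps concrete, here is an added example (not from the original article or any vendor) that runs the offboarding, staleness and AI-integration checks over a hand-built inventory. The CSV columns, the owner names, the system tags and the 90-day threshold are constructed assumptions; the inventory itself is the kind of list you would assemble in step one.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample inventory (not real data): one row per non-human identity,
# as assembled from the cloud console, CI/CD platform and OAuth app list.
# owner_active reflects the HR roster: "no" means the creator has left the company.
INVENTORY_CSV = """id,kind,owner,owner_active,last_rotated,scope,system
ak-prod-billing,api_key,alice,yes,2025-12-20,production,stripe
sa-ci-deploy,service_account,bob,no,2025-01-15,production,github-actions
oauth-ai-assistant,oauth_token,carol,yes,2025-09-20,read-only,ai-coding-assistant
ak-staging-tests,api_key,dave,no,2025-12-10,staging,aws
tok-agent-crm,oauth_token,unknown,yes,2024-06-01,production,support-agent
"""

STALE_AFTER_DAYS = 90  # the article's threshold for production credentials
AI_SYSTEMS = {"ai-coding-assistant", "support-agent"}  # hypothetical tags for AI tools


def audit(inventory_csv: str, today: date) -> dict:
    """Return findings keyed by credential id. Each value lists the lifecycle
    problems found: orphaned (creator left), no_owner (nobody to ask),
    stale (production credential not rotated within 90 days),
    ai_integration (scope and authorizer need review)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        problems = []
        if row["owner_active"] == "no":
            problems.append("orphaned")
        if row["owner"] == "unknown":
            problems.append("no_owner")
        rotated = datetime.strptime(row["last_rotated"], "%Y-%m-%d").date()
        if row["scope"] == "production" and (today - rotated).days > STALE_AFTER_DAYS:
            problems.append("stale")
        if row["system"] in AI_SYSTEMS:
            problems.append("ai_integration")
        if problems:
            findings[row["id"]] = problems
    return findings


def sample_findings() -> dict:
    """Run the audit over the constructed inventory at a fixed date."""
    return audit(INVENTORY_CSV, date(2026, 3, 1))


if __name__ == "__main__":
    for cred_id, problems in sample_findings().items():
        print(f"{cred_id}: {', '.join(problems)}")
```

Credentials with no findings (here, the recently rotated Stripe key with an active owner) are left out of the report, so what remains is the revocation and rotation worklist.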
This is the “where to look first” list, not the full playbook. But for most startups, step one alone reveals enough to change how you think about evaluating AI vendor security and managing credentials across your stack.
Why Does This Matter Right Now?
Non-human identity security is the defining topic of 2026. Identiverse is hosting the first-ever Non-Human Identity Summit on June 15. OWASP’s NHI Top 10 gives the issue institutional weight. And every startup adopting AI tools is creating NHIs faster than ever.
This connects directly to how the CISO role has changed. The security leader’s job now includes governing identities that aren’t human - and at most startups, nobody has even started.
Nearly four in five IT professionals say they feel ill-equipped to prevent attacks through non-human identities. That number should prompt action, not resignation.
Your startup has more ghost employees than real ones. Most of them have more access than they should, and almost none of them leave when the people who created them do. The fix starts with counting them, then fixing your offboarding process, then setting rotation policies. Every AI tool you adopt adds more to the roster.
Open your cloud console, your CI/CD platform, and your OAuth app list. Count what you find.
When one of those ghost employees has an incident, you’ll want to know it was on the roster.