Non-Human Identity Governance: Managing Service Accounts, API Keys, and Secrets at Scale

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Non-human identities (NHIs) are any identity that is not a person: service accounts, managed identities, API keys, OAuth clients, deploy tokens, CI/CD pipeline credentials, and database connection strings. They are provisioned faster than human accounts, audited far less often, and almost never deprovisioned when the workload they serve is retired.
The governance gap is structural. Human identity lifecycle is tied to HR processes. Joiners trigger provisioning, leavers trigger deprovisioning, and movers trigger access review. NHIs have no equivalent trigger. A service account created for a project three years ago may still be active and privileged long after the project was shut down.
This guide takes a practical approach for teams without enterprise PAM tooling. The tools described here (TruffleHog, GitHub secret scanning, AWS IAM Credential Report, AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) are either free or included in platforms you likely already pay for. The goal is a working NHI inventory with assigned owners, automated rotation for the highest-risk credentials, and SIEM rules detecting anomalous usage within 90 days.
NHI Discovery: Finding What You Do Not Know You Have
Start with four discovery channels run in parallel: source code repositories, cloud IAM, secrets vaults, and network traffic.
For repositories, run TruffleHog against every repo in your GitHub organization: trufflehog github --org=yourorg --only-verified --json > findings.json. The --only-verified flag reduces noise by testing whether detected credentials are still active before reporting them. For GitHub's native secret scanning, enable it at the organization level under Security and Analysis settings. GitHub will alert on pushes containing known secret patterns for over 200 providers and, where the provider supports it, automatically revoke the secret.
For AWS, generate the IAM Credential Report from the console or CLI: aws iam generate-credential-report && aws iam get-credential-report --query Content --output text | base64 -d > cred-report.csv. The report lists every IAM user, their access key ages, last used timestamps, and MFA status. Filter for access keys unused for more than 90 days and keys older than 365 days. These are your first rotation targets.
For Azure, use the Service Principal activity report in Entra. Cross-reference service principals against the resources they have access to using the Azure Resource Graph: resources | where type == 'microsoft.web/sites' | join kind=leftouter (authorizationresources | where type == 'microsoft.authorization/roleassignments') on subscriptionId.
For network traffic, analyze NetFlow or VPC Flow Logs for outbound connections from internal services to external API endpoints. Source IPs that are servers rather than workstations making API calls are likely NHIs that do not appear in your IAM discovery.
Ownership Assignment Model
An NHI without an owner is an NHI that will never be rotated or deprovisioned. The ownership model needs to be simple enough that engineers will actually use it.
Assign ownership at the team level, not the individual level. Individuals leave. Teams persist. Tag every NHI with two metadata fields: owner-team (the Slack team handle or organizational unit) and purpose (a one-line description of what this credential is used for and which system it authenticates to).
For AWS IAM, use resource tags on IAM users and roles. For GitHub deploy tokens, use the Notes field. For Azure service principals, use the Description field and custom attribute extensions.
Build a lightweight NHI registry as a CSV or database table with columns: credential-id, credential-type, owner-team, purpose, last-rotated, expiry-date, rotation-method (manual, automated), last-used, and status (active, dormant, deprecated). Update this registry as part of your quarterly access review process.
Dormant credentials are those unused for 90-plus days. Establish a policy: dormant credentials are disabled automatically after 90 days of inactivity and deleted after 180 days unless an owner explicitly renews them. This creates forcing functions for owners to maintain their inventory.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Rotation Automation with AWS Secrets Manager, Vault, and Azure Key Vault
Manual rotation does not scale. For any credential that authenticates to a system that supports programmatic updates, automate rotation.
AWS Secrets Manager supports native rotation for RDS, Redshift, DocumentDB, and custom Lambda-backed rotation for any other secret. Enable rotation on a schedule: aws secretsmanager rotate-secret --secret-id MySecret --rotation-rules AutomaticallyAfterDays=30. The rotation Lambda generates a new credential, tests it, updates the secret, and deprecates the old credential in sequence.
HashiCorp Vault dynamic secrets eliminate the rotation problem entirely by generating short-lived credentials on demand. For database secrets, configure a database secrets engine: vault write database/roles/my-role db_name=my-database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON mydb.* TO '{{name}}'@'%';" default_ttl=1h max_ttl=24h. Each application that calls vault read database/creds/my-role gets a unique credential that expires automatically.
Azure Key Vault supports certificate and key rotation with Event Grid triggers. For service principal client secrets, build a rotation pipeline: an Azure Function triggered by a Key Vault expiry event that generates a new client secret, updates the Key Vault secret, and updates the application configuration referencing it. Store the rotation pipeline code in your infrastructure repository so it is reviewed and versioned.
For credentials that cannot be automatically rotated (third-party APIs with manual key generation), implement rotation reminders: tag the credential with a rotation-due date, query your registry weekly, and send Slack alerts to the owner-team 14 days before expiry.
Anomalous Usage SIEM Detection Rules
Rotating credentials stops stale-credential attacks. Detecting anomalous usage of active credentials catches in-progress abuse.
For AWS, CloudTrail provides the event source. Key detection patterns: (1) API calls from unexpected source IPs for service accounts that normally call from specific VPC CIDR ranges. (2) Calls to IAM, STS, or organization APIs from non-human identities that should only be calling application-layer services. (3) Unusually high call volumes that may indicate credential stuffing or data exfiltration.
Sentinel KQL for AWS credential anomaly: AWSCloudTrail | where TimeGenerated > ago(1h) | where UserIdentityType == "IAMUser" | where UserIdentityUserName startswith "svc-" | where SourceIpAddress !startswith "10." and SourceIpAddress !startswith "172." | project TimeGenerated, UserIdentityUserName, EventName, SourceIpAddress, RequestParameters.
For Azure service principals, use Entra audit logs: AuditLogs | where TimeGenerated > ago(1h) | where InitiatedBy.app.displayName !startswith "" | where OperationName in ("Add member to role", "Update application", "Add owner to service principal") | where Result == "success".
For GitHub, monitor for personal access tokens and deploy keys used from IP addresses that do not match your CI/CD runner ranges. GitHub audit log API provides token-level detail that can be forwarded to your SIEM via webhook.
Tooling Options Without Enterprise PAM
Enterprise PAM solutions like CyberArk and BeyondTrust are effective but cost-prohibitive for many organizations. The following stack provides comparable coverage at near-zero incremental cost for organizations already in AWS, Azure, or GitHub.
For secret storage: AWS Secrets Manager (included in AWS, $0.40/secret/month) or Azure Key Vault (included in most Azure subscription tiers). For self-hosted or multi-cloud, HashiCorp Vault Community Edition is free and supports all major cloud providers.
For discovery: TruffleHog (open source), GitHub Secret Scanning (included in GitHub Advanced Security, free for public repos), AWS IAM Credential Report (free, API-based), Semgrep with secrets rules (free tier available).
For rotation: AWS Secrets Manager rotation Lambdas (AWS-managed templates available for common databases), Vault dynamic secrets engines, Azure Key Vault rotation policies.
For inventory: A Git-tracked CSV file or a simple database table is sufficient for most organizations under 5,000 NHIs. For larger inventories, tools like Clutch (open source internal platform) or Airtable (low-code) can provide a UI over the registry without requiring a dedicated PAM product.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
NHI governance is an ongoing process, not a one-time cleanup. The inventory you build today will drift within weeks as new services are deployed and new credentials are created. Embed NHI registration into your change management process so that provisioning a new service account automatically creates the registry entry, assigns the owner, and schedules the first rotation.
Frequently asked questions
How do I handle service accounts that are shared across multiple teams and have no clear owner?
Shared ownership is no ownership. If a credential is used by multiple teams, assign primary ownership to the team that created it or the team that owns the workload it authenticates to. Secondary owners from the other teams can be listed for notification purposes, but one team must be accountable for rotation and deprovisioning decisions.
What is the right rotation interval for API keys?
For high-privilege credentials (cloud provider keys with write access, database credentials), rotate every 30 days or use dynamic credentials with hourly TTLs. For low-privilege read-only credentials, 90 days is acceptable. Any credential exposed in a breach or detected in a repository scan should be rotated immediately regardless of age.
Should managed identities replace all service accounts in Azure?
Yes, where technically feasible. Managed identities eliminate the credential entirely. The identity is tied to the Azure resource, and token acquisition is handled by the Azure platform. You cannot leak a managed identity credential because there is no credential to leak. Migrate to managed identities first for any service running in Azure App Service, Azure Functions, or Azure Virtual Machines before addressing service accounts.
How do I find secrets that were committed to a private repository years ago and then deleted from the current branch?
TruffleHog scans full git history by default, not just the current HEAD. Run trufflehog git file://path/to/repo --only-verified to scan the entire commit history. GitHub Secret Scanning also retroactively scans historical commits when enabled on a repository, not just new pushes.
What is the minimum viable NHI program for a 50-person company without a dedicated IAM team?
Focus on three controls: (1) Run the AWS IAM Credential Report monthly and disable access keys unused for 90-plus days. (2) Enable GitHub Secret Scanning on all repositories. (3) Require all new service accounts to be tagged with owner and purpose at creation. These three controls address the most common attack patterns (stale credentials, exposed secrets, unowned accounts) with minimal operational overhead.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
