Entro Security report reveals critical risks in managing NHIs
Entro Security has published its 2025 State of Non-Human Identities and Secrets in Cybersecurity report.
The research focuses on the security posture of Non-Human Identities (NHIs), the service accounts, API keys and tokens that applications use to authenticate to each other, and on how the secrets behind them are managed, highlighting risks such as excessive privileges, misconfigurations, and weak secrets management practices.
The report reveals a concerning trend in how NHIs are handled. According to the research, 97% of NHIs possess excessive privileges; an over-privileged identity lets anyone who obtains its credential reach far more than the workload actually needs, broadening the attack surface. The study also found that 92% of organisations expose NHIs to third parties, which can lead to unauthorised access if a third party's security practices do not match the organisation's own standards.
One of the more alarming findings is that 44% of tokens are "exposed in the wild", that is, sent or stored on platforms such as Teams, Jira tickets, Confluence pages, and code commits rather than kept in a secrets store. Anyone with read access to the channel, ticket, page or repository (including its history) can harvest them, putting the systems they unlock at substantial risk. The report identifies this practice as a core cause of breaches involving secrets and non-human identities.
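The exposure described above is the kind a scanner over collaboration and source platforms is meant to catch. The following added example (not code from Entro or the report) runs a small credential detector over constructed sample text standing in for a Teams message, a Jira comment, a Confluence page and a commit diff; the fixed-prefix token formats are publicly documented, the generic key/value rule is backed by a Shannon-entropy threshold, and every recovered value is redacted before it is reported, because a scanner that logs the secrets it finds is itself another exposure.

```python
"""Scan text from chat, tickets, wiki pages and commits for credential-like strings.

Added example, not from the Entro report. The fixed-prefix formats below are
public, documented token shapes; the sample messages are constructed.
"""
import math
import re
from collections import Counter

# Well-known credential formats (public prefixes), plus a generic key/value catch-all.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    # <something>_key = value / secret: value / token = "value" style assignments
    "generic_assignment": re.compile(
        r"(?i)[A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above English text."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never write a recovered secret back out in full: keep a short prefix only."""
    return value[:4] + "..." + "*" * 4


def scan(source: str, text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per match, with the matched value redacted."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            # Fixed-prefix formats are high confidence; generic matches must also
            # look random, which drops placeholder strings like 'changeme'.
            if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            findings.append({"source": source, "kind": name, "redacted": redact(value)})
    return findings


# Constructed samples: a Teams message, a Jira comment, a Confluence page and a
# commit diff line. The AWS values are the placeholders from AWS's own documentation.
SAMPLES = {
    "teams:devops-channel": "can you use AKIAIOSFODNN7EXAMPLE for the staging bucket? thanks",
    "jira:OPS-1234": "Deploy is failing, token is ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8",
    "confluence:Runbook": "Set API_KEY=Lw8vR2pQ9zT4mX6bN1cK3hJ7dF5sA0eG before running the job",
    "git:commit 3f9a2c": "+    aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


def scan_all(samples=SAMPLES) -> list[dict]:
    """Scan every sample source and concatenate the findings."""
    out = []
    for src, text in samples.items():
        out.extend(scan(src, text))
    return out


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']}: {f['kind']} {f['redacted']}")
```

The entropy threshold is a trade-off: it removes noise from configuration placeholders but will also miss a genuine secret that happens to be a low-entropy passphrase, so in practice a scanner pairs these heuristics with verification against the issuing service and, above all, with revocation of anything confirmed.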
Additional key findings from the report include an average of 92 non-human identities for each human identity, a ratio that makes inventorying and governing NHIs far harder than managing user accounts and leaves more room for unmanaged credentials. Also concerning is that 91% of tokens belonging to former employees remain active: disabling a departing person's user account does not revoke the tokens they created, so those credentials outlive their owner's access.
Onboarding new vaults without security approval is also highlighted as a concern, with 50% of organisations doing so. Misconfigured vaults were found in 73% of cases, leading to unauthorised access and exposure of sensitive data. Furthermore, 60% of NHIs are overused, with the same identity shared by more than one application; a single leaked credential then compromises every application that uses it, and it cannot be rotated without coordinating all of them.
Entro Security Labs also found that 62% of all secrets are duplicated across multiple storage locations, so each copy is another place the secret can leak from and another place a rotation must reach. Additionally, 71% of non-human identities are not rotated within recommended time frames, so a credential that has already leaked stays valid for longer.
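The findings on former employees' tokens, identities shared across applications, duplicated secrets and overdue rotation all fall out of a single inventory audit. The following added example (not code from Entro or the report) runs such an audit over a constructed NHI inventory; the records, the 90-day rotation policy and the fixed audit date are assumptions for the example. Credentials are compared by SHA-256 fingerprint so that the audit never handles or prints plaintext secrets.

```python
"""Audit a non-human-identity inventory for the hygiene failures the report counts.

Added example, not from the Entro report. The inventory records, the 90-day
rotation policy and the audit date are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_MAX_AGE = timedelta(days=90)  # assumed policy, not a figure from the report
AUDIT_DATE = date(2025, 1, 15)          # fixed so the example is deterministic


@dataclass
class NHI:
    name: str
    owner: str              # human who created or owns the identity
    owner_active: bool      # False once that person has left
    used_by: list[str]      # applications that present this identity
    secret_sha256: str      # fingerprint of the credential, never the secret itself
    locations: list[str]    # every place the credential is stored
    last_rotated: date
    enabled: bool = True


def fingerprint(secret: str) -> str:
    """Compare credentials by hash so the audit never stores or logs plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()


def audit(inventory: list[NHI], today: date = AUDIT_DATE) -> list[tuple[str, str]]:
    """Return (identity, issue) pairs; one identity can carry several issues."""
    issues = []
    seen: dict[str, list[str]] = {}   # secret fingerprint -> identities using it
    for nhi in inventory:
        if nhi.enabled and not nhi.owner_active:
            issues.append((nhi.name, "orphaned: owner departed but credential still active"))
        if len(nhi.used_by) > 1:
            issues.append((nhi.name, f"shared by {len(nhi.used_by)} applications"))
        if len(set(nhi.locations)) > 1:
            issues.append((nhi.name, f"stored in {len(set(nhi.locations))} locations"))
        age = today - nhi.last_rotated
        if age > ROTATION_MAX_AGE:
            issues.append((nhi.name, f"rotation overdue: {age.days} days old"))
        seen.setdefault(nhi.secret_sha256, []).append(nhi.name)
    # The same secret behind two different identities is a duplicate even when
    # each record looks clean on its own.
    for names in seen.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                issues.append((n, f"same credential as {others}"))
    return issues


# Constructed sample inventory; the secrets are placeholders and are hashed before use.
INVENTORY = [
    NHI("ci-deploy-bot", "alice", True, ["ci-pipeline"], fingerprint("s3cr3t-A"),
        ["vault:ci/deploy"], date(2024, 12, 20)),
    NHI("legacy-etl-svc", "bob", False, ["etl-nightly", "reporting-api"], fingerprint("s3cr3t-B"),
        ["vault:data/etl", "k8s:secret/etl", "confluence:ETL Runbook"], date(2024, 3, 1)),
    NHI("billing-webhook", "carol", True, ["billing"], fingerprint("s3cr3t-A"),
        ["vault:billing/webhook"], date(2025, 1, 2)),
]


if __name__ == "__main__":
    for name, issue in audit(INVENTORY):
        print(f"{name}: {issue}")
```

The duplicate check matters because a secret copied into a second identity looks like two healthy records when each is viewed alone; only comparing fingerprints across the whole inventory reveals that rotating one of them leaves the other still valid.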
The findings suggest that organisations need to critically reassess their NHI and secrets management practices. The data for the report was collected using a mixed-methods approach, combining quantitative data analysis with qualitative insights from industry observations. Sources include proprietary data from Entro's cybersecurity infrastructure, publicly available industry reports, and survey data from IT and security professionals. As a vendor-published study drawing partly on Entro's own data, its percentages describe the environments and respondents Entro observed rather than a random sample of organisations.
Entro Security's research underscores the pressing need for improved secrets management practices to mitigate the substantial risks identified. The full report is available on the company's website.