Ask most CISOs and Security Leaders whether identity is on their radar and you'll get a confident yes. MFA is in place; PAM is deployed and SSO is rolled out. The investment has been made, and the auditors and the board are satisfied with what's in place.
But there's a second identity problem that CISOs and security leaders often underestimate, and it's the one most likely to cause a breach: the machine identity problem. That means the API keys, tokens, service account credentials, and secrets that your applications, pipelines, AI and automated workflows rely on every day. While organisations have spent years hardening how humans authenticate, the credentials used by machines have largely been left to developers to manage as they see fit. The result is hardcoded secrets in code repositories, static credentials that haven't been rotated in months, and service accounts with far broader access than they need.
It's not a niche problem. According to Microsoft's 2026 Secure Access in the Age of AI report, 97% of organisations experienced an identity or network access incident in the past twelve months. Most of those incidents didn't start with a phishing email or an unpatched vulnerability; they started with a credential.
The reason secrets management has become so urgent right now is automation. Every CI/CD pipeline, every microservice, every AI agent you deploy creates new non-human identities (NHIs) and new secrets that need to be governed. The organisations I work with are often surprised by the scale of what a discovery exercise turns up: they find secrets they didn't know existed, in places they didn't expect to find them.
That secrets sprawl is the real risk. It's not just about one exposed API key; it's about an unknown quantity of credentials operating outside of governance, with no audit trail, no rotation policy, and no clear ownership. When one of those is compromised, the blast radius can be severe.
One of the most useful things I do when speaking with a security leader is walk through a maturity model for secrets management. Not to make anyone feel bad about where they are, but because it gives a clear, honest picture of an organisation's current exposure.
Most organisations I speak to are sitting at Level 1 or Level 2. They have some controls in place, but secrets are largely static, governance is fragmented across teams, and auditability is limited. Under the incoming Cyber Security and Resilience (CSR) Bill, that fragmentation is both a security risk and a compliance liability, with fines of up to £17m or 4% of global turnover for serious breaches.
Levels 3 and 4 look very different: centralised control, dynamic credentials that expire after use, automated rotation, and a full audit trail that holds up to regulatory scrutiny. It's not out of reach; it just requires a deliberate approach.
Secrets management is not just another point solution to procure and deploy. Done properly, it's a foundational layer of your security architecture that underpins compliance, reduces blast radius, and gives you the auditability evidence that boards, insurers, and regulators increasingly expect.
We've created a practical guide for security leaders working through exactly this challenge. Secrets at Scale: A Security Leader's Guide to Machine Identity Risk covers the non-human identity threat landscape, the regulatory stakes across financial services, healthcare, energy and beyond, and what a mature secrets management programme looks like in practice.
If the maturity model above gave you pause, it's worth a read.
If you'd rather start with a conversation about your own environment, we offer a free Vault Radar Assessment: a high-level assessment that evaluates where your secrets currently sit and where they are vulnerable, and provides you with a full report.