Enterprise Security for AI Agents & Non-Human Identities
Secrets, NHIs, and the Attack Paths That Still Work
Verizon’s latest Data Breach Investigations Report (DBIR) confirms what many security teams already suspect: most attackers don’t need zero-days when leaked tokens, exposed service accounts, and neglected edge devices offer a much easier way in. In this post, we zoom in on the secrets and non-human identity (NHI) angles of the 2025 report – and what they reveal about the gaps organizations still need to close.
Takeaway #1: Secrets Exposure Is Led by JWTs and GitLab Tokens
Secrets management remains a glaring blind spot. Verizon analyzed over 441,000 secrets found in public git repositories, and the top two exposure categories are painfully familiar:
- 39% were web-app infrastructure secrets, with 66% of those being JWTs.
- 32% were CI/CD and development tokens, with GitLab credentials alone making up half.

These are high-leverage secrets – tokens that bypass MFA, grant broad API access, or enable lateral movement inside cloud environments. Once exposed, they rarely stay dormant for long.
Entro Insight: Entro’s platform automatically discovers these tokens across code, CI/CD, and SaaS, classifies their privilege scope, and links them to human owners for accountability and fast remediation.
Takeaway #2: It Still Takes 3 Months (!) to Remediate a Leaked Secret
Despite increasing awareness, secrets remain exposed for far too long. Verizon reports that the median time to remediate leaked secrets in public repositories is 94 days – giving attackers a 3-month head start.

Some secrets stayed exposed for over 160 days. In a world of automated scanners and infostealer bots, that’s a generous window for exploitation.
Entro Insight: With Entro, exposed secrets are automatically detected, prioritized by context and risk, and rotated or revoked via workflows – shrinking mean-time-to-remediation from months to hours.
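To make the two findings above concrete, here is a small triage scanner written as an added example for this post; it is not Entro's product code and not part of Verizon's report. It looks for the two leak categories the DBIR calls out (JWTs and GitLab personal access tokens), decodes the JWT claims to judge privilege scope and expiry without ever verifying the signature, and compares how long each secret has been exposed against a remediation SLA. The regular expressions, the assumed 7-day SLA, and the sample `.env` content are all constructed for the example; the `eyJ` JWT prefix and the `glpat-` GitLab token prefix are the real formats.

```python
from __future__ import annotations

import base64
import json
import re
from datetime import datetime, timedelta, timezone

# Patterns for the two leak categories the DBIR highlights.
# A JWT is three base64url segments; the header segment almost always starts
# with "eyJ" because it encodes '{"'. Lookarounds instead of \b so tokens that
# end in "-" are not truncated.
JWT_RE = re.compile(r"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+(?![A-Za-z0-9_-])")
# GitLab personal access tokens carry the "glpat-" prefix.
GITLAB_PAT_RE = re.compile(r"(?<![A-Za-z0-9_-])glpat-[A-Za-z0-9_-]{20,}(?![A-Za-z0-9_-])")

# Assumed internal remediation SLA for this example; the point of the check is
# that the DBIR's 94-day median is an order of magnitude beyond it.
REMEDIATION_SLA = timedelta(days=7)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_jwt(payload: dict) -> str:
    """Constructed sample data only: a syntactically valid JWT with a dummy
    signature, so the scanner has something realistic to find."""
    header = _b64url_encode_json({"alg": "HS256", "typ": "JWT"})
    return f"{header}.{_b64url_encode_json(payload)}.c2lnbmF0dXJl"


def classify_jwt(token: str, now: datetime) -> dict:
    """Triage a leaked JWT by reading its claims. The signature is deliberately
    NOT verified: we are assessing blast radius, not trusting the token."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    expired = exp is not None and datetime.fromtimestamp(exp, tz=timezone.utc) <= now
    scope = payload.get("scope", "")
    if expired:
        severity = "low"          # no longer usable, but still evidence of a leak path
    elif exp is None or "admin" in scope.split():
        severity = "critical"     # non-expiring or privileged: rotate immediately
    else:
        severity = "high"
    return {"kind": "jwt", "alg": header.get("alg"), "subject": payload.get("sub"),
            "scope": scope, "expired": expired, "severity": severity}


def scan_text(text: str, first_seen: datetime, now: datetime) -> list[dict]:
    """Find JWTs and GitLab PATs in text, classify them, and flag any whose
    exposure age exceeds the remediation SLA."""
    findings = []
    for m in JWT_RE.finditer(text):
        try:
            findings.append(classify_jwt(m.group(0), now))
        except ValueError:        # base64/JSON errors: looked like a JWT, was not
            continue
    for m in GITLAB_PAT_RE.finditer(text):
        # Scope is not encoded in the token itself, so treat it as high until checked.
        findings.append({"kind": "gitlab_pat", "hint": m.group(0)[:8] + "...", "severity": "high"})
    age = now - first_seen
    for f in findings:
        f["age_days"] = age.days
        f["sla_breached"] = age > REMEDIATION_SLA
    return findings


# Constructed sample: a .env file that ended up in a public repository.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
FIRST_SEEN = NOW - timedelta(days=94)           # the DBIR median dwell time
SAMPLE_ENV = "\n".join([
    "DEPLOY_TOKEN=" + make_sample_jwt({"sub": "svc-deploy", "scope": "admin repo:write"}),
    "REPORT_TOKEN=" + make_sample_jwt({"sub": "svc-report", "scope": "read", "exp": 1735689600}),
    "GITLAB_TOKEN=glpat-EXAMPLEexampleEXAMPLE1",
    "DEBUG=false",
])


def demo() -> list[dict]:
    return scan_text(SAMPLE_ENV, FIRST_SEEN, NOW)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it reports three findings: a non-expiring admin JWT (critical), an already-expired read-only JWT (low), and a GitLab PAT (high), all 94 days old and all past the SLA. The design choice worth copying is the ordering: decode claims to rank by privilege and expiry first, then age against the SLA, so the rotation queue starts with the tokens that matter most rather than the ones found first.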
Takeaway #3: GenAI Tools Are Becoming a Corporate Data Leak Vector
As GenAI platforms and AI agents go mainstream, corporate security policies haven’t kept up. Verizon’s data shows that:
- 15% of employees access GenAI systems from their corporate devices at least once every 15 days.
- Of those, 72% use personal (non-corporate) email accounts.
- Another 17% use corporate emails without integrated authentication (like SSO or SAML), indicating use outside policy.

The result? Sensitive corporate data – code snippets, documents, customer records – is being pasted into AI tools with no monitoring, no DLP, and no audit trail.
Entro Insight: Entro tracks how and where NHIs and secrets are used. If tokens are being leveraged by unverified GenAI plugins or outside trusted environments, Entro can flag and suspend those credentials automatically.
Final Thoughts
The 2025 DBIR reinforces a reality many security teams already live:
- Credentials and secrets are exposed in code, in repos, in logs, and attackers know exactly where to look.
- Edge exploitation and token abuse now rival phishing as initial access vectors.
- Supply chain breaches – from SaaS providers to infrastructure vendors – are increasingly the result of poor NHI hygiene.
The path forward?
- Discover every secret, service account, and token in your environment.
- Attribute ownership and enforce rotation SLAs.
- Respond in real time to misuse or exposure.
Entro is here to close that gap.
Ready to see how? Book a demo or explore how we cut secrets dwell time for some of the world’s largest security teams.