In the first half of 2025, Entro Labs, Entro’s security research team, analyzed over 27 million non-human identities (NHIs) and hundreds of thousands of secret exposure incidents across real enterprise environments. The result: the NHI & Secrets Risk Report H1 2025, a clear, data-backed picture of how machine identities behave in the wild, where security gaps continue to widen, and what security leaders must do now to mitigate them.
From ancient credentials to over-privileged AWS roles and secrets hiding in Microsoft SaaS apps, here are five of the most urgent (and eye-opening) findings.
NHIs Now Outnumber Human Users 144 to 1
The rapid adoption of, and buzz around, AI agents, CI/CD automation, and third-party integrations have caused NHI sprawl to surge in 2025, a 44% year-over-year increase.
And with each new NHI comes new secrets, consumers, and entitlements to govern (or forget).

Almost Half of Exposed Secrets Live Outside Code
“Shift left” is a necessary mindset in 2025, but it is far from enough. Our data shows that 43% of all exposed secrets are found in places throughout the SDLC like CI/CD workflow logs, collaboration and project management tools, and popular messaging apps like Slack and Microsoft Teams – not just in Git code repos.

1 in 20 AWS NHIs Is a “Super NHI”
Even in mature environments, 5.5% of AWS machine identities hold administrator privileges, often by default, not by design. These “Super NHIs” represent silent escalation points attackers love to find first. And since this data reflects Entro’s customer base, organizations already prioritizing NHI security, the real number is likely much higher across less mature environments.

Aging NHIs and Secrets Pose Persistent, Underestimated Risk
7.5% of machine identities in cloud environments are between 5–10 years old, and over 2% of active secrets are more than a decade old.
By contrast, the median tenure of a human employee is just 3.9 years, yet these long-lived credentials often remain active without rotation, visibility, or ownership, dramatically expanding the attack surface over time.

NHIDR™ Risk Radar Exposes Silent NHI Threats
From NHI tokens used on multiple devices to reactivated stale identities, Entro’s NHIDR™ engine flagged the top NHI behavioral anomalies in H1 2025, patterns that often reveal compromise before security posture tools catch up. Real-time detection for NHIs and secrets is no longer optional.
Get the Full Breakdown in the H1 2025 Report
These five findings are just the beginning. The full NHI & Secrets Risk Report – H1 2025 includes deeper insights and data-backed guidance for securing NHIs across the enterprise.


Figure 1: A 56% year-over-year spike in the NHI-to-human ratio has dramatically widened the machine identity gap in enterprise environments.
Figure 2: Secret exposure by source
Figure 3: Nearly 9% of AWS NHIs are overprivileged, granted more access than they actually use.
Figure 4: Average age of different non-human identities in H1 2025.