

GitGuardian Secrets Sprawl 2026: 29M New Secrets, AI Keys Up 81%

NHI & AI · GitGuardian — State of Secrets Sprawl 2026 · Mar 2026
29M

29 million new hardcoded secrets reached public GitHub in 2025 — the largest single-year jump GitGuardian has recorded. Leaks tied to AI services rose 81% year-over-year, with 1.27 million AI-service credentials exposed.

Key Finding

Non-human identity is leaking faster than human identity, and AI-service credentials are now the fastest-growing slice. The control that matters is not detection — it is shortening credential lifetime so the leak window closes itself.

GitGuardian's annual State of Secrets Sprawl report tracks credentials and tokens exposed on public GitHub. The 2026 edition counted 29 million new hardcoded secrets in 2025, a 34% year-over-year increase. Within that, secrets tied to AI services (OpenAI, Anthropic, model APIs, vector-DB credentials) grew 81%, reaching 1.27 million exposed AI credentials. Google API keys accounted for nearly 20% of all exposed secrets; PostgreSQL connection strings, 14%.

The compounding statistic is remediation. 64% of secrets confirmed valid in 2022 are still exploitable four years later. Rotation is not routine in most organisations; revocation is rarely the response to a leak; and leaked credentials therefore stay live while they accumulate in the wider threat-intelligence ecosystem, where anyone who collects them can still use them.

For identity architecture the practical implication is that NHI lifetime is the lever. Detection tooling helps but only inside the leak-to-detection-to-rotation cycle, which is dominated by the time to rotation. Short-lived workload identity (mTLS, OIDC workload tokens, federated cloud roles) makes leaked-and-forgotten credentials approximately worthless. Static API keys do not.
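To make the lifetime argument concrete, here is an added Python model of the leak window (this is illustrative code written for this page, not GitGuardian's or the report's). It compares a static API key with a short-lived workload token that leaked ten minutes after issue, and a static key that was actually rotated; the credential names, issue dates and TTLs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Credential:
    """A credential as the relying party that accepts it sees it."""
    name: str
    issued_at: datetime
    ttl: Optional[timedelta]                # None = static key: never expires on its own
    revoked_at: Optional[datetime] = None   # set only if someone actually rotates/revokes it

    def expires_at(self) -> Optional[datetime]:
        return None if self.ttl is None else self.issued_at + self.ttl

    def usable_at(self, t: datetime) -> bool:
        """The check a verifier should apply: not before issue, not after expiry, not revoked."""
        if t < self.issued_at:
            return False
        exp = self.expires_at()
        if exp is not None and t >= exp:
            return False
        return self.revoked_at is None or t < self.revoked_at

def exposure_window(cred: Credential, leaked_at: datetime, horizon: datetime) -> timedelta:
    """How long after the leak the credential still works, capped at `horizon` (e.g. today).
    For a static key that nobody revoked this is the entire horizon."""
    start = max(leaked_at, cred.issued_at)
    end = horizon
    if cred.expires_at() is not None:
        end = min(end, cred.expires_at())
    if cred.revoked_at is not None:
        end = min(end, cred.revoked_at)
    return max(end - start, timedelta(0))

# Constructed scenario: all three credentials are issued 2022-03-01 and pushed to a public
# repo ten minutes later; "today" is four years on, matching the report's 64% statistic.
UTC = timezone.utc
ISSUED = datetime(2022, 3, 1, tzinfo=UTC)
LEAK = ISSUED + timedelta(minutes=10)
TODAY = datetime(2026, 3, 1, tzinfo=UTC)
STATIC_KEY = Credential("static api key (constructed)", ISSUED, ttl=None)
ROTATED_KEY = Credential("static key, rotated 30 days after leak", ISSUED, ttl=None,
                         revoked_at=LEAK + timedelta(days=30))
WORKLOAD_TOKEN = Credential("oidc workload token (constructed)", ISSUED, ttl=timedelta(hours=1))

def compare_windows() -> dict:
    """Exposure per credential type; the short-lived token closes its own window."""
    return {
        "static_days": exposure_window(STATIC_KEY, LEAK, TODAY).days,
        "rotated_days": exposure_window(ROTATED_KEY, LEAK, TODAY).days,
        "workload_minutes": int(exposure_window(WORKLOAD_TOKEN, LEAK, TODAY).total_seconds() // 60),
        "static_still_usable": STATIC_KEY.usable_at(TODAY),
        "workload_still_usable": WORKLOAD_TOKEN.usable_at(TODAY),
    }
```

Running `compare_windows()` shows the static key open for roughly 1,460 days, the rotated key for 30, and the workload token for 50 minutes, regardless of whether anyone ever noticed the leak.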
