Ofir Har-Chen is the CEO and Co-Founder of Clutch Security, a leader in Non-Human Identity security and management.
The security industry was transformed when we embraced a simple but radical mindset: assume breach. It forced us to move beyond perimeter-based thinking and adopt a layered, resilient architecture—one that acknowledges compromise as a starting point.
Today, it’s time to apply that same pragmatism to a threat vector that’s grown quietly and dangerously: non-human identities (NHIs).
Assume Leak: A Mindset Shift For The Age Of Machine Access
NHIs are everywhere—API keys, service accounts, tokens, secrets and certificates. They’re now the dominant actors in most enterprise systems. And they’re not protected like users—their credentials are seldom rotated, they’re rarely monitored and they’re frequently overpermissioned.
In most enterprises, NHIs outnumber human users by 82 to one. Every one of them is a potential breach point. And most are invisible to the teams responsible for securing them.
Worse: They leak constantly.
They’re hardcoded into repos. They’re stored in build logs. They’re exposed in misconfigured cloud services. They’re shared in Slack. They’re left behind in forgotten vaults.
Most security teams don’t know when it happens. And even when they do, they often can’t answer the only question that matters: Was this identity used by an attacker before we found it?
Assume Leak: What It Means
Much like the assume-breach mindset led organizations to embed detection and response across every layer of the network, assume leak reframes how we manage NHIs—treating every secret or credential as potentially exposed, unless proven otherwise.
This mindset changes the questions we ask. It’s no longer just “Is this secret stored securely?” but rather, “If this secret were leaked right now, would we detect it? Would it matter?”
It also redefines maturity. A mature security program isn’t one that rotates credentials every 90 days—it’s one that can detect misuse within 90 seconds.
Finally, it changes how we architect access. Least privilege remains the goal, but detectability becomes a core requirement. Temporary credentials reduce risk, but observability and attribution must be built in and uncompromising.
Vaults Aren’t Enough
We have to assume secrets will eventually leak. Maybe not today or tomorrow, but at some point, they will.
So far, the industry’s response to secret sprawl and leakage risk has been largely reactive: Store credentials in vaults and run scanners to catch accidental exposure. But these are point-in-time controls, built on a flawed assumption—that secrets, if stored securely, are inherently safe.
Vaults are necessary, but they aren’t sufficient: They only protect secrets at rest. The moment a secret is used—in a script, an API call or a pipeline—the vault loses all visibility and control.
If you’re not monitoring how secrets are used, then storing them securely becomes little more than a comforting illusion.
This Is Already Happening—Just Not On Purpose
We’ve seen it firsthand: When we intentionally leak credentials (for research purposes), they’re often exploited within minutes. Sometimes seconds.
The internet doesn’t wait.
But your logs do. Your detection logic does. And your ticket queues? They definitely do.
The Business Impact
According to IBM researchers, data breaches involving compromised credentials cost organizations an average of $4.81 million. Even more concerning, breaches involving stolen or compromised credentials take an average of 292 days to detect—nearly a year of undetected access, lateral movement and persistent threat activity.
When NHIs are compromised, attackers aren’t just getting in—they’re staying in. And because these identities often carry elevated or infrastructure-level access, the blast radius is often massive.
From Static Trust To Active Verification
The assume-leak mindset isn’t about paranoia—it’s about precision. We stop asking if a credential might be compromised and start asking what would happen if it already is.
That forces better controls:
• Identity-Centric Detection: Every credential should have a behavioral baseline. Unexpected usage—from a new region, at a strange hour or against sensitive resources—should trigger an immediate response.
• Zero Trust For NHIs: Credentials shouldn’t be implicitly trusted. Context-aware validation, privilege boundaries and real-time access decisions must apply to NHIs just as rigorously as they do to human users.
• Ephemeral Credentials By Default: Standing access is risky. Credentials should expire by time, scope or inactivity—and be provisioned dynamically when needed.
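One way to implement the identity-centric detection described above, as an added example that is not from the original article or from Clutch Security: a per-credential behavioral baseline is built from a constructed access log, and each new event is scored against it for a new region, an unusual hour or a sensitive action. The log schema, the region and action names and the list of sensitive action prefixes are assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample access log for a CI deploy token (assumed schema:
# credential id, ISO-8601 UTC timestamp, caller region, action). Not real data.
BASELINE_LOG = [
    ("ci-deploy-token", "2024-05-01T09:12:00Z", "us-east-1", "s3:PutObject"),
    ("ci-deploy-token", "2024-05-01T10:40:00Z", "us-east-1", "s3:PutObject"),
    ("ci-deploy-token", "2024-05-02T09:05:00Z", "us-east-1", "ecs:UpdateService"),
    ("ci-deploy-token", "2024-05-03T11:30:00Z", "us-east-1", "s3:PutObject"),
]
# Action families this token should never touch; a constructed list for the example.
SENSITIVE_PREFIXES = ("iam:", "kms:", "secretsmanager:")

def hour_of(ts):
    """UTC hour from an ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' timestamp."""
    return int(ts[11:13])

def build_baseline(log):
    """Per-credential profile of the regions, hours and actions seen in normal use."""
    baseline = defaultdict(lambda: {"regions": set(), "hours": set(), "actions": set()})
    for cred, ts, region, action in log:
        baseline[cred]["regions"].add(region)
        baseline[cred]["hours"].add(hour_of(ts))
        baseline[cred]["actions"].add(action)
    return baseline

def score_event(baseline, event):
    """List the deviations that make one event suspicious; an empty list means normal."""
    cred, ts, region, action = event
    if cred not in baseline:
        return ["no baseline: credential never seen before"]
    b, reasons = baseline[cred], []
    if region not in b["regions"]:
        reasons.append(f"new region {region}")
    if hour_of(ts) not in b["hours"]:
        reasons.append(f"unusual hour {hour_of(ts):02d}:00 UTC")
    if action.startswith(SENSITIVE_PREFIXES):
        reasons.append(f"sensitive action {action}")
    elif action not in b["actions"]:
        reasons.append(f"new action {action}")
    return reasons

def triage(baseline, events):
    """Map each anomalous event to its reasons; a real system would alert and revoke."""
    return {e: r for e in events if (r := score_event(baseline, e))}
# Two constructed new events: routine use, then the pattern of a leaked key in use.
NEW_EVENTS = [
    ("ci-deploy-token", "2024-05-04T09:20:00Z", "us-east-1", "s3:PutObject"),
    ("ci-deploy-token", "2024-05-04T03:14:00Z", "eu-west-3", "iam:CreateAccessKey"),
]

if __name__ == "__main__":
    for event, reasons in triage(build_baseline(BASELINE_LOG), NEW_EVENTS).items():
        print(event, "->", "; ".join(reasons))
```

Only the second event is reported, with all three deviations listed; in practice the baseline would be fed from the real audit source for each credential and the triage result wired to revocation and alerting.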
Security teams need to shift from credential storage to credential runtime defense.
Conclusion: It’s Time To Graduate
The eggshell is long gone. So is the blind trust in secrets.
It’s time we apply the same grown-up thinking to our non-human identities that we’ve applied to endpoints, users and networks. We assumed breaches to build more resilient networks. Now, we must assume leaks to secure the credentials that power them.
This isn’t a call to abandon (essential) prevention. It’s a call to recognize its limits.
Ask yourself: If your API key leaks today, would it give an attacker unrestricted access to your production environment? Or would it hit a wall? The answer to that question will define whether your organization is ready for the next generation of identity-based threats.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.