The Identity You Can't See Is the One That Breaks You
The Korean GitHub token leaks and CISA's public-repo exposure were both filed as secrets leaks. What got out was not a file but a live identity. This piece argues that security leaders should treat API keys as identities and shift the defense from prevention rate to how fast you detect what has already leaked.

On this page(6)
Table of Contents
An API key leak is an identity crisis, not a secrets mishap. The outcome comes down to how fast you find it.
Recently, attackers harvested a large batch of API tokens that Korean companies had left exposed on GitHub. Shortly after, CISA, the U.S. agency responsible for setting cybersecurity standards, was found to have pushed internal material to a public repository by mistake. The press ran both under the same headline: "another corporate secrets leak."
That framing misses the point. What leaked was not a file. It was a live identity. The attackers didn't have to defeat authentication or break into anyone's account. They picked up credentials that were sitting in the open, with no owner, no monitoring, and no expiry. And from the moment those credentials leaked until the breach itself, the companies had no idea anything was wrong.
Attackers don't hack people. They pick up tokens.
For a decade, security budgets have gone mostly to protecting human identities. We put them behind Single Sign-On (SSO), enforce Multi-Factor Authentication (MFA), and watch their logins for anything unusual. That side of the house has matured steadily.
The trouble is that most of the identities actually running our systems are no longer human. API keys, access tokens, service accounts, CI/CD runners, bots, and now AI agents. In most organizations these non-human identities (NHIs) outnumber human accounts many times over. None of them log in, so there is no MFA to enforce, no login screen, and nothing unusual to flag. A single valid key is the identity, and it grants immediate access.
So it is no surprise that NHIs sit at the center of the most damaging recent breaches. For an attacker, a leaked token is the cheapest way in. There is no phishing campaign to run and no password to guess. They point automated scanners at the public web and collect whatever live credentials fall out.
The Four Faces of an Invisible Identity
The danger isn't weak technology. It's that these identities sit entirely outside normal identity governance. The ones that get neglected almost always share four traits.
- No owner. There is no record of who created the credential, when, or why. Often the person who made it has since left the company, and no one inherited it.
- It never expires. Passwords rotate on a schedule. A high-privilege token minted three years ago for some one-off integration is usually still active today.
- Too much access. Permissions get opened wide "just to get it working," and they are rarely walked back.
- No visibility. When one gets abused, the traffic looks like ordinary machine-to-machine calls. Nothing logs it and nothing alerts.
Put all four together and most organizations can't even say how many identities are alive inside their own perimeter. Every human account shows up in the compliance audit. The NHIs are usually not on the books at all.
Why Prevention Alone Loses
This leads to an uncomfortable conclusion. An NHI leak is not a human error you can eliminate. In a fast-moving development pipeline, it is closer to a near-certainty.
The exposure surface keeps growing. Watching your public GitHub repositories is no longer enough. Tokens now turn up in CI/CD build logs, container images, Slack and Notion threads, and even the prompt histories of AI coding assistants. You can't cover that much ground by training developers to be careful. However careful a team is, a token will eventually slip out of an automated pipeline somewhere.
CISA makes the point. If the agency whose job is to hold everyone else accountable can leak a repository, then building a strategy around 100% prevention was the wrong bet from the start.
The Real Line of Defense Is Time
Once a token hits a public repository or an exposed endpoint, bots find and abuse it within minutes. They move at machine speed, far faster than any manual response. So the metric that actually matters isn't your prevention rate. It's the golden time: the gap between exposure and revocation.
In security-operations terms, this is a matter of MTTD (mean time to detect) and MTTR (mean time to respond). When a leak turns into a serious breach, the cause is rarely the leak itself. It is the weeks or months that pass before anyone notices the door is open. Shrinking the window between exposure and abuse is what keeps the blast radius small.
A practical way to judge NHI security maturity is to ask three questions.
- Detect. When a credential leaks outside your perimeter, can you find it in real time, across the whole surface and not just GitHub?
- Classify. Once you have the key, can you tie it to its owner, its privileges, and its actual risk right away?
- Respond. Can you revoke and rotate automatically, without waiting on a person?
The Takeaway
Neither the recent token leaks nor CISA's slip is a story about one careless employee. Both expose the same structural gap. The careful governance we built for human identities never reached the non-human ones.
Leaks are going to happen. What protects you is not the promise of perfect prevention but how fast you catch an identity that has already walked out the door. It starts with making the invisible ones visible.
Get the next one in your inbox
Monthly NHI research brief from the Cremit team. One email, high signal.
