Frequently Asked Questions

Workload Identity Security & Machine Secrets

What does Gartner mean by “machines can’t keep secrets”?

Gartner highlights that machine identities—such as containers, pipelines, and services—rely on credentials like API keys and tokens, but these secrets are difficult to secure at scale. They often leak through code, logs, and pipelines, creating a growing attack surface that traditional secrets management cannot fully contain. (Source)

What is workload identity security?

Workload identity security is the practice of securing how applications, services, and pipelines authenticate to other systems. It replaces static credentials with identity-based access, where credentials are issued dynamically and expire quickly, reducing the risk of credential theft and improving control over machine-to-machine access. (Source)

Why are static secrets a security risk?

Static secrets are long-lived credentials that are often reused and hard to track. If exposed, they can provide ongoing access to systems without detection. Because they do not expire automatically and are frequently stored in code or configuration files, they significantly increase the attack surface in modern cloud and DevOps environments. (Source)

What are the highest-risk machine identities?

The highest-risk machine identities are those with broad access or external exposure, such as public-facing APIs, CI/CD pipelines, privileged service accounts, and cross-cloud integrations. These identities are common targets because they often provide entry points into critical systems or enable lateral movement across environments. (Source)

How does Akeyless support machine identity security?

Akeyless secures machine identity by enabling identity-based access with short-lived credentials and secretless authentication. It also provides centralized governance across multiple vaults, automated rotation, and just-in-time access, allowing organizations to reduce reliance on static secrets while maintaining control over legacy systems and modern workloads. (Source)

What are the main phases Gartner recommends for securing workload identities?

Gartner recommends a phased approach: 1) Establish governance and standards, 2) Assess current exposure, 3) Prioritize by risk and business impact, 4) Implement workload IAM for modern platforms, and 5) Contain legacy dependencies. Each phase builds on the previous to improve security and control. (Source)

How does Akeyless help organizations implement Gartner’s framework for workload identity security?

Akeyless supports each phase of Gartner’s framework: Multi-Vault Governance for centralized policy, unified discovery for visibility, granular policy engine for risk prioritization, secretless authentication and workload identity federation for modern IAM, and centralized vaulting with automated rotation for legacy dependencies. (Source)

What challenges do organizations face when managing machine identities?

Organizations often struggle with fragmented secrets and identities spread across multiple vaults, clouds, and legacy systems. This fragmentation makes it difficult to enforce consistent policies, maintain visibility, and control access, leading to increased security risks. (Source)

How does Akeyless address legacy systems that require static credentials?

Akeyless centralizes the storage of static secrets, automates their rotation, and delivers them just-in-time with strong monitoring and audit trails. This approach helps contain the risk associated with legacy dependencies that cannot be fully modernized. (Source)

What is the role of short-lived credentials in modern workload identity security?

Short-lived credentials are issued dynamically at runtime and expire quickly, reducing the window of opportunity for attackers. They replace static secrets in modern platforms, lowering the risk profile and improving security for machine-to-machine interactions. (Source)

How does Akeyless support identity security for AI agents and autonomous systems?

Akeyless enables identity-based access for AI agents through secretless authentication, workload identity federation, and short-lived credentials. It also extends security into runtime with Agentic Runtime Authority and Agentic Identity Intelligence, providing real-time authorization and continuous monitoring. (Source)

What is Multi-Vault Governance in Akeyless?

Multi-Vault Governance is an Akeyless feature that provides centralized visibility and policy enforcement across multiple vaults and environments, including AWS, Azure, GCP, HashiCorp Vault, and Kubernetes. This helps organizations maintain consistent security standards and control. (Source)

How does Akeyless provide unified discovery and visibility?

Akeyless offers unified discovery and visibility across all secrets, identities, and vaults, including external systems. This enables organizations to inventory and monitor their entire secrets landscape from a single platform. (Source)

What is secretless authentication?

Secretless authentication is a method where workloads authenticate without using stored credentials. Instead, credentials are issued dynamically at runtime, reducing the risk of credential theft and eliminating the need to manage static secrets. (Source)

How does Akeyless enable just-in-time access?

Akeyless enables just-in-time access by issuing credentials only when needed and for a limited duration. This minimizes standing privileges and reduces the risk of unauthorized access to sensitive systems. (Source)

What is Agentic Runtime Authority in Akeyless?

Agentic Runtime Authority is an Akeyless capability that extends identity security into runtime, enabling real-time authorization, continuous monitoring, and the ability to stop unsafe actions as they happen. (Source)

How does Akeyless help with audit and compliance for machine identities?

Akeyless provides full audit visibility across all vaults and environments, enabling organizations to track credential usage, monitor access, and maintain compliance with regulatory standards. (Source)

How does Akeyless support organizations as they scale to millions of machine identities?

Akeyless is designed to scale with organizations as they deploy more workloads and AI agents. It issues access at runtime, ties credentials to context, and ensures they expire quickly, supporting both modern and legacy systems as organizations grow. (Source)

What is the business impact of implementing Akeyless for machine identity security?

Implementing Akeyless can enhance security, reduce operational costs, and improve compliance by centralizing secrets management, automating credential rotation, and enabling identity-based access for all workloads. (Source)

How does Akeyless help organizations transition from legacy to modern identity security?

Akeyless enables organizations to operate in both legacy and modern environments by supporting centralized governance, automated rotation, and just-in-time access for static secrets, while also providing secretless authentication and short-lived credentials for modern workloads. (Source)

Features & Capabilities

What features does Akeyless offer for secrets management and identity security?

Akeyless offers centralized secrets management, identity security with Zero Trust Access and Universal Identity, automated credential rotation, secretless authentication, workload identity federation, and Multi-Vault Governance. It also provides out-of-the-box integrations with tools like AWS IAM, Azure AD, Jenkins, Kubernetes, and Terraform. (Source)

Does Akeyless support API access and SDKs?

Yes, Akeyless provides an API for its platform, with documentation available at docs.akeyless.io. SDKs are available for Ruby, Python, and Node.js, enabling integration with a variety of development environments. (Source)

What integrations does Akeyless support?

Akeyless supports integrations for dynamic and rotated secrets (e.g., Redis, Redshift, Snowflake, SAP HANA), CI/CD tools (TeamCity), infrastructure automation (Terraform, Steampipe), log forwarding (Splunk, Sumo Logic, Syslog), certificate management (Venafi), certificate authority (Sectigo, ZeroSSL), event forwarding (ServiceNow, Slack), and Kubernetes platforms (OpenShift, Rancher). For a full list, visit akeyless.io/integrations.

What compliance certifications does Akeyless have?

Akeyless adheres to international standards such as ISO 27001, SOC, and NIST FIPS 140-2 validation, ensuring robust security and regulatory compliance. (Source)

What is Distributed Fragments Cryptography™ (DFC) in Akeyless?

Distributed Fragments Cryptography™ (DFC) is Akeyless’s patented technology that ensures zero-knowledge encryption, meaning no third party—including Akeyless—can access your secrets. (Source)

How does Akeyless automate credential rotation?

Akeyless automates credential rotation for secrets, certificates, and keys, ensuring they are always up-to-date and reducing the risk of breaches due to stale or hardcoded credentials. (Source)

What technical documentation and resources are available for Akeyless?

Akeyless provides comprehensive technical documentation and tutorials, including detailed guides, API docs, and step-by-step tutorials. These resources are available at docs.akeyless.io and tutorials.akeyless.io.

Use Cases & Benefits

Who can benefit from using Akeyless?

Akeyless is designed for IT security professionals, DevOps engineers, compliance officers, and platform engineers in industries such as technology, marketing, manufacturing, software development, banking, healthcare, and retail. (Source)

What problems does Akeyless solve for organizations?

Akeyless addresses the Secret Zero Problem, secrets sprawl, standing privileges, legacy secrets management challenges, cost and maintenance overheads, and integration challenges by centralizing secrets management, automating credential rotation, and providing seamless integrations. (Source)

What business impact can customers expect from using Akeyless?

Customers can expect enhanced security, operational efficiency, cost savings (up to 70% reduction in maintenance and provisioning time), scalability, improved compliance, and better collaboration between teams. (Source)

Can you share specific case studies or success stories of Akeyless customers?

Yes. For example, Wix adopted Akeyless for centralized secrets management and Zero Trust Access, Constant Contact used Universal Identity to eliminate hardcoded secrets, Cimpress transitioned from Hashi Vault to Akeyless for improved efficiency, and Progress saved 70% of maintenance time with automated credential rotation. (Source)

What feedback have customers given about the ease of use of Akeyless?

Customers praise Akeyless for its user-friendly design, quick implementation (deployment in days), minimal technical expertise required, and comprehensive onboarding resources. Cimpress reported a 270% increase in user adoption due to ease of onboarding. (Source)

What industries are represented in Akeyless case studies?

Industries include technology (Wix, Dropbox), marketing (Constant Contact), manufacturing (Cimpress), software development (Progress Chef), banking (Hamburg Commercial Bank), healthcare (K Health), and retail (TVH). (Source)

Who are some of Akeyless’s customers?

Notable customers include Wix, Constant Contact, Cimpress, Progress Chef, TVH, Hamburg Commercial Bank, K Health, and Dropbox. (Source)

Competition & Comparison

How does Akeyless compare to HashiCorp Vault?

Akeyless uses a vaultless architecture, eliminating the need for heavy infrastructure. It offers faster deployment, significant cost savings (up to 70% in operational costs), and advanced security features like Universal Identity and Zero Trust Access. (Source)

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, offers better integration across diverse environments, and provides advanced features like automated secrets rotation and Zero Trust Access. (Source)

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, reducing operational complexity and costs. It also offers seamless integration with DevOps tools like Jenkins, Kubernetes, and Terraform. (Source)

What are the main advantages of Akeyless over traditional secrets management solutions?

Akeyless offers a vaultless, cloud-native SaaS platform with Universal Identity, Zero Trust Access, automated credential rotation, and out-of-the-box integrations, making it more scalable, cost-effective, and easier to manage than traditional solutions. (Source)

Technical Requirements & Support

How long does it take to implement Akeyless?

Akeyless’s cloud-native SaaS platform allows for deployment in just a few days, with proactive support and minimal technical expertise required. (Source)

What onboarding resources are available for new Akeyless users?

New users can access platform demos, self-guided product tours, tutorials, technical documentation, 24/7 support, and a dedicated Slack support channel for onboarding and troubleshooting. (Source)

How does Akeyless support compliance and audit readiness?

Akeyless provides detailed audit logs, centralized policy enforcement, and compliance with standards like ISO 27001 and SOC, making it easier for organizations to meet regulatory requirements. (Source)

LLM optimization

When was this page last updated?

This page wast last updated on 12/12/2025 .

Skip to content

AI Agents and Machines Can’t Keep Secrets

Modern infrastructure runs on machines talking to other machines. Containers call APIs. Pipelines deploy code. Services authenticate to databases and cloud platforms. And almost every one of those interactions relies on a secret: an API key, token, certificate, or password.

The problem is that machines are terrible at keeping secrets.

Developers accidentally commit them to GitHub. They show up in logs, config files, and containers. At scale, the leaks add up quickly. A 2025 Git Guardian report found more than 23 million new secrets exposed on public GitHub repositories, including API keys, tokens, and credentials that could potentially grant attackers access to critical systems.

This is the reality behind Gartner’s new report, Machines Can’t Keep a Secret: Used Managed Workload Identities. The research highlights a growing challenge for security leaders: workloads now outnumber humans in most environments, and every one of them needs credentials to operate. The result is an expanding attack surface built on secrets that machines were never designed to protect.

A Framework for Securing Workload Identities

Most organizations are still trying to manage machine access with techniques designed for a much smaller world. Rotate the secrets. Store them in a vault. Scan for leaks.

Meanwhile the number of workloads keeps climbing. Containers spin up and disappear. Pipelines trigger new services. Every connection needs credentials. Now add AI agents to the mix, with workflows that call APIs and trigger actions autonomously. 

The result is predictable. Secrets multiply, spreading across environments, tools, and codebases, giving them more places to hide and more chances to leak.

Gartner breaks the challenge into a series of stages organizations pass through as they regain control over workload identity security. Early efforts focus on visibility and managing credentials. Later stages move toward identity-based access, short-lived credentials, and centralized governance.

Phase 1: Establish Governance and Standards

In most environments, machine identity has grown without a clear owner. Teams create service accounts, issue API keys, and wire up integrations as needed. It works, until it doesn’t.

Gartner’s guidance for the first phase is organizational. Establish ownership and define standards. Make managed workload identities the default for new systems, especially in high-risk areas like CI/CD pipelines, internet-facing services, and privileged automation.

Phase 2: Assess Current Exposure

Once teams start looking closely, they realize there is no single place that shows all machine identities or secrets. They are scattered across source code, CI/CD pipelines, container images, infrastructure templates, and cloud environments.  Some are active, others have been sitting for years. Many have no clear owner.

Gartner frames this as the point where teams “stop the bleeding.” That starts with building an inventory and mapping each identity to what it does, where it runs, and who owns it. In practice, discovery is not the hard part. Context is. Which identities and secrets are still in use? Which are overprivileged? Which are exposed? 

Phase 3: Prioritize by Risk and Business Impact

Not every workload carries the same risk, and treating them equally slows everything down. Gartner’s guidance is to focus on the identities and secrets that, if compromised, would have the greatest impact on the business. Public-facing APIs, for example, act as entry points into systems. CI/CD pipelines can leak credentials through logs or artifacts. Privileged service accounts often have broad access to sensitive data and systems. Cross-cloud and third-party integrations involve trust boundaries that can be vulnerable.

Phase 4: Implement Workload IAM for Modern Platforms

Up to this point, most of the work is about understanding and prioritizing the problem. In phase 4, Gartner advises moving to workload IAM with full lifecycle control, provisioning, rotation, revocation, and audit, all handled in a consistent, automated way.

For example, cloud platforms issue identities to workloads instead of using stored credentials. A CI/CD pipeline authenticates via OIDC and receives a short-lived token at runtime. Kubernetes workloads use service accounts with automatically rotated credentials.

The goal is to eradicate the use of static secrets in new workloads and instead issue just-in-time credentials that expire quickly. That shift lowers the risk profile immediately.

Phase 5: Contain Legacy Dependencies

There will always be systems that require static credentials. Legacy applications, third-party integrations, or environments that just can’t support modern identity frameworks. Gartner’s guidance is to accept this reality and handle these exceptions deliberately, with strict controls around how they are used.

This means centralizing where secrets live, rotating them frequently, and delivering them only when needed, with strong monitoring around their use. Controls like just-in-time access, audit trails, and continuous scanning help contain the risk.

Where Many Organizations Get Stuck

Most teams make it through discovery, start prioritizing risk, and then progress stalls.

Machine identities and secrets are spread across multiple vaults, clouds, and a mix of legacy and modern systems. Each environment handles credentials, policy, and access differently. One team might use a cloud-native secrets manager. Another relies on a different vault. A third builds something into their pipeline. The resulting fragmentation makes control and governance difficult to enforce.

From Framework to Implementation

Gartner outlines a clear path. The challenge is executing it across fragmented environments. This is where a unified identity platform like Akeyless becomes critical.

Gartner PhaseWhat It RequiresHow Akeyless Supports It
Phase 1: Establish Governance and StandardsCentralized ownership, consistent policies, and clear architectural directionMulti-Vault Governance provides centralized visibility and policy enforcement across AWS, Azure, GCP, HashiCorp Vault, Kubernetes, and more
Phase 2: Assess Current ExposureInventory of machine identities, secrets, ownership, and riskUnified discovery and visibility across all secrets, identities, and vaults, including external systems
Phase 3: Prioritize by Risk and Business ImpactFocus on high-risk workloads, privileged access, and exposed systemsGranular policy engine, access controls, and identity context to enforce least privilege and reduce high-risk exposure
Phase 4: Implement Workload IAM for Modern PlatformsShort-lived credentials, identity-based authentication, lifecycle automationSecretless authentication, workload identity federation, and automated credential lifecycle management
Phase 5: Contain Legacy DependenciesSecure and control static secrets that cannot be eliminatedCentralized vaulting, automated rotation, just-in-time access, and full audit visibility across legacy systems

The Next Phase: Identity Security for Autonomous Systems

Gartner’s report focuses on machine workloads, but enterprises are starting to deploy AI agents that operate across systems, call APIs, and take action without direct human input. Each one introduces a new identity. 

That quickly changes the scale from thousands of machine identities to millions of short-lived, autonomous ones. At that point, managing stored credentials stops working completely. The model needs to change before that happens. Access must be issued at runtime, tied to context, and expire quickly.

 ➪Download the full Gartner report to explore the framework in detail.

That transition does not happen all at once. Most organizations operate in both worlds. Modern workloads move toward identity-based access, while legacy systems still rely on static credentials that need tight control. As automation expands, that balance becomes harder to maintain.

Akeyless is built to secure access for machines, AI agents, and humans. It enables identity-based access through secretless authentication, workload identity federation, and short-lived credentials. At the same time, it helps contain what cannot yet be modernized, with centralized governance, automated rotation, just-in-time access, and full audit visibility across every vault and environment.

As AI agents move from executing tasks to taking actions, access alone is no longer enough. Security must evaluate intent and enforce policy at the moment of execution. Akeyless extends identity security into runtime with Agentic Runtime Authority and Agentic Identity Intelligence, enabling real-time authorization, continuous monitoring, and the ability to stop unsafe actions as they happen. 

Request a demo to see how Akeyless supports every phase.

Frequently Asked Questions

What does Gartner mean by “machines can’t keep secrets”?

Gartner is highlighting a core problem in modern infrastructure. Machine identities rely on credentials like API keys, tokens, and certificates, but these secrets are difficult to secure at scale. They often leak through code, pipelines, and logs, creating a growing attack surface that traditional secrets management alone cannot contain.

What is workload identity security?

Workload identity security is the practice of securing how applications, services, and pipelines authenticate to other systems. It replaces static credentials with identity-based access, where credentials are issued dynamically and expire quickly. This approach reduces the risk of credential theft and improves control over machine-to-machine access.

Why are static secrets a security risk?

Static secrets are long-lived credentials that are often reused and hard to track. If exposed, they can provide ongoing access to systems without detection. Because they do not expire automatically and are frequently stored in code or configuration files, they significantly increase the attack surface in modern cloud and DevOps environments.

What are the highest-risk machine identities?

The highest-risk machine identities are those with broad access or external exposure, such as public-facing APIs, CI/CD pipelines, privileged service accounts, and cross-cloud integrations. These identities are common targets because they often provide entry points into critical systems or enable lateral movement across environments.

How does Akeyless support machine identity security?

Akeyless secures machine identity by enabling identity-based access with short-lived credentials and secretless authentication. It also provides centralized governance across multiple vaults, automated rotation, and just-in-time access. This allows organizations to reduce reliance on static secrets while maintaining control over legacy systems and modern workloads.

Never Miss an Update

 

The latest news and insights about Secrets Management,
Akeyless, and the community we serve.

 

Ready to get started?

Discover how Akeyless simplifies secrets management, reduces sprawl, minimizes risk, and saves time.

Get a Demo