
What the Wiz Report Reveals About AI Secrets (And Why Scanning Won’t Fix It)

Summary:

Wiz found that 65% of Forbes AI 50 companies leaked secrets across GitHub repos, forks, gists, SaaS systems, and development tools. These exposures included API keys, model access tokens, and credentials tied to core AI pipelines, often appearing in places teams don’t normally scan, like notebooks, logs, VS Code extensions, and support portals. The takeaway is clear: AI development introduces far more identities, tokens, and access paths than traditional security practices were designed to handle, making secret sprawl both widespread and difficult to contain. Akeyless addresses this by replacing static credentials with ephemeral, just-in-time access, so there are no secrets to leak in the first place.

Wiz recently published a report that found 65% of the Forbes AI 50 have leaked verified secrets on GitHub. API keys, authentication tokens, and credentials, lurking in repositories across some of the most valuable AI companies in the world. This confirms what many CISOs and security teams already suspected: traditional controls can’t keep pace with how AI-driven organizations generate and expose credentials.

But the headline number isn’t the biggest story. The real concern is where these secrets were hiding and what that reveals about how AI development actually works. This isn’t a case of a few careless startups pushing AWS keys to public repos. Wiz went deep into commit histories, deleted forks, workflow logs, gists, and the personal repositories of organizational contributors. The kinds of places most security scanners don’t reach, but attackers increasingly do.

What Wiz Found and Why It Matters

The Wiz findings extend beyond GitHub. Taken together with related research and recent breaches, they show a pattern of leaked credentials across a sprawl of development and collaboration surfaces, including:

  • Deleted forks, commit histories, and gists: the dark corners of version control where attackers increasingly hunt but most scanners don’t
  • Developer ecosystems like VS Code extensions, where Wiz separately found over 550 leaked secrets across 500+ extensions, including keys for AI platforms
  • AI-assisted code, where research suggests repositories using Copilot leak secrets at higher rates, as AI-generated code quietly propagates plaintext credentials faster than humans can review
  • AI pipelines, where tokens for LangChain, HuggingFace, Weights & Biases, and vector databases leak into notebooks, logs, and orchestration code
  • Personal repositories, where well-meaning contributors accidentally check in company secrets with zero organizational visibility
  • SaaS platforms, as demonstrated in the recent Salesloft Drift breach, which eventually allowed attackers to harvest credentials from Salesforce support cases across 700+ organizations

The Real Problem Is the Secrets No One Knows To Look For

AI environments generate machine identities at a velocity that legacy security models were never designed to handle. Every new agent, notebook, connector, integration, or LLM-driven workflow creates another identity, another credential. Many of these are long-lived, over-privileged, and unmonitored. The result is constant drift, with secrets bleeding into places no one expects and few organizations monitor.

Wiz’s disclosure results highlighted the operational strain: nearly half of alerts didn’t reach the right contact or received no response at all. These are companies worth over $400 billion collectively. This isn’t about negligence; it’s a sign that the identity surface has grown faster than security operations can track.

In short, this isn’t a “GitHub leak” problem; it’s a secrets-everywhere problem.

So what do you actually do about it? We’ve distilled five takeaways from the Wiz findings that go beyond “scan more repos.”

Takeaway #1: Secret Sprawl Is Expanding Into Places Most Teams Never Check

The Wiz research makes one thing clear: secrets aren’t just leaking from the primary codebase. They’re surfacing across a long tail of development and collaboration surfaces that most organizations never examine.

Where secrets were found:

  • GitHub’s hidden surfaces: full commit histories, forks, deleted forks, workflow logs, contributor repos, and gists (lightweight shareable mini-repos with their own Git history and forks)
  • SaaS systems: For example, in the Salesloft-Drift breach mentioned earlier, attackers used stolen OAuth tokens from the Drift chatbot integration to access Salesforce customer support cases containing logs, credentials, and API tokens uploaded during troubleshooting
  • Peripheral AI tooling: credentials tied to model hosting, vector databases, and orchestration frameworks appeared in notebooks, configs, or scratch files far outside traditional scanning paths

This spread reflects a broader reality: as AI companies scale, their secrets don’t stay where they’re created. They move, replicate, and persist in places teams rarely think to monitor.
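To make the notebook case concrete, here is an added example (not from the Wiz report or from Akeyless) of a check that reads a Jupyter notebook's saved cell outputs and tracebacks as well as its source, which is where a token read from the environment and then printed ends up. The two token patterns and the sample notebook are assumptions constructed for illustration.

```python
import json
import re

# Assumed token shapes (illustrative, not exhaustive): Hugging Face user
# access tokens start with "hf_", AWS access key IDs with "AKIA".
PATTERNS = {
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def _cell_texts(cell):
    """Yield (location, text) for a cell's source and every output it saved."""
    yield "source", "".join(cell.get("source", []))
    for out in cell.get("outputs", []):
        if "text" in out:  # stream output (stdout/stderr)
            yield "output", "".join(out["text"])
        for mime, body in out.get("data", {}).items():  # rich results
            if mime.startswith("text/"):
                yield "output", "".join(body)
        if "traceback" in out:  # error output
            yield "output", "\n".join(out["traceback"])

def scan_notebook(nb_json, include_outputs=True):
    """Return (cell, location, kind, redacted match); redaction keeps the
    scanner's own report from becoming another copy of the secret."""
    findings = []
    for idx, cell in enumerate(json.loads(nb_json).get("cells", [])):
        for where, text in _cell_texts(cell):
            if where == "output" and not include_outputs:
                continue
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    findings.append((idx, where, kind, m.group()[:6] + "..."))
    return findings

# Constructed sample notebook: clean source, secrets only in saved outputs.
SAMPLE = json.dumps({"cells": [
    {"cell_type": "code",
     "source": ["import os\n", 'print("token=" + os.environ["HF_TOKEN"])'],
     "outputs": [{"output_type": "stream",
                  "text": ["token=hf_" + "x" * 34 + "\n"]}]},
    {"cell_type": "code", "source": "client.list()",
     "outputs": [{"output_type": "error",
                  "traceback": ["ClientError: bad key AKIA" + "0" * 16]}]},
]})

if __name__ == "__main__":
    print("source only:", scan_notebook(SAMPLE, include_outputs=False))
    print("with outputs:", scan_notebook(SAMPLE))
```

A source-only pass over the sample reports nothing, while the pass that includes outputs reports both tokens. Clearing outputs before commit removes this copy, but not the copies already in history, forks, or gists.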

Takeaway #2: AI Development Environments Are High-Risk Surfaces

AI engineering stacks prioritize speed and autonomy. That’s the point. But it also means they generate secrets in places traditional DevSecOps workflows just weren’t designed to govern.

How AI development increases exposure:

  • AI-assisted coding: Generative tools create or modify configs, scripts, and scaffolding that sometimes include plaintext credentials or insecure patterns
  • IDE extensions as supply chain: A Wiz scan of the VS Code Marketplace and Open VSX Registry uncovered 550+ validated secrets embedded directly in extension packages, including AI-related tokens, all downloadable by anyone
  • Experimentation-driven workflows: Shared notebooks, sandbox repos, orchestrators, and rapid iteration cycles make it easy for credentials to land in temporary files, logs, or collaboration tools with no governance

As AI tooling becomes the new foundation of software development, these environments are turning into high-risk surfaces that rarely appear on traditional security dashboards.

Takeaway #3: These Leaks Carry Substantial Risk

It’s tempting to assume that most leaked credentials are low-impact: test keys, expired tokens, sandbox access. The Wiz findings suggest otherwise.

What leaked credentials could access:

  • Private model weights: One case uncovered a token granting access to internal AI model files, potentially enabling replication or theft.
  • Training datasets and pipelines: API keys tied to HuggingFace, vector databases, and LangChain frameworks provided access to sensitive datasets and inference parameters.
  • Internal organizational structures: According to the report, secrets exposed architectural details and system mappings, widening the attack surface.
  • Enterprise-grade access: Several of the leaked credentials weren’t personal developer tokens at all. They were organization-level keys with broad permissions.

In a sector where product value centers on proprietary data and models, a single leaked secret can undermine years of R&D.

Takeaway #4: The AI Identity Explosion Is Outpacing Existing Governance Models

AI-native companies are generating non-human identities at unprecedented speed, yet most governance frameworks still assume humans are the primary identity type. They don’t classify machine identities well. They don’t track the lifecycle of credentials tied to short-lived processes, and they weren’t designed for an environment where the identity population can double in a quarter.

What’s driving the identity surge:

  • Proliferating agents and workflows: AI agents and automated workflows are rapidly outnumbering human identities, creating new access requirements with each run or task
  • Service-to-service connections: Each agent-to-service connection (model endpoint, vector DB, embedding API, evaluation system) requires its own authentication material
  • Ephemeral components: Model orchestration frameworks generate short-lived experiments, artifacts, and pipeline stages, each with associated credentials or tokens
  • Gaps in traditional tooling: Conventional IAM tools don’t track or classify these machine identities, leaving large portions of the access ecosystem unmanaged

Credentials leak because they exist in volumes that exceed what current governance models can absorb. The sprawl isn’t a bug in developer behavior. It’s a feature of how AI systems operate.

Takeaway #5: Static Credentials Cannot Survive the AI Era

If there’s a single thread running through all of this research, it’s that static credentials and AI development are fundamentally incompatible. Traditional “rotate and scan” hygiene models cannot keep pace.

Why static secrets fail in AI environments:

  • Agents can leak their own secrets: AI agents can unintentionally reveal credentials when manipulated or through prompt injection, as demonstrated at Black Hat and referenced in multiple analyses
  • Secrets appear beyond source code: Credentials surface in logs, prompts, configs, and notebooks, making complete coverage through traditional scanning impossible
  • Volume accelerates drift: High-volume machine interactions mean every agent, workflow, or pipeline creates more credentials, compounding exposure over time
  • Broad API access is the norm: AI-native stacks depend on extensive API connectivity, increasing both the number and privilege level of tokens in circulation

The conclusion is hard to avoid. In AI-driven environments, any credential that persists long enough will eventually end up somewhere it shouldn’t.

What These Takeaways Reveal About the Real Challenge Ahead

Looked at individually, each takeaway from the Wiz report points to a specific failure mode: secrets ending up in unexpected places, high-risk development environments, exposed AI model access, and an identity population growing faster than governance can keep up.

Taken together, they reveal something deeper: AI companies don’t have a secrets problem. They have an identity problem.

AI agents, workflows, plugins, orchestration layers, and model endpoints now generate vast numbers of machine identities. Each one needs authentication. Each one produces new credentials. And each one creates new opportunities for drift. Secrets aren’t being leaked because developers are careless. They’re being leaked because AI systems create more identities, more access patterns, and more credentials than legacy processes were designed to control.

Traditional secrets-management strategies were built for stable infrastructure and predictable pipelines. AI is neither.

Secrets now appear in:

  • Notebooks, scratch files, and experiment artifacts
  • VS Code extensions and AI-assisted coding tools
  • SaaS platforms and support portals
  • Gists, forks, and personal repos
  • Model hosting endpoints and vector databases
  • Orchestration frameworks that spin up dynamic components

The velocity of change means any static credential, even a short-lived one, becomes a liability the moment it lands somewhere unexpected.

The path forward is not better scanning. It’s a new identity model, built around:

  • Secretless authentication
  • Ephemeral, just-in-time identities
  • Policy-driven access instead of long-lived keys
  • Governance that treats AI agents as first-class identities
  • Unified visibility across humans, machines, and autonomous systems

Akeyless: Identity Security Built for the AI Era

Addressing these challenges requires more than better scanning or developer training. It requires an identity architecture designed for environments where AI agents, workflows, and automation continuously create new access needs, and where any exposed credential can undermine core IP.

The Akeyless AI Agent Identity Security solution gives AI agents real, verifiable identities and replaces hardcoded keys with secretless, short-lived access that appears only at runtime and vanishes when the task ends. By removing long-lived credentials entirely, it prevents the kinds of leaks highlighted across the Wiz findings: not just in GitHub, but in notebooks, logs, extensions, and SaaS systems.

What this makes possible:

  • Secretless AI: No API keys or tokens in code, prompts, or pipelines. Agents authenticate with their native infrastructure identity, and Akeyless issues temporary credentials only when needed.
  • Real AI agent identities: Ephemeral, policy-controlled identities replace static secrets and authenticate securely across clouds, SaaS, and on-prem environments.
  • Privileged AI agent access: Sensitive operations run through monitored, zero-standing-privilege channels with full session visibility and termination capabilities.
  • Developer-first experience: Integrations with VS Code, Cursor, and GitHub Copilot keep secrets out of developer workflows entirely, allowing developers and AI assistants to retrieve credentials securely through natural interactions.
  • Unified governance: One control plane to manage humans, machines, and AI agents, with complete auditability and zero-knowledge protection.

Read the solution brief to learn more.

The Path Forward

The Wiz findings aren’t an indictment of any single company’s security practices. They’re a snapshot of a structural problem: AI systems produce more identities and access paths than legacy security models were built to handle. A few years ago, no one was checking VS Code extensions for leaked tokens. Nobody was scanning deleted forks or gists. They didn’t expect to find credentials in Salesforce support tickets or Jupyter notebooks. Now these are documented attack surfaces. And as AI teams scale, this spread only accelerates.

Akeyless makes it possible to move fast with AI while keeping secrets out of code, prompts, and tools by default. No keys to leak because no keys exist in the first place. To see Akeyless AI Agent Identity Security in action, request a demo today.
