Credentials don’t retire — they disappear. Unused API keys, dormant tokens, and overprivileged machine identities are quietly accumulating across cloud environments, forming invisible attack paths that most security tools aren’t built to catch. As AI agents multiply and non-human identities now outnumber human users in many enterprise environments, the attack surface is expanding faster than governance can follow. Ben Mudie, Field CTO for APJ at Tenable, sits down with CIO&Leader to unpack the hidden identity crisis reshaping cloud security — and why closing the exposure gap demands more than patching vulnerabilities. It requires fundamentally rethinking how organisations see, manage, and retire the access they’ve already granted.

Ben Mudie, Field CTO for APJ, Tenable
CIO&Leader: What are “ghost secrets,” and why do they remain invisible to most cloud security tools today?
Ben Mudie: Ghost secrets are inactive credentials, such as API keys, tokens, or access secrets, that persist in an organisation’s digital environment even after they have served their purpose. They are often left behind in code repositories, configuration files, CI/CD pipelines, or cloud workloads. In many cases, they become a critical blind spot. Nearly 62% of organisations have unused keys tied to identities with critical or high permissions, highlighting how widely ghost secrets persist without active ownership or oversight.
Most cloud security tools are designed to detect active threats or misconfigurations, not credentials that appear valid but are no longer in use. As a result, ghost secrets are often treated as legitimate access paths, even though they quietly expand the attack surface. As they do not generate alerts or exhibit active behaviour, they tend to remain outside the visibility of conventional tools, making them low-hanging fruit for attackers. They allow adversaries to gain a foothold in the system without noise, and often without resistance, making detection even more challenging.
CIO&Leader: Tenable’s Cloud and AI Risk report shows 65% of organisations still have unused credentials—what’s fundamentally broken in credential lifecycle management?
Ben Mudie: Most organisations operate with a fragmented credential lifecycle, often violating basic security hygiene. Credentials are created across multiple systems, like cloud platforms, applications, and pipelines, without clear mechanisms to track, rotate, or retire them end-to-end. As digital environments evolve, these credentials often outlive the workloads, users, or processes for which they were created. Organisations are left with credentials that haven’t been used in months but still carry elevated privileges.
Most security tools, however, focus on active usage and access patterns and fail to identify unused credentials and the risks they carry. As a result, these credentials do not stand out as a threat; they fade into the background.
In short, credential lifecycle management shouldn’t end at creation and its usage. It needs to be continuously monitored, validated, and revoked when no longer required. Until that loop is closed, unused credentials will continue to persist as silent exposure.
CIO&Leader: How do overprivileged machine identities and AI agents expand the modern attack surface beyond human users?
Ben Mudie: Non-human identities, such as machine identities and AI agents, are designed to enable systems to communicate and carry out coordinated actions, and in many cases are granted more access than necessary to keep things running smoothly. Over time, this creates a layer of access that is rarely revisited. Permissions remain even after their use, leaving behind access without clear ownership.
What makes this more difficult to manage is the lack of visibility. Most of their activity happens behind the scenes and does not follow predictable behavioural patterns, making these access paths harder to trace and govern. Traditional security approaches, still centred around human users, are not designed to track how machine-driven access moves across systems.
CIO&Leader: With 52% of non-human identities now carrying excessive permissions, how should enterprises redesign identity architecture?
Ben Mudie: As non-human identities make up a large part of the access layer, the approach to identity security needs a rethink.
To begin with, organisations need to move away from long-lived, stored credentials towards ephemeral, identity-based authentication. Access should be time-bound, task-specific, and granted only when required and revisited regularly to block entry for adversaries. This is where Just-In-Time (JIT) access becomes critical, replacing “always-on” permissions with temporary, audited access that expires once the task is complete.
Organisations need to adopt Unified Exposure Management. They cannot secure what they can’t see in context. The exposure management approach consolidates views of excessive permissions, forgotten credentials, and actual user activity into a single pane of glass. This allows security teams to identify ‘toxic combinations’ of risk and shut down those attack paths before they can be exploited.
CIO&Leader: Why is lateral movement through legitimate access becoming the preferred attack path in cloud environments?
Ben Mudie: Lateral movement through legitimate access allows adversaries to “log in” rather than “hack in”, effectively bypassing traditional security monitoring. As identities with excessive permissions become more prevalent, moving quietly across the environment without triggering alerts or raising suspicion becomes easier.
Once inside, attackers rely on living-off-the-land (LoL) techniques to blend into normal system activity. They use built-in system tools to move laterally and operate within trusted processes. This makes their actions difficult to distinguish from legitimate administrative activity, allowing them to persist longer without detection.
CIO&Leader: The report highlights an “AI exposure gap”—what does this gap look like at an architectural level, and how can CISOs close it?
Ben Mudie: In many organisations, AI integration is not always paired with the right level of monitoring. At an architectural level, this creates fragmented visibility. Security controls may exist across the cloud, identity, and applications, but AI spans all of them without being fully integrated into any of them. This is where the gap takes shape. Overprivileged identities, dormant access, and exposed AI-related secrets exist across these layers, but do not appear critical when viewed in isolation. When connected, however, they form clear exposure paths.
Closing this gap requires bringing AI into the same risk framework as the rest of the environment. CIOs need an exposure management approach that connects AI with cloud, identity, and data, rather than treating it as a separate layer.
This means identifying both authorised and unauthorised AI, understanding where it is being used, and how it connects to sensitive systems. In doing so, organisations can surface overprivileged access and risky data exposure that can act as entry points for adversaries.
A more sustainable adoption model aligns AI deployment with clear guardrails, such as access policies, data-use controls, and integration standards, applied consistently across environments. This allows organisations to scale AI while maintaining visibility and control, enabling them to identify risks early and act before they turn into vulnerabilities.
CIO&Leader: What role should automation and continuous exposure management play in eliminating identity sprawl at scale?
Ben Mudie: Organisations often create identities across cloud, applications, and AI-driven workflows at speed, but governance seldom receives the same priority. This is why automation is critical to maintain system security resilience. It ensures access is time-bound, automatically adjusted, and removed once its purpose is served.
To establish an effective strategy, exposure management needs to be in place. Instead of treating identities in isolation, it provides a unified view of identity risk across the entire environment, highlighting excessive permissions, misconfigurations, and attack paths that connect identities to critical assets. It helps spot identities that pose risks and prioritise exposures most likely to be exploited. It also provides contextual insights, allowing organisations to see how overprivileged or dormant identities can create real attack paths. Exposure management makes identity security a continuous process, reducing sprawl and preventing unnecessary access from accumulating in the first place.
CIO&Leader: As 70% of organisations integrate AI packages without central oversight, how can CIOs regain visibility and control across fragmented environments?
Ben Mudie: Exposure management becomes the anchor for regaining control in fragmented AI environments. As AI integrates across tools and workflows without central oversight, it introduces scattered exposure that is difficult to assess in isolation. Exposure management helps map how risk actually forms, especially where overprivileged access, sensitive data, and misconfigurations intersect. It shifts the focus from tracking activity to understanding exposure paths. This allows CIOs to cut through fragmented signals, prioritise what matters, and reintroduce control, without slowing down AI adoption.