Secrets sprawl isn't slowing down: in 2025, it sped up faster than most security teams expected. The State of Secrets Sprawl 2026 report by GitGuardian looked at billions of commits on public GitHub and found 29 million new hardcoded secrets in 2025 alone.

This year's results show three main trends: AI has completely changed how and where credentials leak, internal systems are far more exposed than most businesses assume, and remediation remains the industry's biggest weakness. More developers and more AI-assisted code generation mean more credentials in circulation, and detection alone can't keep up. The sharpest growth is in LLM infrastructure: Brave Search (+1,255%), orchestration tools like Firecrawl (+796%), and managed backends like Supabase (+992%).

Every new AI integration gives a machine a new identity, and every new identity widens the attack surface. GitGuardian found 24,008 unique secrets in public GitHub config files related to MCP, and 2,117 of them were confirmed to be valid. As agentic AI adoption grows, credentials in config files, startup flags, and local JSON will become the norm.
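As an added illustration (not code from the GitGuardian report), a small Python check that scans an MCP-style client config for credentials hardcoded in `env` blocks or passed as startup flags. The `mcpServers`/`command`/`args`/`env` layout and every value in the sample are assumptions; values that reference an environment variable (such as `${API_KEY}`) are treated as not hardcoded and skipped.

```python
import json
import re

# Constructed sample of an MCP-style client config (assumption: the common
# mcpServers -> command/args/env layout); every value below is made up.
SAMPLE_MCP_CONFIG = json.dumps({"mcpServers": {
    "search": {"command": "npx",
               "args": ["-y", "search-server", "--api-key=EXAMPLEKEYabc123DEF456ghi789JKL"],
               "env": {"SEARCH_API_KEY": "BSAexamplekey0123456789abcdefXYZ"}},
    "db": {"command": "node",
           "args": ["server.js", "--token", "tok_example_0123456789abcdef"],
           "env": {"DATABASE_URL": "postgres://app:S3cretPassw0rd@db.example.internal/app",
                   "LOG_LEVEL": "debug"}},
}})

# Names that usually carry credentials, and URLs with an embedded password.
SENSITIVE_NAME = re.compile(r"key|token|secret|password|passwd|credential", re.I)
URL_WITH_PASSWORD = re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@", re.I)


def redact(value):
    """Keep only a short prefix so the report itself does not re-leak the secret."""
    return value[:4] + "..." if len(value) > 8 else "***"


def is_credential(name, value):
    """Flag a literal when its name suggests a credential or it is a URL with a password."""
    if not isinstance(value, str) or len(value) < 8 or value.startswith("$"):
        return False  # too short, not a string, or an env-var reference, not a literal
    return bool(SENSITIVE_NAME.search(name) or URL_WITH_PASSWORD.match(value))


def scan_mcp_config(text):
    """Return (server, location, redacted value) for each hardcoded credential."""
    findings = []
    for server, spec in json.loads(text).get("mcpServers", {}).items():
        for name, value in spec.get("env", {}).items():
            if is_credential(name, value):
                findings.append((server, "env." + name, redact(value)))
        args = spec.get("args", [])
        for i, arg in enumerate(args):
            if not arg.startswith("-"):
                continue
            # Handle both "--api-key=VALUE" and "--token VALUE" startup-flag forms.
            flag, sep, value = arg.partition("=")
            if not sep and i + 1 < len(args):
                value = args[i + 1]
            if is_credential(flag, value):
                findings.append((server, "args." + flag, redact(value)))
    return findings
```

Running `scan_mcp_config(SAMPLE_MCP_CONFIG)` reports four hardcoded credentials across the two servers (two in `env`, two in startup flags) and ignores `LOG_LEVEL`; the same walk can be pointed at real client config files on developer endpoints.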

The agent ecosystem is growing faster than security controls can follow. It is no longer enough to scan public repos and hope for compliance. Security teams need visibility into all of their internal systems, collaboration tools, container registries, and developer endpoints, and they need remediation workflows that can rotate credentials without halting production.

And most importantly, they need to stop treating secrets as one-off incidents and start managing them as part of a broader non-human identity governance program. The attack surface has changed. The question is whether security programs will change with it.

The industry is limited by its ability to answer three questions at scale:

- What non-human identities exist in my environment?
- Who owns them?
- What can they access?