
Managing secrets, the API keys, authentication tokens, and encryption credentials that keep our applications securely running, is a critical yet increasingly complex challenge in modern enterprises. Organizations use secret management tools like AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault to protect sensitive access credentials.
As businesses expand, particularly through mergers and acquisitions (M&A), they very often inherit multiple overlapping secret managers, creating hidden security and operational risks.
While redundancy might seem like a safeguard, in reality, managing secrets for mission-critical applications through multiple vaulting tools introduces security gaps, operational inefficiencies, and compliance challenges.
A 2024 industry survey from CyberArk and GitGuardian found that the typical enterprise had at least six different secret management solutions in place. The larger the company, the more widespread and complex this problem of ‘vault sprawl’ inevitably becomes. As with any problem, the first step to addressing the issue is understanding how teams get here.
Why Do Enterprises Use Multiple Secret Managers?
In an ideal world, every company would standardize on a single platform for secrets management. They need a way to safely store any credential, encrypted at rest, that can be programmatically called when needed throughout the software development lifecycle. These systems also offer insight into the non-human identity lifecycle, helping teams track when a secret was added and, importantly, rotated. Any good system will offer logs and make managing secrets a streamlined process.
For small companies without many products or offerings, getting everything in one place is a realistic goal, especially if they have standardized on a single cloud platform, like AWS, Azure, or Google Cloud. All of these platforms offer secret management services such as Azure Key Vault or AWS Secrets Manager.
As new projects launch and companies continue to grow, they often adopt a multi-cloud strategy, introducing new secrets and new management needs. In some cases, moving certain services to on-premise operations makes the most sense, so they end up in hybrid environments. At that point the cloud providers' built-in tools alone can no longer handle secrets management, and it is at this stage of maturity that we see the adoption of enterprise secret management systems such as HashiCorp Vault or CyberArk Conjur.
Merging Complex Organizations Amplifies Secret Management Risks
Standardizing on a single platform, even with central planning, is hard enough in a single organization with a shared culture and mission. What happens when a completely different organization is added to the mix and needs to be accounted for?
This happens quite a lot.
According to research from PwC, approximately 50,000 merger and acquisition (M&A) deals were announced in 2024.
Let’s assume that the company initiating the merger has an average of six vault solutions deployed, and the company being acquired is fairly small and only has two secret management platforms. The newly combined organization will then have eight systems to contend with overnight. That may sound manageable, but remember, secrets management is only one of the security considerations that this M&A activity brings.
For very large organizations that acquire multiple companies a year, the number of secrets and systems to manage grows exponentially rather than linearly.
Operational Overhead And Complexity
The larger the organization, the more likely it is that multiple divisions and teams will have spun up their own instance of their preferred secrets vaulting solution. Even if the organization has standardized on a single tool, it is very unlikely that there is one, and only one, centrally managed enterprise instance of it. With multiple secret managers in play, different teams may store and manage the same secrets separately, leading to:
- Duplicated effort in storing, rotating, and auditing credentials
- Confusing access control policies across departments
- Delayed developer workflows due to integration issues
Cost is also a major concern with vault sprawl. As with any technology, the more of it you deploy, the higher your overall operational expenses will be. Enterprise secrets management systems are a mission-critical infrastructure investment, costing tens or hundreds of thousands of dollars per year to license and operate. Having duplicate systems means paying that same fee through multiple contracts and, most likely, to multiple vendors.
Risks From Secrets Redundancy
A fragmented secret management landscape is the reality in large enterprises, and it increases the risk of orphaned or forgotten secrets. A 2023 study found that 90% of valid secrets detected remained active 5 days later, highlighting remediation as a challenge.
Different secret managers enforce security policies unevenly. One tool may require monthly secret rotation, while another allows long-lived credentials indefinitely, creating compliance risks.
More systems mean more potential entry points for attackers. Each secret manager requires its own access controls, monitoring, and security patches. Security teams must learn and work with multiple platforms, increasing training costs and operational risk. Misconfigurations in just one of these tools can expose sensitive secrets.
There are also risks introduced as organizations attempt to manually solve the vault sprawl issue through the migration of secrets. When passing secrets between systems, secrets often get copied into temporary repositories or spreadsheets, increasing exposure risks. Anytime a person can read a secret in plaintext, that means there is a clear and simple attack path open to anyone who gains access to your internal environments.
Multiple secret managers complicate audits and regulatory adherence. Regulations like GDPR and NIST standards require strict control over credentials and access logs, which become harder to enforce across disparate tools. When an auditor comes to your door, you do not want that to be the time you start trying to consolidate systems for visibility.
Mitigating Vault Sprawl
With so many drawbacks and risks associated with vault sprawl, it is clear that security and IT leaders must work together to gain visibility into all the secrets throughout the enterprise. The way forward is to address the existing complexity by gaining real-time visibility into the state of your secrets, how they are used, and when they need to be rotated, no matter where they are stored.
Secrets Discovery Is The Needed First Step
Teams should first focus on discovering secrets throughout all environments, including all secret managers, rather than trying to manage the mass migration of credentials between cloud and enterprise solutions.
Taking a visibility and discovery-focused approach will also help you find all the secrets not currently stored in vaults, helping you enforce standardization of secrets management. Without knowing about a secret, it will be impossible to ensure it is properly rotated or taken out of service when no longer needed. Long-lived “zombie credentials” are one of an attacker’s favorite paths.
Automating Vault Consolidation
With the proper secrets detection tooling, enterprises can find redundancies as well, which can lead to lower operational costs and overhead. For example, if you find the same secret across multiple vaults, only one would be needed. Development teams lack this high-level insight.
Doing this manually is prohibitive in time and cost, especially when there are thousands of valid secrets in play. The larger the organization, the more automation is required. Detection solutions need to be addressable with scripting and automation tooling. If a script can open a pull request to update the code to call the correct vault, which already contains the needed secret, then the review process for merging that change should take seconds, not days of developer rework.
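The redundancy and policy checks described in this section and in "Risks From Secrets Redundancy" above, as an added example that is not GitGuardian's tooling or code from the original article. It assumes that discovery has already exported an inventory from each vault instance as records of vault, path, value and last rotation date; the inventory, vault names and blinding key below are constructed placeholders. Values are compared only through a keyed hash, so the report never carries plaintext, and one rotation policy is applied across all vaults regardless of what each vault enforces on its own.

```python
"""Cross-vault secret inventory audit (added example, not GitGuardian's tooling).

Assumes a discovery step has exported, from every vault instance, records of
(vault, path, value, last_rotated). Secret values are fingerprinted with a
keyed hash so the plaintext is never written into the report. The inventory,
vault names and blinding key below are constructed placeholders.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: what discovery might return from three vault instances.
# Values are fake placeholders, not real credentials.
INVENTORY = [
    {"vault": "aws-prod", "path": "payments/db-password", "value": "pw-EXAMPLE-1", "last_rotated": date(2025, 1, 10)},
    {"vault": "hcv-platform", "path": "secret/payments/db", "value": "pw-EXAMPLE-1", "last_rotated": date(2024, 6, 1)},
    {"vault": "azure-legacy", "path": "payments-db", "value": "pw-EXAMPLE-1", "last_rotated": date(2023, 11, 20)},
    {"vault": "hcv-platform", "path": "secret/ci/token", "value": "tok-EXAMPLE-2", "last_rotated": date(2025, 3, 1)},
    {"vault": "azure-legacy", "path": "old-smtp", "value": "smtp-EXAMPLE-3", "last_rotated": date(2022, 2, 2)},
]

# Hypothetical per-audit blinding key; in practice sourced from a KMS, never hard-coded.
BLIND_KEY = b"audit-run-key-placeholder"
ROTATION_POLICY_DAYS = 90          # one policy for every vault (assumption)
AUDIT_DATE = date(2025, 4, 1)      # constructed "today" so the run is reproducible
# Preference order when the same secret lives in several vaults (assumption: hcv-platform is the consolidation target).
VAULT_PRIORITY = ["hcv-platform", "aws-prod", "azure-legacy"]


def fingerprint(value: str) -> str:
    """Keyed hash so duplicates can be matched without retaining plaintext."""
    return hmac.new(BLIND_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def find_duplicates(inventory):
    """Group records by fingerprint; return only groups stored in more than one vault."""
    groups = defaultdict(list)
    for rec in inventory:
        groups[fingerprint(rec["value"])].append(rec)
    return {fp: recs for fp, recs in groups.items() if len({r["vault"] for r in recs}) > 1}


def consolidation_plan(inventory, priority=VAULT_PRIORITY):
    """For each duplicated secret, pick the canonical copy and list the rest for retirement."""
    plan = []
    for fp, recs in find_duplicates(inventory).items():
        canonical = min(recs, key=lambda r: priority.index(r["vault"]))
        plan.append({
            "fingerprint": fp,
            "keep": f'{canonical["vault"]}:{canonical["path"]}',
            "retire": sorted(f'{r["vault"]}:{r["path"]}' for r in recs if r is not canonical),
        })
    return plan


def stale_secrets(inventory, today=AUDIT_DATE, max_age_days=ROTATION_POLICY_DAYS):
    """Apply the rotation policy uniformly, whichever vault holds the secret."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(f'{r["vault"]}:{r["path"]}' for r in inventory if r["last_rotated"] < cutoff)


if __name__ == "__main__":
    for item in consolidation_plan(INVENTORY):
        print(f'keep {item["keep"]}; retire {", ".join(item["retire"])}')
    print("past rotation policy:", stale_secrets(INVENTORY))
```

The output of `consolidation_plan` is what an automation step would turn into pull requests: each "retire" entry is a vault path whose consumers should be repointed at the "keep" path before the duplicate is deleted. Because the plan is keyed on fingerprints rather than paths, the same credential stored under three unrelated names in three vaults is still recognised as one secret.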
Security can also help developers by investing in tools that detect plaintext secrets before they leave the developer’s machine. Ideally, any time a developer needs to invoke a new secret, their tooling should guide them down the proper path with the right documentation, or even with automation that suggests the correct calls into the secrets management system.
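A minimal version of the client-side check described above, as an added example that is not a GitGuardian product or code from the original article. It scans the lines a developer is about to commit for one well-documented credential format (the AWS access key ID prefix) and for credential-looking assignments whose value has high Shannon entropy, then points at a vault lookup to use instead. The pattern list, entropy threshold and `secrets.get(...)` suggestion are assumptions for the demo, and the sample diff is constructed with fake values, including AWS's published example key ID.

```python
"""Pre-commit plaintext secret check (added example; not a GitGuardian product).

Scans text that is about to be committed for a known credential format and for
high-entropy values assigned to credential-like names, and tells the developer
which vault lookup to use instead. The pattern list, entropy threshold and the
suggested call are assumptions for this demo; the sample diff is constructed.
"""
import math
import re
from collections import Counter

# Known-format detector: AWS access key IDs start with AKIA and are 20 characters.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Generic `name = "value"` assignments whose name looks credential-like and whose value is at least 8 characters.
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_]*(?:secret|password|token|api_key)[A-Za-z_]*)\s*[:=]\s*["'](?P<value>[^"']{8,})["']""",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption tuned for this demo

# Constructed sample of staged changes. The AKIA value is AWS's documented example key ID, not a live credential.
SAMPLE_DIFF = """\
+DB_HOST = "db.internal"
+DB_PASSWORD = "password123"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "p8Xz4Qm2vL9kR7tWn3Yh"
-OLD_SECRET = "AKIAIOSFODNN7EXAMPLE"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high, dictionary words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suggest_vault_call(name: str) -> str:
    """Hypothetical helper; the real call depends on the organization's vault SDK."""
    key = name.lower().replace("_", "-")
    return f'secrets.get("{key}")'


def scan(text: str):
    """Return one finding per added line that carries a likely plaintext secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("-"):  # removed lines are not entering the repository
            continue
        for kind, pat in KNOWN_PATTERNS.items():
            if pat.search(line):
                findings.append({"line": lineno, "kind": kind, "suggestion": suggest_vault_call(kind)})
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "kind": "high_entropy_assignment",
                             "suggestion": suggest_vault_call(m.group("name"))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DIFF):
        print(f'line {f["line"]}: {f["kind"]} -> use {f["suggestion"]} instead of a literal')
```

Wired into a pre-commit hook, a non-empty result from `scan` blocks the commit, and the suggestion string is the hint that steers the developer toward the vault rather than toward a workaround. The low-entropy `password123` line is deliberately missed here to show the limit of an entropy-only heuristic: a production check would pair it with a dictionary of weak values and a name-based rule.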
Prioritizing Secrets Management In The Enterprise At Scale
Addressing vault sprawl is not just a matter of convenience; it is a critical security and operational challenge that enterprises must proactively manage, especially as mergers and acquisitions continue to drive IT complexity. The costs are high, both financially, from paying for redundant systems, and in overhead, as keeping up with multiple platforms demands more time and effort from your already stretched teams.
The rapid accumulation of secret management tools across different business units creates unnecessary overhead, increases security blind spots, and elevates the risk of exposure due to inconsistent policies. While complete consolidation is often unrealistic in larger organizations, enterprises must prioritize visibility, standardization, and automation to mitigate these risks.
By implementing robust discovery processes, enforcing uniform secret management policies, and leveraging automation to streamline migration and enforcement, organizations can ensure that secrets remain secure, auditable, and manageable at scale. As cyber threats evolve and businesses grow, security teams must take a proactive stance in managing secrets, turning what was once a hidden risk into a well-governed and resilient security practice.
Author BIO
Dwayne McDaniel – Senior Developer Advocate at GitGuardian
Dwayne has been working as a Developer Advocate since 2014 and has been involved in tech communities since 2005. His entire mission is to “help people figure stuff out.” He loves sharing his knowledge, and he has done so by giving talks at hundreds of events worldwide. He has been fortunate enough to speak at institutions like MIT and Stanford and internationally in Paris and Iceland. Dwayne currently lives in Chicago.