Analyst Chat #264: Persistent Identity, Ephemeral Secrets - Workload Identities in the Age of AI

Analyst Chat

KuppingerCole Analysts · Martin Kuppinger, Matthias Reinwarth

August 11, 2025 · 22m 27s

Show Notes

In this episode of the KuppingerCole Analyst Chat, Martin Kuppinger joins Matthias Reinwarth to dive deep into one of the most overlooked but critical areas in identity and security: non-human identities (NHI) and workload secrets. As cloud-native development and AI-driven workloads grow, so does the complexity of managing machine identities. With AWS now supporting long-lived API keys for generative AI, this episode explores why that's a risky move — and what a modern, secure, and developer-friendly alternative looks like.

In this episode, you'll learn:

  • Why workload identities must be treated as privileged
  • How long-lived secrets expand your attack surface
  • Why “balancing convenience vs. security” is a false choice
  • How to apply ephemeral secrets and ITDR signals
  • The role of SPIFFE/SPIRE, policy-as-code (OPA), and automation
  • Why developers shouldn’t own security — and what IAM must do instead
  • How attackers use AI to hunt your leaked secrets
  • What organizations must do to secure NHI at scale

Key takeaway: Security must be built around short-lived secrets, automation, and clear separation between identity, secrets, and entitlements — especially for workloads and AI agents.