Breaches
August 17, 2025

Vaults Are Done. This Train Has Left the Station.

Micha Rave
CEO and Co-Founder

When my co-founders and I started Hush Security, one thing was painfully clear: the way companies manage secrets is broken for today’s world. Vaults and secret managers solved yesterday’s problem, storing static secrets for predictable, human-driven systems.

But today’s environments are anything but predictable. Cloud-native architectures, microservices, ephemeral workloads, CI/CD pipelines, and now agentic AI have turned machine-to-machine communication into a fast, dynamic, and complex mesh. In this reality, static secrets aren’t just outdated, they’re a liability.

Having worked together for the past decade driving product innovation in cloud security, Shmulik Ladkani, Chen Nisnkorn, Alon Horowitz, and I decided it was time to disrupt the machine-to-machine access space. Instead of building more secret scanners, we founded Hush Security to deliver technology that empowers security and operations teams to completely rethink how they manage machine access, replacing outdated approaches of secrets and vaults with a solution built for today’s scale, speed, and complexity.

Why Vaults Are Failing

Vaults were built for an era when environments were static and identities were few. A secret could be created, stored in the vault, rotated occasionally, and remain valid for months, or even years. That worked when you had monolithic apps, running on-prem and mostly talking to each other in a walled garden.

Today, environments change by the second. Containers spin up and down in milliseconds, and they converse with SaaS and services, both internal and external across the internet. Developers deploy dozens of changes daily. AI agents execute workflows we didn’t anticipate in advance. In this world:

  • Secrets sprawl across pipelines, repos, and multiple vaults (“vault sprawl”).

  • Long-lived, static credentials outlast the workloads they’re tied to.

  • Human processes and labor can’t keep up with modern machine access needs.

The result? An operational mess for DevOps, blind spots for security, and a wide fertile attack surface for adversaries.

Breaches prove the point. In one of many identity-related attacks, back in 2022, Uber had privileged access management (PAM) in place and strong security measures, yet attackers still gained full access after finding a hardcoded vault admin password in a script. A single leaked credential unraveled everything. In a recent breach involving Salesloft Drift, hundreds of OAuth tokens were exfiltrated and abused, compromising 700 tech companies.

Vaults can store secrets securely, but they can’t stop secrets from leaking, being reused, forgotten or being abused.

Agentic AI Makes It Worse

Agentic AI magnifies the problem: autonomous agents carry out business workflows and connect programmatically on behalf of users and applications, often without governance or oversight. These agents make real-time decisions: querying databases, deploying services, calling APIs.

Traditional secret provisioning workflows fail here because:

  • Excessive secret sprawl - agents and MCPs require lots of access, extending the risk and the attack surface.

  • Vibe coding and shadow AI - secrets are embedded in code, unsupervised and unmanaged.

  • The principle of least privilege breaks - giving AI broad, long-lived access is a security nightmare.

The result? Either AI agents are blocked from doing their jobs, or they’re given wide-privilege tokens that violate the Zero Trust approach. Neither is acceptable. And with AI agents exploding in number, along with the number of exposed and abused secrets, the status quo isn’t acceptable, either.

It’s time for something new.

The Shift: From Vaults to Secretless Access

Managing secrets better isn’t enough, and neither is building “better” vaults. We need to stop chasing static secrets altogether and rethink the access model.

If you think about it, this challenge has already been solved in a closely related domain: the human workforce identity. Vendors have spent decades refining solutions for managing human access. Just look at SSO, IGA, and PAM. These technologies proved that structured, scalable identity management can work. The question is, why not apply the same proven approach to an even bigger problem, machine access?

At Hush Security, we built a secretless, policy-based access model. In this model, a service or AI agent proves its identity and gets exactly the access it needs, for exactly the time it needs it. It otherwise has no key or token to save, use, rotate, or leak.

The Future of Machine-to-Machine Communication

This is the next phase of zero trust for machines. Instead of static secrets, machines will authenticate with cryptographic identity and dynamic trust, using modern concepts like:

  • Zero Trust & Least Privilege Access - machines only get the minimum access they need to perform their tasks. This limits the blast radius if an identity is compromised.

  • SPIFFE/SPIRE - industry-backed workload identity frameworks for dynamic, cryptography-based authentication.

  • Workload Identity Federation - policy-driven trust relationships across clouds, SaaS, and hybrid environments.

Analysts are already pointing in this direction. Close to half of companies will soon adopt a secretless approach according to Gartner. The CNCF, NIST, and other frameworks advocate for identity-first, passwordless machine authentication.

It’s the same evolution humans went through, from memorizing passwords to passwordless authentication, now applied to machines.

Why We Built Hush Security

Before Hush, I’d spent years chasing down API keys, untangling sprawl, and firefighting secret exposures. Every rotation was a stressful, error-prone and labor-intensive event. One incident, a leaked key that caused an emergency response, made me realize: secrets aren’t the endgame.

We don’t need better vaulting. We need no vaulting at all.

That’s the vision behind Hush: eliminate the management of static secrets, end the vault era, and replace static secrets with real-time, policy-driven identity for every machine, service, and AI agent. The payoff is massive:

  • Security - eliminate the risk by removing static keys from an attacker’s reach.

  • Simplicity - eliminate the burdensome and risk-prone process of secret provisioning, storage, usage, and rotation.

Oh, and everything is transparent and happens behind the scenes - no unnecessary code changes and no lengthy implementation timelines.

The Bottom Line

Static secrets are a relic of a slower, simpler era. Vaults served their purpose, but they can’t keep up with cloud-native scale, AI-driven automation, and modern security expectations.

The future of machine-to-machine communication is secretless, policy-based, and identity-first. The technology exists. The standards are here. The industry is moving in this direction.

At Hush Security, we’re building the platform to make it happen, so you can innovate at full speed without worrying that the keys to the kingdom will end up in the wrong hands. We also made the technology nearly transparent to use, so adopting it won’t slow down your teams or your business.

So how about eliminating risk, reducing burden, and scaling your NHI security?
