The Thing Nobody Tells You About Automation
When you build your first integration—connecting Slack to your database, setting up a CI/CD pipeline, automating customer data syncs—you get a dopamine hit. The workflow runs. Data flows. Everything feels controlled. Then six months later, you realize you have no idea where all the credentials are anymore.
I built a workflow last year that pulled user analytics into a private Notion database. It worked perfectly. I moved to another client. The integration kept running, untouched, for another eight months. The API key was hardcoded in environment variables on a Vercel deployment. I'm still not entirely sure if anyone ever revoked it, and I'm not sure that matters at this point, but it definitely felt like it should.
40 to 50 Credentials Per Person Sounds Absurd Until You Count
Let's map what actually lives in your infrastructure:
- Service accounts for scheduled jobs
- API tokens for third-party integrations, which is more complex than it sounds because some get rotated quarterly, some annually, some never
- OAuth grants that accumulate silently
- Webhook secrets
- Database connection strings. SSH keys. Deploy credentials.
That 68% breach statistic from 2024? That wasn't the result of a sophisticated attack. Someone's old GitHub repository had a .env file committed. Someone left a startup and their service account kept processing transactions. A contractor finished a project, the credential was forgotten, and three years later it became a vulnerability someone could actually exploit.
I'm genuinely uncertain whether the problem is technical or organizational. The tools exist—HashiCorp Vault, AWS Secrets Manager, 1Password for Teams. But implementing them requires discipline that organizations, including mine at various points, simply don't have. You can architect perfect secret rotation. If nobody enforces it, it collapses.
Why This Matters More Now Than It Did in 2019
Complexity compounds. Every integration is another credential. Every AI agent your team spins up is another connection that needs managing. Every webhook is another secret that could escape. The surface area grew exponentially while our governance practices stayed flat.
When I'm building something, I think I'm solving a business problem. The secret management piece feels administrative, secondary. It's not. It's the difference between a system that's defensible and a system that's a liability masquerading as productivity.
The difficult part isn't knowing this is important. The difficult part is the work. Auditing every integration. Creating an inventory. Rotating credentials on a schedule that actually gets followed. Deleting things when projects end instead of just letting them go dormant. I know teams that still can't do this consistently.
The Unresolved Tension
Here's what I keep bumping into: moving fast and maintaining secret hygiene are genuinely at odds. Not philosophically. Practically. The fastest way to get an integration working is to grab a credential and use it. The secure way is slower. It involves documentation, approval workflows, automated rotation policies, offboarding checklists. Every layer of security adds friction.
Most organizations I work with choose speed until they can't anymore. Then they panic and hire someone to clean up the mess. I've been that someone. It's not pleasant work.
The question I don't have a clean answer to: is the solution better tooling, or better discipline, or some combination that I haven't seen executed well yet? I genuinely think it might be discipline. Which is the least popular answer in tech because it's not something you can buy.
What I'm Actually Doing About It
For every new integration I build now, I create an audit document. Not because it's fun. Because the alternative is waking up in two years wondering what's still connected to what. I'm using environment variable management from day one instead of adding it later.
I'm also having harder conversations with clients about offboarding. When a project ends, the credentials should too. When someone leaves, their access should terminate with actual verification, not just a checkbox on a spreadsheet.
Whether any of this actually makes a difference is still unclear. But at least the systems I touch now have some visibility. They're documented. They're probably more secure than they would be otherwise.
Still not enough, probably. But it's something.
