AI companies leaking information on GitHub

A new study by cybersecurity firm Wiz has revealed that nearly two-thirds of leading private artificial intelligence (AI) companies have leaked sensitive information such as API keys, tokens, and credentials on GitHub. The findings highlight a growing gap between the rapid pace of AI innovation and the slower adoption of basic cybersecurity practices across the sector.
According to Wiz, the exposed credentials include API keys belonging to ElevenLabs and HuggingFace, two of the most widely used AI platforms. Such leaks could allow unauthorized access to private training datasets, proprietary models, or other internal information, exposing companies to data theft, service disruption, or reputational damage. The report points to a broader trend in which fast-moving AI development pipelines are outpacing the implementation of standard security processes.
Commenting on the findings, Shane Barney, Chief Information Security Officer at Keeper Security, said the report underscores the growing challenge of managing machine-based credentials at scale. “The discovery of exposed API keys, tokens and other programmatic secrets across leading AI companies shows how quickly machine-to-machine connections can expand as development and automation accelerate. Each of these credentials represents an access pathway that, if left unsecured, can expose sensitive systems or data,” he said.
Barney noted that as organizations adopt AI and cloud-native development, the number of non-human accounts continues to increase. These machine identities are essential for modern operations but often fall outside traditional identity and access management frameworks. When visibility into those credentials is limited, he added, risk spreads quietly across systems that are otherwise well protected.
He said reducing that risk requires sustained visibility and control, as well as a centralized approach to managing secrets. Continuous monitoring for exposed secrets, automated credential rotation, and least-privilege access policies can help contain exposure without slowing innovation. Implementing Privileged Access Management (PAM) alongside secrets management further extends visibility and control by ensuring credentials used by systems and applications are securely stored, rotated, and monitored.
Barney said the Wiz findings serve as a reminder that as technology grows more intelligent and interconnected, security must keep equal pace. “The fundamentals still apply: know what identities exist, understand what they can access and ensure those privileges are tightly governed.”