28,649,024 secrets were exposed in public GitHub commits during 2025 β a 34% year-over-year increase and the steepest annual climb in the history of GitGuardian's State of Secrets Sprawl dataset. The cause is not developer negligence. It is AI-assisted code generation: commits co-authored by AI coding tools leak secrets at more than double the baseline rate of human-only commits. For engineering teams that have deployed AI coding assistants at scale, native security controls are proving insufficient β not because they are poorly designed, but because they were built for developer experience, not policy enforcement. Closing that gap requires a different architectural approach.
What the Data Shows
The 2026 GitGuardian State of Secrets Sprawl report β covering 28,649,024 exposed secrets across public GitHub in 2025 β provides the clearest measurement of how AI-assisted development is expanding the secrets exposure surface. AI-assisted commits leak secrets at 3.2%, compared to 1.5% for human-only commits. AI-service credentials β API keys for LLM providers, embedding platforms, and orchestration frameworks β surged 81% year over year, reaching more than 1.2 million detected leaks. Twelve of the top 15 fastest-growing leaked secret types were AI services: OpenRouter credentials grew 48x year over year; vector database credentials grew nearly 1,000%; agent-building platform credentials rose 500β600%.
A remediation failure amplifies the exposure. Nearly 70% of credentials identified as compromised in 2022 remained valid through January 2025, and 64% were still unrevoked by January 2026. Each valid, unrevoked credential is an open attack surface with an indefinite lifespan.
Code quality data adds a second dimension. Veracode's 2025 GenAI Code Security Report tested more than 100 large language models across Java, JavaScript, Python, and C# and found that AI-generated code introduced security flaws in 45% of tests β with no meaningful correlation between model size or recency and output security. The Cloud Security Alliance and Endor Labs independently put that figure at 62% for design flaws or known vulnerabilities. These are baseline rates in production workflows, not edge cases in experimental code.
Why Native Controls Fall Short
Every AI coding assistant ships with security features. They share a structural limitation: they are advisory controls positioned inside the developer's editor, not enforcement controls positioned at the merge boundary. The distinction matters because code that has not reached the merge gate has not yet entered shared infrastructure β but code that passes the merge gate has, regardless of what the editor suggested or warned. The four most common native controls each fail in a specific and predictable way.
Repository-level secret scanning detects patterns after the push. It alerts β it does not block. A developer who receives an alert post-push has already committed a credential to version control history, where it persists even after deletion in most SCM platforms. GitGuardian found that 24,008 secrets in MCP configuration files followed patterns from official quickstart documentation β meaning developers replicated unsafe patterns from trusted sources.
Content exclusion β preventing the AI from reading sensitive directories β depends entirely on teams correctly configuring exclusion lists at rollout. Misconfiguration is the default state during adoption phases. Organizations that skip this step inherit the full risk surface immediately.
"Block suggestions matching public code" targets verbatim reproduction of open-source code. It does not detect novel vulnerabilities in business logic, insecure pattern composition, or context-specific flaws β the categories where Veracode's analysis found the highest vulnerability density. Larger, newer models did not produce safer code.
Audit logging records what was suggested and accepted. It does not prevent acceptance, produce a structured risk signal, or integrate with CI/CD policy decisions. An audit log that captures a dangerous merge at T+0 and surfaces it in a SIEM at T+72 is forensics, not enforcement.
The pattern this produces is security theater: controls exist at every layer, incidents occur anyway, and the post-mortem reveals that each control was correctly configured for its designed purpose β which was not blocking merges.
Building a Technical Enforcement Stack
Effective enforcement for AI-assisted development operates across four layers. Each targets a different failure mode; together they create defense in depth from commit to merge.
Layer 1 β Pre-Commit Detection
Secret scanning must execute locally before a push reaches the remote. This requires commit hooks β pre-commit, Husky, or similar β running credential pattern detectors at commit time. The critical implementation detail: hooks must be enforced through repository initialization scripts, not offered as optional setup steps. Optional hooks are suggestions. Mandatory hooks are controls.
CISA's May 2025 AI data security guidance explicitly identifies the developer's local environment as a key control point for managing data supply chain risks in AI-assisted workflows. Pre-commit scanning is the implementation of that guidance at the code layer β and one of the lowest-cost controls relative to the risk it eliminates.
Layer 2 β PR-Level Risk Scoring
At the pull request boundary, scanning needs to produce a structured risk signal β not a binary pass/fail on a single pattern, but a composite score across multiple dimensions: secret exposure probability, dependency vulnerability density, insecure code pattern prevalence, PR size and complexity, and author provenance (human vs. AI-generated lines). A scored signal has properties a binary alert does not: it is configurable, auditable, thresholdable, and integrable with CI/CD policy decisions.
Risk scoring at the PR level also creates the evidentiary record that regulatory frameworks require. A structured score with dimension breakdown and timestamp is an auditable artifact. A failed scan notification in a chat channel is not.
Layer 3 β Policy Gates at Merge
Risk scores without enforcement are dashboards, not controls. Enforcement happens at the merge gate: a CI/CD integration that blocks merge when the PR risk score exceeds a configured threshold, surfaces the specific violation with actionable remediation guidance, and requires a documented exception workflow for overrides. Exception workflows matter as much as the gate itself β teams need a legitimate path for urgent merges that does not create an invisible bypass habit.
NIST's COSAiS framework (August 2025) β which builds SP 800-53 control overlays for AI agent use cases including "Using AI Agent Systems" β identifies policy enforcement as a required control. The merge gate is the software implementation of that requirement in a development workflow context.
Layer 4 β Machine Identity Governance
Machine identities outnumber human identities 45:1 at most enterprises according to GitGuardian's 2026 research. AI-assisted coding workflows generate service account credentials, deploy tokens, and API key references at a rate that manual rotation policies cannot track. Effective enforcement at this layer includes: automated rotation triggers when a credential appears in a diff; centralized machine identity inventories updated on each PR scan; and alerting when AI-generated code introduces new service account references outside approved identity namespaces.
The 81% year-over-year growth in AI-service credential leaks is partly a machine identity problem: AI-assisted code that calls new LLM APIs, vector stores, or agent platforms creates new credentials that fall outside existing rotation and inventory processes. Enforcement at the merge boundary is the point where this drift can be detected before it becomes unmanageable.
Regulatory Alignment
Engineering leaders preparing for regulatory scrutiny should understand how AI coding enforcement maps to current framework requirements. CISA's May 2025 guidance covers three risk categories specific to AI systems: data supply chain risks, maliciously modified data, and data drift β and refers to NIST SP 800-53 for control implementation.
NIST published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence in December 2025, organizing AI security requirements across six functions: Govern, Identify, Protect, Detect, Respond, and Recover. A PR-level enforcement stack maps cleanly to this structure: risk scoring and merge gates address Protect and Detect; structured audit trails with AI attribution address Govern. Teams that build enforcement against these function categories will carry a more defensible posture through security reviews, vendor assessments, and board-level reporting than teams that rely on native AI tool features alone.
What to Do Now
Audit your enforcement surface. Map where current security controls sit: editor layer, repository layer, CI/CD layer. If you have no controls at the merge boundary, that is the first gap to close β not the editor-layer alerts that run after acceptance.
Deploy pre-commit scanning before expanding AI coding rollouts. Make hooks non-optional via repository initialization templates. Every repository that onboards developers using AI coding tools should have credential scanning active from day one, not added retroactively.
Define a PR risk scoring policy in writing before building it. Decide which dimensions you score, what thresholds trigger a block, and what the documented exception process looks like. A policy written after the tooling is built usually reflects the tooling's capabilities rather than the organization's risk posture.
Integrate risk scores into your CI/CD merge gate. A score that does not affect merge eligibility is a metric. A score that gates merge is a control. Only one of those reduces the incident rate.
Inventory machine identities before AI-assisted code creates new ones. Establish a rotation policy for credentials that appear in AI-assisted diffs. At a 45:1 machine-to-human identity ratio, manual tracking is not a viable posture for any team scaling AI coding tool adoption.
Map your stack to CISA and NIST CSF AI Profile functions. Document which controls address which framework functions. This evidence reduces friction in security reviews and creates the narrative thread needed for board-level risk reporting on AI tool deployment.
The 34% year-over-year increase in exposed secrets is a direct measurement of what happens when deployment outpaces enforcement. AI coding assistant adoption is accelerating; enforcement infrastructure needs to be in place before the next scaling cycle, not assembled after the first significant incident. The sequence matters more than the tooling.
re-entry.ai applies automated PR risk scoring and configurable policy gates to pull requests from AI coding assistants. To see how it works for your team, visit re-entry.ai.