Identity Security Insights 25.12.1

December 19, 2025

🆕 New features

Secret Security: Secrets and Secrets Inventory

Secrets sprawl across clouds and tools, often with over‑broad access and stale rotation, is a high‑impact path for compromise. Secret Security gives you one place to see, triage, and fix these risks quickly.

New section and menu items
A new Secret Security area is available in the Insights menu with two items:

  • Secrets: Overview dashboard for posture, rotation hygiene, and access breadth
  • Secrets Inventory: Full, filterable catalog with detailed metadata and access analysis

From the main Insights Dashboard, selecting the Secrets count opens Secrets. Any drill‑down from visuals routes to Secrets Inventory, pre‑filtered to that slice.

Supported Providers
AWS Secrets Manager, Azure Key Vault, GitHub secret scanning, BeyondTrust Privileged Remote Access (vaulted accounts), BeyondTrust Password Safe (managed accounts)

What You Can See

  • Overview KPIs: Total Discovered Secrets, Secrets Not Rotated in 1 Year, provider breakdown
  • Overly Broad Secret Access: Secrets grouped by accessor count
  • Direct vs True Access: Configured grants vs effective runtime access
  • Inventory fields: Lifecycle, rotation status, total accessors, and Access Paths

Why It Matters
Shrink blast radius by reducing oversized audiences, close rotation gaps fast, and validate effective permissions across all providers from a single view.

OpenAI and ChatGPT connectors

Three new connectors are now available in the connectors area: OpenAI Admin, OpenAI Projects, and ChatGPT Enterprise.

What You Can See

  • Accounts View: OpenAI and ChatGPT users appear alongside your existing accounts with privilege levels automatically identified (organization owners, workspace admins, project owners)
  • AI Agents: OpenAI Assistants and ChatGPT GPTs are tracked as accounts, showing which users can access or control them
  • Identity Linking: Accounts are linked to identities where applicable
  • Access Paths: Graph analysis reveals user-to-agent relationships and who owns administrative or project-level API keys

AI Security Analysis

  • Tool Capabilities: See exactly what each Assistant and GPT can do: code execution, file access, web browsing, image generation, or custom API calls
  • Risk Assessment: Identify high-risk scenarios like privileged users controlling agents with code execution, overshared GPTs, or admin keys with organization-wide access
  • Attack Surface: Understand which user compromises would grant access to dangerous AI capabilities
  • Entitlement Tracking: View which users can use which agents, and which tools those agents can access

Google connector: Vertex AI and Discovery Engine support

The Google connector now includes an Enable Vertex AI setting (Yes/No) and an Allow access to agent model details option. Selecting these options provides custom scripts that allow Insights to collect Vertex AI and Discovery Engine data.

What are Vertex AI and Discovery Engine?

Vertex AI Reasoning Engines are autonomous AI agents that organizations deploy to automate tasks like customer support, data analysis, and workflow processing. These agents run under service accounts and can access GCP resources based on inherited IAM permissions.

Discovery Engine powers AI search and conversational interfaces (chatbots) that query organizational data stores, documents, and databases to answer questions and provide recommendations.

Where You'll See This

  • AI Security section: Vertex AI agents and Discovery Engines appear with their entitlement paths, service account associations, and inherited IAM permissions.
  • Accounts view: GCP AI agents appear as accounts.
  • Privilege graph coverage: Insights adds nodes for Vertex AI agents, models, endpoints, service accounts, and projects, plus edges that map VertexAgent -runsAs-> ServiceAccount -assigned-> GCPRole and WorkspaceUser -synced-> GCPUser -assigned-> GCPRole, so entitlement paths and inherited IAM show up end‑to‑end.

Why It Matters

  • Excessive permissions: Identify over‑privileged AI agents
  • Change control: See who can modify AI agents
  • Data exposure: Understand what data AI search engines can access
  • User mappings: Trace Workspace users to GCP AI roles