65% of Leading AI Companies Expose Verified Secrets Including Keys and Tokens on GitHub
A new security investigation has uncovered a troubling pattern across the AI sector: 65% of prominent AI companies have leaked verified secrets on GitHub, including API keys, tokens, and other sensitive credentials that could jeopardize core operations and intellectual property. The research, conducted by Wiz on 50 organizations from the Forbes AI 50 list, reveals a growing attack surface that extends far beyond the boundaries of official repositories.
Why this matters
Leaked secrets are more than minor slip-ups—they can grant attackers direct access to production systems, private models, and proprietary data. In a field where competitive advantage hinges on innovation and speed, exposed credentials can lead to service disruption, data theft, or model tampering. The Wiz findings suggest this is not a fringe issue, but a systemic problem cutting across company sizes and maturity levels.
What the researchers found
Wiz discovered that many leaks lurked in places traditional scanning often misses: deleted forks, workflow logs, gists, and personal repositories owned by organization members. These locations form a “submerged” attack surface—harder to see, but highly consequential. The exposures included:
- LangSmith API keys granting organization-wide access.
- Enterprise-tier credentials from ElevenLabs found in plaintext configuration files.
- A Hugging Face token from one anonymous AI50 company that opened the door to roughly 1,000 private models.
- Multiple Weights & Biases keys that risked exposure of proprietary training data and experiment metadata.
Collectively, the 65% of companies with exposures represent more than $400 billion in valuation—yet smaller organizations were also affected, including some with very few public repositories.
How Wiz looked beyond the surface
Unlike commodity secret scanners that largely focus on public organization repositories, the researchers used a three-pronged approach designed for depth, perimeter, and coverage:
- Depth: Analyzed entire commit histories, deleted forks, workflow logs, and gists—the “iceberg” beneath the waterline that standard scans often miss.
- Perimeter: Expanded beyond official org repos to include credentials accidentally committed by employees to their personal GitHub repositories.
- Coverage: Addressed blind spots for emerging AI-specific secrets across services and platforms such as Perplexity, Weights & Biases, Groq, and NVIDIA.
Why traditional scanning missed it
- Hidden locations: Deleted forks, historical logs, and gists aren’t always included in standard organization-level scans.
- Human sprawl: Developers’ personal repos can unintentionally become extensions of corporate infrastructure, widening the blast radius.
- New secret types: AI platforms use novel token formats and credentials that many scanners don’t yet recognize.
The expanding attack surface
As AI adoption accelerates, the classic perimeter dissolves. Organizational members, contractors, and community contributors all become potential vectors for credential exposure. The report underscores a critical message: speed and scale magnify risk, especially when pipelines, notebooks, and model registries interact with dozens of APIs and cloud services.
What AI companies should do now
Wiz’s experts call for immediate, industry-wide action. Key recommendations include:
- Mandate secret scanning for all public version-control systems: Treat it as table stakes, not a nice-to-have.
- Expand scope to personal repos: Develop policy and technical controls recognizing that employee-owned repositories are part of the effective corporate perimeter.
- Create clear disclosure channels from day one: Encourage responsible reporting and streamline remediation to limit exploit windows.
- Build custom detectors for proprietary secret formats: Especially for AI-specific tools and platforms that existing scanners don’t fully cover.
- Continuously rotate and invalidate keys: Assume exposure will happen; minimize the impact window with automation.
- Harden CI/CD pipelines: Prevent secrets from entering logs, artifacts, and workflow outputs; enforce pre-commit and pre-merge checks.
- Educate developers: Integrate secure-by-default practices into onboarding, with guardrails for notebooks, model registries, and dataset handling.
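The "new secret types" gap described above and the two recommendations to build custom detectors and to keep secrets out of CI/CD logs come down to the same piece of engineering: a detector table that knows the token shapes your platforms actually emit, plus an entropy fallback for formats nobody has catalogued yet, reused once more to redact workflow output before it is written. The script below is an added illustration, not Wiz's tooling or any vendor's code. It assumes that Hugging Face user tokens start with hf_ (the length range is an assumption), uses a clearly hypothetical exai_ format as a stand-in for a platform-specific detector you would write from the vendor's documentation, picks 3.5 bits per character as an assumed entropy threshold, and runs over a constructed corpus that mirrors the places the research says scanners miss: an org repo, a deleted fork, a workflow log, and a personal notebook.

```python
"""Custom secret detector and log redactor for AI-platform credentials (added example)."""
import math
import re
from dataclasses import dataclass

# Detector table. Hugging Face tokens really do start with "hf_"; the 30-40 length
# range is an assumption. "exai_" is a hypothetical format standing in for any
# AI-platform key shape a team would add after reading the vendor's docs.
PATTERNS = {
    "huggingface_token": re.compile(r"\b(?P<secret>hf_[A-Za-z0-9]{30,40})\b"),
    "hypothetical_ai_key": re.compile(r"\b(?P<secret>exai_[A-Za-z0-9]{32})\b"),
    # Generic fallback for formats no detector knows yet: a key-like assignment
    # followed by a long opaque value; filtered by entropy below.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*['\"]?(?P<secret>[A-Za-z0-9_\-]{24,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune on your own corpus


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str
    secret: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking keys score high, placeholders low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(source: str, text: str) -> list:
    """Run every detector over each line; specific detectors win over the generic one."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()  # a value caught by a specific detector is not reported twice
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group("secret")
                if secret in seen:
                    continue
                if kind == "generic_assignment" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                    continue  # long but repetitive values (REPLACE_ME...) are not credentials
                seen.add(secret)
                findings.append(Finding(source, line_no, kind, secret))
    return findings


def scan_sources(sources: dict) -> list:
    """Scan a mapping of source name -> content, in the order given."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_text(name, text))
    return findings


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so an operator can recognise which key leaked, hide the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def redact(text: str) -> str:
    """Replace every detected secret before the text reaches a CI log or artifact."""
    for finding in scan_text("<redact>", text):
        text = text.replace(finding.secret, mask(finding.secret))
    return text


# Constructed sample corpus (not real credentials): the locations the research
# names as blind spots for organization-level scanning.
SAMPLE_SOURCES = {
    "org-repo/config.yaml": "model_cache: /tmp/models\nhf_token: hf_QwErTyUiOpAsDfGhJkLzXcVbNm1234567890\n",
    "deleted-fork/.env": "EXAI_API_KEY=exai_0123456789abcdefghijklmnopqrstuv\n",
    "workflow-log/run-1234.txt": "2024-05-01T10:00:00Z ::debug:: token=0123456789abcdeffedcba9876543210 (request ok)\nstep ok\n",
    "personal-repo/train.ipynb": 'api_key = "REPLACE_ME_REPLACE_ME_REPLACE_ME"\n',  # placeholder, must not fire
}


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no} [{f.kind}] {mask(f.secret)}")
    print(redact(SAMPLE_SOURCES["workflow-log/run-1234.txt"]).rstrip())
```

On the constructed corpus the two platform-specific detectors fire on the config file and the deleted fork, the entropy fallback catches the 32-hex-character value that leaked into the workflow log, and the notebook placeholder is correctly ignored because its entropy is well under the threshold. The same `redact` call is what you would wire into a CI step's logging so that the secret is masked before it is ever written to an artifact.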
The bottom line
The message is unambiguous: the industry’s pace cannot come at the expense of security. Secret exposure is a pervasive, preventable risk that demands depth-oriented detection, broader perimeter assumptions, and modern coverage for AI-native platforms. As organizations race to build and ship AI, evolving secret detection—and the policies around it—must keep up. Otherwise, an invisible trail of keys and tokens could become the easiest entry point into the AI systems shaping the future.