65% of Leading AI Companies Found with Verified Secret Leaks (www.wiz.io)

🤖 AI Summary
A new analysis of 50 leading AI companies (Forbes AI 50) found verified secret leaks in 65% of organizations scanned — collectively worth over $400B — revealing API keys, tokens and credentials buried not just in public repos but deep in commit history, deleted forks, gists and workflow logs.

The study introduces a “Depth, Perimeter, Coverage” scanning model: Depth expands to historical commits and deleted artifacts, Perimeter looks beyond org repos to member and contributor accounts (identified via followers, account metadata, GHArchive and cross-platform correlations), and Coverage adds detection for AI-specific secret formats that traditional scanners miss. The result: high-impact exposures — e.g., LangChain Langsmith org keys (org:manage/org:read), an enterprise ElevenLabs key stored in plaintext, a HuggingFace token in a deleted fork granting access to ~1,000 private models, and leaked Weights & Biases keys revealing training data.

The implications are stark for AI teams racing to ship models: many companies lack disclosure channels (nearly half of reports went unanswered) and standard scanners don’t reach the “underwater” risk. Recommended defenses include mandatory public VCS secret scanning, established disclosure processes, proactive support for proprietary AI token types, treating employees’ public repos as part of the attack surface, and continuously extending scanner coverage as new AI secret formats emerge. The takeaway: speed can’t outpace secure secret hygiene — adopt deep, perimeter-aware, and extensible detection to protect AI infrastructure and data.
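To make the Coverage and Depth ideas concrete, here is an added example (not Wiz's scanner or any tool from the report) of an extensible detector registry for AI-specific token shapes, run over several constructed artifacts of the kind the summary names: a file from a deleted fork, a CI workflow log and a README with a placeholder. The prefix and length shapes for HuggingFace, LangSmith and Weights & Biases keys are assumptions for illustration, and an entropy floor keeps documentation placeholders out of the findings.

```python
import math
import re
from collections import Counter

# Extensible registry of AI-specific secret shapes that generic scanners often lack.
# The prefixes/lengths are assumptions for this example, not authoritative vendor specs.
AI_SECRET_PATTERNS = {
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "langsmith_key": re.compile(r"\blsv2_(?:pt|sk)_[A-Za-z0-9_]{20,}\b"),
    "wandb_api_key": re.compile(r"(?i)wandb(?:_api)?_key\s*[=:]\s*([a-f0-9]{40})\b"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like hf_xxxxxxxx score very low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(text: str, source: str, min_entropy: float = 3.0) -> list:
    """Run every registered pattern over each line; drop low-entropy placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in AI_SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)  # capture group if the pattern has one
                if shannon_entropy(secret) < min_entropy:
                    continue
                findings.append({"source": source, "line": lineno, "type": name,
                                 "preview": secret[:8] + "..."})  # never log the full value
    return findings

def scan_artifacts(artifacts: dict) -> list:
    """Depth/Perimeter in miniature: scan every artifact, not only the live default branch."""
    return [f for src, text in artifacts.items() for f in scan_text(text, src)]

# Constructed sample artifacts; every secret value below is fabricated for this example.
SAMPLE_ARTIFACTS = {
    "deleted-fork:train.py": 'HF_TOKEN = "hf_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"\n',
    "workflow-log:run-42.txt": (
        "2024-01-01T00:00:00Z [setup] pip install wandb\n"
        "2024-01-01T00:00:01Z [env] export WANDB_API_KEY=0123456789abcdef0123456789abcdef01234567\n"
    ),
    "gist:notes.md": "LANGSMITH_API_KEY=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\n",
    "README.md": "Set HF_TOKEN=hf_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx before running.\n",
}

if __name__ == "__main__":
    for finding in scan_artifacts(SAMPLE_ARTIFACTS):
        print(finding)
```

Adding coverage for a new token type is one more entry in `AI_SECRET_PATTERNS`; the same scan then applies to every artifact source you feed in.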