When the nation's cyber watchdog becomes a case study, the lesson belongs to all of us.
CISA is one of the most capable cybersecurity organizations in the world. It coordinates national incident response. It publishes the Known Exploited Vulnerabilities catalog that security teams across the country depend on every day. It sets the tone for how the entire industry approaches defense. So when news broke in May that a CISA contractor had accidentally exposed AWS GovCloud credentials in a public GitHub repository, the incident carried a lesson that belongs to every security team: people make honest mistakes under normal working conditions, even inside organizations built around preventing exactly that. Stanford University research has found that roughly 88 percent of all data breaches trace back to human error: people doing ordinary work in ordinary moments.
The exposure was serious. Those credentials carried access to privileged internal CISA systems. A researcher spotted the public repository and reported it. CISA moved quickly to invalidate the compromised keys and communicate transparently about what happened. That response deserves recognition: rapid action, coordinated containment, and clear communication. It is what organizational security maturity looks like under pressure.
What makes this incident valuable to every security leader is less about what happened, and more about why it keeps happening.
The Mistake That Keeps Appearing
A developer or contractor, working through a normal day, handles credentials alongside code. The repository settings get misconfigured. The keys go public. It is one of the most common security incidents across organizations of every size, and the sophistication of the team has very little to do with it.
The same pattern showed up twice more this week. At GitHub, an employee installed a malicious VS Code extension and roughly 3,800 internal repositories were breached. At Grafana Labs, a single token left over from an earlier supply chain attack went unrotated for weeks, exposing source code. Different organizations, different mistakes. The entry point in each case was a person making a routine decision at work.
IBM's 2025 Cost of a Data Breach Report found that phishing was the most common root cause of breaches studied, and that one in six breaches now involve attackers using AI to generate phishing content and deepfake impersonations. The result is a threat environment where attacks are more convincing, more targeted, and faster to produce than they were two years ago. The combination of an expanding human attack surface and AI-assisted threats means the stakes on human risk management are rising, even as many training programs stay the same.
Credential exposure through public repositories, employees installing malicious developer tools, contractors missing one key during a rotation: these are the entry points that security programs have historically underprepared for. They live in the daily workflows of developers, operations teams, and third-party contractors who carry privileged access and receive relatively little training designed around their specific responsibilities.
The World Economic Forum's Global Cybersecurity Outlook 2026 found that 85% of organizations with insufficient cyber resilience lacked trained DevSecOps engineers and identity and access management specialists, two of the roles sitting closest to the systems where credentials live. The people closest to credential infrastructure are among the least served by existing training programs.

Where the Coverage Gap Actually Sits
Most enterprise security awareness programs center on one scenario: an end user receiving a malicious email and clicking a bad link. That scenario is valid, and training for it produces measurable results. The challenge is that the human attack surface extends well beyond the inbox.
Every person in an organization who manages sensitive credentials, configures cloud infrastructure, or maintains development pipelines is a potential entry point. Many of them have never received training that reflects the actual work they do each day.
A developer under deadline pressure does not think of themselves as a security risk when they push code to a misconfigured repository. They are focused on shipping. A contractor rotating AWS keys after a disclosed incident does their best to be thorough and might miss one. These situations arise from security programs designed for one set of workflows and applied broadly across many others.
Dr. Lorrie Cranor, Director of Carnegie Mellon University's CyLab Security and Privacy Institute, has spent her career documenting this gap. Security programs designed around one set of workflows, she argues, tend to be bypassed or ignored when applied to everyone else. When a program stops feeling relevant to the work someone actually does, it becomes a compliance exercise rather than a practical guide. That is where the gaps open up.
Security leaders recognize this gap. The challenge is addressing it without adding friction that teams push back against, or layering on compliance requirements that bear no resemblance to how people operate.
Technical Controls and Training Work Together
Technical controls are a necessary foundation. GitHub's built-in secret scanning, AWS credential monitoring, and automated access rotation policies are essential layers of protection. Any organization managing sensitive infrastructure should have those controls active. They catch a meaningful percentage of credential exposures before the damage compounds.
What automated tools cannot do is change behavior at the source. Secret scanning catches a pushed credential after the fact. Training builds the habit of checking repository visibility settings before the push happens. The organizations making the most progress on human risk are deploying both: technical controls as a safety net, and training programs that reach the developers, contractors, and operations teams who work closest to sensitive systems.
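One way to turn the "check before the push" habit into tooling, as an added illustration that is neither code from the incident nor GitHub's own scanner: a Python check over the staged diff for AWS access key IDs and secret-key assignments, reporting only redacted values. The path, key values and region in SAMPLE_DIFF are constructed; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key.

```python
"""Pre-push check: flag AWS credentials in a staged diff before anything reaches GitHub."""
import re

# Long-term (AKIA) and temporary STS (ASIA) access key IDs are exactly 20 characters.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A bare 40-char base64 string is too noisy to flag, so only match it next to the config key name.
SECRET_KEY_ASSIGN = re.compile(
    r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})\b", re.IGNORECASE)
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}  # AWS's documentation placeholder, never a live key

# Constructed sample of `git diff --cached` output, used for the stand-alone run.
SAMPLE_DIFF = """\
diff --git a/deploy/config.env b/deploy/config.env
--- a/deploy/config.env
+++ b/deploy/config.env
@@ -1 +1,4 @@
 REGION=us-gov-west-1
+AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+DOCS_EXAMPLE=AKIAIOSFODNN7EXAMPLE
"""

def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)  # prefix only; the report must not re-leak the secret

def find_aws_credentials(diff_text: str) -> list:
    """Return (file, new_line_no, kind, redacted_value) for every credential on an added line."""
    findings, current_file, line_no = [], "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif hunk := HUNK_HEADER.match(raw):
            line_no = int(hunk.group(1))  # first line number of this hunk in the new file
        elif raw.startswith("+"):
            text = raw[1:]
            for m in ACCESS_KEY_ID.finditer(text):
                if m.group(1) not in ALLOWLIST:
                    findings.append((current_file, line_no, "access_key_id", redact(m.group(1))))
            for m in SECRET_KEY_ASSIGN.finditer(text):
                findings.append((current_file, line_no, "secret_access_key", redact(m.group(1))))
            line_no += 1
        elif raw.startswith(" "):
            line_no += 1  # context lines exist in the new file too; removed lines do not
    return findings

if __name__ == "__main__":
    for path, line, kind, shown in find_aws_credentials(SAMPLE_DIFF):
        print(f"{path}:{line}: possible AWS {kind} {shown}")
```

Wired in as a pre-commit hook, the script would feed the output of `git diff --cached -U0` to find_aws_credentials and exit non-zero on any finding, so the developer sees the problem while the key is still only on their machine.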
That means extending coverage beyond phishing simulations to include credential hygiene, repository configuration, and access management practices. It means treating contractors and vendors as part of the security culture, held to the same behavioral expectations as internal employees. As Bruce Schneier, Fellow at Harvard's Berkman Klein Center, has put it: "Usable security does not mean 'getting people to do what we want.' It means creating security that works, given, or despite, what people do." Designing the secure workflow to be the easy workflow is how the right behavior becomes routine.

Three Things Security Leaders Can Act On
- Run a credential exposure simulation alongside your standard phishing test. Walk your development team through a scenario where live keys surface in a repository. Measure whether they know the escalation path, how quickly the issue would be contained, and where the process breaks down. Most organizations run phishing simulations quarterly but have never tested this scenario. The gaps it reveals tend to live in process and playbook.
- Audit third-party credential offboarding. When a contractor ends an engagement, how confident are you that every access key they touched has been rotated? Most organizations can answer that question for internal employees. For contractors who worked across multiple systems over an extended engagement, the answer is usually less clear. A quarterly review of third-party access cross-referenced against offboarding records consistently surfaces gaps that standard access reviews miss.
- Make near-miss reporting an explicit cultural norm. CISA's response worked because the organization had the processes to act quickly once the exposure surfaced. Teams that normalize surfacing close calls, without blame or penalty, build institutional memory that compounds over time. Document what happened, what the response looked like, and what would have caught it earlier. That record becomes one of the most durable defenses an organization can build.
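The cross-reference in the second item, worked through as an added example (not a process from CISA or from Adaptive Security): active IAM access keys from a credential-report extract are checked against offboarding records and against a rotation deadline such as the date an exposure was disclosed. The CSV rows, user names and DISCLOSURE_DATE are constructed.

```python
"""Reconcile active IAM access keys against offboarding records and a rotation deadline."""
import csv
import io
from datetime import datetime, timezone

# Constructed extract in the shape of an IAM credential report (the real one comes from
# `aws iam get-credential-report` as base64-encoded CSV using these column names).
CREDENTIAL_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
ci-deploy,true,2025-06-10T09:00:00+00:00,false,N/A
contractor-a,true,2025-01-15T12:00:00+00:00,true,2025-06-12T08:30:00+00:00
contractor-b,true,2024-11-02T16:45:00+00:00,false,N/A
analyst-1,false,N/A,false,N/A
"""

# Constructed offboarding export from the vendor-management system (user, last day).
OFFBOARDING = """\
user,offboarded_on
contractor-b,2025-03-31
"""

# Constructed deadline: the day an exposure was disclosed, after which every key should be new.
DISCLOSURE_DATE = datetime(2025, 6, 1, tzinfo=timezone.utc)

def parse_ts(value):
    """Credential reports use 'N/A' for slots that never held a key."""
    return None if value in ("N/A", "") else datetime.fromisoformat(value)

def audit_access_keys(report_csv, offboarding_csv, rotated_after):
    """Return (key, reason, detail) for every active key that belongs to an offboarded
    user and/or was last rotated before `rotated_after`; a key can appear for both."""
    offboarded = {r["user"]: r["offboarded_on"]
                  for r in csv.DictReader(io.StringIO(offboarding_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent keys are not an exposure path
            key = f"{row['user']}/access_key_{slot}"
            if row["user"] in offboarded:
                findings.append((key, "active key held by offboarded user", offboarded[row["user"]]))
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and rotated < rotated_after:
                findings.append((key, "not rotated since deadline", rotated.date().isoformat()))
    return findings

if __name__ == "__main__":
    for key, reason, detail in audit_access_keys(CREDENTIAL_REPORT, OFFBOARDING, DISCLOSURE_DATE):
        print(f"{key}: {reason} ({detail})")
```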
The Bigger Picture
The lesson from this incident is universal. Even the most security-focused organizations in the world operate in the same human environment as everyone else. That is the reality every security program is built around managing, and it is the strongest argument for investing in training that follows risk wherever it lives. Keri Pearlson, Executive Director of Cybersecurity at MIT Sloan, puts it plainly: "We need a culture of cybersecurity because you can't tell everyone everything they need to do. You need them to understand that organizational safety is part of what they need to do in today's world."
At Adaptive Security, we work with organizations on exactly this challenge: building awareness programs that reflect how people work, covering the full range of human risk from the inbox to the development pipeline. If you are thinking about where your program has gaps, we are happy to talk.
Security culture is built one informed decision at a time. The organizations that invest in it consistently are the ones best positioned to catch the next incident early, and respond with the same clarity CISA demonstrated here.