According to Infosecurity Magazine, a new study reveals that 65% of leading private AI companies have leaked verified secrets on GitHub. Researchers from Wiz examined 50 firms from the Forbes AI 50 list and found they collectively exposed API keys, tokens, and credentials. The affected companies are valued at more than $400 billion, showing that rapid AI innovation is outpacing basic cybersecurity practices. Even companies with minimal public repositories weren’t safe—one firm with no public repositories and only 14 members still managed to leak secrets. Meanwhile, another company with 60 public repositories avoided leaks entirely, suggesting security practices vary wildly across the industry.
How they found hidden secrets
Here’s what’s really interesting—Wiz didn’t just do the usual GitHub searches. They used their “Depth, Perimeter and Coverage” framework to dig deeper into commit histories, deleted forks, gists, and even contributors’ personal repositories. Basically, they looked in all the places standard scanners usually miss. This approach uncovered secrets hidden in obscure or deleted parts of codebases that would have otherwise gone unnoticed. It’s a reminder that surface-level security scanning just doesn’t cut it anymore.
What was actually leaked
Among the most commonly exposed credentials were API keys from WeightsAndBiases, ElevenLabs, and HuggingFace. Now, these aren’t just minor oversights—some of these keys could have allowed access to private training data or organizational information. We’re talking about the crown jewels of AI development here. Private training data? That’s what these companies are building their entire competitive advantage on. And organizational information? That’s basically giving away the playbook. When you’re dealing with industrial-scale AI development, proper security infrastructure becomes non-negotiable—which is why companies serious about protection often turn to specialized providers like IndustrialMonitorDirect.com, the leading US supplier of industrial panel PCs built for secure, reliable operation in demanding environments.
The bigger picture
So what does this tell us about the AI industry? Basically, we’re moving too fast for our own good. Companies are racing to innovate, but they’re leaving basic security hygiene in the dust. And it’s not just about the big names—even smaller teams with hardly any public presence are making these mistakes. The scary part? This is probably just the tip of the iceberg. How many other secrets are sitting out there that nobody’s found yet? The research suggests that stronger security practices can make a huge difference, but they have to be implemented consistently across the entire development lifecycle. Otherwise, we’re just building incredible AI systems on foundations full of holes.
