In an era of cloud-native applications, multi-cloud deployments, and AI-driven automation, digital identities have exploded in number and diversity. Every microservice, AI agent, MCP server, container, serverless function and script, not to mention traditional servers and applications, acts as its own “identity” within an organization’s infrastructure.
But this proliferation of non-human identities (NHI) presents a looming cybersecurity challenge for enterprises: Each of these virtual identities needs access privileges and credentials, yet managing and securing those credentials at scale has outgrown the capabilities of legacy tools. It’s against this backdrop that Battery Ventures is excited to announce our new investment alongside YL Ventures in Hush Security*, a company helping to pioneer a secretless approach to identity and access management for cloud workloads.
The Identity Challenge in Cloud-Native, AI-Driven Environments
By “secretless”, I mean an approach that doesn’t require systems to permanently retain sensitive machine identities, also known as credentials. It’s important because modern organizations are grappling with a dangerous identity sprawl unprecedented in scale. As businesses embrace microservices architectures, serverless functions, and machine learning pipelines, the number of machine-to-machine interactions is skyrocketing. There are now 82 machine identities for every human within organizations, according to CyberArk’s 2025 Identity Security Landscape report. Yet most enterprises remain unprepared, leaving these machines dangerously privileged and ungoverned.
Every new SaaS integration, every Kubernetes deployment and every AI service account introduces a new non-human identity that must be authenticated and authorized. Traditional Identity and Access Management (IAM) solutions, originally designed for humans logging into apps, are ill-equipped to handle this volume and velocity of machine identities. Likewise, software engineering teams have relied on credential vaults and secret management tools (like HashiCorp Vault, CyberArk Conjur or cloud secret management solutions) to store API keys, certificates and passwords. But simply storing secrets isn’t enough when the sheer volume of credentials is doubling faster than teams can manage. Unmanaged credentials can sprawl across code, config files and CI/CD pipelines, creating fertile ground for security breaches.
The consequences of this gap are already apparent. Stolen and leaked credentials remain a leading cause of security incidents, and compliance standards are beginning to reflect the urgency of better machine identity controls (for example, PCI-DSS 4.0 explicitly heightens requirements around identity and secrets management). In short, today’s cloud and AI-centric environments demand a new approach to identity and access – one that treats machines and applications as first-class identities and secures them proactively. Current tools that merely scan for hard-coded secrets or require manual secret rotation can’t keep up with the dynamic, ephemeral nature of modern infrastructure.
The call to action is clear, and several startups have begun answering that call by providing visibility into how these identities are being used across cloud and on-premise environments. Visibility alone, however, is only the first step.
Hush Security’s Secretless Access Platform

Hush Security offers a fundamentally new approach: a platform that makes machine identities secretless. In simpler terms, Hush enables applications and services to authenticate and communicate without embedding long-lived secrets in code or configuration files. It does this through both agent-based and agentless deployment. Hush’s sensor runs with minimal overhead while watching relevant system calls and network requests in real time. This vantage point provides continuous discovery of when and where applications are attempting to access resources. When an app needs to connect to a database or API, Hush can inject a short-lived secret (credential) just in time for that session, then revoke it, rather than relying on a developer having stored a password or key somewhere in advance. The result is powerful: Even if an attacker somehow intercepts a credential, it’s ephemeral and likely useless moments later.

This secret-injection approach is paired with real-time policy enforcement and inspection. Hush’s sensor not only injects credentials on the fly, but it can also verify at runtime that the access is legitimate and conforms to security policies – essentially performing an adaptive access control check in the moment. This gives security teams granular control to allow or block actions based on context (for instance, blocking an unusual access attempt even if the correct credentials were presented). Importantly, all of this happens inline, which means Hush isn’t just observing and alerting; it’s capable of active mitigation, closing the loop from detection to response.
Few solutions today provide this level of integrated visibility and control at the workload level. Traditional secret vaults keep credentials safe at rest but don’t govern their usage, and pure monitoring tools might flag anomalies after the fact. In addition, vaults are not aware of where secrets are used or by whom, and a large number of secrets never make it into secret stores due to huge backlogs of tasks on the engineering team. From my own experience leading large engineering groups, I saw firsthand the high coordination costs of secret and certificate lifecycle management (“it’s about to expire!” / “it leaked!” / “it’s audit time!”). Hush’s innovation is to combine visibility, analysis and remediation in one platform, reducing both security risk and the operational burden and cost of legacy secret vaults.
Backing a Team Built for This Mission
At Battery, we strive to invest in both big ideas and the people capable of executing them. In Hush, we see both. The founding team behind Hush Security has a remarkable history of collaboration and success in the startup world. CEO Micha Rave, CTO Shmulik Ladkani, VP of R&D Alon Horowitz and CCO Chen Nisknorn all previously worked together as co-founders or key leaders of Meta Networks, an Israeli cloud security startup that was acquired by Proofpoint in 2019. At Meta Networks, they tackled the challenge of zero-trust network access (ZTNA) by building a cloud-native network security platform. So, this is a team deeply familiar with the intricacies of enterprise security software. Their years of experience building secure networking products (including integrating with enterprise IT environments and scaling a security business globally) give us confidence about the path ahead for this new venture.
The team’s passion for solving the machine identity problem is palpable. They’ve lived the pain points of managing secrets and service identities in previous roles, and we believe they bring the perfect mix of domain expertise and pragmatism to attack this problem.
In Hush, we see a company charting a new course for how machines authenticate and communicate—one that could redefine best practices for cloud security. We couldn’t be more excited to partner with this talented team on the journey to make secretless, adaptive access a reality for every forward-looking organization. Just as the last decade saw a revolution in human identity management (SSO, MFA, and zero-trust for users), we believe the next decade will see a revolution in machine identity management, and Hush is poised to be at the forefront of that movement.
Want to make your workloads secretless? Give it a try: https://www.hush.security/
The information contained in this market commentary is based solely on the opinion of Barak Schoster Goihman, and nothing should be construed as investment advice. This material is provided for informational purposes, and it is not, and may not be relied on in any manner as legal, tax or investment advice or as an offer to sell or a solicitation of an offer to buy an interest in any fund or investment vehicle managed by Battery Ventures or any other Battery entity. The views expressed here are solely those of the author.
The information above may contain projections or other forward-looking statements regarding future events or expectations. The forecasts, opinions and other information presented in this publication are subject to change continually and without notice of any kind, and may no longer be valid after the date indicated. Battery Ventures assumes no obligation and does not undertake to update forward-looking statements.
* Denotes a Battery portfolio investment. For a full list of all Battery investments, click here.