Rotating credentials is security hygiene. Everyone agrees. But in practice, credential rotation in large organizations is manual, error-prone, and rarely happens on schedule.
The reason isn’t laziness. It’s that rotating a credential requires knowing every place it’s used, updating each one atomically, and verifying nothing broke. In systems with hundreds of services and dozens of teams, that’s operationally impossible.
Short-lived credentials solve this by making rotation automatic and continuous. But they require infrastructure that treats identity as a first-class concern, not as something bolted on after the system is built.