GitHub: Self-service credential revocation — break-glass for incident response
GitHub introduced self-service credential revocation for enterprise and individual users. Enterprise owners can instantly revoke all tokens, SSH keys, and SSO authorizations for a compromised account. The capability is an upgrade to the tools introduced in February 2026.
This article was generated using artificial intelligence from primary sources.
On June 24, 2026, GitHub announced a new capability for enterprise administrators and individual users: self-service credential revocation, a tool that significantly accelerates incident response.
What is break-glass and why does it matter?
Break-glass is an emergency security procedure by which an administrator instantly removes all access from a compromised user, analogous to breaking a glass case holding a spare key. Until now, GitHub offered enterprise administrators limited tools for such situations, and the entire process was slower and required multiple steps across different interfaces.
The new capability changes that process: enterprise owners can now revoke all credentials of a compromised EMU (Enterprise Managed User) account in a single action — SSO authorizations, personal access tokens, OAuth tokens, and SSH keys. EMUs are GitHub accounts fully managed by a company through an identity provider, making them particularly sensitive in the event of a compromise.
What do individual users gain?
Alongside the enterprise break-glass functionality, GitHub brought self-service credential management to all users within account settings (Settings → Credentials). Users can now view and revoke all active tokens, authorizations, and SSH keys in one place — without contacting an administrator.
Audit trail and notifications
Every revocation leaves a record in the audit log, and the affected user receives an email notification. Transparency is key: security teams can reconstruct the incident timeline, while the user immediately knows their credentials have been revoked.
Upgrade from February 2026
GitHub notes that these capabilities build on tools introduced on February 17, 2026, when the foundations for centralized access management were laid. The new self-service layer eliminates dependence on GitHub support or internal IT teams for routine and emergency revocation cases.
For enterprise environments with thousands of users, the difference between a slow manual process and an instant break-glass revocation can be critical — every minute of an active compromised token means potential further intrusion into repositories and internal systems.
Frequently Asked Questions
- What is a break-glass scenario in IT security?
- Break-glass is an emergency procedure by which an administrator instantly revokes all rights from a compromised user — the analogy is breaking a glass case containing an emergency key. The goal is to cut off the attacker's access as quickly as possible.
- Which credentials can be revoked with the new GitHub tool?
- Enterprise owners can revoke SSO authorizations, personal access tokens, OAuth tokens, and SSH keys for EMU (Enterprise Managed User) accounts. Individual users manage the same categories of credentials through Settings → Credentials.