2 points by kernelrocks 9 hours ago | 2 comments
  • binoycyber 9 hours ago
    What good is a VDP if the infrastructure is visible to the entire internet to begin with?

    Exposed keys are a symptom; the real problem is infrastructure that's reachable from the public internet in the first place. The reason this keeps happening is that the standard solutions, VPNs and static IP whitelisting, have enough friction that small teams implement them poorly or skip them entirely.

    If your backend systems aren't publicly reachable, a leaked key has nowhere to go. The secret leaks — but the infrastructure doesn't. The exception is services like S3 that are inherently public-facing — those still need their own access controls regardless.

    I've been building something that tackles this directly (dynamic firewall management — writes your team's live IPs to security groups on login, removes them on logout). Happy to share more if anyone's curious.

  • rvz 9 hours ago
    Probably vibe-coded their infrastructure.

    Many such cases.