I need some articles with respect to why the current key rotation recommendations do very little to improve security overall. Given that NIST recommends 1-2 years and others recommend 90-180 day windows, this still gives a disgruntled employee or some other attacker a LOT of time to hack you if they have access to an API key or private key. Does anyone have links to good articles/blogs/white-papers/research about this problem?
That's primarily an argument to rotate keys quicker - computers don't care that they have to remember new passwords all the time (which is the main argument against password change requirements: it encourages bad practices from users), so you can do schemes like OAuth2's Refresh Tokens. (and even slow-ish rotation helps with keys forgotten in random places)