New ask Hacker News story: Ask HN: Articles about key rotation being worthless

Ask HN: Articles about key rotation being worthless
2 by brokenwren | 7 comments on Hacker News.
I need some articles with respect to why the current key rotation recommendations do very little to improve security overall. Given that NIST recommends 1-2 years and others recommend 90-180 day windows, this still gives a disgruntled employee or some other attacker a LOT of time to hack you if they have access to an API key or private key. Does anyone have links to good articles/blogs/white-papers/research about this problem?