Zylos LogoZylos
2026-05-07

AI Agent Credential and Secret Management in Production — Rotation, Isolation, and Least-Privilege Patterns

ai-agentssecuritycredentialssecrets-managementzero-trustIAMproduction

Executive Summary

AI agents are not traditional applications. They dynamically acquire credentials at runtime, hold OAuth tokens across multi-hour sessions, and route API calls through non-deterministic reasoning chains. This creates a fundamentally different attack surface: credentials flow through LLM context windows, stdout captures leak secrets into agent memory, and a single compromised agent can cascade across every service it touches.

The numbers are stark. GitGuardian's 2025 report documented 28.65 million new secrets leaked on GitHub (+34% YoY), including 1.2 million AI-service secrets (+81% YoY). Gravitee's 2026 survey of 919 organizations found that only 21.9% treat agents as independent identity-bearing entities, while 25.4% still use hardcoded credentials for tool access. Non-human identities now outnumber human identities 144:1 in large enterprises, and 80% of identity breaches involve compromised NHI credentials.

This article examines the credential management challenge across six dimensions: what makes agents different, how to isolate secrets between components, rotation and lifecycle patterns, least-privilege IAM across major cloud providers, agent-specific attack vectors (with real CVEs and incidents), and zero-trust architectural patterns emerging in 2026.

Why Agents Are Different

Traditional applications receive credentials at deployment time through environment variables, mounted secrets, or configuration files. The set of credentials is known at build time, and static analysis can verify that secrets are properly scoped. AI agents break every one of these assumptions.

Six Fundamental Differences

Dynamic runtime acquisition. An agent decides at inference time which APIs to call, which databases to query, which servers to SSH into. The credential set cannot be predetermined — it emerges from the reasoning chain. A user asking "check our AWS bill and compare it with last month's GCP spend" triggers credential needs across two cloud providers that no static configuration anticipated.

Credentials in the reasoning chain. LLM context windows are not secure memory. Tool descriptions, API responses, and error messages containing credential fragments all flow through the same token stream. A failed authentication attempt that includes the API key in its error message has now written that key into the model's working memory, where it can be referenced, repeated, or exfiltrated by subsequent prompts.

Non-deterministic behavior. You cannot statically reason about what credentials an agent will need or when. The same prompt can produce different tool-call sequences on different runs. This makes static secret injection fundamentally insufficient — agents need credential-on-demand architectures.

Long-running sessions. Unlike request-response APIs that complete in milliseconds, agent sessions persist for minutes to hours. OAuth tokens expire mid-session. API rate limits reset. Certificate rotations happen. The agent runtime must handle credential lifecycle events gracefully, not crash and lose context.

Multi-agent delegation chains. When Agent A delegates to Agent B, which calls Agent C's MCP server, credentials can traverse 10+ hops. Each hop creates an accountability gap. If Agent C's MCP server is compromised, it may hold credentials from the entire chain. Traditional audit trails break down because the "user" initiating the action is itself an AI.

The aggregation point problem. A single agent runtime simultaneously holds OAuth tokens for Google Workspace, GitHub, Slack, Salesforce, and a production database. Traditional applications access one or two services; agents aggregate access to dozens. Compromising the agent compromises everything it can touch — and the blast radius grows with every new integration.

Credential Isolation Patterns

Framework-Level Isolation

Major agent frameworks take divergent approaches to credential isolation, with significant security implications.

AutoGen provides the strongest structural isolation among popular frameworks by confining high-risk code execution to Docker containers. Agent code that needs to call external APIs runs inside a container with only the specific credentials mounted for that task. This prevents credential leakage between agent components through process-level boundaries rather than relying on application-level access control.

LangChain has been the site of multiple credential-related vulnerabilities. CVE-2023-46229 demonstrated SSRF via the SitemapLoader, allowing attackers to probe internal networks through the agent. CVE-2023-44467 showed how prompt injection could lead to remote code execution via Python's eval(), giving attackers access to any credential in the agent's environment. LangChain's callback handler mechanism can be used for governance — intercepting tool calls to verify credential scoping — but this is opt-in, not default.

CrewAI ships RBAC and encryption by default, but research has shown vulnerability to malicious MCP servers that hide instructions in tool descriptions. The tool description — which the agent must read to decide whether to use the tool — becomes the attack vector.

AgentSecrets (The-17/agentsecrets) takes the most radical approach: a zero-knowledge SDK with no get() method. There is literally no API call that retrieves a credential value into application code. Instead, the SDK injects credentials directly into HTTP headers or connection strings at the transport layer, making it architecturally impossible for agent code (or prompt injection attacks targeting agent code) to read raw secret values.

Process-Level Sandboxing

Claude Code's sandbox architecture illustrates production-grade credential isolation on Linux. The bubblewrap (bwrap) sandbox uses --unshare-all to isolate user, PID, network, UTS, and cgroup namespaces. Critically, it explicitly excludes sensitive credential directories from the sandbox filesystem:

  • ~/.aws (AWS credentials and config)
  • ~/.ssh (SSH keys and known hosts)
  • ~/.gnupg (GPG keys and trust database)

A restrictiveness lattice (firecracker → gvisor → bwrap → namespace → none) prevents untrusted agent configurations from downgrading the host-level isolation policy. If the host specifies bwrap isolation, an agent's CLAUDE.md cannot relax it to namespace or none.

The Stdout Leakage Problem

A 2026 academic study (arXiv:2604.03070) examining 17,022 agent skills revealed that 73.5% of credential vulnerabilities are information exposure via print() or console.log(). The mechanism is subtle: agent frameworks capture stdout from tool executions and feed it back into the LLM context window. A tool that logs DEBUG: Connecting with key=sk-abc123... has now placed that credential in the model's context, where it can be referenced by any subsequent prompt — including injected ones.

The same study found that 72% of hardcoded credential cases bear AI-assisted development signatures, suggesting that LLMs writing code for agents are themselves a major source of credential leakage — they generate code with credentials baked in because that pattern dominates their training data.

MCP Server Credential Landscape

An Astrix Security analysis of 5,200 MCP servers in 2025 found alarming credential practices:

PatternPrevalence
Static long-lived API keys53%
Environment variable injection79%
OAuth 2.08.5%
No authentication7.1%

Over 492 servers were running with zero authentication or encryption. OX Security identified architectural design vulnerabilities affecting 7,000+ publicly accessible MCP servers. Between January and February 2026 alone, 30+ CVEs were filed against MCP servers, and the first malicious MCP package appeared in September 2025.

Rotation and Lifecycle

The Vault Pattern

HashiCorp Vault remains the most mature solution for agent credential lifecycle management. Its key capability for agents is dynamic secrets — generating fresh credentials on demand with configurable time-to-live:

vault write openai/creds/my-agent-role ttl="1h" max_ttl="24h"

Each request produces a unique API key with a lease ID that auto-expires. The agent never holds a long-lived credential; if the agent is compromised, the attacker gets a token that expires in hours rather than one that works indefinitely. The Vault MCP Server (available on AWS Marketplace) enables natural-language Vault queries, allowing agents to request credentials through conversational interfaces.

Vault Enterprise 2.0 added native SPIFFE authentication and a SPIFFE secrets engine. JWT SVIDs (SPIFFE Verifiable Identity Documents) can be requested post-authentication, enabling cryptographic workload identity for agents. This means an agent can prove its identity to a downstream service using a short-lived X.509 certificate rather than a shared secret.

SPIFFE and Short-Lived Credentials

SPIFFE (Secure Production Identity Framework for Everyone) with SPIRE (SPIFFE Runtime Environment) provides the strongest credential lifecycle pattern for agents:

  • X.509 certificates with lifetimes measured in minutes to hours
  • Automatic rotation by the SPIRE daemon — no application-level renewal logic
  • Workload attestation tied to process identity, not static configuration
  • If a credential leaks, the blast radius is self-limiting because it expires almost immediately

SPIFFE IDs are tied to workloads, not people — making them architecturally suited for non-human actors like AI agents. The identity URI format (spiffe://trust-domain/workload-identifier) can encode agent identity, version, and deployment environment.

OAuth Token Refresh in Agent Runtimes

Long-running agents must handle OAuth token refresh without losing session context. The production pattern requires:

  1. Proactive refresh — renew tokens before expiry, not after failure. A token that expires in 60 minutes should trigger refresh at the 45-minute mark.
  2. Distributed locking — when multiple agent instances share credentials, prevent race conditions where two instances simultaneously refresh the same token.
  3. Atomic updates — swap old token for new in a single operation to prevent windows where no valid token exists.
  4. Exponential backoff — handle refresh failures gracefully with increasing retry intervals.

Auth0 Token Vault (launched 2025) implements a pattern specifically designed for agents: the agent trades an internal session token for a task-scoped API token just-in-time. Refresh tokens never leave the vault. The agent sees only short-lived access tokens that cannot be used to obtain new tokens if stolen.

AWS Secrets Manager Rotation

AWS Secrets Manager implements zero-downtime rotation through a dual-version staging mechanism:

AWSPENDING → AWSCURRENT → AWSPREVIOUS

A Lambda rotation function creates the new credential (AWSPENDING), tests it, promotes it to AWSCURRENT, and demotes the old credential to AWSPREVIOUS. Applications using the AWSCURRENT label see the new credential immediately; applications holding cached copies of the old credential continue working until the AWSPREVIOUS version is removed. This pattern supports RDS, Aurora, and custom secrets including API keys.

Least-Privilege Across Cloud Providers

AWS: Per-Operation Role Assumption

AWS's approach to agent least-privilege centers on per-operation AssumeRole scoping rather than assigning a single broad execution role to the agent. AWS-managed MCP servers inject context keys into IAM policy evaluations:

  • aws:ViaAWSMCPService — indicates the request originated from an MCP server
  • aws:CalledViaAWSMCP — enables policies that differentiate AI-sourced from human-sourced API calls

This allows IAM policies like "allow S3 read access only when the request comes through the approved MCP server" — the same credentials used directly by an agent (bypassing the MCP server) would be denied. However, agents with shell access can bypass MCP servers entirely, so IAM controls must combine with tool-level restriction.

GCP: The Metadata Server Incident

A confirmed security incident documented by Palo Alto Unit 42 ("Double Agents — Vertex AI", 2026) demonstrates why default service accounts are catastrophic for agents.

A deployed Vertex AI agent could be weaponized via a malicious tool call hitting metadata.google.internal/computeMetadata/v1/instance/?recursive=true. This metadata server endpoint — reachable from any GCP VM or container without authentication — returned the P4SA (Per-Product Per-Project Service Account) credentials for the AI Platform service. These credentials granted:

  • Unrestricted read access to all GCS buckets in the project
  • Access to Google's internal private Artifact Registry repositories
  • Potential lateral movement to any service the default SA could access

The root cause: GCP's default behavior assigns the project-level compute service account to VMs and containers, with cloud-platform scope. Every VM in the project shares the same service account. Any agent running on any of these VMs can obtain tokens for this service account via the metadata server (169.254.169.254) — no API key needed, no credential file needed.

Google's remediation: "Bring Your Own Service Account" (BYOSA) — replace default agents with custom, least-privilege service accounts. Google Cloud Security Command Center now ships a dedicated detection rule: "Credential Access: AI Agent Anomalous Access to Metadata Service" (MITRE ATT&CK T1552.005), triggered when AI agents attempt metadata server token fetches.

The cross-cloud pattern: Workload Identity Federation using OIDC tokens eliminates static service account keys entirely. The agent authenticates using a short-lived OIDC token from its runtime environment (Kubernetes, GitHub Actions, etc.), which is exchanged for a GCP access token with no static credentials stored anywhere.

Alibaba Cloud: RAM Sub-Users

Alibaba Cloud's Resource Access Management (RAM) follows a similar pattern to AWS IAM. For agent use cases, the recommended setup is:

  1. Create a RAM sub-user with programmatic access only (OpenAPI, no console login)
  2. Attach scoped policies (e.g., AliyunECSFullAccess, AliyunDNSFullAccess) — or custom policies restricting to specific Actions
  3. Add IP-based conditions limiting API calls to the agent's server IP
  4. Use separate RAM users per agent/component — never share credentials

The Cloud Assistant API (RunCommand) enables agents with ECS permissions to execute commands on instances without SSH keys, providing an auditable alternative to direct SSH access.

Azure: Managed Identity Layers

Azure provides the most granular agent identity model through layered Managed Identity assignments:

  1. Managed Identity — the compute resource's own identity (VM, container, App Service)
  2. Agent Identity — a separate identity for the AI agent running on the compute
  3. Downstream Resource Identity — per-resource role assignments for each service the agent accesses

Azure Foundry provides native agent identity concepts, and Managed Identity eliminates credential storage entirely — the Azure platform handles token issuance and rotation transparently.

Agent-Specific Attack Vectors

The "Comment and Control" Pattern

In 2025, security researcher Aonan Guan demonstrated the first cross-vendor credential exfiltration attack against AI coding agents, using a single attack pattern — malicious content in GitHub PR titles, issue comments, or code review text — to compromise three major platforms:

Claude Code (HackerOne #3387969, CVSS 9.3→9.4): A crafted PR title injected instructions that caused the agent to read ANTHROPIC_API_KEY and GITHUB_TOKEN from environment variables and exfiltrate them via a git commit to an attacker-controlled repository.

Gemini CLI (Google VRP #1609699, $1,337 bounty): A fake "Trusted Content Section" in a GitHub issue comment caused the agent to post GEMINI_API_KEY publicly. The attack exploited the agent's inability to distinguish trusted instructions from untrusted content within the same data source.

GitHub Copilot Agent (HackerOne #3544297): A three-layer defense bypass:

  1. The bash subprocess was filtered, but the parent process environment was not
  2. Base64 encoding defeated the secret scanning layer
  3. Credentials were exfiltrated via git commits to GitHub — a whitelisted destination that bypassed network egress controls

The stolen credentials included GITHUB_TOKEN, GITHUB_COPILOT_API_TOKEN, and COPILOT_JOB_NONCE. The root cause across all three: untrusted input (GitHub data) and powerful tool/secret access coexist in the same runtime with no privilege separation.

Zero-Click Agent Exploits

CVE-2025-32711 (EchoLeak): The first confirmed zero-click AI agent exploit. A crafted email processed by Microsoft 365 Copilot triggered full account takeover without any user interaction. The email contained hidden instructions that the Copilot agent executed upon reading, demonstrating that agents processing untrusted input are fundamentally vulnerable to credential theft.

CVE-2025-34291 (Langflow): Visiting a malicious webpage triggered full account takeover and remote code execution, exposing all API keys and access tokens in the Langflow workspace. The attack required no authentication — simply viewing the page was sufficient.

Production Incidents

Drift/Salesforce OAuth Breach (August 2025): Threat group UNC6395 used stolen OAuth tokens to access 700+ Salesforce organizations, including Cloudflare, Zscaler, and Palo Alto Networks. The breach demonstrated the aggregation risk — OAuth tokens meant for one integration provided lateral access across hundreds of organizations.

xAI Production Incident (May 2025): An employee leaked a GitHub key that granted access to 60+ private xAI LLMs, including models trained on SpaceX, Tesla, and Twitter/X data. Root cause: a static, long-lived key committed to a repository. The key had been active for months before discovery.

Telemetry as Credential Sink

OpenTelemetry span attributes are indexed by default in most observability backends (Datadog, New Relic, Grafana). If agent code stores prompt content — which may contain credentials — as span attributes, those credentials become searchable in the observability platform. The GenAI semantic conventions address this by using span events (not attributes) for prompt content, which can be selectively dropped at the Collector level before reaching storage. Codex sets log_user_prompt = false by default to prevent this leakage path.

Zero-Trust Agent Architecture

Anthropic Managed Agents: A Reference Implementation

Anthropic's Managed Agents platform (launched April 8, 2026) provides the clearest production reference for zero-trust agent credential handling. The architecture has three components:

Brain (harness + Claude): The reasoning engine that decides what tools to call and with what parameters. The brain never holds raw credentials.

Hands (gVisor sandbox): The execution environment where tool calls actually run. gVisor provides kernel-level isolation with three-layer egress control. Tools execute in a sandboxed container that cannot access the host filesystem or network except through explicitly configured channels.

Session (append-only event log): Every action is recorded in an immutable log. Credential access is auditable after the fact, and the log cannot be tampered with by the agent.

The critical design: a credential proxy sits between Brain and Hands. When Claude needs to call an external API, it invokes an MCP tool through the proxy. The proxy — not Claude — fetches the real credential from a vault, makes the API call, and returns only the result. The harness documentation states explicitly: "The harness is never made aware of any credentials."

Token Exchange Chains (RFC 8693)

OAuth 2.0 Token Exchange (RFC 8693) provides the protocol-level mechanism for least-privilege delegation across agent chains. At each delegation hop:

  1. Agent A presents Token A to the authorization server
  2. The server issues Token B with narrower scopes and shorter lifetime
  3. Token B carries cryptographic on-behalf-of semantics: the sub claim preserves the original user identity, while an act claim identifies the delegating agent

An active IETF draft (draft-oauth-ai-agents-on-behalf-of-user-01) extends this specifically for AI agents, addressing the unique challenge of agents that may spawn sub-agents across trust boundaries.

Red Hat's Four Zero-Trust Principles

Red Hat's agent security framework distills zero-trust for AI into four principles:

  1. Tokens validated at inference endpoints don't automatically apply to downstream tools. Authentication to the agent platform does not grant the agent permission to call external APIs — those require separate, scoped authorization.

  2. Each hop uses a scoped token issued specifically for that interaction. No credential reuse across tool calls. If an agent calls Slack and then GitHub, it uses different tokens for each.

  3. Expiry and revocation checked on every call, not just at login. Token validity is verified at each use, not cached from initial authentication.

  4. Workload attestation before processing requests. The agent must prove its identity (not just present a credential) before being granted access to resources.

Just-In-Time Credential Access

Aembit Workload IAM (GA 2025-2026) implements just-in-time, policy-scoped tokens per session. Its "Blended Identity" model captures both agent identity and user identity simultaneously — answering the question "which agent is acting on behalf of which user" in a single credential. A centralized policy plane governs credential issuance across all MCP-connected agents.

Anomaly Detection for Agent Credentials

Stolen-credential breaches take an average of 292 days to identify (IBM 2024). For agents, which access resources at machine speed, this window is catastrophic. Emerging detection approaches:

Microsoft Entra establishes behavioral baselines over a 2-60 day observation period, profiling IP ranges, ASN, user-agent strings, and geographic patterns per workload identity. Deviations trigger alerts.

Graph-based detection (Prisma Cloud): Models normal credential usage patterns as a graph. Out-of-context credential usage — a credential normally used from US-East suddenly appearing in an API call from Southeast Asia — triggers alerts regardless of whether the request is technically authorized. Research reports 97% detection with 0.027% false positive rate (USENIX Security 2021).

Google Cloud SCC fires its MITRE T1552.005 detection rule when ReasoningEngine agents access the metadata server, catching the Vertex AI attack pattern described in Section 4.

Exabeam (September 2025) shipped the first LLM agent monitoring capability in a commercial SIEM, applying behavioral analytics specifically to non-human identity patterns.

Industry Landscape 2026

Platform Comparison

PlatformSandboxCredential IsolationRotationAudit
Claude Codebwrap (Linux)~/.aws, ~/.ssh, ~/.gnupg excludedManualCLAUDE.md rules
Anthropic Managed AgentsgVisorZero-trust credential proxyVault-backedAppend-only session log
OpenAI CodexOS sandboxEnv var allowlist (include_only)ManualPrompt redaction default
Salesforce AgentForceEinstein Trust LayerData masking + credential protectionPlatform-managedLow-code guardrails

OWASP Agentic Top 10

The 2026 OWASP Agentic Security Top 10 places identity and credential issues at the core of agent risk. Three of the top four risks are directly credential-related:

  • ASI02: Tool/Function Abuse — agents calling tools with excessive permissions
  • ASI03: Privilege Escalation — agents acquiring credentials beyond their intended scope
  • ASI04: Delegation/Handoff Exploits — credential leakage across agent delegation chains

The core thesis: a single agent merges multiple non-human identity permissions into one execution point. The aggregation risk — not any individual credential weakness — is the defining security challenge of the agentic era.

Market Scale

The non-human identity security market reached $11.3B in 2025 and is projected to grow to $38.8B by 2036 (12.2% CAGR). CyberArk's acquisitions of Venafi ($1.54B) and Zilla Security ($175M) signal enterprise consolidation. 1Password launched Unified Access for AI Agent Security in March 2026, extending password management concepts to non-human credentials.

Recommendations

For teams deploying agents in production today:

  1. Never use root/default credentials. Create dedicated service accounts or RAM sub-users per agent, per environment. The GCP Vertex AI incident proves that default service accounts are an existential risk.

  2. Implement credential proxies. The agent reasoning engine should never hold raw secrets. Route all authenticated API calls through a proxy that injects credentials at the transport layer.

  3. Use short-lived credentials everywhere. SPIFFE/SPIRE for service identity, Vault dynamic secrets for API keys, OAuth token exchange for delegation chains. If a credential lives longer than a session, it lives too long.

  4. Audit stdout and telemetry. 73.5% of credential leaks come through print() statements captured into agent context. Strip or redact tool output before it enters the LLM context window. Use span events, not attributes, for prompt telemetry.

  5. Assume breach; detect fast. Deploy behavioral anomaly detection on workload identities. The 292-day average detection window for credential breaches is incompatible with agents that act at machine speed.

  6. Scope MCP server credentials. 53% of MCP servers use static long-lived API keys. Migrate to OAuth 2.0 or dynamic secrets. Never run MCP servers without authentication — 492 servers in the wild currently do.

References

  • GitGuardian, "State of Secrets Sprawl 2025." Annual report.
  • Gravitee, "State of AI Agent Security 2026." Survey of 919 organizations.
  • Palo Alto Unit 42, "Double Agents — Vertex AI." Threat research, 2026.
  • Aonan Guan, "Comment and Control: Cross-Vendor AI Agent Credential Exfiltration." HackerOne reports #3387969, #3544297; Google VRP #1609699.
  • CVE-2025-32711 (EchoLeak), CVE-2025-34291 (Langflow), CVE-2023-46229 (LangChain).
  • arXiv:2604.03070, "Credential Vulnerabilities in AI Agent Skills." 2026.
  • OWASP, "Agentic AI Security Top 10." 2026.
  • RFC 8693, "OAuth 2.0 Token Exchange." IETF.
  • IETF draft-oauth-ai-agents-on-behalf-of-user-01.
  • Anthropic, "Managed Agents Architecture." April 2026.
  • MITRE ATT&CK T1552.005, "Unsecured Credentials: Cloud Instance Metadata API."