They should do it whenever an agent can reach production systems, customer data, or privileged workflows. Static secrets expand exposure because they can be reused outside the intended task. Ephemeral access reduces persistence, but only if issuance, expiry, and revocation are tightly controlled and the agent’s actions are fully logged.
Why Static Secrets Stop Working Once an Agent Can Act Alone
Static secrets are tolerable only when access is narrow, predictable, and easy to supervise. Once an agent can reach production systems, customer data, or privileged workflows, that assumption breaks. Autonomous software can chain tools, retry actions, and pursue goals in ways that are hard to predefine, which makes long-lived credentials a poor fit for the actual risk. Current guidance suggests shifting earlier than most teams expect, especially for agents with write access or escalation paths. The Ultimate Guide to NHIs — Static vs Dynamic Secrets and the OWASP Agentic AI Top 10 both point to the same operational problem: static credentials survive well beyond the task that justified them. That persistence turns a single mistake, prompt injection, or compromised tool call into durable access. In practice, many security teams discover the exposure only after an agent has already reused a secret outside its intended workflow, rather than through intentional credential design.
How to Move an Agent from Static Credentials to JIT Access
For agentic workloads, the safer pattern is just-in-time credential provisioning tied to a specific task, context, and expiry window. The agent should authenticate as a workload identity first, then receive a short-lived token only when policy says the requested action is acceptable. That is different from giving the agent a reusable secret and hoping role-based access will stay aligned with a changing mission. The CSA MAESTRO agentic AI threat modeling framework and NIST AI Risk Management Framework both support runtime evaluation, accountability, and continuous oversight rather than one-time approval.
Practically, the control stack should include:
- Workload identity for the agent, such as SPIFFE or OIDC-backed identity, so the system knows what the agent is.
- Intent-based or context-aware authorisation, so a request is approved because of what the agent is trying to do, not just who it is.
- Short TTL secrets or tokens issued per task and revoked immediately on completion, failure, or policy drift.
- Full request, tool, and data-access logging so the agent’s actions remain attributable.
- Automated revocation paths for any secret exposed in logs, tickets, or code.
NHIMG research shows why this matters: GitGuardian’s State of Secrets Sprawl 2026 found that 64% of valid secrets leaked in 2022 are still valid and exploitable today, which is a direct argument for expiry and revocation over detection alone. These controls tend to break down when the agent depends on legacy services that cannot issue short-lived tokens or enforce request-time policy.
Where the Rule Changes: Edge Cases, Exceptions, and Real-World Tradeoffs
Tighter ephemeral access often increases integration effort, so organisations need to balance security gain against service compatibility, operational latency, and incident response maturity. That tradeoff is real, especially for batch jobs, vendor APIs, and older platforms that only support static API keys. Best practice is evolving, and there is no universal standard for this yet, but the direction is clear: if a system can be reached by an autonomous agent, long-lived secrets should be the exception, not the default. The 52 NHI Breaches Analysis and the OWASP Non-Human Identity Top 10 both reinforce that lifecycle failure, overuse, and exposure are the common failure modes, not sophisticated cryptanalysis.
Some environments justify temporary static access during migration, but that should come with explicit expiry dates, vault controls, and owner review. Shared agents, multi-tenant orchestration, and tool-heavy pipelines usually require even stricter boundaries because one compromised workflow can cascade across many downstream systems. For high-risk use cases, static secrets should be replaced first in production, customer-facing, and privileged paths, then phased out elsewhere as platform support catches up. Anthropic’s first AI-orchestrated cyber espionage campaign report underscores why runtime control matters: autonomous behaviour changes the blast radius faster than traditional access reviews can. When an agent can pivot across tools or operate outside a single transaction, static credentials become a standing invitation to reuse and lateral movement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A4 | Agentic apps need runtime controls for tool use and access decisions. |
| CSA MAESTRO | MAESTRO frames identity, trust, and runtime policy for agentic systems. | |
| NIST AI RMF | AI RMF supports governance and monitoring for autonomous agent behaviour. |
Bind each agent to workload identity and enforce context-aware authorization with revocation.
Related resources from NHI Mgmt Group
- When should organisations prioritise Zero Standing Privilege for non-human identities?
- Why do secrets create disproportionate risk in NHI environments?
- How should security teams decide whether JIT access is safe for non-human identities?
- What is the difference between JIT access and Zero Trust for NHIs?
