Long-lived secrets become available to any tool path, prompt leak, or misconfigured connector that can reach the runtime. A credential broker pattern reduces that exposure by keeping raw secrets in a vault and exchanging them only when policy approves the request. The key failure is uncontrolled secret persistence, not just weak storage.
Why This Matters for Security Teams
Storing agent credentials only in the runtime environment turns ephemeral execution into a secret distribution layer. Any tool invocation, debugging hook, misconfigured connector, or prompt injection path that can read process state can also inherit the credential. That is a different risk profile from traditional application secrets because the agent can chain actions, retry with new context, and expose the same secret across multiple downstream systems.
This is why NHIMG repeatedly treats uncontrolled secret persistence as a core NHI failure mode, not a storage hygiene issue. The problem is visible in broader industry evidence too: NHIMG’s Ultimate Guide to NHIs — Static vs Dynamic Secrets frames why short-lived, policy-bound issuance matters, while OWASP’s OWASP Agentic AI Top 10 highlights how tool access and autonomous execution amplify blast radius. In practice, many security teams encounter runtime secret leakage only after a connector, log stream, or prompt path has already exposed production access.
How It Works in Practice
The safer pattern is to keep raw secrets out of the runtime entirely and use a credential broker or workload identity exchange at the moment access is needed. The runtime holds a proof of what the agent is and what task it is attempting, not a durable credential that can be reused elsewhere. That proof can be a workload identity token, a signed service assertion, or a short-lived token minted under policy.
This approach aligns with the emerging guidance in NIST AI Risk Management Framework and CSA MAESTRO agentic AI threat modeling framework, both of which emphasize context, governance, and runtime control. For agents, the practical control set usually includes:
- JIT credential issuance with very short TTLs and automatic revocation after task completion.
- Policy checks at request time, not only at deployment time.
- Separate identities for the agent, the tool, and the environment so one compromise does not grant blanket access.
- Vault-backed secret retrieval where the runtime receives only a scoped token or one-time credential.
- Logging that records authorization decisions without printing raw secrets into traces or prompts.
NHIMG’s research on the Guide to the Secret Sprawl Challenge shows why distributed runtime copies are hard to contain once they exist. Dynamic issuance reduces persistence, but it only works when the agent’s identity is verified, the policy engine is consulted at execution time, and the runtime cannot retain reusable credentials. These controls tend to break down when legacy plugins cache tokens locally because the broker can no longer see or revoke every copy.
Common Variations and Edge Cases
Tighter runtime secret controls often increase orchestration complexity, so teams must balance containment against operational friction. In practice, not every workload can tolerate extremely short TTLs, especially if tasks run across flaky networks or long multi-step workflows. Current guidance suggests adjusting token lifetime to the shortest workable window rather than defaulting back to static secrets.
There is no universal standard for this yet, but the direction is clear: use workload identity where possible, keep secrets in a vault, and issue purpose-bound access only when the agent needs it. NHIMG’s Analysis of Claude Code Security is a useful reminder that agentic tooling often touches code, repos, and infrastructure at the same time, which increases the chance of accidental exposure. On the vendor side, Entro Security’s reported finding that exposed AWS credentials can attract access attempts within minutes underscores how little time defenders have once a runtime-held secret leaks.
Edge cases matter. Debug mode, sidecar containers, shared workers, and multi-agent pipelines can all create extra secret replicas even when the primary runtime is clean. In those environments, the design should assume that any process memory, trace, or connector can become an exfiltration path unless the credential is both short-lived and isolated from the execution environment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Runtime-stored secrets increase exposure and impede safe rotation. |
| OWASP Agentic AI Top 10 | A2 | Agent tool access and prompt paths can expose runtime-held credentials. |
| NIST AI RMF | AI RMF covers governance for context-aware access and runtime risk. |
Treat agent tools as privileged interfaces and gate every secret-bearing action at request time.
Related resources from NHI Mgmt Group
- What breaks when AWS credentials are stored in environment variables or config files?
- What is the difference between code scanning and runtime identity monitoring?
- What breaks when machine credentials are stored in configs and artifacts?
- What breaks when agent access is pre-provisioned instead of minted at runtime?
