TL;DR: AI agents can leak credentials through prompt injection or indirect content ingestion, so credential brokering is emerging as the trust boundary that keeps secrets out of the agent while still letting it act, according to Infisical. The core shift is that security teams must govern agent access without assuming the agent itself is a safe place to hold credentials.
At a glance
What this is: This is an analysis of credential brokering for AI agents, with the key finding that agents should use credentials without ever seeing the underlying secrets.
Why it matters: It matters because IAM, PAM, and secrets teams need a design that preserves agent utility while removing direct secret exposure from autonomous and semi-autonomous workflows.
👉 Read Infisical's analysis of credential brokering for AI agents
Context
AI agents are non-deterministic systems that can change their tool use and output based on model behaviour, which makes direct secret exposure a governance problem rather than just an implementation detail. For identity programmes, the issue is not whether the agent can call a service, but whether the credential lives in a place the agent can leak, misuse, or replay.
Credential brokering shifts the trust boundary away from the agent and toward a proxy that attaches credentials at request time. That matters for NHI governance because it aligns agent access with secrets handling, access containment, and request mediation rather than with static credential storage inside the agent runtime.
Key questions
Q: How should security teams keep AI agents useful without letting them see secrets?
A: Use a credential broker or proxy so the agent can make authorised requests without ever handling the underlying tokens, API keys, or certificates. The agent should submit a request, and the broker should attach credentials on the outbound path. That keeps secret custody outside the agent runtime and reduces exfiltration risk from prompt injection or malicious content.
Q: Why are AI agents harder to trust with credentials than traditional workloads?
A: AI agents are non-deterministic, so their tool use and outputs can change based on prompts, context, and external content. That means a secret visible to the agent is not just a stored value, it is a value the agent can be tricked into revealing. Traditional workloads are easier to bound because their execution paths are more predictable.
Q: What breaks when an agent can read its own environment variables and tokens?
A: The trust boundary breaks because the agent can be induced to exfiltrate credentials through normal actions such as logging, responding to prompts, or building requests. Once secrets are accessible inside the runtime, every downstream service tied to those credentials becomes reachable through a stolen authentication path rather than through controlled access.
Q: Who should own credential brokering in an agent programme?
A: IAM, PAM, and secrets teams should own the control model, while platform teams implement the proxy and network path. The important point is governance ownership, not tool ownership. The organisation needs a clear policy for which credentials may be brokered, where the broker runs, and how request mediation is audited.
Technical breakdown
Why direct credential exposure breaks agent security
AI agents are not fixed-path applications. Their behaviour depends on model output, so the same agent can take different actions across sessions, tools, and inputs. That makes prompt injection dangerous because the injected content does not need to take over the whole system. It only needs to persuade the agent to reveal what it already holds, including tokens, API keys, or environment variables. Once the agent can read secrets directly, every downstream service becomes reachable through a stolen credential rather than through governed request mediation.
Practical implication: treat any secret visible to the agent as exfiltratable, not protected.
How a credential broker changes the request path
A credential broker inserts a proxy between the agent and the upstream service. The agent sends a normal request with placeholders or unauthenticated fields, and the broker authenticates the agent, injects the real credential, and forwards the request. This preserves the agent's ability to act while keeping the secret outside the agent's memory and process space. In practice, the broker can sit as a sidecar, standalone service, or egress control layer. The security value comes from mediating the outbound request, not from teaching the agent to handle secrets more carefully.
Practical implication: move secret attachment to the proxy layer, not the agent runtime.
Why isolation, proximity, and private reachability matter
Broker design is only as strong as its deployment boundaries. If the agent and broker share a host kernel, a kernel exploit can collapse the isolation model. If the broker sits too far away, latency accumulates as the agent loops through many calls. If the broker is public, it becomes a reusable credential relay for anyone who can reach it. The article's design advice points to a simple architectural principle: the broker should be private, close to the agent, and isolated from the agent's execution environment.
Practical implication: keep broker traffic private and separate from the agent's host.
NHI Mgmt Group analysis
Credential visibility is the wrong trust model for AI agents. An agent that can read its own credentials can also be manipulated into disclosing them, because prompt injection and malicious content are now part of the attack surface. The governance problem is not only access, but secret possession. Identity teams should treat agent-visible secrets as already compromised from a control-design perspective.
Credential brokering is an identity control, not just an infrastructure pattern. It moves the enforcement point from the agent to a proxy that mediates outbound authenticated actions. That is a stronger fit for NHI governance because it separates runtime decision-making from secret custody. The practitioner takeaway is that agent access should be authorised at request time, while secret material stays outside the agent boundary.
Static secret handling is the named failure mode here: secret possession by the actor. The article shows why the old assumption that a workload can safely hold credentials breaks when the workload is an AI agent that may be prompted to reveal them. This is a trust-boundary problem, not merely a rotation problem. The implication is that IAM design must stop assuming the agent can be trusted as a secret container.
Interface-agnostic brokering will shape how agent governance scales. If credential mediation only works for one client style, teams will route around it as soon as agents use CLIs, SDKs, or tool chains that do not fit the model. A transparent broker aligns better with NHI governance because it controls the request path rather than the application interface. Practitioners should favour controls that survive tool diversity and agent sprawl.
AI agents collapse the traditional separation between action and authentication. In human IAM, the subject and the secret holder are usually distinct in practice. In agentic workflows, they can be the same runtime, which makes leakage a structural risk. The field should respond by designing for mediated access, not by assuming stronger prompts or better operator discipline will keep secrets safe.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For a broader view of the control problem, see OWASP Agentic AI Top 10 and how request mediation maps to agentic threat modelling.
What this signals
Credential brokering will become a baseline control for any agent programme that touches production systems. The question is no longer whether an agent can use a secret, but whether secret custody can remain outside the agent while still supporting the workflow. Teams that keep secrets inside agent memory will inherit a preventable exfiltration risk. See also Ultimate Guide to NHIs , Static vs Dynamic Secrets.
Prompt injection now has identity consequences, not just content consequences. Once malicious instructions can influence a request path, the attack is aiming at the credential boundary as much as the task outcome. That makes access mediation, auditability, and private broker placement part of the operational design, not an optional hardening layer.
Interface-agnostic controls will matter as agent toolchains diversify. A broker that only works in one client pattern will be bypassed as soon as teams mix CLIs, SDKs, and other interfaces in the same workflow. The practical signal for practitioners is simple: if the broker cannot sit between the agent and every outbound request, it will not scale.
For practitioners
- Move secrets out of the agent runtime Use a broker or proxy so the agent can call external services without reading underlying tokens, keys, or certificates. Keep the real credential in a separate control plane and expose only request-time mediation to the agent.
- Treat prompt injection as a credential exposure risk Review every tool, external content source, and chat input that can influence an agent's behaviour. If an injected instruction can reach environment variables or secret-bearing files, the trust model is already too open.
- Keep broker endpoints private and isolated Place the broker on a private network, separate it from the agent host, and avoid shared-kernel co-location where possible. A public broker or a weak isolation boundary turns credential mediation into a reusable attack surface.
- Use placeholder substitution instead of hardcoded auth logic Let the agent send generic placeholders such as token aliases, then replace them at the proxy layer before the request reaches the destination API. That reduces interface-specific coupling and keeps the broker transparent to the agent's tools.
Key takeaways
- AI agents create a secret handling problem because their behaviour can be manipulated at runtime, making direct credential exposure a governance flaw rather than a convenience choice.
- Credential brokering separates secret custody from agent action, which is the key design shift for reducing exfiltration risk in agentic workflows.
- Practitioners should prioritise private, isolated, interface-agnostic mediation if they want agent access to scale without turning secrets into an attack surface.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent prompt injection and tool misuse are central to the broker design discussion. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | The post centers on brokered access instead of exposing long-lived secrets to the agent. |
| NIST CSF 2.0 | PR.AC-1 | The broker mediates authenticated access and changes how identity is enforced. |
Map agent request paths to OWASP agentic risks and remove direct secret exposure from the runtime.
Key terms
- Credential broker: A credential broker is a control layer that authenticates an agent or workload and attaches the right secret to an outbound request without exposing the secret to the runtime itself. In practice, it preserves functionality while moving secret custody out of the agent boundary and into a managed proxy or service.
- Prompt injection: Prompt injection is the use of malicious or misleading content to influence an AI system into taking unintended actions. For agents, the danger is not only wrong output, but also secret leakage, tool misuse, and credential exfiltration when the agent follows injected instructions as if they were legitimate context.
- Credential exfiltration: Credential exfiltration is the theft or unintended disclosure of authentication material such as tokens, API keys, or certificates. In agentic systems, it often happens when the runtime can see the secret directly and is persuaded to reveal it through logging, responses, or outbound requests.
What's in the full article
Infisical's full blog post covers the operational detail this post intentionally leaves for the source:
- End-to-end request flow showing how the broker rewrites outbound HTTPS traffic before it reaches each upstream service
- Implementation detail on placeholder substitution for different auth styles, including bearer tokens, API keys, and query parameters
- Deployment guidance for running a private broker on a separate host with proxy-based routing such as HTTPS_PROXY
- Practical design notes on isolation, co-location, and transparent interface-agnostic broker behaviour
👉 Infisical's full post covers the broker flow, deployment model, and implementation trade-offs.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org