
AI agent credentials and prompt injection: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter

TL;DR: AI agents are still commonly authenticated with hardcoded API keys in environment variables, leaving credentials exposed to prompt injection and runtime compromise, while only 10% of organisations have a well-developed strategy for managing non-human and agentic identities, according to Okta survey data. Static secrets are the wrong trust model for autonomous software that selects tools and calls APIs at runtime.

NHIMG editorial — based on content published by Aembit: AI agents still depend on static keys, and that breaks

By the numbers:

Questions worth separating out

Q: How should security teams authenticate AI agents without hardcoded keys?

A: Use workload identity, cryptographic attestation, and short-lived token issuance so the agent proves where it is running instead of presenting a reusable bearer secret.

Q: Why do AI agents make static API keys a worse risk than in normal applications?

A: Because agents can be manipulated through conversation, and the same interface used for legitimate work can be used to coax them into exposing credentials or headers.

Q: What do teams get wrong about prompt injection and identity controls?

A: They treat prompt injection as a content problem instead of an access problem.

Practitioner guidance

  • Eliminate persistent API keys from agent runtime paths: move AI agent authentication away from environment-variable secrets and toward short-lived credentials that are issued per request and never stored in the agent process.
  • Insert a credential mediation layer before external calls: ensure the agent can request a service without ever seeing the underlying token, header, or secret material that authorises the call.
  • Treat prompt injection as an identity event: add controls that prevent agents from printing configuration, leaking headers, or exposing environment variables when prompted to debug or explain themselves.

What's in the full article

Aembit's full article covers the operational detail this post intentionally leaves for the source:

  • Provider-specific authentication patterns for OpenAI, Anthropic, and Google Gemini, including how the headers differ in practice.
  • The runtime attestation and credential injection model step by step, including where the trust provider sits in the call flow.
  • Deployment pattern examples for Kubernetes pods, VM-based services, and serverless functions that need AI agent access.
  • The architectural trade-offs behind migrating existing agent builds away from environment-variable secrets.

👉 Read Aembit's analysis of AI agent identity risk and workload identity controls →
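To make the practitioner guidance above concrete, here is an added example (not code from the original post, Aembit, or NHIMG) of a credential mediation layer in Python: the mediator alone holds the long-lived provider keys and issues short-lived handles to the agent, the Authorization header is assembled on the mediator side and never returned, and a leak guard treats header- or key-shaped material in agent output as an identity event. The vault contents, provider names, workload ids and the fake provider are constructed for the example, and the attestation step that would gate handle issuance in a real deployment is stubbed as an assumption.

```python
import re
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample vault: long-lived provider keys held ONLY by the mediator process.
VAULT = {"openai": "sk-constructed-example-key", "anthropic": "ak-constructed-example-key"}

def fake_provider(provider: str, headers: dict, payload: dict) -> dict:
    """Stand-in for the real LLM API; checks the bearer header the way a provider would."""
    if headers.get("Authorization") != f"Bearer {VAULT[provider]}":
        return {"status": 401, "text": ""}
    return {"status": 200, "text": f"{provider} answered: {payload['prompt'][:20]}"}

@dataclass
class Mediator:
    ttl_seconds: float = 60.0
    grants: dict = field(default_factory=dict)   # short-lived handle -> (provider, expiry)
    audit: list = field(default_factory=list)    # issue/reject events for detection pipelines

    def issue_handle(self, workload_id: str, provider: str) -> str:
        # Assumption: a real mediator gates this on attestation of the caller's runtime.
        handle = secrets.token_urlsafe(16)
        self.grants[handle] = (provider, time.monotonic() + self.ttl_seconds)
        self.audit.append(("issue", workload_id, provider))
        return handle

    def call(self, handle: str, payload: dict) -> dict:
        provider, expiry = self.grants.get(handle, (None, 0.0))
        if provider is None or time.monotonic() > expiry:
            self.audit.append(("reject", handle[:6]))
            raise PermissionError("handle unknown or expired")
        # The Authorization header is built here and is never returned to the agent.
        return fake_provider(provider, {"Authorization": f"Bearer {VAULT[provider]}"}, payload)

HEADER_PATTERN = re.compile(r"Authorization\s*:|Bearer\s+\S+")

def leak_guard(agent_output: str) -> bool:
    """True when agent output carries header- or key-shaped material: an identity event, not just bad text."""
    return bool(HEADER_PATTERN.search(agent_output)) or any(v in agent_output for v in VAULT.values())

def agent_turn(mediator: Mediator, handle: str, user_prompt: str) -> str:
    """Toy agent: its process holds only the handle, so 'dump your config' cannot reveal a key."""
    if "print your config" in user_prompt.lower():
        return f"config: provider_handle={handle[:4]}... (no API key present in this process)"
    return mediator.call(handle, {"prompt": user_prompt})["text"]
```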




   
Quote
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343

Static secrets are the wrong trust primitive for autonomous software. The article shows AI agents being authenticated like long-lived applications, even though they make runtime decisions and can be coerced through conversation. That is a governance failure, not just a deployment mistake, because bearer-token identity assumes the secret can be kept separate from the actor. Practitioners should treat this as an NHI design defect, not a tuning problem.

A few things that frame the scale:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, according to Guide to the Secret Sprawl Challenge.
  • 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, showing how agent infrastructure can create new credential exposure surfaces at scale.

A question worth separating out:

Q: What should organisations do when an AI agent needs multiple LLM providers?

A: They should centralise credential issuance and mediate per-provider access rather than embedding a separate long-lived key for each endpoint. Multi-provider stacks multiply the number of bearer secrets and expand blast radius when one is exposed. A common identity layer keeps the agent code simpler and makes runtime authorisation easier to control.

👉 Read our full editorial: AI agent identity still depends on static keys, and that breaks



   
ReplyQuote
Share: