
AI agent tool-calling and credential isolation: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6030
Topic starter  

TL;DR: AI agents calling external services need authentication flows that hide tokens from the model itself, and WorkOS’s source analysis says Arcade’s zero-token-exposure approach, OAuth 2.1 handling, and just-in-time authorization are aimed at that gap. The core issue is that access review and least-privilege assumptions break down when the identity that decides what to call is separate from the identity that stores the credential.

NHIMG editorial — based on content published by WorkOS: Arcade for AI Agent Security, features, pricing, and alternatives

Questions worth separating out

Q: How should security teams govern AI agent tool calls without exposing credentials?

A: Security teams should place credentials in a separate execution layer, not in the model context, and bind every tool call to a distinct agent identity.

Q: Why do AI agents complicate least-privilege design?

A: AI agents complicate least-privilege design because the exact tool they will need is often decided at runtime, not at provisioning time.

Q: What breaks when secret custody and model reasoning are in the same runtime?

A: When secret custody and model reasoning share the same runtime, the model becomes a potential path for secret exposure through prompts, logs, memory, or debug output.

Practitioner guidance

  • Define a separate agent execution identity: Create an identity and access model for the agent runtime that is distinct from the end user and from the application service account.
  • Broker credentials outside the model boundary: Keep OAuth tokens, API keys, and refresh secrets in a dedicated runtime or vault layer that the model cannot read.
  • Scope tools by action, not just by application: Review whether each agent tool can be limited to the exact action it needs, such as read-only Slack access instead of full workspace messaging.

What's in the full article

WorkOS's full article covers the operational detail this post intentionally leaves for the source:

  • Pricing tier comparisons for teams evaluating whether a managed or self-hosted runtime fits their deployment model.
  • Implementation details for OAuth 2.1 handling, token refresh, and per-tool credential management across supported SaaS services.
  • Examples of MCP server setup and SDK usage for developers building custom authenticated tools.
  • The article's own comparison of tool-calling authentication versus broader enterprise auth responsibilities.

👉 Read WorkOS's analysis of Arcade for AI agent security and enterprise auth →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5523
 

Zero-token exposure is a governance boundary, not a feature checkbox. The central problem in AI agent tool-calling is that credentials must be usable by runtime infrastructure but invisible to the model. That boundary matters because it prevents the agent from becoming a secret distribution surface through prompts, traces, or memory. For IAM and NHI teams, the question is whether the credential broker is the control plane or merely another place where access is cached.

A few things that frame the scale:

  • Around 100,000 valid secrets were found in public Docker images, with ENV instructions alone accounting for 65% of all secret leaks in containers, according to The State of Secrets Sprawl 2025.
  • 15% of commit authors have leaked at least one secret in their contribution history, according to The State of Secrets Sprawl 2025.

A question worth separating out:

Q: Should organisations treat MCP as a security control or a transport standard?

A: Organisations should treat MCP as a transport standard unless the runtime is actually enforcing policy, scope, and audit. A plain MCP server that forwards requests still leaves the core identity problem unsolved. The control value comes only when the MCP layer mediates authorisation and credential release for each tool call.

👉 Read our full editorial: AI agent tool-calling shifts identity control to the execution layer
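Added example (editorial, not code from WorkOS, Arcade, or either post above): a minimal credential broker that puts the three guidance points from the first post into one runnable unit and also shows the distinction the second post draws, a layer that merely forwards requests versus one that mediates authorisation and credential release per tool call. The vault contents, the policy table, the agent identity `agent:support-triage`, the grant TTL, and the `simulated_api` stand-in for the SaaS calls are all constructed for illustration. The model runtime only ever calls `Broker.call` and only ever receives its return value; the token is read inside the broker and used once. `unsafe_prompt` shows the opposite pattern, the token pasted into model context, so `leaks_secret` can be run over both.

```python
import json
import time

# Constructed sample credentials (hypothetical). In a real deployment these live in
# a vault or a dedicated runtime; nothing below copies them into a model-visible value.
VAULT = {
    "slack": "xoxb-EXAMPLE-0000-SLACK",
    "github": "ghp_EXAMPLE0000GITHUB",
}

# Hypothetical policy: agent identity -> tool -> actions that identity may invoke.
# Scope is per action (read_channel), not per application (all of Slack).
POLICY = {
    "agent:support-triage": {
        "slack": {"read_channel"},
        "github": {"read_issue"},
    },
}

GRANT_TTL_SECONDS = 300  # just-in-time grants expire; there is no standing access


def simulated_api(tool, action, token, args):
    """Stand-in for the real SaaS call. The token would go into an Authorization
    header here and nowhere else. Returns constructed sample data."""
    assert token == VAULT[tool]  # the only place the secret is consumed
    if (tool, action) == ("slack", "read_channel"):
        return {"channel": args["channel"], "messages": ["deploy finished", "ticket #42 reopened"]}
    if (tool, action) == ("slack", "post_message"):
        return {"posted": True}
    if (tool, action) == ("github", "read_issue"):
        return {"number": args["number"], "title": "Login page returns 500"}
    raise ValueError(f"unsupported {tool}.{action}")


class Broker:
    """Execution layer that owns credentials, enforces per-action scope for a
    distinct agent identity, requires a fresh grant per tool, and records every decision."""

    def __init__(self, now=time.time):
        self.now = now
        self.grants = {}  # (agent_id, tool) -> expiry timestamp
        self.audit = []   # model-safe records: no tokens, no raw call arguments

    def grant(self, agent_id, tool, approver):
        """Just-in-time authorisation issued by a human or policy engine, never by the model."""
        self.grants[(agent_id, tool)] = self.now() + GRANT_TTL_SECONDS
        self._log(agent_id, tool, "grant", "ok", approver=approver)

    def call(self, agent_id, tool, action, args):
        """The only entry point the model runtime gets. Returns a model-safe dict."""
        allowed = POLICY.get(agent_id, {}).get(tool, set())
        if action not in allowed:
            self._log(agent_id, tool, action, "denied")
            return {"status": "denied", "reason": f"{agent_id} may not {tool}.{action}"}
        if self.now() >= self.grants.get((agent_id, tool), 0):
            self._log(agent_id, tool, action, "authorization_required")
            return {"status": "authorization_required", "tool": tool}
        token = VAULT[tool]  # released inside the broker only, after policy and grant checks
        result = simulated_api(tool, action, token, args)
        self._log(agent_id, tool, action, "ok")
        return {"status": "ok", "result": result}

    def _log(self, agent_id, tool, action, outcome, **extra):
        self.audit.append({"ts": int(self.now()), "agent": agent_id, "tool": tool,
                           "action": action, "outcome": outcome, **extra})


def leaks_secret(value):
    """True if any vault credential appears in a value bound for the model context or logs."""
    blob = json.dumps(value, default=str)
    return any(secret in blob for secret in VAULT.values())


def unsafe_prompt(channel):
    """The anti-pattern: the token is handed to the model so it can 'call Slack' itself.
    Anything that logs, traces, or echoes the prompt now leaks the credential."""
    return f"Use token {VAULT['slack']} to read #{channel} and summarise it."


def demo():
    """Walk one agent through: no grant, granted, out-of-scope action, expired grant."""
    clock = [1_700_000_000.0]
    broker = Broker(now=lambda: clock[0])
    agent = "agent:support-triage"
    first = broker.call(agent, "slack", "read_channel", {"channel": "ops"})  # no grant yet
    broker.grant(agent, "slack", approver="oncall@example.invalid")
    ok = broker.call(agent, "slack", "read_channel", {"channel": "ops"})
    denied = broker.call(agent, "slack", "post_message", {"channel": "ops", "text": "hi"})
    clock[0] += GRANT_TTL_SECONDS + 1
    expired = broker.call(agent, "slack", "read_channel", {"channel": "ops"})
    return {"first": first, "ok": ok, "denied": denied, "expired": expired, "audit": broker.audit}


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out, indent=2))
    print("broker output leaks a secret:", leaks_secret(out))
    print("inline-token prompt leaks a secret:", leaks_secret(unsafe_prompt("ops")))
```

The order of checks in `Broker.call` is deliberate: policy scope is evaluated before the grant lookup, so an out-of-scope action is refused even when a valid grant exists, and the credential is read only after both checks pass. A forwarding-only MCP server would be the version of `call` with the first two `if` blocks deleted, which is exactly the "transport standard, not a control" case.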
