When raw secrets enter LLM workflows, they can be copied, logged, inferred, or reused across contexts that were never designed for secret custody. The result is not only leakage risk but also a weaker audit trail, because the system can no longer distinguish between model output and authorised credential use.
Why This Matters for Security Teams
Raw secrets are not just “sensitive input” to an LLM workflow. Once a token, API key, or certificate enters prompts, tools, memory, or logs, it can be replicated far beyond its intended custody boundary. That breaks the basic assumption that secret use is attributable, bounded, and revocable. It also turns a model interaction into a potential secret distribution channel, which is exactly why NHI governance has to treat LLM pipelines as credential-handling systems, not just content systems.
Industry guidance is converging on this point. The OWASP Agentic AI Top 10 and NIST AI risk guidance both emphasize runtime controls, context-aware authorization, and restricted data handling rather than trust in static boundaries. NHIMG research has also highlighted how quickly secrets sprawl once they leave controlled systems, including the Guide to the Secret Sprawl Challenge. In the current research set, The State of Secrets in AppSec reports that 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
In practice, many security teams discover this only after a prompt trace, chat export, or agent tool log has already carried the secret into places they did not intend to protect.
How It Works in Practice
The practical failure mode is simple: a secret that should have remained in a vault becomes part of a workflow transcript. That may happen through direct prompting, retrieval-augmented generation, tool calls, or agent memory. Once copied into an LLM context, the secret can be echoed back, cached, logged by observability tooling, or recomposed into downstream outputs. The problem is not limited to model memorization. It is also about uncontrolled reuse across contexts where the original authorization no longer applies.
Security teams should think in terms of workload identity and just-in-time secret use. The right pattern is to keep the model from ever seeing raw long-lived credentials where possible, and instead issue short-lived, scoped access at the moment of task execution. That aligns with the direction of NIST AI Risk Management Framework and with agentic controls in CSA MAESTRO agentic AI threat modeling framework.
- Use vault-backed, ephemeral tokens instead of static secrets in prompts.
- Pass references or capability handles, not the secret value itself.
- Apply policy-as-code at request time so the agent gets only the minimum task scope.
- Redact prompts, tool outputs, and traces before they reach logging or analytics systems.
- Separate identity of the agent from the credentials it is allowed to request.
NHIMG analysis of breach patterns in 52 NHI Breaches Analysis shows that exposed identities often become reusable across multiple systems, which makes any secret exposure broader than the first workflow that captured it. These controls tend to break down when agent pipelines share memory, reuse conversational context across tenants, or forward tool outputs into systems that were never designed for secret custody.
Common Variations and Edge Cases
Tighter secret controls often increase operational overhead, requiring organisations to balance developer convenience against exposure reduction. That tradeoff becomes more visible in agentic systems because every additional approval step can slow down autonomous workflows, but every long-lived secret increases blast radius if the agent behaves unexpectedly.
There is no universal standard for this yet, but current guidance suggests three common patterns. First, some teams keep secrets fully outside the model and expose only mediated API calls through a broker. Second, others allow the agent to request ephemeral credentials from a workload identity system such as SPIFFE-based infrastructure or OIDC-backed federation. Third, some organisations rely on policy-enforced secret retrieval only for narrowly defined tasks. The strongest approach depends on how much autonomy the agent has and how much tool chaining it can perform.
Edge cases matter. A read-only secret can still be harmful if it unlocks sensitive data, internal dashboards, or hidden context. A secret that is “temporary” is not safe if it is cached in a notebook, browser plugin, or trace store. And if the workflow crosses environments, even well-designed local redaction may fail once the data enters third-party telemetry. The 2025 State of NHIs and Secrets in Cybersecurity reports that 44% of NHI tokens are exposed in the wild, often through collaboration tools and code commits, which is a reminder that transport paths matter as much as storage. The best practice is evolving, but the core rule is stable: if the model can see the secret, assume the workflow can spread it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-05 | Agent workflows must not ingest raw secrets into prompts or tools. |
| CSA MAESTRO | M2 | MAESTRO addresses runtime controls for agent tool use and secret handling. |
| NIST AI RMF | GOVERN | AI RMF requires governance for sensitive-data handling in AI workflows. |
Remove secrets from agent context and replace them with scoped, ephemeral capabilities.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
