Direct secret handoff breaks the boundary between authority and execution. Once the secret enters the model context, it can be copied, reused, or misapplied outside the intended destination. That creates a larger trust surface than mediated access, where credentials are bound to specific systems and used without exposing the underlying secret to the agent.
Why This Matters for Security Teams
Giving secrets directly to an agent turns a controlled access event into a persistent exposure problem. The model may need to complete a task once, but the secret can outlive that task in prompts, logs, tool traces, caches, or downstream calls. That is why static secrets are a poor fit for autonomous systems, especially when the agent can chain tools, retry actions, or pursue a goal in ways the requester did not anticipate. Current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework points toward runtime control, not trust by possession.
NHI Management Group’s research on the State of Secrets Sprawl 2026 shows how quickly secrets exposure scales once credentials enter modern workflows: 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, and 64% of valid secrets leaked in 2022 are still valid and exploitable today. For agentic systems, that means a single handoff can become a durable lateral-movement path rather than a one-time authorization.
In practice, many security teams discover this only after an agent has already reused a credential in an unintended system, rather than through intentional design review.
How It Works in Practice
The safer pattern is to keep the secret out of the agent whenever possible and replace it with mediated, time-bound authority. That usually means the agent authenticates as a workload, not as a human, and receives only the minimum token or capability needed for the specific task. Identity primitives such as SPIFFE or OIDC-backed workload identity prove what the agent is, while policy engines decide what it may do at request time. This is consistent with the direction of the CSA MAESTRO agentic AI threat modeling framework and with the control expectations in the OWASP Non-Human Identity Top 10.
Operationally, that often looks like this:
- Issue just-in-time credentials with short TTLs per task, not shared long-lived secrets.
- Bind access to workload identity and context, such as tool, target, environment, and user intent.
- Evaluate policy at runtime through policy-as-code rather than pre-approving broad role grants.
- Revoke credentials automatically when the task completes, fails, or times out.
- Store secrets only in brokered systems that return scoped tokens, not raw credentials.
This matters because an agent may be able to read, copy, or pass along anything placed in context, while a mediated token can be constrained to one action or one target. The practical goal is not only secrecy, but containment of authority. NHI Management Group’s Guide to the Secret Sprawl Challenge is clear that exposure often starts where teams assume their controls are strongest, including internal systems and workflow tooling.
These controls tend to break down when developers embed secrets directly in prompts or when an agent must interact with legacy systems that only accept static passwords and cannot validate short-lived workload tokens.
Common Variations and Edge Cases
Tighter secret mediation often increases integration overhead, so organisations must balance safety against delivery friction. That tradeoff is real in environments with legacy APIs, hard-coded vendor integrations, or tools that do not support token exchange. In those cases, best practice is evolving, and there is no universal standard for how much privilege an agent should receive versus how much should remain brokered by an external service.
One common edge case is human-in-the-loop escalation. If an agent needs a secret only after a user approves a sensitive action, the safer design is to mint a short-lived, task-specific token after approval rather than expose the underlying credential. Another edge case is multi-agent orchestration, where one agent can pass a secret to another through shared context or memory. That is why the Analysis of Claude Code Security and the Anthropic report on AI-orchestrated cyber espionage both reinforce the same operational warning: autonomous systems can reuse authority in ways humans do not predict.
Where tokenisation is impossible, the fallback is to isolate the secret behind a broker, restrict the destination, and monitor for misuse as if compromise is already possible. That approach is weaker than mediated access, but it is still safer than placing the raw secret inside the agent context.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic apps fail when secrets enter model context and can be reused. |
| CSA MAESTRO | M1 | MAESTRO addresses runtime trust decisions for autonomous agent workflows. |
| NIST AI RMF | AI RMF governs risk from uncontrolled agent behavior and credential misuse. |
Treat agent secret exposure as a governed AI risk with monitoring, containment, and accountability.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
