Any secret, key, or token that an autonomous system can locate and use during execution, whether or not it was intended for that task. These secrets matter because discoverability turns dormant privilege into active attack surface.
Expanded Definition
An agent-reachable secret is any secret, key, token, certificate, or credential that an autonomous system can discover and use while it is running, even when that access was never intended for the agent’s task. In NHI practice, the key issue is not whether the secret is “sensitive” in the abstract, but whether an agent can reach it through prompts, filesystem paths, environment variables, tool output, memory, logs, or connected repositories.
This term is narrower than general secret management and more operational than classic data classification. It focuses on reachability inside an execution boundary, which is why it is central to the OWASP Agentic AI Top 10 and related guidance from the NIST AI Risk Management Framework. Definitions vary across vendors on whether reachability includes indirect tool-mediated access, but NHI governance should treat any retrievable secret as in scope once an agent can enumerate or invoke it.
The most common misapplication is assuming a secret is safe because it is stored in a vault. Vault storage does not remove the risk when the agent still has a path to retrieve the secret through overly broad tools, cached context, or permissive runtime permissions.
Examples and Use Cases
Implementing controls for agent-reachable secrets rigorously often introduces friction, requiring teams to balance agent autonomy against tighter retrieval boundaries and more explicit approval steps.
- A coding agent can read deployment tokens from a local configuration file and reuse them to push to production, even though the token was only intended for a build step. This is a classic case of hidden privilege becoming reachable during execution.
- An LLM-connected support agent can query a secrets manager through a broad tool interface and surface API keys that were meant only for a human operator. That design is reachable by policy, but unsafe by exposure.
- A CI pipeline agent can inherit environment variables that include long-lived credentials, making the secret reachable in logs, debug output, or shell commands. See NHIMG’s Guide to the Secret Sprawl Challenge for how this pattern spreads across environments.
- An autonomous remediation agent can find a certificate in a shared repository and use it to authenticate to downstream services, creating privilege the workflow owner never explicitly assigned.
- Secret reachability is often exposed in supply-chain incidents such as the Shai Hulud npm malware campaign, where tooling and repositories become an access path. The OWASP Non-Human Identity Top 10 frames this as a governance and exposure-control issue, not only a storage problem.
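The patterns in the list above share one property: the secret is reachable from inside the agent's execution boundary, regardless of where it was meant to live. The following Python scanner is an added example, not part of this glossary entry or any NHIMG tooling; it inventories a constructed execution boundary (an environment block, a config file, and a log excerpt, all with placeholder values) and reports each reachable secret together with the path that exposes it and whether the task was ever meant to hold it. The detection patterns and the `INTENDED_FOR_TASK` allowlist are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs (placeholder values, not real credentials) that
# stand in for what an agent can read at runtime.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "BUILD_TOKEN": "ghp_EXAMPLEBUILDTOKEN000000000000000000",
    "DEPLOY_TOKEN": "ghp_EXAMPLEDEPLOYTOKEN00000000000000000",
    "LOG_LEVEL": "debug",
}
SAMPLE_CONFIG = """\
[deploy]
endpoint = https://deploy.example.invalid
api_key = AKIAEXAMPLEFAKEKEY00
[build]
cache_dir = /tmp/cache
"""
SAMPLE_LOG = """\
2025-01-01T00:00:00Z INFO starting job 42
2025-01-01T00:00:01Z DEBUG curl -H 'Authorization: Bearer eyJhbGciOi.EXAMPLE.SIGNATURE'
2025-01-01T00:00:02Z INFO done
"""

# Assumed task grant: only the build token belongs to this job. Everything
# else that turns up is hidden privilege that became reachable.
INTENDED_FOR_TASK = {"BUILD_TOKEN"}

# Heuristic secret-shaped patterns, constructed for the example; a real
# scanner would use a maintained pattern set.
PATTERNS = {
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "bearer_jwt": re.compile(
        r"Bearer\s+[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+"),
}


@dataclass(frozen=True)
class Finding:
    path: str       # reach path: "env", "file", or "log"
    locator: str    # variable name, config key, or log line number
    kind: str       # which pattern matched
    intended: bool  # True only if the task was granted this secret


def _match_kinds(value):
    """Return the names of every pattern that matches inside value."""
    return [kind for kind, rx in PATTERNS.items() if rx.search(value)]


def inventory(env, config_text, log_text, intended):
    """Enumerate every secret reachable through env, config, or logs."""
    findings = []
    # Environment variables: reachable by any subprocess or tool the agent runs.
    for name, value in env.items():
        for kind in _match_kinds(value):
            findings.append(Finding("env", name, kind, name in intended))
    # Config file: reachable by any file-read tool; keys are compared
    # case-insensitively against the grant.
    for line in config_text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        for kind in _match_kinds(value.strip()):
            findings.append(Finding("file", key.strip(), kind,
                                    key.strip().upper() in intended))
    # Logs: a secret in a log line is never an intended grant.
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind in _match_kinds(line):
            findings.append(Finding("log", f"line {lineno}", kind, False))
    return findings


def unintended(findings):
    """The exposure paths to remove first: reachable but never granted."""
    return [f for f in findings if not f.intended]


if __name__ == "__main__":
    for f in inventory(SAMPLE_ENV, SAMPLE_CONFIG, SAMPLE_LOG, INTENDED_FOR_TASK):
        flag = "ok      " if f.intended else "EXPOSED "
        print(f"{flag} {f.path:4} {f.locator:12} {f.kind}")
```

Run against real inputs, the same loop gives a per-task list of exposure paths to close; the `intended` flag is what separates a legitimately granted secret from one that merely happens to be reachable.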
Why It Matters in NHI Security
Agent-reachable secrets matter because discoverability creates active attack surface. A secret that sits dormant in a vault or config file is still dangerous if an agent can enumerate it, copy it, or use it outside the intended workflow. In practice, this breaks least privilege, expands blast radius, and undermines just-in-time access models. NHIMG’s Ultimate Guide to NHIs reports that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, which shows how quickly exposure becomes operational loss.
This is also where Zero Trust thinking becomes concrete: the question is not only who authenticated, but what the agent can reach once inside the workload. The combination of broad tool permissions, long-lived credentials, and opaque runtime behavior is why Analysis of Claude Code Security and the NIST AI Risk Management Framework both emphasise limiting what an AI system can access during execution. Organisational failures often persist until secrets are rotated, logs are reviewed, or an incident reveals how far the agent could travel. Organisations typically encounter this problem only after an unwanted action or exfiltration event, at which point agent-reachable secrets become operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Directly addresses secret exposure, sprawl, and runtime accessibility in NHI systems. |
| OWASP Agentic AI Top 10 | Agentic application guidance | Treats reachable secrets as a prompt, tool, and data exfiltration risk. |
| NIST AI RMF | AI RMF | Requires managing access-related harms from model and agent behavior. |
Inventory and restrict every secret an agent can reach, then remove unused exposure paths and rotate exposed credentials.
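Restricting what an agent can reach means the tool surface itself has to be scoped to the task, not just the vault's storage policy. The following Python example is added here and is not NHIMG code or any vendor's API: it contrasts the overly broad secrets tool from the support-agent case above with a task-scoped broker that only enumerates and issues secrets explicitly granted to the task, hands them out as short-lived leases, and records every denial for review. The vault contents, task grant, and lease TTL are constructed placeholders.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed vault (placeholder values, not real credentials).
VAULT = {
    "build/token": "build-token-PLACEHOLDER",
    "prod/deploy-token": "deploy-token-PLACEHOLDER",
    "support/crm-api-key": "crm-key-PLACEHOLDER",
}


class SecretDenied(Exception):
    """Raised when a task asks for a secret outside its grant."""


class BroadSecretTool:
    """The risky shape: any agent holding this tool can enumerate and fetch
    every secret the vault knows about, whatever its task."""

    def list_secrets(self):
        return sorted(VAULT)

    def get_secret(self, name):
        return VAULT[name]


@dataclass(frozen=True)
class TaskScope:
    task_id: str
    allowed: frozenset       # secrets explicitly granted to this task
    ttl_seconds: int = 300   # assumed lease lifetime for the example


@dataclass(frozen=True)
class Lease:
    value: str
    expires_at: float

    def valid(self, now):
        return now < self.expires_at


@dataclass
class ScopedSecretBroker:
    """Task-bound secrets tool: enumeration and retrieval are limited to the
    grant, issuance is time-boxed, and every decision is auditable."""
    scope: TaskScope
    audit: List[Tuple[str, str, str]] = field(default_factory=list)
    clock: Callable[[], float] = time.time   # injectable for deterministic tests

    def list_secrets(self):
        # Ungranted secrets are not even visible, so hidden privilege cannot
        # be discovered by enumeration.
        return sorted(n for n in VAULT if n in self.scope.allowed)

    def get_secret(self, name):
        if name not in self.scope.allowed:
            self.audit.append(("deny", self.scope.task_id, name))
            raise SecretDenied(f"{name} is not granted to task {self.scope.task_id}")
        self.audit.append(("issue", self.scope.task_id, name))
        return Lease(VAULT[name], self.clock() + self.scope.ttl_seconds)

    def denials(self):
        """Denied requests are the signal that a task is reaching beyond its grant."""
        return [entry for entry in self.audit if entry[0] == "deny"]


if __name__ == "__main__":
    broad = BroadSecretTool()
    print("broad tool exposes:", broad.list_secrets())

    scope = TaskScope("build-42", frozenset({"build/token"}), ttl_seconds=60)
    broker = ScopedSecretBroker(scope)
    print("scoped broker exposes:", broker.list_secrets())
    try:
        broker.get_secret("prod/deploy-token")
    except SecretDenied as exc:
        print("denied:", exc)
    print("audit:", broker.audit)
```

The broker does not make the vault safer; it removes the reach path. The `denials()` list is the part worth wiring into monitoring, since a task repeatedly asking for secrets it was never granted is exactly the behaviour the examples above describe.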
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org