ASJSR

American Scholarly Journal for Scientific Research

Submit Paper Submit Blog

Your AI Agent Should Never Hold a Credential

By Victoria Hart ·
Your AI Agent Should Never Hold a Credential

Your AI Agent Should Never Hold a Credential

The bearer token is the breach waiting to happen.

Every AI agent deployed today inherits a security model designed for batch scripts and cron jobs. That model hands the agent a long-lived secret and trusts it to behave. Agents do not behave like scripts, and the secret always leaks.

Stop giving agents credentials. Start giving them proof.

The 90 to 1 Problem Nobody Priced In

Non-human identities already outnumber human accounts by more than ninety to one inside a typical cloud estate, according to BeyondTrust. Agents are landing on top of that pile at machine speed, each one demanding its own service account, API key, or OAuth client. Okta now reports organizations manage roughly forty-five machine identities for every human user, and agentic workloads are accelerating that ratio.

The math breaks in three places:

  • Provisioning outruns review. Knowledge workers now spin up agents faster than any access committee can certify them.
  • Credentials accumulate. Zombie agents keep valid tokens, show up in no inventory, and answer to no owner.
  • Accountability dissolves. When an agent acts, logs show the service account, not the human behind the prompt.

Scale turned a hygiene problem into a breach vector.

OAuth Was Built for Apps That Do Not Think

OAuth and SAML were designed around a simple assumption. A user consents once, a token gets issued, and the holder is trusted until expiry. The Cloud Security Alliance points out that this trust-on-first-use model collapses the moment the holder is an agent whose intent shifts mid-session.

A deterministic script performs the same call sequence every run. An agent reads context, reasons, picks a tool, and invents a request path the architects never anticipated. Curity frames this as the indeterminism problem, and it wrecks the static scope list OAuth was built around.

The token does not know what the agent is about to do. Neither do you.

The Human or Machine Question Is the Wrong Question

Most vendors are fighting about taxonomy. Is an agent a human identity with delegated authority, or a non-human workload? Aembit proposes a third category called agentic identity, where a single entity swaps between user-delegated and autonomous modes inside one task.

That reframing is useful, but it still assumes the agent walks around holding something valuable. The better question is structural. Why does the agent need to hold anything at all.

Credentials as Artifact, Not Asset

Flip the model. An agent should carry no standing secret. Every action should require a fresh, cryptographically signed attestation that encodes who requested the work, what tool is being invoked, what data is in scope, and when the permission expires measured in seconds.

The primitives already exist:

  • Ephemeral credentials. Short-lived tokens minted per task, revoked on completion, never cached to disk.
  • Asymmetric proof of possession. X509 certificates with mutual TLS, or JWT bound to a private key the agent never exports, as recommended by Curity.
  • Just-in-time access. Permissions granted at the moment of the call, not at provisioning.
  • Delegation chains. Every downstream call inherits a scoped, expirable parent attestation, preserving attribution back to the originating human.
  • Behavioral policy at the enforcement point. The API gateway evaluates intent against baseline and blocks drift before the call lands.

Under this model a stolen agent has nothing to steal. A compromised runtime cannot replay yesterday's token because yesterday's token expired in thirty seconds and was bound to a key that never left the secure enclave.

What Breaks First in Production

Real deployments hit four walls fast:

  • Discovery. You cannot govern agents you cannot see. Saviynt notes that most enterprises still lack a single inventory that covers agents, their MCP servers, and the tools they call.
  • Ownership. Every agent needs a named human on the hook. SailPoint treats this as the first control, not the last.
  • Offboarding. Oasis Security observes that agents have no structured offboarding, so credentials live forever unless you engineer their death.
  • Attribution. When an agent deletes a production table, the incident response team needs a line from the action back to the prompt, the user, and the policy that allowed it.

Each wall is fixable. None are fixed by buying another vault.

The Control Plane Is the Product

The winning architecture looks less like PAM and more like a certificate authority for intent. A central authority issues scoped attestations on demand, logs every issuance, evaluates behavioral policy, and revokes in real time. Security Boulevard argues this is an extension of existing cloud IAM, not a parallel stack, and that is the right instinct.

Treat the issuance service as the crown jewel. Treat the agent as a process that earns permission one call at a time. Treat every token as disposable by design.

Burn the Vault, Keep the Log

The industry reflex is to build bigger vaults for agent secrets. That reflex is wrong. A vault full of agent credentials is a loaded weapon pointed at the blast radius of an indeterministic process.

Replace the vault with an issuer. Replace standing access with just-in-time attestation. Replace bearer trust with cryptographic proof. The agent that holds no credential cannot leak one, and the only thing left to audit is the proof.

V

Victoria Hart

Victoria Hart writes about identity, cloud security, and the architecture of autonomous systems.