[R]
Back to blog

Agentic Credential Architecture

AI agents need a fundamentally different security model than humans. Here's a nuanced take on what that model looks like.

#security#ai#identity#agents
TL;DR

Traditional identity and access management was designed for humans: infrequent authentication, interactive flows, durable sessions. AI agents operate under entirely different constraints.

The security model that fits those constraints is built on four principles: ephemeral credentials, contextual access, attenuating scope, and delegation lineages. This post explores what each principle means and why they matter for securing autonomous systems.

Different Actors, Different Constraints

Here's how credentials work in most AI agent deployments today: API keys live in .env files or platform secrets managers (AWS Secrets Manager, HashiCorp Vault, the secrets tab in your cloud provider's console). The agent runtime pulls them at startup or retrieves them via SDK calls. This is the recommended practice in every major agent framework's documentation.

It's also insufficient for the problem. To be clear: using secrets managers is vastly better than hardcoding credentials. The bar was "don't commit API keys to git," and most teams clear it. But clearing a low bar doesn't mean you've reached adequate security for autonomous systems.

The issue isn't developer negligence. The tooling and guidance exist, and most teams follow it.

The issue is that even well-managed secrets still result in credentials that are static, long-lived, broadly scoped, and visible to the agent runtime. Case in pointCVE-2025-68664 in LangChain core demonstrated how deserialization vulnerabilities could exfiltrate environment variables through crafted LLM outputs. The secrets were in a secrets manager. They were loaded per best practices. They were still exposed, because the agent runtime had access to them, and the agent runtime was compromised.

The fundamental issue is that we're applying a credential model designed for one set of constraints to actors operating under entirely different constraints. Traditional IAM assumes:

  1. Authentication is infrequent. Humans log in once per session, maybe once per day.
  2. Flows are interactive. There's a human available to click through consent screens and enter MFA codes.
  3. Sessions are durable. Once authenticated, access persists for hours or days.
  4. Actors are predictable. Humans follow recognizable patterns; anomalies are detectable.

These assumptions made sense for their context. They enabled pragmatic tradeoffs between security and usability that served human users well for decades.

AI agents operate under different constraints. They authenticate thousands of times per minute. They can't interact with consent flows. They spawn ephemeral sub-agents that need their own credentials. They operate with a velocity and autonomy that makes "normal behavior" difficult to define. The ratio of non-human to human identities in enterprise environments is already somewhere between 45:1 and 100:1, depending on whose research you believe. Agents are about to make that ratio look quaint.

Secrets managers solve the storage problem. Credentials aren't hardcoded; they're centralized, encrypted, access-controlled. That's necessary. But secrets managers don't solve the consumption problem: how agents use credentials at runtime. The credential pulled from Vault is still static, still long-lived, still broadly scoped. The agent runtime still has access to it (and therefore can leak it). There's no connection between the credential and the specific task it enables. There's no delegation lineage when one agent spawns another.

What we need is a credential architecture designed for agent constraints from the start. That architecture rests on four principles.

Principle 1: Ephemeral by Default

Long-lived credentials are the original sin of secrets management. We know this. We've known it for decades. And yet the default for most systems is still "create a token, use it until it breaks, maybe rotate it annually if compliance is watching."

For human users, long-lived credentials are a pragmatic tradeoff. The friction of frequent re-authentication is real, and humans are reasonably good at protecting their credentials (or at least, we've built a lot of infrastructure around the assumption that they'll try).

Agents have no such excuse. They don't experience friction. They don't get annoyed by re-authentication. They're software. The only reason to give an agent a long-lived credential is laziness in the implementation. Technical note"Ephemeral" should mean minutes, not days. For most agent tasks, a TTL of 15-60 minutes is appropriate. For sensitive operations, single-use tokens with sub-minute expiration are better. The goal is to minimize the window during which a compromised credential is useful.

The principle: credentials should live only as long as the task they enable. When an agent completes a workflow, its access should evaporate. When an agent times out or crashes, its credentials should already be expired or immediately revocable. There should be no credential lying around that a future attacker could harvest.

This isn't just defense-in-depth. It's a recognition that agents operate in environments we can't fully control. They run on infrastructure we don't own, interact with LLMs whose behavior we can't predict, and execute code paths we didn't anticipate. The blast radius of any compromise should be bounded by time.

Principle 2: Contextual Access

Static permissions are a poor fit for dynamic systems. An agent that handles customer support tickets needs different access when triaging a billing question versus escalating a security incident. The resources it touches, the actions it takes, and the sensitivity of the data involved vary by task.

The traditional approach is to grant the union of all permissions the agent might ever need. This is convenient for developers and catastrophic for security. It means every agent operates with maximum privilege, regardless of what it's actually doing at any given moment. This is the "confused deputy" problem, scaled to autonomous systems. An overprivileged agent can be tricked (via prompt injection, malformed inputs, or tool misuse) into taking actions it was technically authorized to perform but contextually shouldn't have.

The alternative is contextual access: permissions that adapt to the specific task being performed. This requires:

  1. Task-scoped credentials. Instead of "access to the email system," the credential grants "read access to emails from sender X in the last 24 hours."
  2. Runtime policy evaluation. Access decisions incorporate current context (who initiated the task, what the agent is trying to do, what resources are involved) rather than relying on static role assignments.
  3. Just-in-time provisioning. Credentials are issued at the moment of need, with scope derived from the immediate task, not pre-provisioned with broad permissions.

This is harder to build than static RBAC. It requires deeper integration between the credential system and the agent's execution environment. But it's the only way to approximate least privilege in a system where "what the agent needs" changes continuously.

Principle 3: Attenuating Scope

Agents spawn agents. A research agent might invoke a web search agent, which invokes a content extraction agent, which invokes an API calling agent. Each layer of delegation introduces a question: what permissions does the child agent inherit?

The human world has a concept for this: delegation. When I delegate a task to a colleague, they implicitly operate under my authority, constrained by organizational policies. But the controls are coarse, and the tracing is poor. If my delegate's delegate's delegate does something problematic, good luck reconstructing how authority flowed. Formal propertyThe security term for this is "monotonic attenuation" or "authority non-amplification." A derived credential can have equal or lesser permissions than its parent, but never greater. This is a fundamental property of capability-based security systems, and it's exactly what agent delegation needs.

For agents, we need a stricter model: scope can only attenuate through delegation, never expand. If Agent A has read access to all emails and delegates to Agent B for a specific task, Agent B can receive read access to a subset of emails, but cannot somehow acquire write access or access to additional mailboxes.

This seems obvious, but it's not how most systems work. In practice, delegation often involves passing the parent's full credentials to the child (scope preserved, not attenuated) or having the child authenticate independently with its own static permissions (scope disconnected from the delegation chain entirely).

The principle requires:

  1. Credential derivation. Child credentials are mathematically derived from parent credentials, with scope explicitly narrowed at each step.
  2. Policy inheritance. Restrictions propagate down the delegation chain. If the parent is rate-limited or geographically restricted, so are all descendants.
  3. Scope ceiling enforcement. The system must reject any attempt to issue a derived credential with greater permissions than its ancestor.

This is where cryptographic approaches become useful. If credentials are structured as capabilities with cryptographic attestation of their provenance, the system can verify that scope attenuation was properly applied at every delegation step.

Principle 4: Delegation Lineages

When an agent takes an action, the question "who authorized this?" should have a clear answer. Not just "which agent," but "which human initiated the workflow, through which chain of delegation, with what policies applied at each step." This is the "audit problem" that compliance teams have been struggling with since the first service account was created. Agents make it exponentially harder because the delegation chains are deeper, the actions are faster, and the human at the origin is further removed from the outcome.

Most audit logs today capture the proximate actor: "Agent X accessed Resource Y at Time Z." That's necessary but insufficient. What we need is the full lineage: "Human H authorized Agent A, which delegated to Agent B with policy P, which delegated to Agent C with policy Q, which accessed Resource Y."

This lineage serves multiple purposes:

Accountability. When something goes wrong, we can trace back to the human whose intent was (presumably) misinterpreted or exceeded. This isn't about blame; it's about understanding where the authorization model broke down.

Forensics. After a security incident, the lineage tells us exactly how the attacker (or the buggy agent) obtained the credentials used. Was it a stolen parent credential? A policy misconfiguration? An overly broad initial grant?

Policy enforcement. Some actions should require shorter delegation chains (high-sensitivity operations) or specific human oversight at certain points. The lineage makes these policies expressible and enforceable. Implementation noteLineages are most naturally represented as signed chains, where each step in the delegation appends its own attestation. Think of it like a blockchain for authority, minus the useless proof-of-work. Each credential carries the full history of how it came to exist.

The principle: every credential should carry its complete delegation history, and every action should be logged with the full chain of authority that enabled it.

Architectural Implications

These four principles have design consequences. You can't easily retrofit them onto a system designed around long-lived credentials and static permissions. They suggest:

Credential issuance as a first-class operation. The system must be able to mint credentials rapidly, with task-specific scope, derived from parent credentials with proper attenuation. This is closer to a capability system than a traditional IAM.

Separation of credential management from agent execution. Agents should not hold or manage their own credentials. They should receive credentials from a trusted issuer, use them for the immediate task, and never store them. The credential system is the security boundary; the agent is an untrusted consumer. This is the "access without exposure" model. The agent gets access to the resource, but never sees or controls the credential that grants that access. This is achievable through injection patterns (credentials populated into the execution environment by a trusted orchestrator) or proxy patterns (requests routed through a gateway that attaches credentials).

Policy engines that understand context. Access decisions need to incorporate task semantics, not just identity and resource. This likely means integration between the credential system and the agent orchestration layer, so the credential issuer knows what task is being performed and can scope accordingly.

Immutable, queryable audit logs. Lineages are useless if they're not stored durably and searchable efficiently. Every credential grant, every delegation, every access should be logged with full context. The audit system becomes a critical component, not an afterthought.

The Standards Situation

The good news is that relevant standards are emerging. MCP (Model Context Protocol) provides a foundation for agent-to-tool communication that can be secured with proper credential handling. OAuth 2.1 with PKCE, Dynamic Client Registration, and Rich Authorization Requests provides primitives for fine-grained, short-lived tokens. SPIFFE/SPIRE offers workload identity for the compute layer. The bad news is that standards are emerging. Plural. MCP, Okta's XAA, Google's A2A, various IETF drafts... the fragmentation is real, and betting on the wrong standard is expensive. My advice: build on OAuth 2.1 as the foundation (it's not going anywhere) and treat the agent-specific protocols as integration layers that can be swapped.

The bad news is that none of these standards, individually, give you the full model I've described. You need to compose them carefully, fill gaps with custom implementation, and accept that some of what you build today will need to change as standards mature.

The worse news is that most agent frameworks don't even try. LangChain, AutoGPT, CrewAI, and the rest treat credential management as someone else's problem. They assume you'll figure it out and inject the right secrets at the right time. This is perhaps understandable (framework authors can't anticipate every deployment environment) but it means the security burden falls entirely on the application developer.

Evaluating Solutions

I don't have a vendor recommendation. The market is too immature for confident picks. But I can offer evaluation criteria:

  1. Does it default to ephemeral? If the system's natural state is long-lived credentials, you're going to fight it constantly.
  2. Can it scope to context? Static roles are a red flag. You need task-level granularity.
  3. Does delegation attenuate? If a child agent can end up with more access than its parent, walk away.
  4. Are lineages preserved? If you can't trace an action back to its authorizing human through the full delegation chain, your audit capability is theater.

The organizations that get this architecture right will deploy agents with confidence. The ones that don't will deploy them anyway, crossing their fingers that nothing goes wrong.

Crossed fingers are not a security architecture.

0❤++