Keeping credentials safe while autonomous agents act on your behalf — trust models, least privilege, and secret-leak attacks.
7 articles
Agent-to-agent trust is a 4-layer stack borrowed from web auth (signed cards, OAuth/mTLS, token exchange) — and the injection gap none of it closes.
Least privilege bounds what a tricked AI agent can do — not whether it's tricked: authz policy, JIT tokens, and the confused-deputy ceiling it can't cross.
Prompt injection is a 3-stage credential kill chain: injection lands, the agent reads a secret, it leaves via an allowed channel. Three defenses matter.
Six rungs of protecting an AI agent's secret, weakest to strongest—each defeats a different threat, but none stops a tricked agent misusing what it unlocks.
Credential the LLM never sees: resolve secrets below the model, inject them on the wire, and account for MCP, logs, and confused deputies.
A poisoned AI agent memory can wait weeks, then leak an API key. Persistence and key-theft are each demonstrated; chaining them isn't—yet. Here's the fix.
AI agents warn about API keys because the risk is real. But warning after a secret enters context is not protection.