R-CS-06 Cybersecurity & Adversarial DAMAGE 3.8 / High

Credential and Secret Leakage

Credentials may persist in the agent's context window, appear in logs, be transmitted to downstream agents, or be exposed through tool invocations.

The Risk

Agents are often given credentials or secrets to invoke tools and access services (API keys, database passwords, OAuth tokens). These credentials are passed to agents in context, stored in agent memory, logged in audit trails, or passed through delegation chains.

Secrets management systems (vaults, secret managers) track credentials issued to humans and applications, but often do not track credentials used by agents. An agent might be given an API key in its system prompt, store the key in memory, use it in tool invocations (logging the key in HTTP headers), and pass it to delegated agents.

Secret rotation and monitoring assume that secrets are used by a single, identifiable application. But when secrets are passed through agent chains, the number of places a secret is stored or logged multiplies. A secret used by one application is now exposed in agent memory, delegation context, tool invocation logs, agent output logs, and any downstream agents that received the secret.

How It Materializes

A payment processing company gives agents database credentials to access customer payment information. The credentials are provided to the Payments-Agent in its system prompt: "You have access to the payments database using credentials: user='service_api', password='SuperSecret123'."

The agent processes payment requests by querying the database. The agent logs its database queries for audit purposes, including the credentials in the log entries. The agent then delegates to Risk-Agent to assess payment fraud risk, passing credentials in the delegation context.

Risk-Agent stores the credentials in its memory for future use and logs its analysis including the credentials. The secret is now stored in six different systems: Payments-Agent system prompt, audit logs, Payments-Agent memory, Risk-Agent context, Risk-Agent memory, and Risk-Agent logs.

An attacker with read access to any of these systems can extract the secret. The company's secret vault shows the password is still active. The vault monitoring does not flag that the password is exposed in agent systems, logs, and memories. Additionally, if any of these systems are compromised or searched during a regulatory investigation, the secret is exposed.

DAMAGE Score Breakdown

Dimension | Score | Rationale
--- | --- | ---
D - Detectability | 3 | Credential leakage in agent contexts is difficult to detect because credentials are treated as legitimate data. Requires log scanning for credential patterns.
A - Autonomy Sensitivity | 3 | Affects all agent types. Credentials are necessary for agents to function.
M - Multiplicative Potential | 5 | Every agent given credentials creates leakage risk. Every log, memory, and delegation context is an exposure point.
A - Attack Surface | 5 | Multiple systems store or transmit credentials: agent memory, logs, delegation chains, tool invocations.
G - Governance Gap | 4 | Secret management systems do not account for agent exposure. Secret rotation does not consider agent copies of secrets.
E - Enterprise Impact | 4 | Compromised credentials enable unauthorized database access, tool invocation, and lateral movement.
Composite DAMAGE Score | 3.8 | High. Requires dedicated controls and monitoring. Should not be accepted without mitigation.

Agent Impact Profile

How severity changes across the agent architecture spectrum.

Agent Type | Impact | How This Risk Manifests
--- | --- | ---
Digital Assistant | Low | Credentials are passed by a human at time of use, not stored.
Digital Apprentice | Medium | Agents store credentials in memory but with encryption and limited access.
Autonomous Agent | High | Agents store credentials for autonomous use. Multiple exposure points.
Delegating Agent | Critical | Delegating agent passes credentials to delegated agents. Delegation chain amplifies exposure.
Agent Crew / Pipeline | Critical | Crew agents share credentials. Compromise of any crew member exposes credentials to the entire crew.
Agent Mesh / Swarm | Critical | Mesh agents pass credentials through dynamic peer-to-peer paths. Credentials exposed to an unpredictable agent set.

Regulatory Framework Mapping

Framework | Coverage | Citation | What It Addresses | What It Misses
--- | --- | --- | --- | ---
NIST CSF 2.0 | Partial | PR.PT-2 (Secrets Management) | Secrets and credential management. | Agent credential exposure across systems.
NIST SP 800-53 | Partial | IA-4, IA-7 | Identity and credential management. | Agent credential lifecycle.
NIST SP 800-63B | Partial | Credential Management | Credential issuance and lifecycle. | Agent credential exposure in delegation chains.
CIS Controls | Partial | 4.4 (API Token Management) | Credential management. | Agent credential exposure.

Why This Matters in Regulated Industries

Credentials provide access to sensitive systems. If credentials leak through agent systems, an attacker can gain unauthorized access to those systems. Additionally, if credentials are exposed in logs or are stored unencrypted, the institution is not meeting encryption and access control requirements.

Regulators expect institutions to maintain control over all credentials and secrets. When agent architectures multiply the number of locations where secrets are stored and transmitted, the institution's credential management posture is fundamentally weakened.

Controls & Mitigations

Design-Time Controls

  • Never pass credentials in agent system prompts or context. Use secret management systems to provide credentials at runtime, not at initialization.
  • Implement credential abstraction: agents request access to services through authorization layers (identity brokers), not by using credentials directly.
  • Use short-lived credentials for agents. Credentials should expire quickly (hours, not days or months), limiting the exposure window if one is compromised.
  • Use Component 2 (Cryptographic Identity) for agent authentication instead of shared credentials. Each agent has a unique cryptographic identity that does not need to be stored in logs.

Runtime Controls

  • Implement credential encryption at rest and in transit. Credentials stored in agent memory should be encrypted. Credentials passed through delegation should be encrypted.
  • Redact credentials from logs. Log scanning should identify credential patterns (API key patterns, password patterns) and redact them before logging.
  • Implement audit logging of all credential access. Track when credentials are requested, used, and by which agents. Alert on unusual access patterns.
  • Use Component 3 (JIT Authorization Broker) to mediate all credential access. The broker can provide credentials to agents without storing them, and can audit all credential use.
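The credential-abstraction and broker controls above (agents request access through an authorization layer and never hold the service secret), as an added illustration that is not the framework's Component 3 nor code from the page. The Vault, the payments_db service, the agent identifiers and the POLICY table are all constructed stand-ins for this example.

```python
import hmac
import secrets
import time

class Vault:
    """Stand-in secret manager: mints short-lived credentials and records who holds which id."""
    def __init__(self, ttl_seconds: float):
        self.ttl, self.issued = ttl_seconds, {}           # credential_id -> (secret, expiry)
    def mint(self, service: str):
        cred_id = f"{service}:{secrets.token_hex(4)}"
        self.issued[cred_id] = (secrets.token_urlsafe(24), time.time() + self.ttl)
        return cred_id, self.issued[cred_id][0]
    def is_live(self, cred_id: str, secret: str) -> bool:
        entry = self.issued.get(cred_id)
        return entry is not None and time.time() < entry[1] \
            and hmac.compare_digest(entry[0], secret)

def payments_db(vault: Vault, cred_id: str, secret: str, sql: str) -> dict:
    """Stand-in downstream service: answers only to a live, vault-issued credential."""
    if not vault.is_live(cred_id, secret):
        raise PermissionError("credential missing, forged or expired")
    return {"rows": 1, "query": sql}

class AuthorizationBroker:
    """Mediates tool access: agents present their identity, never a service secret.
    The credential is minted per call, used here, and dropped; the audit trail
    records the credential id and the agent, not the secret value."""
    POLICY = {"payments-agent": {"payments-db"}, "risk-agent": set()}   # constructed policy
    def __init__(self, vault: Vault):
        self.vault, self.audit = vault, []
        self.services = {"payments-db": lambda c, s, q: payments_db(vault, c, s, q)}
    def invoke(self, agent_id: str, service: str, request: str):
        allowed = service in self.POLICY.get(agent_id, set())
        entry = {"agent": agent_id, "service": service, "allowed": allowed, "credential_id": None}
        self.audit.append(entry)
        if not allowed:
            raise PermissionError(f"{agent_id} is not authorized for {service}")
        cred_id, secret = self.vault.mint(service)
        entry["credential_id"] = cred_id
        try:
            return self.services[service](cred_id, secret, request)
        finally:
            del secret                        # the secret never reaches the caller's context
```

A delegated Risk-Agent in this model gets a policy denial and an audit entry, not a copy of the Payments-Agent's credential.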

Detection & Response

  • Conduct regular scans of logs and memory stores for exposed credentials. Use patterns matching common credential formats to identify accidental leakage.
  • Monitor credential usage in secret vaults. Track when credentials are accessed and by which agents. Alert on unexpected access patterns.
  • Implement rapid credential rotation for any credentials known to be exposed to agents. Rotate more frequently than the standard rotation cycle.
  • Implement incident response for credential compromise. If credentials are exposed, revoke them immediately and trace what systems were potentially compromised using the credentials.
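The log-redaction runtime control and the credential-pattern scan from Detection & Response, as an added example that is not code from the page. The regular expressions and the sample log lines (modelled on the Payments-Agent / Risk-Agent scenario) are constructed for this illustration; real deployments would tune the patterns to their own credential formats.

```python
import logging
import re

# Constructed patterns for common credential shapes. Deliberately broad: a
# false positive costs one redacted field, a false negative leaks a secret.
CREDENTIAL_PATTERNS = [
    # key=value style secrets such as password='...' or api_key="..."
    ("key_value",
     re.compile(r"(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)"
                r"(\s*[=:]\s*['\"]?)([^'\"\s,;]+)"),
     r"\1\2[REDACTED]"),
    # HTTP Authorization headers, where tool invocations leak keys
    ("auth_header",
     re.compile(r"(?i)\b(authorization\s*:\s*(?:bearer|basic)\s+)([\w.~+/=-]+)"),
     r"\1[REDACTED]"),
]

# Constructed sample lines mirroring the page's Payments-Agent / Risk-Agent scenario
SAMPLE_LOG_LINES = [
    "Payments-Agent: connecting with user='service_api', password='SuperSecret123'",
    "Payments-Agent: GET /payments/42 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "Risk-Agent: delegation context received api_key=sk-ABCDEFGHIJKLMNOPQRST",
    "Risk-Agent: fraud score for payment 42 = 0.12",
]

def redact(text: str) -> str:
    """Replace every credential value with [REDACTED], keeping the field name."""
    for _, pattern, replacement in CREDENTIAL_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

def scan_for_credentials(lines):
    """Detection scan of stored logs/memory: report (line_number, label), never the secret."""
    return [(lineno, label)
            for lineno, line in enumerate(lines, start=1)
            for label, pattern, _ in CREDENTIAL_PATTERNS if pattern.search(line)]

class CredentialRedactingFilter(logging.Filter):
    """Runtime control: attach with logger.addFilter(...) so every record is
    redacted before any handler writes it to a file, SIEM or audit trail."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), ()
        return True

def filter_record(message: str) -> str:
    """Apply the filter to one record the way a logger would; return what a handler sees."""
    record = logging.makeLogRecord({"msg": message, "args": ()})
    CredentialRedactingFilter().filter(record)
    return record.getMessage()
```

The scan reports where a credential-shaped value sits without echoing it, so the scan output itself does not become a seventh copy of the secret.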
