AI agents are starting to do real work against real APIs: filing tickets, moving money, updating records, calling other agents. The fastest way to get there is also the most dangerous one — paste a long-lived API key into the agent's environment and let it run. That key is now a standing liability. It rarely expires, it usually carries far more scope than the task needs, and the moment it leaks from a log, a prompt, or a compromised tool, an attacker inherits everything the agent could ever do.
The fix is not "be more careful with keys." It is to stop issuing standing keys to agents at all.
We have decades of practice applying least privilege to people. Agents are different in three ways that make standing credentials especially risky:
So the unit of access for an agent should be a short-lived, narrowly scoped credential minted for a specific task — not a copy of your production key.
A useful scoped credential pins down several dimensions at once:
In practice a grant looks something like this:
{
"audience": "api.github.com",
"operations": ["GET"],
"resources": ["/repos/acme/billing/issues/*"],
"expires_in": "15m",
"rate_limit": "60/min"
}
When all five are tight, a leaked credential is worth very little: it stops working almost immediately and only ever opened a small door.
The cleanest way to deliver this is a credential broker that sits between your agents and your secrets. The model never sees a real secret. Instead:
Because the secret is resolved at call time and never handed to the model, you can rotate or revoke it without touching a single agent. And because the broker is the one place every agent call flows through, it is also the natural place to enforce scope and capture an audit trail.
The end state: agents carry no durable secrets, every credential is minted for a purpose and expires on its own, and you can answer "what could this agent do?" by reading a policy instead of guessing. Least privilege was always the goal — scoped, short-lived credentials are how agents get it by default.