At first, it feels harmless.
If the agent is just reading files, editing local code, running tests, or helping me understand something inside my editor, using my own environment makes sense.
In that situation, the agent is still under my supervision. It is helping me work. I still review what it does. I still decide what leaves my machine.
The problem starts when the agent stops only helping and starts acting.
Pushing code is not the same as suggesting code.
Opening pull requests is not the same as editing a file locally.
Reading logs, triggering workflows, accessing private repositories, touching secrets, or deploying something is a completely different level of responsibility.
And this is where credentials become a real design decision.
If the agent uses my credentials, every action looks like mine
That is the part that bothers me the most.
If the agent uses my account, the audit log will probably say that I did the action.
And technically, yes, I gave it access.
But operationally, it is not the same thing as me manually doing every step with full context.
There is a difference between a human making a decision and an agent executing a chain of actions because it interpreted a task in a certain way.
That difference matters.
Not because agents are bad.
Because they are powerful.
A code agent with broad access can move very fast in the wrong direction.
The agent should not be a ghost user
I do not think a code agent should silently borrow human authority forever.
If it is doing autonomous or repeatable work, it probably needs its own identity.
But creating a dedicated credential does not automatically make the setup safer.
If I create a user called ai-agent and give it admin access to everything, I did not solve anything.
I just created a robot with too much power.
The value of a dedicated credential is not the fact that it belongs to an agent.
The value is that it can be smaller, more limited, easier to audit, and easier to revoke.
That is the real point.
Dedicated credentials make more sense when the agent has responsibility
If the agent is doing automated reviews, dependency updates, issue triage, pull request comments, repository maintenance, scheduled tasks, or CI/CD automation, then a dedicated identity starts to make a lot more sense.
Not because it is fancy.
Because it makes things clearer.
You can see what the agent did.
You can limit what it can do.
You can rotate the token.
You can revoke access without touching a human account.
And most importantly, you can separate human actions from agent actions.
That separation is important if we want agents to become a serious part of the engineering workflow.
The simple rule
For now, this is how I think about it:
If the agent is helping me work, using my credentials can be ok.
If the agent is working on my behalf, it needs its own limited identity.
And if the action is risky, like deploying, changing infrastructure, touching production data, or accessing secrets, the agent should not be free to do it alone.
It needs approval, limited access, and a clear audit trail.
The goal is not to make AI-assisted development harder.
The goal is to make it safe enough to scale.
Code agents are becoming part of how we build software.
And if they are going to act like real workers, they also need real boundaries.
OWASP GenAI Security Project: Excessive Agency
OWASP Secrets Management Cheat Sheet
GitHub Docs: GitHub credential types
Top comments (0)