Most secrets management tools were designed around one threat: unauthorized access to stored credentials. Vault, Secrets Manager, Doppler, 1Password — these tools encrypt credentials at rest, control who can retrieve them, and audit access. For the threat they were built for, they work well.
AI agents introduced a different threat. The tools built for the first one do not address the second.
Protection at rest
A credential at rest is a credential in storage, whether in a database, a file, or a vault. The threat is unauthorized access to that storage. The defense is encryption, access control, and audit logging.
When you store a Stripe API key in HashiCorp Vault, the key is encrypted at rest. Only authorized principals can retrieve it. Every retrieval is logged. The threat model assumes someone gains access to the storage system, and the defense is making that access difficult and detectable. This is a well-understood problem with mature solutions that have existed for years.
Protection at inference time
An AI agent does not just store credentials. It retrieves them and uses them. The moment of retrieval is where the threat model changes in a way that existing tools were not designed to handle.
When your agent calls vault.get("STRIPE_KEY"), the value enters application memory. For a traditional application, this is fine. The application cannot be prompt-injected. It cannot be redirected by a malicious document. It does exactly what you programmed it to do, nothing more.
An AI agent processes external inputs at inference time. It reads content that may contain instructions designed to redirect its behavior. If it holds a credential value when that redirection happens, the value is reachable by the attacker, even if it was safely protected in storage a moment before.
Protecting the credential at rest is necessary but not sufficient on its own. The retrieval step creates a new exposure window that protection at rest does not cover.
What that window looks like in practice
Consider the sequence:
- Agent starts, retrieves credentials from Vault or environment
- Agent begins processing tasks — reading webpages, handling documents, calling APIs
- Agent encounters a malicious prompt injection payload in external content
- Payload instructs agent to exfiltrate credentials
- Agent has the values and complies
Step 1 is where protection at rest ends. Everything after is the window that existing tools were not designed to close, and the window stays open for the entire duration of the agent's execution. Every webpage it reads and every document it processes is a potential attack vector during that time.
Closing the window
The only way to close this window completely is to ensure the credential value never enters it. The agent should reference credentials by name rather than by value. The value should resolve at the transport layer when an API call is made, not at the application layer when the agent starts. The agent's execution context should never contain the credential value at any point.
# Traditional approach — value enters execution context at startup
stripe_key = vault.get("STRIPE_KEY") # window opens here
# AgentSecrets approach — value never enters execution context
response = client.call(
"https://api.stripe.com/v1/balance",
bearer="STRIPE_KEY" # name only — value resolves in the proxy
)
The agent using the second approach has no credential value to exfiltrate. The inference-time window exists, but there is nothing inside it.
Both protections are necessary
This is not an argument against protecting credentials at rest. Vault, Secrets Manager, and similar tools are solving a real and important problem. The argument is that for AI agents specifically, protection at rest alone is not the complete picture.
An agent that retrieves credentials from a secure vault into an unprotected execution context is safer than one reading from a plaintext .env file, but it is still not safe from the inference-time threat. The protection ended the moment retrieval happened.
The complete security model for AI agents requires both halves: protect the credential in storage, and ensure it never enters the agent's execution context when it is used.
AgentSecrets is built around the second half of that requirement. The full architecture is at agentsecrets.theseventeen.co. The repository is at github.com/The-17/agentsecrets.
Top comments (0)