Agent Credential Vault
Broker the agent's credentials at action time through a managed vault so secrets never enter the prompt — ensuring Agent Confession exposes directives but not live credentials.
Intent & Description
Short description: A trusted vault component injects credentials directly into target services at action time, keeping passwords and MFA seeds out of model context even under adversarial prompt pressure.
🎯 Intent
Ensure that a successful Agent Confession — where an attacker tricks the agent into repeating its operational directives — yields no usable credential material, because the agent’s context holds only governed references, never secret values.
📋 Context
An agent automates work requiring authentication to real services: login forms, 2FA challenges, session cookies. These credentials are high-value. If they appear in the system prompt or tool arguments, a single successful Agent Confession exposes them to an attacker who controls any document or message the agent reads. The agent is simultaneously the authentication actor and the target of adversarial prompting from the content it processes.
💡 Solution
- Run a credential vault as a trusted runtime component invoked by reference — the agent names what it needs, the vault injects the value without surfacing it in model context or tool arguments.
- At no point does the agent’s context contain a password, TOTP seed, session cookie, or persona identity value — so Agent Confession against the model yields only reference names, not usable secrets.
- Each authenticated action is logged against the vault-held identity for forensic audit.
- Integrate with identity providers (Cognito, Okta, Entra ID) for governed agent identity and credential lifecycle.
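The broker flow described in the bullets above, as an added illustration that is not part of this pattern card: the model's tool call carries only a reference name, the vault resolves it and performs the login (including computing the TOTP code from a seed it never releases), the agent gets back an opaque session handle, and every action is written to an audit log keyed to the vault-held identity. All vault contents, the service stub and the function names are constructed for the example.

```python
import base64, hashlib, hmac, secrets, struct, time

# Constructed sample vault record (hypothetical names); real deployments read from a managed store.
SAMPLE_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
VAULT = {"crm-login": {
    "identity": "agent-crm-svc",            # governed identity every action is attributed to
    "username": "agent@example.test",       # persona identity value, also kept out of context
    "password": "CONSTRUCTED-PASSWORD",
    "totp_seed": SAMPLE_SEED_B32,
}}
AUDIT_LOG = []  # one entry per authenticated action, never containing secret values

def totp(seed_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), computed inside the vault so the seed never leaves it."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(base64.b32decode(seed_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class StubService:
    """Stands in for the target site's login endpoint; it 'knows' the constructed account above."""
    def login(self, username, password, code):
        rec = VAULT["crm-login"]
        now = time.time()
        code_ok = code in (totp(rec["totp_seed"], now), totp(rec["totp_seed"], now - 30))
        ok = username == rec["username"] and hmac.compare_digest(password, rec["password"]) and code_ok
        return secrets.token_hex(16) if ok else None  # opaque session handle on success

def vault_login(credential_ref, service):
    """Resolve the reference, inject the secrets into the service, return only an opaque handle."""
    rec = VAULT[credential_ref]
    session = service.login(rec["username"], rec["password"], totp(rec["totp_seed"]))
    AUDIT_LOG.append({"identity": rec["identity"], "ref": credential_ref, "ok": session is not None})
    return session

def agent_tool_call(tool_args, service):
    """Everything the model emits and receives: a reference name in, a handle out."""
    handle = vault_login(tool_args["credential_ref"], service)
    return {"logged_in": handle is not None, "session": handle}

def leaks_secret(model_visible_text, credential_ref):
    """Confession check: would repeating this text expose any vault-held value?"""
    rec = VAULT[credential_ref]
    return any(v in model_visible_text for v in (rec["password"], rec["totp_seed"], rec["username"]))
```

Run `leaks_secret` over the concatenation of the tool arguments and the tool result to confirm that a confession of the agent's full context yields only `"crm-login"` and a session handle.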
Real-world Use Case
- The agent must authenticate to real services; embedding credentials in the prompt would make Agent Confession a full credential compromise.
- Web automation requires typing credentials into forms or entering one-time codes that arrive by email. The vault handles the injection so the model never sees the values.
- The agent faces adversarial content (emails, web pages) that may contain Agent Confession triggers aimed at extracting authentication context.
Source
Advantages
- A successful Agent Confession yields only credential reference names — no usable passwords, tokens, or TOTP seeds.
- The agent has a governed identity whose access can be scoped, rotated, and revoked centrally.
- Each authenticated action is attributable to the vault-held identity for post-incident forensic review.
Disadvantages
- The vault is a high-value trusted component — a breach of the vault itself is far more damaging than any Agent Confession.
- Injecting into live pages and challenges is brittle as sites change and add bot defenses.
- Centralising real credentials concentrates regulatory and breach-notification exposure.