Agent Identity Sprawl
Your agent fleet mints identities at machine speed while credential scoping, rotation, and revocation crawl at human speed — leaving an ungovernable attack surface.
Intent & Description
🎯 Intent
Over-privileged, long-lived credentials pile up faster than anyone can audit or revoke them — widening the attack surface continuously.
📋 Context
Each agent, sub-agent, and tool integration needs a credential (service account, API key, OAuth token). Provisioning is instant and automated. Governing it — scoping least privilege, rotating secrets, tracking ownership, revoking on retirement — still runs through human-speed review. The mismatch is the problem.
💡 Solution
Issue short-lived, least-privilege credentials by default. Bind every identity to an owning agent and a retirement trigger so it’s revoked when the agent is decommissioned. Reconcile created vs. active vs. owned identities continuously at machine speed — flag orphans automatically. See agent-credential-vault, delegated-agent-authorization.
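As an added illustration of the reconciliation step (example code written for this page, not a tool from the pattern catalog), the check below compares an inventory of issued credentials against the agent registry and flags unknown owners, orphans whose owning agent is retired or unregistered, long-lived tokens, and expired secrets that were never revoked. The data model, field names and the 24-hour validity threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
MAX_TTL = timedelta(hours=24)  # policy threshold (assumption): longer validity counts as long-lived

@dataclass
class Credential:
    cred_id: str
    owner_agent: Optional[str]  # agent bound at issuance; None = ownership never recorded
    issued_at: datetime
    expires_at: datetime
    revoked: bool
@dataclass
class Agent:
    agent_id: str
    decommissioned: bool  # the retirement trigger that should have revoked its credentials

def reconcile(creds: list, agents: list, now: datetime) -> dict:
    """Compare issued credentials against the agent registry; return policy findings per credential."""
    registry = {a.agent_id: a for a in agents}
    findings = {}
    for c in creds:
        if c.revoked:
            continue  # already retired; nothing left to govern
        issues = []
        if c.owner_agent is None:
            issues.append("unknown-owner")
        elif c.owner_agent not in registry:
            issues.append("orphan:owner-not-in-registry")
        elif registry[c.owner_agent].decommissioned:
            issues.append("orphan:owner-decommissioned")
        if c.expires_at - c.issued_at > MAX_TTL:
            issues.append("long-lived")
        if c.expires_at <= now:
            issues.append("expired-not-revoked")
        if issues:
            findings[c.cred_id] = issues
    return findings

# Constructed sample inventory; agent and key names are made up for this example.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
H, D = timedelta(hours=1), timedelta(days=1)
AGENTS = [Agent("planner-01", False), Agent("scraper-07", True)]
CREDS = [
    Credential("k1", "planner-01", NOW - H, NOW + H, False),            # healthy: short-lived, owner active
    Credential("k2", "scraper-07", NOW - 30 * D, NOW + 335 * D, False),  # owner retired, year-long token
    Credential("k3", None, NOW - 2 * D, NOW - D, False),                # nobody owns it, expired, never revoked
    Credential("k4", "ghost-99", NOW - H, NOW + H, False),              # owner was never registered
    Credential("k5", "scraper-07", NOW - D, NOW - H, True),             # correctly revoked at retirement
]
```

Run `reconcile(CREDS, AGENTS, NOW)` on a schedule against the real inventory and registry; every non-empty finding is a candidate for automatic revocation or an ownership ticket.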
Real-world Use Case
- Your fleet provisions credentials faster than it retires them.
- Auditing standing access reveals orphaned API keys and service accounts of unknown ownership.
- Identity governance is waiting on human review while identity creation is fully automated.
Source
📌 TL;DR
Automate identity governance to match the speed of identity creation — or orphaned, over-privileged credentials will quietly widen your attack surface.
Disadvantages
- Orphaned credentials outlive their agents and grant standing access long after they’re needed
- No one knows who owns a given identity, so revocation gets skipped
- A single leaked long-lived token grants broad standing access across the fleet