Blog

Security thinking for AI agent teams.

Practical writing on credential management, zero-trust architecture, and building AI agents that security teams can approve.

Security

Why AI agents should never hold long-lived API keys

Long-lived credentials in agent contexts create an exposure surface that's fundamentally different from human authentication. Here's the threat model.

May 4, 2026 · 8 min read

Architecture

Just-in-time credentials: the security model every AI agent deployment needs

AWS STS got it right for cloud resources. Here's how to apply the same just-in-time model to every credential an AI agent might need.

May 4, 2026 · 10 min read

Guide

How to pass secrets to AI agents without putting them in the prompt

A practical guide to every method available today — environment variables, tool injection, vault references, and just-in-time nonces — with a security analysis of each.

May 4, 2026 · 12 min read

Analysis

The credential exposure surface area of a typical AI agent deployment

Most teams underestimate how many places their agent's credentials can leak. We mapped it out — from system prompts to cloud logs to memory stores.

May 4, 2026 · 9 min read

Zero Trust

Zero-trust principles for AI agent authentication

Zero-trust says "never trust, always verify." AI agents test this model in new ways. Here's how to apply zero-trust thinking to agent identity and credential access.

May 4, 2026 · 11 min read

Stop putting API keys in prompts.

10,000 nonces/month free. No credit card required.

Generate your first nonce — free