AI agents are starting to do real work against real APIs: filing tickets, moving money, updating records, calling other agents. The fastest way to get there is also the most dangerous one — paste a long-lived API key into the agent's environment and let it run. That key is now a standing liability. It rarely expires, it usually carries far more scope than the task needs, and the moment it leaks from a log, a prompt, or a compromised tool, an attacker inherits everything the agent could ever do.
The fix is not "be more careful with keys." It is to stop issuing standing keys to agents at all.
Least privilege, but for non-human identities
We have decades of practice applying least privilege to people. Agents are different in three ways that make standing credentials especially risky:
They act fast and unattended. A misused human credential might do damage for minutes before someone notices. An agent loop can make thousands of calls before anyone looks.






