Identity and Permission Design
An agent is not a human. Giving an agent a human's credentials means the agent acts with the human's full privilege — and an injected agent with admin credentials is an admin compromise. Agents need their own non-human identities, scoped to the current task, exchanged per action via RFC 8693 token exchange, and isolated from the agent process entirely. The agent never holds a long-lived secret; the harness does.
An agent borrowing a human's credentials is an identity-design failure, not a convenience. The agent inherits the human's full privilege — the blast radius is the credential's scope, not the task's requirement. An injected agent with borrowed admin credentials is an admin compromise, and it looks legitimate in access logs because the credential was never stolen, it was handed over. The fix is not better injection defense (B2) or better tool provenance (B4) — it is that the agent never holds the human's credentials at all. Agents get their own non-human identities (NHIs), scoped to the task, revocable independently, and auditable as non-human. NHIs are the fastest-growing identity category in cloud security.
Least privilege for agents means per-task scoped credentials, not role-level privilege. An agent should hold exactly the permissions its current task requires, no more — not the permissions the agent's role might need across a day. The operational realization is RFC 8693 token exchange: the agent holds a short-lived session token (NHI-scoped, TTL: minutes); the harness exchanges it per action for an action token (narrower scope, specific audience, TTL: seconds). An injected agent that captures the action token gains at most one action against one audience for seconds — it cannot pivot to other APIs, scopes, or principals. The agent never holds a long-lived secret.
The load-bearing principle: credentials live in a vault the harness accesses, not in the agent process. The agent never sees the raw credential. An agent that can read its own credentials (env var, config file, system prompt) can exfiltrate them — and the system prompt is the single worst anti-pattern, because the prompt is text the model reads and can be coerced into repeating. The defense is credential isolation: the credential is never in the agent's environment; the harness retrieves it from a vault, mints the action token, makes the call, and returns only the result. This is DD-20 IronCurtain's credential quarantine (the agent holds only fake keys; the harness swaps for real) realized via a vault and token exchange without a MITM proxy. The agent cannot exfiltrate what it does not possess.
ASI03 (Excessive Agency) and ASI10 (Broken Access Control) compound into privilege-escalation chains, and the defense is the B2.3 resolution applied to the privilege boundary. Over-provisioned NHIs (ASI03) + missing scope enforcement (ASI10) = an injected agent escalates beyond its intended privilege. The defense-in-depth: per-task scoped credentials (narrow at issuance), scope-check middleware (the deterministic gate — structural, enumerable, no model in the loop, no bypass rate), credential isolation (the agent cannot steal a broader token), and API-side scope enforcement. The scope check is a compiled boolean — the agent cannot talk its way past it. This is determinism on the privilege boundary, just as B2 put determinism on the taint boundary.