NHI and Agentic Risk: Secrets, Memory, and Persistence
Leaked secrets become durable agent memory. That's why breaches linger.
Third post in the series. Focus here: secrets live longer than systems, and agents remember more than we expect.
The OWASP overlap: NHI2 (secret leakage) maps to ASI02 (tool misuse) and ASI06 (memory and context poisoning). NHI7 (long-lived secrets) maps to ASI06 and ASI08 (cascading failures). The common thread is durability — once a secret is exposed, it gets copied into places that were never designed for secret storage.
Persistence is usually mundane. Old tokens are still accepted by external tools. Credentials get copied into prompts, notes, or logs. Agent memory stores sensitive artifacts without lifecycle controls. Even after rotation, the copies stay behind.
A build token appears in CI logs. An agent troubleshooting a pipeline scrapes the logs and stores the token in working memory. Later, a different task reuses the same memory and calls a tool with that token. The incident looks like agent misuse, but the root cause is a leaked secret that was never fully removed.
The controls are familiar — they just need to cover agent systems too. Short TTLs and forced rotation to reduce dwell time. Automated discovery of unused NHIs. Memory boundaries that define what’s stored, where, and for how long. Secret scanning that includes logs, prompts, and agent memory stores, not just repositories.
In agentic systems, secrets aren’t just keys. They’re durable context. That’s why breaches linger.