SAIL 2.0

/

Build - AI Security Posture Management

/

Exposed AI and Agent Access Credentials in Discovered Assets

3.12

.

Exposed AI and Agent Access Credentials in Discovered Assets

sail
3.12
Risk

Exposed AI and Agent Access Credentials in Discovered Assets

Description

During the discovery of assets (code, configurations, documentation), sensitive AI and agent credentials (API keys, OAuth tokens, MCP tokens, passwords) are found to be insecurely stored or embedded.

Example

An agent configuration file discovered in a shared repository contains hardcoded API keys to a cloud AI service and a long-lived MCP server token.

Assets Affected

AI Provider Access Credentials

Agent Identity

Notebook

Agent Config

Model Metadata

Mitigation
  • Implement secure credential management practices from the outset
  • use secrets management tools
  • scan discovered code and configurations for hardcoded secrets
  • enforce policies against insecure credential storage.
Standards Mapping
  • ISO: A.4.5, A.6.2.4
  • OWASP agentic: ASI03
  • EU AI Act: Art. 15(5)
  • DASF: Agents-MCP Server 13.19, Agents-MCP Client 13.27
  • AIUC-1: B007, B008