Mastodawn

A friendly PSA to every engineer spinning up AI agents right now:

That API key hardcoded into the script?

Someone said they'd move it to a secrets manager later.

It's been 8 months.

It's still there.

It has access to prod.

Nobody knows what it's touched.

AI agents are getting handed unchecked access with zero oversight.

No rotation. No expiry. No audit trail. No least privilege.

Bhawik Bhagat May 26

We can barely manage human identities. Now we're sprinting to hand machines the keys to everything.

Every agent is an identity. Every identity is an attack surface.

(Yes, this is based on things I have seen. No, I will not elaborate. 😆)

#CyberSecurity #IdentitySecurity #PAM #NonHumanIdentity #AIAgents

∆† яɪ¢κʏ †∆May 26

@bhawikbhagat If you know how to use an AI agent, secrets detection is a prompt away. There have always been shitty developers. Now they're just 10x shitty developers making 10x shitty code.