The incident-response agent in HashiCorp's demo connects to a production webserver and a PostgreSQL database using separate, ephemeral identities that expire after each session — no static credentials, no shared secrets.
That's the difference between treating AI agents as legacy scripts with embedded SSH keys and treating them as sensitive, auditable actors. HashiCorp's blog post on agentic AI access control, published this week, walks through a concrete scenario that shows exactly why IAM for agents can't be an afterthought.
Why Static Credentials Are a Blast Radius for Agentic AI
Most agentic frameworks today — orchestration layers, MCP servers, local tool runners — embed static credentials directly into their configuration. If that agent or its orchestration layer gets compromised, every resource those credentials can touch is exposed.
HashiCorp's solution combines Boundary for session-level access control with Vault for dynamic secrets. An agent authenticates with a short-lived identity, requests a session to a specific target (e.g., demo-web-server-target), and gets credentials injected — not stored — into that session. Once the session ends, the credential is gone and the identity is deactivated.
How the Incident Response Demo Works
The scenario starts with a Datadog alert: a production web service health check fails. The agent's local environment contains no static secrets — it holds only a pointer to a Boundary target. When the agent needs to inspect systemctl status or read /etc/demo-web-app.env, it establishes a session through Boundary's proxy, which authorizes the action, injects a Vault-generated SSH credential, and logs every command.
During the investigation, the agent queries a reporting database to identify impacted customers. The database account acfaria-codex-agent-20260515t175643z is dynamically created for that single intent. After the query, the account is destroyed. The operator sees four impacted customers — Acme Bank (1840 users), Northwind Health (620), Contoso Retail (310), Alpine Media (145) — all tied to the misconfigured PORT=not-a-number environment variable.
No Standing Privileges, Full Audit Trail
When the operator approves the fix (restore PORT=8080 and restart the service), the agent gets a fresh session account acfaria-codex-agent-20260515t181615z. Every command — tee, systemctl restart, curl — runs through Boundary's proxy, which records the session for playback.
HashiCorp's deputy CTO for security, the post's implied author, notes that this pattern removes the single biggest attack vector in agentic AI: secrets embedded inside tool runners and orchestration frameworks. By abstracting credentials and rotating identities per session, the blast radius of any compromise is limited to exactly one session's activity.
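One way to check the "no standing privileges" claim from the defender's side is to audit the accounts that actually exist on a target. The sketch below is an added example, not code from HashiCorp or the demo. It assumes the suffix of the session account names quoted above is a UTC creation timestamp, and the 15-minute lifetime, the audit time and the two non-session account names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed convention, inferred from the two names quoted in the article:
# <prefix>-<YYYYMMDD>t<HHMMSS>z, where the suffix is the UTC creation time.
SESSION_ACCOUNT = re.compile(r"^[a-z0-9-]+-(?P<ts>\d{8}t\d{6})z$")


def created_at(account):
    """Return the UTC creation time encoded in a session account name, else None."""
    m = SESSION_ACCOUNT.match(account)
    if not m:
        return None
    try:
        born = datetime.strptime(m.group("ts"), "%Y%m%dt%H%M%S")
    except ValueError:  # right shape, but not a real date or time
        return None
    return born.replace(tzinfo=timezone.utc)


def audit_accounts(accounts, now, max_ttl):
    """Sort account names into active, out_of_window and standing."""
    report = {"active": [], "out_of_window": [], "standing": []}
    for name in sorted(accounts):
        born = created_at(name)
        if born is None:
            report["standing"].append(name)  # no session timestamp: long-lived identity
        elif born > now or now - born > max_ttl:
            report["out_of_window"].append(name)  # future-dated, or should be gone by now
        else:
            report["active"].append(name)
    return report


# Constructed listing: the two timestamped names are the ones quoted in the
# article; "postgres" and "reporting_ro" are made-up standing accounts.
SAMPLE_ACCOUNTS = [
    "postgres",
    "reporting_ro",
    "acfaria-codex-agent-20260515t175643z",
    "acfaria-codex-agent-20260515t181615z",
]
NOW = datetime(2026, 5, 15, 18, 20, 0, tzinfo=timezone.utc)  # constructed audit time
MAX_TTL = timedelta(minutes=15)  # assumed session lifetime, not from the article

if __name__ == "__main__":
    for bucket, names in audit_accounts(SAMPLE_ACCOUNTS, NOW, MAX_TTL).items():
        print(f"{bucket}: {names}")
```

Anything reported under out_of_window is a session identity that outlived its session, and anything under standing is a credential an agent could still be holding statically.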
As agentic workflows scale, treating every agent call as a fresh, auditable session is the only defensible posture — and HashiCorp just showed how.
Source: Rethinking infrastructure access in the age of agentic AI
Domain: hashicorp.com