AI Agents Are Privileged Identities. Most Companies Still Secure Them Like Passwords.
Jay Klinkowsky, an Identity and Access Management engineer with more than 15 years in identity security, argues that APIs and AI agent credentials have become a privileged identity layer that most organizations still secure like static passwords.

The fastest-growing attack surface in identity right now is not a human login. It is the API keys and AI agents that companies are wiring into their systems at speed, granting them access to customer data, cloud services, codebases, and internal workflows, then securing them like a password set once and forgotten. The tooling has made it trivial to build agentic stacks. The discipline to govern them has not kept pace, and the gap is where breaches are starting to live.
Jay Klinkowsky is an Identity and Access Management engineer at GTS, Inc. with more than 15 years in identity security, spanning Okta administration, Zero Trust design, and automated joiner-mover-leaver workflows at scale. He writes about identity-first security at his blog, Everyday Identity, and runs his own multi-agent stack at home, which makes his warnings less theoretical than most. After six to eight months building inside the agent boom, what alarmed him was how easy it is to stand something up with no guardrails at all.
"Every agent, every API key should be dealt with specifically for what the agent needs to do and nothing more. You don't just click and get full access. Don't give it carte blanche," says Jay.
Keys treated like passwords, not identities
The root problem, in Jay's telling, is a category error. Organizations log, rotate, and monitor human credentials, then grant a machine credential with far more reach and leave it untouched.
"APIs are not being treated like human identities, like a usual login," he says. "It is being handled as it's just a password. We set it. We forget it. They're not rotating their credentials." That neglect scales badly when the credential is over-scoped or hard-coded into a script, a pattern that keeps showing up in research on leaked secrets and in the supply-chain compromises that have hit AI coding agents and MCP integrations. A single leaked key to a customer database, he warns, can end a company.
Know where everything is, then watch it
Before any tooling, Jay wants visibility. His first three priorities for any security leader start with inventory, because nothing else works without it.
Find every connection first. Anyone inside a company can stand up an integration in minutes, so the controls have to start with knowing what exists. "You can't secure anything if you don't know where it's going. Companies need to be very diligent in writing policies. It's very powerful, but it's very scary if they don't do it right."
Route through a central checkpoint. Connections should pass through one place that confirms the destination is real and serves a legitimate internal use, rather than letting anyone bolt an agent onto something they found online.
Log proactively with anomaly detection. This is where AI earns its place on the defensive side. He points to impossible-travel detection, where a sign-in from New York followed 30 minutes later by one from Germany trips an automatic flag, as the model for watching API behavior and confirming the data leaving is what was actually requested.
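The impossible-travel check described above, applied to API key usage rather than human sign-ins, as an added example that is not from the article or from Jay's own tooling. It assumes each usage event has already been geolocated; the key names, coordinates and the 900 km/h ceiling are constructed for illustration.

```python
import math
from datetime import datetime

# Constructed sample events: (timestamp, key id, latitude, longitude).
EVENTS = [
    ("2024-05-01T09:00:00", "agent-marketing", 40.71, -74.01),  # New York
    ("2024-05-01T09:30:00", "agent-marketing", 52.52, 13.40),   # Berlin, 30 min later
    ("2024-05-01T09:00:00", "agent-dev", 40.71, -74.01),        # New York
    ("2024-05-01T15:00:00", "agent-dev", 41.88, -87.63),        # Chicago, 6 h later
]

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (key_id, earlier_ts, later_ts, implied_kmh) for each suspicious hop."""
    last_seen = {}
    alerts = []
    # Group by key, then walk each key's events in time order.
    for ts, key, lat, lon in sorted(events, key=lambda e: (e[1], e[0])):
        when = datetime.fromisoformat(ts)
        if key in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[key]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # Clamp to one second so simultaneous use from two places
            # yields a very large speed instead of a division by zero.
            hours = max((when - prev_when).total_seconds(), 1.0) / 3600
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((key, prev_when.isoformat(), ts, round(kmh)))
        last_seen[key] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("impossible travel:", alert)
```

Geo-IP data is coarse and cloud egress addresses move, so a production rule would usually compare against each key's known source networks before alerting.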
The non-human identity problem is now formalized enough that standards bodies have started cataloging the top risks, and Jay's instinct mirrors emerging work on machine identity and authorization.
The Brute Squad as a working model
Jay's clearest argument is his own setup, a 15-agent stack he themed on The Princess Bride and structured like a business. Each agent gets a role and only the access that role requires; the same least-privilege logic applied to people, scaled up.
"I treat all of my agents as humans. We use RBAC roles," he says. A marketing agent cannot touch back-end databases, a developer agent cannot edit blog posts, and his LinkedIn agent is read-only, able to surface mentions but never to change his profile. The scoping is deliberate so that no single agent holds the keys to the castle, an approach consistent with how practitioners are starting to calibrate friction to identity.
Crucially, he never lets an agent handle its own keys. He sets API connections by hand in a secure store on the machine, because asking an agent to do it drops the credentials into a chat log or persistent memory where they can leak.
He isolates the whole stack behind a private Tailscale network so nothing touches the public internet, sets cron-job reminders to rotate keys, and recommends a 30-day cycle. He spent two to three weeks locking it down before doing any real work, motivated partly by watching a well-known platform leak hundreds of thousands of keys. "That would just shoot down my credibility."
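One way to audit an agent credential inventory against role-scoped access and the 30-day rotation cycle described above, as an added example that is not Jay's configuration. The role names, scope strings, agent names and dates are hypothetical and constructed for illustration.

```python
from datetime import date

# Hypothetical role -> allowed scopes, mirroring the roles described above.
ROLE_SCOPES = {
    "marketing": {"blog:read", "blog:write"},
    "developer": {"repo:read", "repo:write", "db:read"},
    "linkedin": {"linkedin:read"},
}

# Constructed inventory of agent credentials.
INVENTORY = [
    {"agent": "marketing-1", "role": "marketing",
     "scopes": {"blog:read", "blog:write"}, "issued": date(2024, 5, 20)},
    {"agent": "dev-1", "role": "developer",
     "scopes": {"repo:read", "blog:write"}, "issued": date(2024, 5, 25)},
    {"agent": "linkedin-1", "role": "linkedin",
     "scopes": {"linkedin:read", "linkedin:write"}, "issued": date(2024, 3, 1)},
    {"agent": "scratch-1", "role": "unassigned",
     "scopes": {"*"}, "issued": date(2024, 6, 1)},
]

MAX_AGE_DAYS = 30  # rotation cycle recommended in the article


def audit(inventory, today, role_scopes=ROLE_SCOPES, max_age_days=MAX_AGE_DAYS):
    """Return {agent: [issues]} for credentials that are over-scoped or stale."""
    findings = {}
    for cred in inventory:
        issues = []
        allowed = role_scopes.get(cred["role"])
        if allowed is None:
            # A role nobody defined gets no access, so every scope is excess.
            issues.append("unknown role: deny by default")
            allowed = set()
        excess = sorted(cred["scopes"] - allowed)
        if excess:
            issues.append("scopes beyond role: " + ", ".join(excess))
        age = (today - cred["issued"]).days
        if age > max_age_days:
            issues.append(f"key is {age} days old, rotate")
        if issues:
            findings[cred["agent"]] = issues
    return findings


if __name__ == "__main__":
    for agent, issues in audit(INVENTORY, date(2024, 6, 10)).items():
        print(agent, "->", "; ".join(issues))
```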
The thread running through all of it is that AI raises the stakes on both sides of the ledger. It accelerates productivity and it accelerates attacks, which makes the unglamorous habits matter more, not less. Jay gets five or six fraudulent MFA prompts a day, the routine probing that precedes most real intrusions, and he sees the companies most exposed as the ones skipping basic education.
"Most of these problems we're seeing outside of API are just education of people," he says. "Companies that don't have a solid security refresh course every couple of months are the ones that are gonna get caught."






