How would you prevent an AI agent from leaking or misusing API credentials?
Keep raw credentials outside model context and traces. Let the model propose typed intent, authorize the final action and arguments deterministically, then have a trusted executor inject a short-lived, narrowly scoped, audience-restricted credential for one call. Re-authorize downstream and gate high-impact writes with explicit approval.
How to think about it
The model should never become the secret store. It emits a typed action; a deterministic policy evaluates principal, operation, resource, destination and provenance; a trusted executor obtains the credential only after authorization.
Limit replay value with least privilege, audience restriction, short lifetime and proof of possession where supported. Redact headers, errors and traces, and require human approval for irreversible or externally visible operations.