# Shadow AI agents are already in your organization. Here's how to secure their credential access

This post breaks down the three biggest credential security risks that come with AI agent adoption and introduces the Agent Access SDK built to address them.

*By Bitwarden*

*Published: June 10, 2026*

---

AI agents are already inside most organizations. Knowing what they're doing and securing their access is the challenge.

At the 2026 Gartner Security & Risk Management Summit, Bitwarden Senior Product Manager and Agentic AI Specialist Kasey Babcock made that reality hard to ignore: according to CSA research, 54% of organizations already have unsanctioned or "shadow AI" agents in use. If you're reading this thinking your organization is the exception, the odds are not in your favor.

This post breaks down the three biggest credential security risks that come with AI agent adoption and introduces the open source standard Bitwarden built to address them.

## AI agents will do anything they can to complete a task

That behavior is by design. AI agents are goal-directed. When an agent needs a credential to complete a task, it will look for one: in .env files, chat history, and password managers. An agent explicitly told to ignore a file containing credentials will honor that instruction right up until completing its task requires otherwise. At that point, the earlier instruction loses.

"AI agents are ingesting plaintext passwords and the contents of .env files without explicit permission to do so. This is a predictable behavior pattern, and it's already happening at scale." - Kasey Babcock, Senior Product Manager and Agentic AI Specialist, Bitwarden

Cybersecurity and risk management is the top concern among IT leadership when it comes to AI agent use in their organizations, according to Omdia. The data reflects what practitioners already sense: the window between agent adoption and agent security is wide open, and closing fast.

## Three credential security risks you need to know

### 1. Overscoped access

53% of organizations report that AI agents exceed their intended permissions, according to CSA research. That means more than half of organizations have agents operating beyond what was ever sanctioned.

When an agent is granted access to a system, it uses it fully: accessing applications, devices, .env files, password managers, and entire ecosystems. The agent then completes actions that were never explicitly authorized by a human.

### 2. Data leakage

47% of organizations have already experienced an AI agent-related security incident, according to the same CSA research. For nearly half of organizations, this is no longer a hypothetical.

The exposure surface is wider than most teams realize. Credentials, passwords, logins, API keys, and SSH keys can appear in an agent's chat history. Internal financial documents and business-critical information can be surfaced the same way.

Large language models (LLMs) are powerful, but they're not designed to secure sensitive information. Credential security requires a dedicated layer built for that purpose.

### 3. The management gap

83% of IT leaders agree that business units are deploying AI agents faster than security teams can support, according to Cisco. The structural gap between adoption speed and governance capacity is a serious problem.

Most enterprises are already running agents they didn't formally approve, accessing resources they haven't explicitly scoped, in workflows security teams haven't reviewed.

## Agentic AI security best practices: Purpose-built for agents

Many organizations already have processes in place for credential access across human and machine identities. The challenge is that those processes weren't designed with AI agent behavior in mind. Here's what needs to change:

**End-to-end encryption:** All agent communications, including credential requests and the credentials themselves, should be fully end-to-end encrypted. This prevents credentials from being exposed in plaintext at any point in the exchange, including in the agent's context window or chat history.

**Just-in-time (JIT) access:** Rather than granting an agent standing access to a vault or credential store, credential access should be scoped to a single credential for a single task. When the task is complete, access ends. The next time the agent needs a credential, it goes through the process again.

**Human-in-the-loop (HITL) approvals:** A credential should only be released to an agent after a human explicitly approves the request. That human can also deny it. This is the control point that makes the other two practices meaningful. Without human authorization, encryption and scoping are safeguards without a gate.

Identity and access management (IAM) practitioners will recognize all three principles. What's new is applying them specifically and consistently to AI agent credential access.

## Introducing the Agent Access SDK

The Agent Access SDK is an open source protocol built on these three best practice principles. It's the first of its kind: an open industry standard for agentic AI security, available now at [github.com/bitwarden/agent-access](https://github.com/bitwarden/agent-access).

Bitwarden made it open source intentionally. Securing AI agent access is a global problem, and global problems need community-sourced solutions.

"This is why we decided to make the Agent Access SDK open source, so the community can work together on securing this challenge." - Kasey Babcock, Senior Product Manager and Agentic AI Specialist, Bitwarden

### How it works

The SDK operates across three components: the AI agent, a secure tunnel, and a credential provider, such as a Bitwarden vault.

When an agent needs a credential to complete a task, it sends a request to the Agent Access SDK. The SDK authenticates the agent and opens an end-to-end encrypted tunnel. That encrypted request is forwarded to the user's device, where a human reviews and either approves or denies it.

If the request is denied, the process stops. If approved, a single credential is retrieved from the password vault. The entire vault is not retrieved; only the one credential required for the task at hand is released. That credential travels back through the encrypted tunnel and is injected directly into the agent process, never exposed in plaintext.

Once the credential is used, the tunnel closes. The next time the agent needs a credential, it starts the process over: new request, new encrypted tunnel, new human approval, single credential released.
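As an added illustration (not code from the Agent Access SDK or Bitwarden, and not its API), the Python model below captures the request flow just described and the three practices from the previous section: a broker releases one named credential for one task only after a human decision, hands the secret to the agent's action inside the broker boundary instead of returning it, and revokes the grant after a single use so the next task starts over. The encrypted tunnel is represented only by that boundary (no real cryptography here), and the vault contents, agent name and task strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable
import secrets

class AccessDenied(Exception):
    """The human gate or the single-use grant blocked the call."""

@dataclass
class Broker:
    vault: dict[str, str]                      # credential name -> secret (toy vault)
    approver: Callable[[str, str, str], bool]  # human decision on (agent, credential, task)
    audit: list[str] = field(default_factory=list)
    _grants: dict[str, str] = field(default_factory=dict)  # one-time token -> credential

    def request(self, agent_id: str, credential: str, task: str) -> str:
        """JIT + HITL: one credential, one task, human approval; returns a one-time token, not the secret."""
        if credential not in self.vault:
            raise AccessDenied(f"unknown credential {credential!r}")
        if not self.approver(agent_id, credential, task):
            self.audit.append(f"denied {agent_id} {credential} {task}")
            raise AccessDenied("human denied the request")
        token = secrets.token_hex(16)
        self._grants[token] = credential
        self.audit.append(f"approved {agent_id} {credential} {task}")
        return token

    def use(self, token: str, action: Callable[[str], object]) -> object:
        """Hand the secret to `action` inside the broker (the 'injection'), then revoke the grant."""
        credential = self._grants.pop(token, None)  # single use: the grant is gone after this
        if credential is None:
            raise AccessDenied("grant unknown, expired, or already used")
        return action(self.vault[credential])

def run_demo() -> dict:
    """Approve once, use once, then show that a replay and an overscoped request both fail."""
    vault = {"github-token": "ghp_CONSTRUCTED", "prod-db": "pw_CONSTRUCTED"}  # constructed secrets
    broker = Broker(vault=vault, approver=lambda a, c, t: c == "github-token")  # human approves only the repo token
    transcript: list[str] = []  # stands in for the agent's context window / chat history
    token = broker.request("deploy-agent", "github-token", "push release tag")
    transcript.append(str(broker.use(token, lambda s: f"pushed with a {len(s)}-char token")))
    blocked = []
    for attempt in (lambda: broker.use(token, lambda s: s),  # replay that would hand the agent the raw secret
                    lambda: broker.request("deploy-agent", "prod-db", "push release tag")):  # overscoped ask
        try:
            attempt()
            blocked.append(False)
        except AccessDenied:
            blocked.append(True)
    return {"replay_blocked": blocked[0], "overscope_blocked": blocked[1], "audit": broker.audit,
            "secret_in_transcript": any("CONSTRUCTED" in line for line in transcript)}
```

The audit list is the detection hook: every approval and denial is recorded with the agent, credential and task, which is what a security team needs to see to close the management gap.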

### How it addresses each risk

The Agent Access SDK directly counters all three credential security risks outlined above.

End-to-end encryption ensures credentials never appear in an agent's chat history, closing the data leakage exposure surface. Just-in-time access prevents overscoped permissions by releasing only the single credential needed for the task. Human-in-the-loop approvals close the management gap by putting a human decision point between every credential request and every release.

The SDK works with any AI agent, including Claude, Copilot, Cursor, and OpenClaw, and can be incorporated into virtually any agentic workflow.

## What to do next

AI agent adoption is accelerating. The organizations that build credential security controls now will be better positioned to scale agentic workflows safely and with confidence.

- **Try the [Agent Access SDK](https://github.com/bitwarden/agent-access).** It's free, open source, and available now on GitHub. Test it against existing workflows. Contribute if you find ways to make it better.
- **Review the [Gartner presentation slide deck](https://bitwarden.com/de-de/resources/presentations/your-companys-ai-agents-access-credentials-heres-how-to-secure-them/)** to see the Agent Access SDK in action.
- **Explore [Bitwarden Secrets Manager](https://bitwarden.com/de-de/products/secrets-manager/).** For teams managing developer secrets and machine credentials at scale, Secrets Manager now integrates with Hermes to extend secure secrets access into agentic workflows.

The security community built the controls that made cloud adoption trustworthy. Agentic AI security is the next frontier, and the same community-driven work needs to happen now.