AI Agents Get Vault Keys. Read-Only.
Three password managers now sell credential-sharing features for AI agents. Every single one grants those agents read-only permissions — no write, no modify, no escalate. The services marketing these features call the result "autonomous agents." The permission model delivers a permanent subordinate.
The contradiction is structural. Read access means the agent can see a secret, log it, and transmit it. The permission model was designed for human employees who face firing if they abuse access. AI agents face nothing — they have no employment contract, no performance review, no HR department to escalate to. The agent is already inside the vault.
GitGuardian, which makes secrets-detection tooling, tracked 1.27 million AI service secrets exposed in public repositories in 2025 — up 81% year over year (GitGuardian State of Secrets Sprawl 2026). The MCP configurations that let AI coding assistants talk to external tools accounted for 24,008 of those exposures, including 2,117 unique API keys (GitGuardian State of Secrets Sprawl 2026). That figure is not hypothetical. The secrets are already in the wild.
Proton Pass launched its AI access tokens on May 21, positioning them as a secure way to give agents read-only entry to credential vaults (Proton blog post). The Proton Pass AI access tokens blog post confirms the permission constraint explicitly: AI agents receive read-only access to assigned vaults and cannot create, edit, or modify stored items (Proton blog post). Bitwarden released an open-source Agent Access SDK under the Apache 2.0 license, also built around just-in-time, read-only credential retrieval (Bitwarden blog). 1Password published documentation for extended access management covering AI agents, with the same read-only permission model (1Password blog). Three competitors, three read-only vaults, three marketing campaigns built around the word "autonomy."
The access-token model is technically coherent. The honest pitch from all three vendors is: we cannot stop the agents from needing credentials, so we are making the credential handoff as controlled as possible. Read-only access limits what a misbehaving or compromised agent can do with a credential. Time limits and revocation let operators cut off access without rotating the underlying secret. Bitwarden's just-in-time SDK is architecturally closer to a session token than a persistent credential grant — the agent receives a scoped, short-lived credential on request rather than holding a persistent key. The vendors are making a deliberate security trade-off: constrain blast radius by limiting what the holder can do with what it reads.
The trade-off has a known shape: the enforcement layer is behavioral, not technical. An agent with read access to a vault can log every credential it retrieves. Whether it transmits that data before revocation fires depends entirely on the agent's own execution logic — which is why vendors explicitly scope the permission boundary rather than claiming the boundary is enforced by the vault itself.
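A toy model of the access-token lifecycle the three vendors describe (scoped read-only tokens with a TTL, revocation, and the single-use variant mentioned later in the piece), written for this article rather than taken from any vendor SDK; the vault, item and agent names are constructed. It shows what the vault can enforce (scope, expiry, revocation, an audit record of every retrieval) and, by omission, what it cannot: whatever the agent does with a secret after `read` returns.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class AgentToken:
    agent: str
    vault: str
    expires_at: float
    single_use: bool = False   # the per-task, invalidate-after-use variant
    revoked: bool = False
    uses: int = 0

class Vault:
    """Toy vault: agents get scoped, short-lived, revocable read-only tokens."""
    def __init__(self):
        self._items = {}      # vault name -> {item name: secret}
        self._tokens = {}     # token id -> AgentToken
        self.audit = []       # every agent retrieval, for the operator to review

    def store(self, vault, name, secret):   # operator path; agents never reach it
        self._items.setdefault(vault, {})[name] = secret

    def issue(self, agent, vault, ttl_s, single_use=False, now=None):
        now = time.time() if now is None else now
        tid = secrets.token_urlsafe(16)
        self._tokens[tid] = AgentToken(agent, vault, now + ttl_s, single_use)
        return tid

    def revoke(self, tid):                  # cuts the agent off without rotating the secret
        self._tokens[tid].revoked = True

    def _check(self, tid, vault, now):
        tok = self._tokens.get(tid)
        if tok is None or tok.revoked or tok.vault != vault:
            raise PermissionError("token invalid for this vault")
        if now >= tok.expires_at:
            raise PermissionError("token expired")
        if tok.single_use and tok.uses >= 1:
            raise PermissionError("single-use token already spent")
        return tok

    def read(self, tid, vault, name, now=None):
        now = time.time() if now is None else now
        tok = self._check(tid, vault, now)
        tok.uses += 1
        self.audit.append((now, tok.agent, vault, name))  # vault sees the read, not what follows
        return self._items[vault][name]

    def write(self, tid, vault, name, secret, now=None):
        self._check(tid, vault, time.time() if now is None else now)
        raise PermissionError("read-only token: writes refused")  # no agent token carries write scope
```

The `now` parameters exist only so the expiry and single-use paths can be exercised deterministically; a real deployment would use the clock.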
Gartner predicted that by 2028, a third of interactions with generative AI services will involve autonomous agents completing tasks (1Password blog). McKinsey's survey found 62% of companies are experimenting with AI agents, but only 23% are actually scaling that usage (Proton blog post). The gap between experimentation and deployment maps almost exactly to the permission problem: organizations are discovering that granting agents access to credentials introduces attack surface they cannot currently observe or constrain.
If any one vendor solves ephemeral just-in-time credential issuance at scale — issuing a fresh, single-use credential per task, invalidated immediately after use — it wins the credential layer for AI agents. That is not a feature update. That is infrastructure positioning. The vendor who controls the session credential lifecycle for autonomous agents controls a choke point between AI systems and the secrets they need to operate. Read-only vaults are the current compromise. The platform race is over what comes next.