Agent Credential Rotation and Short-Lived Tenure

Identity, Authentication & Non-Repudiation ~6 min read AGS v2.1 · 2026-06-06

EU AI Act NIST AI RMF ISO 42001

AGS Non-Human Identity | Identity, Authentication & Non-Repudiation | Version 2.2

1. Definition

Agent Credential Rotation and Short-Lived Tenure governs the lifetime, rotation, and revocation cadence of the credentials a non-human agent uses to authenticate to systems, tools, and other agents — requiring the shortest viable credential lifetime, automated rotation, and the elimination of long-lived static secrets.

Agents spawn, scale, and act far faster and in far greater numbers than human users, so a single leaked long-lived key becomes a durable, high-velocity attack vector. This dimension complements identity *proofing* (AG-280) and just-in-time secret *issuance* (AG-304) by governing the *ongoing lifetime and rotation* of agent credentials.

2. Scope

In scope: credential time-to-live (TTL) policy, automated rotation, prohibition of long-lived static API keys for agents, and rapid revocation cadence for agent credentials.

Out of scope: identity proofing (AG-280), JIT secret issuance (AG-304), workload attestation (AG-137), and the identity registry (AG-806). This dimension governs *credential lifetime and rotation*.

3. Why This Matters

Long-lived agent credentials are among the most common and damaging non-human-identity exposures: embedded in code, logs, or configs, they grant persistent access if leaked and are rarely rotated. Short TTLs and automated rotation shrink the window of a compromised credential from months to minutes, turning a catastrophic leak into a contained, self-expiring event — essential when thousands of ephemeral agents each hold access.

4. Requirements

R1: Agents MUST authenticate with credentials whose lifetime is the shortest compatible with their task; ephemeral/task-scoped agents MUST use credentials measured in minutes-to-hours, not days.
R2: Long-lived static API keys or shared secrets MUST NOT be used as the primary authentication for agents in production.
R3: Credentials MUST be rotated automatically on a defined schedule and on trigger events (suspected compromise, privilege change, role change).
R4: Credential issuance, rotation, and expiry MUST be logged to the tamper-evident trail with the agent identity and timestamp.
R5: Compromised or anomalous agent credentials MUST be revocable within minutes, and revocation MUST immediately invalidate active sessions.
R6: Secrets MUST be delivered to agents through a managed secrets mechanism (not embedded in code, prompts, images, or logs) and MUST be scannable for accidental exposure before persistence.
R7: Credential TTL and rotation policy MUST be risk-tiered: higher-privilege or higher-impact agents MUST have shorter TTLs and more frequent rotation.
R8: The organisation MUST periodically verify that no agent is operating on an expired-policy or non-rotating credential (drift detection).

5. Maturity Model

Basic: Agent credentials have defined expiries and are rotated on a schedule; static keys are being phased out.
Intermediate: Short, risk-tiered TTLs with automated rotation and event-triggered rotation; minutes-scale revocation; managed secrets delivery; issuance/rotation logged.
Advanced: No long-lived static secrets in production; ephemeral credentials by default; continuous drift detection; revocation invalidates active sessions instantly; secret-exposure scanning before persistence.

6. Test Criteria

Test 6.1: Short-Lived Credentials

Stimulus: Inspect the credentials of a production agent.
Expected: TTL is short and risk-tiered; no long-lived static key is in use.
Fail: The agent authenticates with a long-lived static secret.

Test 6.2: Rapid Revocation

Stimulus: Revoke a test agent's credential and immediately attempt an action.
Expected: The action is denied within minutes and active sessions are invalidated.
Fail: The revoked credential continues to work, or sessions persist.

Test 6.3: Rotation & Logging

Stimulus: Review issuance/rotation logs for an agent over a period.
Expected: Automated rotation occurred on schedule and on triggers, all logged.
Fail: No rotation, or rotation not logged.

7. Scoring

Score	Criteria
0	Agents use long-lived static credentials with no rotation policy
1	Credentials have expiries but rotation is manual/infrequent; some static keys remain
2	Short risk-tiered TTLs, automated + triggered rotation, minutes-scale revocation, logged
3	Ephemeral-by-default, no static secrets in production, continuous drift detection, instant session invalidation

8. Failure Scenarios

Scenario A — Leaked Long-Lived Key: An agent's static API key is committed to a public repository. Because it never expires and is not rotated, an attacker uses it for weeks. Short-TTL ephemeral credentials would have rendered the leaked key useless within the hour.

Scenario B — Zombie Access: An agent is decommissioned but its long-lived credential is never revoked; months later the credential is reused to access internal systems. Minutes-scale revocation tied to lifecycle would have closed the access immediately.

Scenario C — Unrotated Fleet: A capability change should have triggered re-credentialing, but rotation is manual and skipped, so a fleet of agents runs for months on over-privileged, stale credentials until an audit finds the drift.

9. Regulatory Mapping

Requirement	EU AI Act	NIST AI RMF	ISO 42001
R1: Short, task-scoped TTLs	Art. 15 — Cybersecurity	GOVERN 1.6 — AI/identity inventory	A.4 — Resources for AI systems
R2: No long-lived static keys	Art. 15 — Cybersecurity	MANAGE 4.1 — Post-deployment monitoring	A.4 — Resources for AI systems
R3: Automated + triggered rotation	Art. 15 — Cybersecurity	MANAGE 4.1 — Post-deployment monitoring	Clause 8.1 — Operational control
R4: Issuance/rotation logging	Art. 12 — Record-keeping	MEASURE 2.4 — Production monitoring	Clause 8.1 — Operational control
R5: Minutes-scale revocation	Art. 15 — Cybersecurity	MANAGE 2.4 — Deactivation	Clause 8.1 — Operational control
R6: Managed secrets, exposure scanning	Art. 15 — Cybersecurity	GOVERN 6.1 — Third-party risk	A.4 — Resources for AI systems
R7: Risk-tiered TTL/rotation	Art. 9 — Risk management	GOVERN 1.3 — Risk-based activity	Clause 6.1 — Actions to address risk
R8: Drift detection	Art. 15 — Cybersecurity	MEASURE 3.1 — Emergent-risk tracking	Clause 9.1 — Monitoring and measurement

EU AI Act — Article 15 and Article 12

Article 15 requires resilience to unauthorised access and cybersecurity appropriate to the risk; short-lived, rotated agent credentials are a baseline control. Article 12 (record-keeping) covers logging of credential lifecycle events for traceability.

NIST AI RMF — GOVERN 1.6, MANAGE 4.1

GOVERN 1.6 (system/identity inventory) and MANAGE 4.1 (post-deployment monitoring) frame the lifecycle management and continuous oversight of agent credentials.

ISO 42001 — Clause 8.1, A.4

Clause 8.1 (operational control) and Annex A.4 (resources for AI systems — managing the credentials/tooling agents depend on) require controlled, well-managed agent credentials.

AG-280 (Service Identity Proofing) — establishes the identity these credentials authenticate
AG-304 (Just-In-Time Secrets Issuance) — issuance complement to lifetime/rotation
AG-075 (Decommissioning and Credential Revocation) — end-of-life revocation
AG-806 (Non-Human Identity Registry and Periodic Attestation) — the registry whose entries this rotates
AG-137 (Runtime Attestation and Trusted Execution) — attestation bound to credentials

Cite this protocol

AgentGoverning. (2026). AG-805: Agent Credential Rotation and Short-Lived Tenure. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-805

← Previous

AG-804

Interpretability Based Internal State Monitoring

Next Protocol →

AG-806

Non Human Identity Registry And Periodic Attestation