Securing AI Agents: Preventing Secret Exposure with Delegation Protocols

Explore the Secret-Use Delegation Protocol (SUDP), an innovative solution to prevent AI agents from exposing sensitive credentials, ensuring secure, single-use authorizations for enterprise operations.


The Unseen Risk of AI Agents with Secrets

      As artificial intelligence agents become increasingly integrated into enterprise workflows, their ability to perform actions on behalf of users—such as calling APIs, sending messages, or managing cloud services—is invaluable. These actions are often backed by "secrets": long-lived credentials like API keys, OAuth tokens, or signing keys that grant significant authority over external services. The prevailing industry practice often involves storing these secrets in environment variables or centralized secret managers and then handing them directly to the agent runtime for use. While seemingly convenient, this approach introduces a profound and often overlooked security vulnerability, termed "authorization by exposure."

      In essence, authorization by exposure means that to empower an AI agent to act, a system must place reusable authority (the secret itself, or a derivative artifact) within the agent's operational boundary. This creates a critical weak point. If the agent's runtime is compromised, whether through prompt injection, a tool-side vulnerability, or the model simply disclosing what it was given, the reusable secret can be exfiltrated, and the result is a durable account compromise that outlives the incident itself. What makes agents worse than a conventional service holding the same key is their input channel: web pages, documents and tool outputs are untrusted text that can steer the agent, so the secret sits directly beside an attack surface that a traditional application does not have.

Defining the Agent Secret Use (ASU) Problem

      The core security tension with AI agents lies in their dual nature: they are highly useful because they can execute secret-backed operations, yet inherently risky because their internal execution context is susceptible to various forms of attack. The "Agent Secret Use (ASU)" problem formalizes this challenge: how can an untrusted autonomous agent be authorized to trigger a secret-backed operation without ever gaining access to the reusable authority of the underlying secret? This is a departure from the traditional focus on merely securing secrets at rest; for agentic systems, the challenge is securing secrets in use.

      Existing security paradigms, while robust in their own domains, each address only part of the ASU problem. Secret storage, scoped delegation tokens, sender-constrained tokens, and runtime monitoring tackle adjacent pieces of the puzzle, but none of them is a unified specification that guarantees reusable authority never enters the agent's trust domain. A scoped token, for instance, still confers reusable authority over its whole scope for its whole lifetime if the agent holds it and can present it again. What is needed is a construction in which secret safety holds as a cryptographic invariant rather than depending on deployment discipline.

Introducing SUDP: A Secure Handshake for Agentic Actions

      To bridge this critical security gap, researchers at Imperial College London and the University of Oxford proposed the Secret-Use Delegation Protocol (SUDP). SUDP is a three-role protocol designed to address the Agent Secret Use (ASU) problem by ensuring that reusable authority never crosses the requester's boundary. The protocol involves three distinct roles (as described in the research paper "SUDP: Secret-Use Delegation Protocol for Agentic Systems" by Xiaohang Yu, Hejia Geng, and William Knottenbelt):

  • Requester (R): This is the AI agent runtime. Its role is to propose a "canonical operation," which is a precise, exact action it intends to perform. Crucially, the requester holds no secrets itself.
  • Authorizer (U): This is the user, often augmented by an authenticator. The authorizer reviews the proposed operation and, if approved, issues a "grant." This grant is fresh, cryptographically signed, and specifically bound to the proposed operation, making it single-use.
  • Custodian (T): This secure entity holds the sensitive secrets in a sealed state. The custodian's sole function is to redeem the user-authorized grant exactly once, using the underlying secret to execute the specified operation on the external environment.


      This structured interaction ensures that the AI agent (requester) can suggest an action, but the actual, secret-backed execution is mediated by the user and a trusted custodian. The agent never directly handles or even sees the secret, making transient security failures in the agent runtime far less impactful. This approach aligns with the stringent security requirements seen in enterprise AI deployments. For instance, solutions like ARSA Technology's AI Box Series, which deploy AI directly at the edge, would benefit significantly from such a protocol by ensuring local processing remains secure even if the agent component faces a compromise.

How SUDP Secures AI-Driven Operations

      SUDP fundamentally shifts the security paradigm from "trusting the agent with the secret" to "trusting a secure custodian to use the secret on behalf of the agent, with user consent." This protocol achieves its robust security by implementing several key properties:

  • Verifiable Authorization: Every action is covered by a user-signed grant, so the authorization is explicit and auditable: the user approves each operation before the custodian will execute it.
  • Operation-Bound: The grant is cryptographically tied to one specific, canonical operation. A malicious or confused agent cannot "swap" the approved action for a different one, because the custodian checks the operation it is asked to perform against the grant before it touches the secret.
  • Single-Use: Once the custodian has redeemed a grant to perform an action, it cannot be redeemed again, which rules out replay. An intercepted grant therefore buys an attacker at most the one operation the user already approved, and only if that grant has not yet been redeemed.
  • Requester Non-Exposure: This is the cornerstone of SUDP. Reusable authority, the secret itself, never crosses the requester (AI agent) boundary. Even a fully compromised agent can only propose an operation; it cannot extract or misuse the underlying credential.
  • Storage Confidentiality & Key Isolation: Under explicit sealing and erasure assumptions, the secret held by the custodian remains confidential and isolated from the other roles, protected against unauthorized access.
  • Forward Secrecy: If the environment rotates and revokes the underlying secrets, SUDP can also provide plaintext-level forward secrecy: a later compromise of the custodian does not reveal secrets that have already been rotated out and erased.


      These properties translate directly into tangible business outcomes. For enterprises deploying AI-powered systems, SUDP offers a cryptographic invariant for secret safety, significantly reducing the risk of durable account compromise stemming from agent vulnerabilities. This enables organizations to confidently expand their use of autonomous agents in sensitive areas like finance, defense, and critical infrastructure, where solutions such as AI Video Analytics are deployed, requiring secure access to and processing of sensitive visual data.

Real-World Impact and Enterprise Deployment

      The implications of protocols like SUDP are far-reaching, particularly for industries grappling with the secure integration of advanced AI. In sectors ranging from defense and government to banking and industrial operations, AI agents are increasingly performing mission-critical tasks. The ability to delegate specific, authorized actions without exposing long-lived credentials transforms the risk landscape.

      Consider an industrial setting where an AI agent monitors machinery and needs to trigger an emergency shutdown via a platform API. With traditional methods, the agent might hold the API key, making it vulnerable. With SUDP, the agent proposes the "emergency shutdown" operation. A system administrator (Authorizer) could review and digitally approve it, issuing a single-use grant to a secure custodian. The custodian, an isolated component, then executes the shutdown without ever exposing the API key to the potentially less secure agent runtime. This granular control and cryptographic assurance are vital for operational reliability and compliance. For organizations leveraging custom AI solutions for such critical applications, understanding and implementing such delegation protocols is paramount. Companies like ARSA Technology, with their custom AI solution development expertise, are ideally positioned to architect systems that integrate such robust security frameworks into complex enterprise environments.
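      The following is an added example that is not part of the original page or of the SUDP paper. It is a minimal Python sketch of the three-role handshake (requester proposes, authorizer grants, custodian redeems) from the property list above, run through the emergency-shutdown scenario just described. As a simplification it uses an HMAC key shared only by the authorizer and the custodian in place of the asymmetric signature a real deployment would use; the API key, custodian name, operations and policy are constructed sample values. The requester never holds the grant key or the API key; the custodian checks signature, audience, expiry, operation hash and nonce before using the secret; and the demo shows a replayed grant, a substituted operation, a forged grant and an unapproved proposal all being refused.

```python
# Added illustrative example of an SUDP-style exchange; not the paper's code.
# Assumptions: HMAC with a key shared by authorizer and custodian stands in for
# a real signature; API key, role names, operations and policy are constructed.
import hashlib
import hmac
import json
import secrets
import time

def canonicalize(obj):
    """Deterministic encoding so all three roles hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def op_digest(op):
    return hashlib.sha256(canonicalize(op)).hexdigest()

class Requester:
    """Agent runtime (R): holds no keys; can only describe an exact operation."""
    def propose(self, op):
        return {"op": op, "op_hash": op_digest(op)}

class Authorizer:
    """User plus authenticator (U): reviews a proposal and issues a bound grant."""
    def __init__(self, grant_key, custodian_id):
        self._key = grant_key                    # never shared with the requester
        self._custodian_id = custodian_id

    def review_and_grant(self, proposal, approve, ttl=60):
        op = proposal["op"]
        if op_digest(op) != proposal["op_hash"]:
            raise ValueError("proposal does not match its own hash")
        if not approve(op):                      # user (or policy) declines
            return None
        body = {
            "op_hash": op_digest(op),            # operation-bound
            "nonce": secrets.token_hex(16),      # single-use handle
            "aud": self._custodian_id,           # only this custodian may redeem
            "exp": int(time.time()) + ttl,       # short validity window
        }
        mac = hmac.new(self._key, canonicalize(body), hashlib.sha256).hexdigest()
        return {**body, "mac": mac}

class Custodian:
    """Sealed secret holder (T): redeems a grant once, then acts with the secret."""
    def __init__(self, custodian_id, grant_key, secret, execute):
        self._id, self._key, self._secret = custodian_id, grant_key, secret
        self._execute = execute                  # the secret-backed environment call
        self._redeemed = set()                   # burned nonces (persist in production)

    def redeem(self, grant, op):
        body = {k: v for k, v in grant.items() if k != "mac"}
        expected = hmac.new(self._key, canonicalize(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(grant.get("mac", ""))):
            raise PermissionError("grant was not issued by the authorizer")
        if body.get("aud") != self._id:
            raise PermissionError("grant is for a different custodian")
        if body.get("exp", 0) < time.time():
            raise PermissionError("grant expired")
        if op_digest(op) != body.get("op_hash"):
            raise PermissionError("operation substitution: grant bound to another op")
        if body["nonce"] in self._redeemed:
            raise PermissionError("replay: grant already redeemed")
        self._redeemed.add(body["nonce"])        # burn before acting
        return self._execute(op, self._secret)

PLATFORM_API_KEY = "plat-7c1f-constructed-sample-key"   # constructed; never given to R

def platform_api(op, api_key):
    """Stand-in for the machinery platform endpoint the custodian calls."""
    if api_key != PLATFORM_API_KEY:
        raise PermissionError("bad API key")
    return {"action": op["action"], "target": op["target"], "status": "done"}

def run_demo():
    """Walk the shutdown scenario plus the attacks each property is meant to stop."""
    grant_key = secrets.token_bytes(32)
    policy = lambda o: o["action"] == "emergency_shutdown"   # constructed approval rule
    authorizer = Authorizer(grant_key, "custodian-1")
    custodian = Custodian("custodian-1", grant_key, PLATFORM_API_KEY, platform_api)
    op = {"action": "emergency_shutdown", "target": "press-line-3"}

    def rejected(grant, attempted_op):
        try:
            custodian.redeem(grant, attempted_op)
            return False
        except PermissionError:
            return True

    proposal = Requester().propose(op)
    grant = authorizer.review_and_grant(proposal, policy)
    out = {"executed": custodian.redeem(grant, op)}
    out["secret_in_agent_view"] = PLATFORM_API_KEY in json.dumps([proposal, grant])
    out["replay_rejected"] = rejected(grant, op)                       # same grant twice
    swapped = {"action": "emergency_shutdown", "target": "press-line-4"}
    out["substitution_rejected"] = rejected(authorizer.review_and_grant(proposal, policy), swapped)
    forged = {**authorizer.review_and_grant(proposal, policy), "mac": "00" * 32}
    out["forged_grant_rejected"] = rejected(forged, op)                # R cannot mint grants
    out["unapproved_denied"] = authorizer.review_and_grant(
        Requester().propose({"action": "delete_safety_config", "target": "plant"}), policy) is None
    return out
```

      run_demo() returns a dictionary of outcomes rather than printing them so the checks can be asserted. Two points a practitioner should carry over: the redeemed-nonce set must be persisted and shared across custodian replicas, or single-use silently fails under a restart or a second instance; and the authorizer must show the user the same canonical encoding that the custodian later hashes, otherwise "operation-bound" binds to bytes the user never reviewed.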

      This approach aligns with the growing demand for privacy-by-design and on-premise AI deployments, particularly in regulated industries. By ensuring data and secrets remain within controlled boundaries and are never exposed to potentially vulnerable agent contexts, businesses can maintain stringent compliance standards while still harnessing the power of AI.

      The source for this information is the academic paper "SUDP: Secret-Use Delegation Protocol for Agentic Systems" by Xiaohang Yu, Hejia Geng, and William Knottenbelt, available at https://arxiv.org/abs/2604.24920.

      Ready to enhance the security and integrity of your enterprise AI and IoT systems? Explore ARSA Technology's cutting-edge solutions and discuss how advanced security protocols can be integrated into your operations. Contact ARSA for a free consultation today.