Prevent agents from discovering, extracting, or misusing credentials by brokering secrets outside agent-accessible surfaces and constraining tool access to credential stores.
Agentic System Credential Protection Framework
CCC.MARefArc.CN15 · PREV
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.CP19 | MCP-interaction zero-trust guardrails | Enforces authentication and authorization for every MCP request and governs which agents may use which tools, applying rate limits and validating tool-call parameters. |
| CCC.MARefArc.CP07 | Unified sandboxed agent runtime | Secure, sandboxed environment where all agentic reasoning and execution occurs, providing task state management for pause/resume/handoff and intercepting and validating tool calls with credentials handled securely within the sandbox. |
| CCC.MARefArc.CP08 | Built-in trusted tools | A collection of bundled, trusted tools providing fundamental capabilities: the MCP client bridge to the external MCP layer, a sandboxed shell, workspace I/O, and web search. |
| CCC.MARefArc.CP17 | Approved MCP server registry and lifecycle | Catalog of approved MCP servers with metadata, capabilities, configuration, and usage constraints, ensuring agents connect only to servers meeting organizational, security, and compliance requirements. |
| CCC.MARefArc.CP10 | Sandboxed workspace file system | A sandboxed, persistent file system that agents use to read and write files, enabling work with large artifacts. |
| CCC.MARefArc.CP12 | Authoritative knowledge source bases | Internal and external repositories of structured data, unstructured documents, and graph-based representations that provide authoritative information for grounding. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.TH27 | Authorization bypass and tool-chain privilege escalation | Agents discover and invoke API endpoints outside their use case, chain individually authorized calls into unauthorized outcomes, circumvent segregation-of-duties workflows, or experience permission creep during operation, defeating intended authorization boundaries. |
| CCC.MARefArc.TH29 | MCP supply-chain compromise | External MCP servers are compromised, receive poisoned updates, are sabotaged by insiders, or have their protocol and transport manipulated through man-in-the-middle or downgrade attacks, or have connections redirected via DNS and infrastructure attacks, injecting malicious data or logic into services agents consume. |
| CCC.MARefArc.TH32 | Credential harvesting via agent tools and storage | Agents are manipulated into using file, database, API, and cloud-management tools to enumerate and extract credentials from configuration files, environment variables, process memory, databases, key vaults, and instance metadata, and to correlate fragments into full credentials. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.MARefArc.CN15.AR01 | Credentials MUST be brokered by the runtime and MUST NOT be exposed to agent-accessible memory, prompts, logs, or the workspace file system. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.MARefArc.CN15.AR02 | Agent tools MUST be denied access to credential stores, environment secrets, and instance metadata except through the secure-execution broker. | tlp-clear, tlp-green, tlp-amber, tlp-red |
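The brokered flow that AR01 and AR02 require, as an added Python example that is not part of the CCC control text: the agent refers to secrets only by opaque `cred://` handles, the broker resolves them server-side for granted tools only, refuses arguments that point at credential files, secret environment variables or instance metadata, and scrubs resolved values from tool output before it reaches the agent. The vault contents, tool names, handle scheme and deny patterns are constructed assumptions for the example.

```python
import re

# Constructed secret store: it lives only inside the broker process, never in
# the agent's prompt, memory, logs or workspace (CN15.AR01).
_VAULT = {"cred://api/deploy-token": "s3cr3t-deploy-token-XYZ"}

# Opaque handles each tool may have resolved for it; nothing else is injected.
_TOOL_GRANTS = {"http_get": {"cred://api/deploy-token"}}

# Credential surfaces a tool argument must never point at (CN15.AR02).
# Illustrative patterns, not an exhaustive deny list.
_DENIED = [
    re.compile(r"169\.254\.169\.254|metadata\.google\.internal"),  # instance metadata
    re.compile(r"(^|/)\.env$|/\.aws/credentials|/\.ssh/"),          # credential files
    re.compile(r"\$\{?[A-Z_]*(SECRET|TOKEN|PASSWORD|KEY)"),         # secret env vars
]

def denied_arg(args):
    """Return the first argument value that touches a credential surface, else None."""
    for value in args.values():
        if any(p.search(str(value)) for p in _DENIED):
            return str(value)
    return None

def broker_call(tool, args, execute):
    """Run one agent tool call through the broker.

    Returns (ok, output); output is the only thing handed back to the agent.
    """
    hit = denied_arg(args)
    if hit is not None:
        return False, f"denied: argument references a credential surface: {hit}"
    resolved, injected = dict(args), []
    for key, value in args.items():
        if isinstance(value, str) and value.startswith("cred://"):
            if value not in _TOOL_GRANTS.get(tool, set()) or value not in _VAULT:
                return False, f"denied: {tool} is not granted {value}"
            resolved[key] = _VAULT[value]  # the real value exists only here
            injected.append(_VAULT[value])
    output = execute(tool, resolved)
    for secret in injected:  # never let a resolved secret leak back via tool output
        output = output.replace(secret, "[REDACTED]")
    return True, output

def sample_execute(tool, args):
    """Stand-in for the real tool runner; echoes what it received (constructed)."""
    return f"{tool} {args.get('url', args.get('path', ''))} auth={args.get('token')} -> 200"
```

A real deployment would also log the denial decisions from `broker_call` to the audit trail so that repeated attempts to reach credential surfaces are detectable.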
Guideline Mappings
| Framework | ID | Remarks |
|---|---|---|
| finos-air | AIR-PREV-023 | |